We've been digitally signing an ArcGIS Pro add-in using the using the ArcGISSignAddIn.exe tool (per https://github.com/Esri/arcgis-pro-sdk/wiki/ProGuide-Digitally-signed-add-ins-and-configurations#app...). To date, we've been using the tool with a .pfx certificate file.
The world has changed. Beginning on June 1 of this year, per the latest standard, private keys for code signing certificates must be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent. For our use case, we elected to use a cloud-based Key Storage Provider (KSP) for this (i.e., DigiCert KeyLocker).
This new approach has worked well with conventional Microsoft signtool.exe based signing, but it's unfortunately not working with ArcGISSignAddin.exe. When attempting to use the tool with the new KSP-based certificate (as available via the certificate store), an "Internal consistency check failed" error is received and the add-in is not signed.
Any suggestions? Is anyone successfully using ArcGISSignAddIn.exe with a Key Storage Provider?
Have you had any success with getting an AddInX signed using a KSP? My Digicert certificate expired and now I'm left with the choice of going with a hardware token or cloud storage. I can't find any documentation stating if either one works using the ArcGISSignAddIn.exe tool.