Hi,
We bought an Azure Key Vault EV Code Signing Certificate from SignMyCode (DigiCert certificate), we successfully imported the certificate into our Azure Key Vault, and we are able to sign our normal .exe files using the AzureSignTool.
I understand we need to use the utility ArcGISSignAddIn.exe to sign the add-in but I can't make it work with the certificate stored in the Azure Key Vault.
From the Azure Portal, I exported the certificate as .pfx file.
Then I ran this command line:
ArcGISSignAddIn "Test.esriAddinX" /c:\test.pfx
And I got this error: Signing key is not loaded.
I also tried importing the .pfx into the Windows certificate store, then ran ArcGISSignAddIn.exe without parameters. From the UI I selected my add-in file, and from the store certificate list I chose the certificate I had just imported, with the same result: Signing key is not loaded.
I also tried to use the AzureSignTool directly but I received an unsupported file type.
Does anybody have an idea how to sign an add-in from the Azure Key Vault? Does ESRI have any documentation on using the sign utility with an Azure Key Vault certificate?
Thanks
Update on my previous post, according to this document:
*If you are using a certificate imported from an HSM, the HSM must be connected to the physical machine on which the signing is being performed to provide the necessary private key to complete the signing process. A cloud based HSM will perform in a similar fashion via a secure connection. To disable any password prompt, please refer to the instructions provided by your Digital Certificate vendor on how to cache user/pwd credentials.*
I now understand that the ArcGISSignAddIn utility needs to connect to the HSM to get the private key. My certificate is stored in an Azure Key Vault; how do I create that "secure connection" to the Azure Key Vault so the utility can retrieve the private key? In AzureSignTool, we can specify clientId, secret, vault URI, etc. Why not in the ArcGISSignAddIn utility?