{"id":21012339,"url":"https://github.com/vcsjones/azuresigntool","last_synced_at":"2025-05-14T08:07:20.722Z","repository":{"id":43427845,"uuid":"102048753","full_name":"vcsjones/AzureSignTool","owner":"vcsjones","description":"SignTool Library and Azure Key Vault Support","archived":false,"fork":false,"pushed_at":"2025-04-21T01:18:43.000Z","size":9038,"stargazers_count":315,"open_issues_count":62,"forks_count":96,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-05-14T08:07:13.457Z","etag":null,"topics":["authenticode","azure","azure-key-vault","signersignex3"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vcsjones.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-31T21:55:22.000Z","updated_at":"2025-05-05T01:26:08.000Z","dependencies_parsed_at":"2023-01-29T21:46:31.025Z","dependency_job_id":"2be19236-2612-462f-a09e-77a5f01999c6","html_url":"https://github.com/vcsjones/AzureSignTool","commit_stats":{"total_commits":154,"total_committers":15,"mean_commits":"10.266666666666667","dds":0.5064935064935066,"last_synced_commit":"9f30f7a267eff7f3fe494c49e5a536a337c8dfde"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%2FAzureSignTool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%2FAzureSignTool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%
2FAzureSignTool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vcsjones%2FAzureSignTool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vcsjones","download_url":"https://codeload.github.com/vcsjones/AzureSignTool/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254101555,"owners_count":22014908,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authenticode","azure","azure-key-vault","signersignex3"],"created_at":"2024-11-19T09:36:20.564Z","updated_at":"2025-05-14T08:07:15.712Z","avatar_url":"https://github.com/vcsjones.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"Azure Sign Tool\n===============\n\nThe below README is based on functionality in `main` which may not be the same as the latest released version of AzureSignTool. For README information about released versions, please see the README for the version's associated tag. The README for the current release can [be found here](https://github.com/vcsjones/AzureSignTool/blob/v6.0.0/README.md).\n\nAzure Sign Tool is similar to `signtool` in the Windows SDK, with the major difference being that it uses\nAzure Key Vault for performing the signing process. 
The usage is like `signtool`, except with a limited set\nof options for signing and options for authenticating to Azure Key Vault.\n\nExample usage:\n\n    AzureSignTool.exe sign -du \"https://vcsjones.com\" \\\n\t  -fd sha384 -kvu https://my-vault.vault.azure.net \\\n\t  -kvi 01234567-abcd-ef012-0000-0123456789ab \\\n\t  -kvt 01234567-abcd-ef012-0000-0123456789ab \\\n\t  -kvs \u003ctoken\u003e \\\n\t  -kvc my-key-name \\\n\t  -tr http://timestamp.digicert.com \\\n\t  -td sha384 \\\n\t  -v \\\n\t  -ifl C:\\list\\of\\file\\to\\sign.txt \\\n\t  C:\\additional\\file\\to\\sign\\program1.exe \\\n\t  C:\\additional\\file\\to\\sign\\program2.exe\n\n\nThe `--help` or `sign --help` option provides more detail about each parameter.\n\n[A walk-through is available](WALKTHROUGH.md) if you're interested in getting set up from scratch.\n\n## Installation\n\nAzureSignTool can be installed in a couple of ways.\n\n### NuGet Tool\n\nYou can install AzureSignTool from NuGet using\n\n```powershell\ndotnet tool install --global --version 6.0.0 AzureSignTool\nAzureSignTool.exe\n```\n\nIt is recommended to specify an exact version such as 6.0.0, or a latest major-minor, like 6.0.*, so that major versions, which often include a breaking change, are not automatically picked up.\n\n### Single-file Download\n\nAzureSignTool provides self-contained executables on the GitHub release. For example, to download the v6.0.0 ARM64 binary:\n\n```powershell\nInvoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/download/v6.0.0/AzureSignTool-arm64.exe -OutFile AzureSignTool.exe\n.\\AzureSignTool.exe\n```\n\nSee [latest release](https://github.com/vcsjones/AzureSignTool/releases/latest) for available downloads.\n\n### WinGet\n\nAzureSignTool can be installed with the WinGet package manager.\n\n```PowerShell\nwinget install vcsjones.azuresigntool\n```\n\nThe WinGet package manager installs the same binary that is available from the Single-file Download on the GitHub release. 
It does not require .NET to be installed.\n\n### Which to use?\n\nThe NuGet tool offers smaller downloads that install faster, but requires the .NET 8 SDK to be present on the system. The NuGet tool supports x64, x86, and ARM64.\n\nThe single-file downloads do not require .NET to be installed on the system at all, only to be run on a supported version of Windows. They are entirely stand-alone binaries. This makes them useful in places where .NET is not installed at all, such as a CI pipeline that is not .NET-centric or where installing .NET is not desired. Single-file currently supports x64 and ARM64. If x86 support is needed, the NuGet tool is required.\n\n## Parameters\n\n* `--azure-key-vault-url` [short: `-kvu`, required: yes]: A fully qualified URL of the key vault with\n\tthe certificate that will be used for signing. An example value might be `https://my-vault.vault.azure.net`.\n\n* `--azure-key-vault-client-id` [short: `-kvi`, required: possibly]: This is the client ID used to authenticate to\n\tAzure, which will be used to generate an access token. This parameter is not required if an access token is supplied\n\tdirectly with the `--azure-key-vault-accesstoken` option or when using managed identities with `--azure-key-vault-managed-identity`. If this parameter is supplied, `--azure-key-vault-client-secret` and `--azure-key-vault-tenant-id`\n\tmust be supplied as well.\n\n* `--azure-key-vault-client-secret` [short: `-kvs`, required: possibly]: This is the client secret used to authenticate to\n\tAzure, which will be used to generate an access token. This parameter is not required if an access token is supplied\n\tdirectly with the `--azure-key-vault-accesstoken` option or when using managed identities with `--azure-key-vault-managed-identity`. If this parameter is supplied, `--azure-key-vault-client-id` and `--azure-key-vault-tenant-id` must be supplied as well.\n\n* `--azure-key-vault-tenant-id` [short: `-kvt`, required: possibly]: This is the tenant id used to authenticate to\n\tAzure, which will be used to generate an access token. 
This parameter is not required if an access token is supplied\n\tdirectly with the `--azure-key-vault-accesstoken` option or when using managed identities with `--azure-key-vault-managed-identity`. If this parameter is supplied, `--azure-key-vault-client-id` and `--azure-key-vault-client-secret` must be supplied as well.\n\n* `--azure-key-vault-certificate` [short: `-kvc`, required: yes]: The name of the certificate used to perform the signing\n\toperation.\n\n* `--azure-key-vault-accesstoken` [short: `-kva`, required: possibly]: An access token used to authenticate to Azure. This\n\tcan be used instead of the `--azure-key-vault-managed-identity`, `--azure-key-vault-client-id` and `--azure-key-vault-client-secret` options. This is useful\n\tif AzureSignTool is being used as part of another program that is already authenticated and has an access token to\n\tAzure.\n\n* `--azure-key-vault-managed-identity` [short: `-kvm`, required: possibly]: Use the ambient Managed Identity to authenticate to Azure. This\n\tcan be used instead of the `--azure-key-vault-accesstoken`, `--azure-key-vault-client-id` and `--azure-key-vault-client-secret` options. This option uses a combination of authentication mechanisms listed under [DefaultAzureCredential Class](https://learn.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet#definition). Besides Managed Identity, this also allows you to use existing sessions in the Azure CLI or PowerShell. It also supports Visual Studio Credentials, Interactive Browser Authentication and others. These sources are tried in order and the first one that succeeds is used, so on a machine where several are configured, make sure the identity that ends up signing is the one you intend.\n\n* `--description` [short: `-d`, required: no]: A description of the signed content. This parameter serves the same purpose\n\tas the `/d` option in the Windows SDK `signtool`. If this parameter is not supplied, the signature will not contain a\n\tdescription.\n\n* `--description-url` [short: `-du`, required: no]: A URL with more information about the signed content. 
This parameter serves\n\tthe same purpose as the `/du` option in the Windows SDK `signtool`. If this parameter is not supplied, the signature will\n\tnot contain a URL description.\n\n* `--timestamp-rfc3161` [short: `-tr`, required: no]: A URL to an RFC3161 compliant timestamping service. This parameter serves the\n\tsame purpose as the `/tr` option in the Windows SDK `signtool`. This parameter should be used in favor of the `--timestamp-authenticode` option.\n\tUsing this parameter allows modern RFC3161 timestamps, which also support timestamp digest algorithms other than SHA1.\n\n* `--timestamp-authenticode` [short: `-t`, required: no]: A URL to a legacy \"Authenticode\" timestamping service. This parameter serves the\n\tsame purpose as the `/t` option in the Windows SDK `signtool`. Using an \"Authenticode\" timestamping service is deprecated.\n\tInstead, use the `--timestamp-rfc3161` option.\n\n* `--timestamp-digest` [short: `-td`, required: no]: The name of the digest algorithm used for timestamping. This parameter is ignored\n\tunless the `--timestamp-rfc3161` parameter is also supplied. The default value is `sha256`. Possible values:\n\t* sha1\n\t* sha256\n\t* sha384\n\t* sha512\n\n* `--file-digest` [short: `-fd`, required: no]: The name of the digest algorithm used for hashing the file being signed. The default\n \tvalue is `sha256`. `sha1` is present for legacy compatibility only; prefer `sha256` or stronger. Possible values:\n\t* sha1\n\t* sha256\n\t* sha384\n\t* sha512\n\n* `--additional-certificates` [short: `-ac`, required: no]: A list of paths to additional certificates to aid in building a full chain\n\tfor the signing certificate. Azure SignTool will build a chain, either as deep as it can or to a trusted root. This will also use\n\tthe Windows certificate store, in addition to any certificates specified with this option. Specifying this option does not guarantee\n\tthat a certificate is included; it is included only if it is part of the chain. 
To include multiple certificates, specify this option multiple\n\ttimes, such as `-ac file1.cer -ac file2.cer`. The files specified must be public certificates only. They cannot be PFX or\n\tPKCS#12 files.\n\n* `--verbose` [short: `-v`, required: no]: Include additional output in the log. This parameter does not accept a value and cannot be\n\tcombined with the `--quiet` option.\n\n* `--quiet` [short: `-q`, required: no]: Do not print output to the log. This parameter does not accept a value and cannot be\n\tcombined with the `--verbose` option. The exit code of the process can be used to determine success or failure of the sign operation.\n\t\n* `--continue-on-error` [short: `-coe`, required: no]: If multiple files to sign are specified, this flag will cause the signing process to\n\tmove on to the next file when signing fails. This flag modifies the exit code of the program. See the Exit Codes section for more\n\tinformation.\n\n* `--input-file-list` [short: `-ifl`, required: no]: Specifies a path to a text file which contains a list of files to sign, with one\n\tfile per line in the text file. If this parameter is specified, it is combined with files directly specified on the command line. The\n\tdistinct union of the two lists is signed.\n\n* `--skip-signed` [short: `-s`, required: no]: If a file is already signed it will be skipped, rather than replacing the existing\n\tsignature.\n\n* `--append-signature` [short: `-as`, required: no]: When specified, the signing process adds a signature to an existing signature instead of\n        replacing it. Requires Windows 11 or later.\n\n### Advanced\n\n* `--page-hashing` [short: `-ph`, required: no]: Causes the Authenticode signing process to generate hashes of pages for verifying when\n\tthe application is paged into memory. 
If this flag is omitted, the default configuration for the operating system will be used.\n\tThis flag will not affect non-PE file formats.\n\n* `--no-page-hashing` [short: `-nph`, required: no]: Causes the Authenticode signing process to exclude hashes of pages for verifying when\n\tthe application is paged into memory. If this flag is omitted, the default configuration for the operating system will be used.\n\tThis flag will not affect non-PE file formats.\n\n* `--max-degree-of-parallelism` [short: `-mdop`, required: no]: When signing multiple files, specifies the maximum number of concurrent\n\toperations. Setting this value does not guarantee that this many concurrent operations will be performed. If this value is unspecified,\n\tthe system will use the default based on the number of available processor threads. Setting this value to \"1\" disables concurrent\n\tsigning.\n\nIn most circumstances, using the defaults for page hashing is recommended, which can be done by simply omitting both of the parameters.\n\n## Supported Formats\n\nThis tool uses the same mechanisms for signing as the Windows SDK `signtool`. It will support the same formats as `signtool` supports.\nHowever, the formats that `azuresigntool` and `signtool` support vary by operating system and which Subject Interface Packages are\npresent on the system.\n\n## Exit Codes\n\nThe exit code is an HRESULT. Signing successfully produces a result of `S_OK` (\"0\"). If all files fail to sign, the exit code is\n0xA0000002. If some were signed successfully, the exit code is 0x20000001. Both failure codes are non-zero, so a CI step should treat anything other than 0 as a failure unless partial signing is acceptable. Note that 0xA0000002 exceeds 0x7FFFFFFF, so a shell that reports exit codes as a signed 32-bit integer (for example `$LASTEXITCODE` in PowerShell) shows it as a negative number.\n\n## Cancellation\n\nThe standard Ctrl+C key sequence is used to cancel the signing. Any in-flight signing operations are finished, then the process exits with\na status code according to the signing operations that completed.\n\n## Requirements\n\nWindows 10 or Windows Server 2016 is required. 
Some features require later versions of Windows.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvcsjones%2Fazuresigntool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvcsjones%2Fazuresigntool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvcsjones%2Fazuresigntool/lists"}
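The README above covers the command line, the managed-identity option, RFC3161 timestamping and the HRESULT exit codes separately. The following PowerShell script is an added example, not code from the AzureSignTool project, that ties them together the way a CI signing step would: it signs a batch of artifacts with `-kvm`, decodes the documented exit codes from the signed `$LASTEXITCODE`, and independently verifies each output with the built-in `Get-AuthenticodeSignature` cmdlet. The vault URL, certificate name, artifact directory, and the assumption that `AzureSignTool.exe` is on `PATH` and the build agent's managed identity may sign with that key are placeholders for illustration.

```powershell
# Added example (not part of AzureSignTool): CI wrapper that signs, decodes the
# HRESULT exit code and verifies every output before the build is allowed to pass.
# Assumed: AzureSignTool.exe is on PATH; the agent's managed identity has sign
# permission on the key; vault URL / cert name / artifact path are placeholders.

$VaultUrl  = 'https://my-vault.vault.azure.net'    # placeholder
$CertName  = 'my-key-name'                          # placeholder
$Timestamp = 'http://timestamp.digicert.com'
$Files     = Get-ChildItem -Path .\artifacts -Recurse -Include *.exe, *.dll |
             ForEach-Object FullName

# Map the Int32 $LASTEXITCODE back to the HRESULTs the README documents.
# 0xA0000002 does not fit in a signed Int32, so PowerShell reports it as
# -1610612734; formatting with X8 yields the two's-complement hex string.
function Get-SignResult([int]$ExitCode) {
    switch ('{0:X8}' -f $ExitCode) {
        '00000000' { 'AllSigned' }
        '20000001' { 'PartialFailure' }   # only possible with --continue-on-error
        'A0000002' { 'AllFailed' }
        default    { "Unknown (0x$('{0:X8}' -f $ExitCode))" }
    }
}

# Independent check: Windows must accept the signature (trusted chain, intact
# file hash) AND a timestamp must be present, otherwise the signature stops
# validating when the signing certificate expires.
function Test-SignedFile([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false
                                  Reason = "$($sig.Status): $($sig.StatusMessage)" }
    }
    if (-not $sig.TimeStamperCertificate) {
        return [pscustomobject]@{ Path = $Path; Ok = $false
                                  Reason = 'signature is not timestamped' }
    }
    [pscustomobject]@{ Path = $Path; Ok = $true
                       Reason = "signed by $($sig.SignerCertificate.Thumbprint)" }
}

# Sign with the ambient managed identity (DefaultAzureCredential chain), an
# RFC3161 timestamp, quiet output and continue-on-error so one bad file does
# not abort the batch. @Files splats the array as positional file arguments.
& AzureSignTool.exe sign `
    -kvu $VaultUrl -kvc $CertName -kvm `
    -fd sha256 -tr $Timestamp -td sha256 `
    -q -coe `
    @Files

$result = Get-SignResult $LASTEXITCODE
Write-Host "AzureSignTool: $result (exit code $LASTEXITCODE)"

$checks = $Files | ForEach-Object { Test-SignedFile $_ }
$checks | Format-Table -AutoSize

# Fail the build unless every file was signed AND verifies on this machine.
if ($result -ne 'AllSigned' -or ($checks | Where-Object { -not $_.Ok })) {
    Write-Error 'Signing did not complete cleanly; failing the build.'
    exit 1
}
```

`Get-AuthenticodeSignature` reports `Valid` only if the chain builds to a root trusted on the verifying machine, so run the check on the agent that will actually consume the artifacts, and pass intermediates with `-ac` at signing time if they are not installed there. The exit-code decoding relies on the fact that `'{0:X8}' -f -1610612734` formats the two's-complement value as `A0000002`; hex literals such as `0xA0000002` would themselves be parsed as negative Int32 values, so comparing strings avoids that trap.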