Cloud code signing MSIX package

We build an MSIX package using a Visual Studio wapproj, and tell it which certificate to use by specifying a thumbprint.  We now need to look at cloud code signing the package, due to new restrictions on code signing certs that make using a dongle unrealistic.  Has anyone done this, or can point me at some documentation on how to set it up?

0
4 comments

We use an Azure Key Vault cloud instance and the open-source project vcsjones/AzureSignTool: SignTool Library and Azure Key Vault Support.

Hopefully this might help.

0

Thanks, Mark G. Do you re-sign the MSIX with that after it's built? It looks like the cert is stored in Azure, is that correct? Sorry, this is a bit new to me, as we currently just give the cert thumbprint to msbuild and it handles making the MSIX and doing the signing.

0

We don't use MSIX; we use NSIS and sign EXEs. I'm making the assumption it's still signed the same way. But yes, the key is stored in the Azure instance, which conforms to the secure key storage requirements.

0

Mark G, oh, I see. We use MSIX, and it's built by calling msbuild app.wapproj (wapproj is a VS project type that you point to an application, and it will figure out how to build the MSIX) with some properties that tell it what cert to use; the wapproj is what does the actual signing. I think behind the scenes it does use signtool though, but we're not calling it ourselves, we're just calling msbuild and giving command line options that the wapproj picks up on.

0
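One way to combine the two approaches discussed in this thread, as an added example that is not from any of the posters or from the AzureSignTool project: build the wapproj with its own signing step turned off, then sign the resulting .msix with AzureSignTool. The vault URL, certificate name, subject string, timestamp URL, paths and environment variable names are placeholders chosen for illustration, and the script assumes msbuild, azuresigntool and signtool are on PATH.

```powershell
# Added example: unsigned wapproj build, then Key Vault signing of the MSIX.
# Every name, URL and path below is a placeholder, not a value from the thread.
$ErrorActionPreference = 'Stop'

$project    = 'app.wapproj'
$manifest   = 'Package.appxmanifest'                      # next to the wapproj
$outDir     = Join-Path (Get-Location) 'AppPackages\'     # trailing slash required
$vaultUrl   = 'https://example-vault.vault.azure.net'     # placeholder
$certName   = 'example-codesign-cert'                     # placeholder
$certSubj   = 'CN=Example Corp, O=Example Corp, C=US'     # placeholder subject
$timestamp  = 'http://timestamp.example.test'             # placeholder RFC 3161 URL

# 1. MSIX signing fails unless the manifest Publisher equals the certificate
#    subject, so catch a mismatch before spending time on the build.
[xml]$m = Get-Content $manifest
$publisher = $m.Package.Identity.Publisher
if ($publisher -ne $certSubj) {
    throw "Manifest Publisher '$publisher' does not match cert subject '$certSubj'"
}

# 2. Build the package but skip the thumbprint-based signing done by the wapproj.
msbuild $project /p:Configuration=Release /p:Platform=x64 `
    /p:UapAppxPackageBuildMode=SideloadOnly /p:AppxBundle=Never `
    /p:AppxPackageSigningEnabled=false "/p:AppxPackageDir=$outDir"
if ($LASTEXITCODE -ne 0) { throw "msbuild failed with exit code $LASTEXITCODE" }

$msix = Get-ChildItem $outDir -Recurse -Filter *.msix | Select-Object -First 1
if (-not $msix) { throw "No .msix found under $outDir" }

# 3. Sign with the key held in Azure Key Vault. The private key stays in the
#    vault; only the digest is sent for signing. Credentials come from the
#    build agent's environment rather than from the script or the repo.
azuresigntool sign `
    -kvu $vaultUrl -kvc $certName `
    -kvt $env:AZURE_TENANT_ID -kvi $env:AZURE_CLIENT_ID -kvs $env:AZURE_CLIENT_SECRET `
    -tr $timestamp -td sha256 -fd sha256 `
    $msix.FullName
if ($LASTEXITCODE -ne 0) { throw "azuresigntool failed with exit code $LASTEXITCODE" }

# 4. Fail the pipeline if the signature does not validate.
signtool verify /pa /v $msix.FullName
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $($msix.Name)" }
```

On a build agent that has an Azure managed identity, AzureSignTool's `-kvm` switch can replace the tenant, client ID and client secret arguments, which keeps the secret off the command line.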
