Code Sign using Azure Key Vault

I need an OV certificate to code sign an Electron application. I used to build the application in Jenkins, both for Windows and macOS, using Electron Forge (https://www.electronforge.io/guides/code-signing/code-signing-macos). To be more specific, I used Xcode and Keychain to store the certificate.

Sadly, new certificate industry requirements will force me to use Azure Key Vaults (or other cloud HSM alternatives) to store the certificate.

I need to find a way to code-sign it for macOS from Azure Key Vaults or equivalent solutions.

Thank you

Answered by DTS Engineer in 805121022

Posting this as a reply to improve discoverability…

I just wrote up some generic instructions in Signing code with a hardware-based code-signing identity.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Both Xcode and codesign [1] support keys vended by a CryptoTokenKit app extension. You can build such an extension for either a hardware token or a virtual token, for example, a network accessible key vault. I don’t know if such an extension exists for your specific key vault vendor; you should ask them. If not, you could write your own, assuming they publish the protocol necessary to interact with their vault.

If you decide to go down the ‘write your own’ path, post back here so that I can share some hints and tips on that front.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] In the Xcode case this is a relatively recent development. It definitely works with Xcode 14. If older versions of Xcode are relevant to you, lemme know and I’ll track down when the fix rolled out.

Thanks, @eskimo!

I would love to know more about the effort to develop a CryptoTokenKit app extension.

Writing my own is definitely a possible path I would take if I can't find anything ready that works for me.

Thanks again!

I would love to know more about the effort to develop a CryptoTokenKit app extension.

Please drop me a line via email. My address is in my signature. Make sure to reference this thread because… well… I get a lot of email |-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello @GCatenacci

I find myself in the same situation you described 6 months ago - did you have any luck getting this to work? Did you end up building a CryptoTokenKit extension?

Thanks!

