Hi,
I've been trying out different solutions for code signing during Azure Pipelines builds and I've managed to get AzureSignTool/AzureKeyVault working with a test cert in AKV, no trouble on that front.
The guide at https://github.com/vcsjones/AzureSignTool/blob/main/WALKTHROUGH.md states the application should be given the Secret | Get, List permissions.
We will be using a plain-old imported OV code signing cert, no HSM vault/EV cert and AKV doesn't seem to let you mark an imported cert as non-exportable in that case. Given how easy it is to expose secret pipeline variables in Azure Pipelines, that permission (Getting the private key) is a deal-breaker for us.
I've read in some of the other GitHub issues that AzureSignTool uses the API to do digest signing and doesn't actually need to pull the private key from AKV. I've removed the Secret permissions from the application and haven't run into any issues signing.
Can you elaborate on what the secret permissions are needed for?
Cheers,
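A least-privilege check for the access policy this issue is about, added here as an example (it is not part of the issue or of AzureSignTool): it reads a vault description in the shape of `az keyvault show` output and reports anything a pipeline's service principal holds beyond an assumed remote-signing minimum (keys get/sign, certificates get, no secrets). The object IDs, vault name and that minimum set are assumptions for the example, not the tool's documented requirements.

```python
import json

# Assumed permission set for remote (digest) signing, where the private key
# never leaves the vault: read the certificate, read key metadata, and use
# the key's "sign" operation. Anything under "secrets" is excess, because
# "secrets get" on a Key Vault certificate returns its exportable PFX/PEM.
REMOTE_SIGNING_MINIMUM = {
    "keys": {"get", "sign"},
    "certificates": {"get"},
    "secrets": set(),
}

# Constructed sample in the shape of `az keyvault show` output. The vault
# name and objectId values are placeholders, not real principals.
SAMPLE_VAULT = json.dumps({
    "name": "example-signing-vault",
    "properties": {
        "accessPolicies": [
            {   # pipeline principal set up per the walkthrough (Secret Get, List)
                "objectId": "00000000-0000-0000-0000-00000000aaaa",
                "permissions": {"keys": ["get", "sign"],
                                "secrets": ["get", "list"],
                                "certificates": ["get"]},
            },
            {   # pipeline principal with the secret permissions removed
                "objectId": "00000000-0000-0000-0000-00000000bbbb",
                "permissions": {"keys": ["get", "sign"],
                                "certificates": ["get"]},
            },
        ]
    },
})

def excess_permissions(vault_json: str, object_id: str) -> dict:
    """Permissions granted to object_id beyond REMOTE_SIGNING_MINIMUM, keyed by
    category. An empty dict means the policy is already least-privilege."""
    vault = json.loads(vault_json)
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"].lower() != object_id.lower():
            continue
        granted = policy.get("permissions", {})
        excess = {}
        for category, allowed in REMOTE_SIGNING_MINIMUM.items():
            # Permission names are case-insensitive; "all" is reported as-is
            have = {p.lower() for p in granted.get(category, [])}
            extra = {"all"} if "all" in have else have - allowed
            if extra:
                excess[category] = sorted(extra)
        return excess
    raise KeyError(f"no access policy for {object_id}")

def can_export_private_key(vault_json: str, object_id: str) -> bool:
    """True if the principal can download the certificate's private key
    ("secrets get" or "secrets all") rather than only sign with it."""
    secrets = excess_permissions(vault_json, object_id).get("secrets", [])
    return "get" in secrets or "all" in secrets
```

Run it against the real `az keyvault show --name <vault> -o json` output and the pipeline principal's object ID to see which categories still need trimming before the cert is imported.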