Open avivanoff opened 1 year ago
producing/signing/ingesting digests
I know what these flags do, but I don't see what AzureSignTool can do with them. AzureSignTool is all about signing something with Azure Key Vault. When you use digest signing, you are taking the signing step out of the equation. What AzureSignTool would end up doing is exactly what regular signtool does.
How would these flags benefit AzureSignTool users, as opposed to continuing to use regular signtool?
Please post these suggestions to https://github.com/dotnet/sign. That tool is intended to supersede AzureSignTool, NuGetKeyVaultSignTool, and several others.
Thanks for the heads up @clairernovotny . Is there any kind of roadmap/status in terms of that migration? We have been happily using AzureSignTool for years to sign various artifacts ... the new project is very welcome if it furthers key vault for such scenarios but I am unsure if attempting to replace it in the various pipelines just now.
@vcsjones I don't have any particular use case for it myself, but I imagine a useful implementation of this would be to add support for /ds alone (i.e. use the key vault to actually sign a digest produced by signtool /dg, in a format compatible with signtool /di). Perhaps this might allow some advanced scenarios not currently supported, such as multi-signing? (Though there's also less point in doing that these days, at least for SHA1 compatibility purposes.)
Though having said that, once you're splitting the operations up rather than doing an all-in-one, I imagine you could use Azure CLI for the signing step, since that's essentially the same thing AzureSignTool would be doing "under the hood" anyway. AzureSignTool remains a convenient way to do all three steps in one tool.
signtool.exe has a set of options for producing/signing/ingesting digests. It is imperative AzureSignTool has the same support for advanced signing workflows.