Custom Signing with HSM Support
AdminStudio supports custom signing of MSIX packages, including integration with secure Hardware Security Modules (HSM), such as Azure Key Vault and Azure HSM. This capability allows you to define a custom signing process by specifying the path to signing tools or scripts, such as AzureSignTool, along with any required arguments. It provides the flexibility to implement secure, automated signing workflows using private keys stored in HSMs, rather than relying on locally stored certificates, ensuring alignment with your organization's security and compliance requirements.
Custom signing—Use this option to configure a custom solution to digitally sign MSIX packages.
• Path—Specify the location of the signing tool or a script. Supported file types include:
  • .exe (Executable)
  • .bat (Batch Script)
  • .vbs (VBScript)
  • .ps1 (PowerShell Script)
Examples:
<ProgramFilesFolder>\Windows Kits\10\bin\<WinSDKVer>\x86\signtool.exe
• Arguments—Specify the command-line arguments required by signtool or the custom script file. They are passed to the tool at runtime during the signing process.
Enter valid command-line parameters for the tool or script given in the Path field.
Examples:
sign /fd SHA256 /f <ProgramFilesFolder>\testCA.pfx /t http://timestamp.digicert.com /p 123 /v "[Filename]"
Important:
• The Publisher Name in the MSIX package must exactly match the Subject in the signing certificate.
• Always include the "[Filename]" placeholder where the MSIX file path should appear. At runtime, it is automatically replaced with the actual MSIX file path.
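As an added example (not AdminStudio, AzureSignTool or Flexera code), the following Python script applies the two rules above before the signing tool is ever invoked: it reads Identity/@Publisher out of the package manifest and compares it with the certificate Subject, and it renders an argument template by substituting the [Filename] placeholder the way AdminStudio does at runtime. It also masks the secret-bearing values (-kvs, /p) when the command line is written to a log. The manifest namespace is the standard Windows 10 foundation namespace; the sample package, subject, vault URL and secret are constructed placeholders, and the exact-string comparison of Publisher and Subject is a deliberately conservative assumption.

```python
"""Pre-sign gate for a custom MSIX signing step.

Added example, not code from AdminStudio, AzureSignTool or Flexera. Assumes
(as labelled) that the MSIX is a ZIP container with AppxManifest.xml at its
root and that the certificate Subject is supplied as the X.500 string Windows
compares against, e.g. "CN=Contoso Corp, O=Contoso, C=US".
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NAME = "AppxManifest.xml"
FOUNDATION_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
FILENAME_PLACEHOLDER = "[Filename]"
# Switches whose following value is a secret: AzureSignTool's -kvs and
# signtool's /p both appear in the examples on this page.
SECRET_SWITCHES = {"-kvs", "/p"}


def publisher_from_msix(msix_bytes: bytes) -> str:
    """Read Identity/@Publisher out of the package manifest."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as package:
        manifest = package.read(MANIFEST_NAME)
    root = ET.fromstring(manifest)
    identity = root.find(f"{{{FOUNDATION_NS}}}Identity")
    if identity is None or not identity.get("Publisher"):
        raise ValueError("AppxManifest.xml has no Identity/@Publisher")
    return identity.get("Publisher")


def publisher_matches_subject(msix_bytes: bytes, cert_subject: str) -> bool:
    """Conservative exact comparison (assumption: any difference fails).

    A package signed with a mismatched Subject is rejected at install time,
    so catching the mismatch here avoids a wasted Key Vault operation.
    """
    return publisher_from_msix(msix_bytes) == cert_subject


def render_arguments(template: list, msix_path: str) -> list:
    """Replace the [Filename] placeholder, as AdminStudio does at runtime.

    Keeping the arguments as a list (one token per element) means the path is
    never re-parsed by cmd.exe, so spaces in it need no manual quoting.
    """
    if not any(FILENAME_PLACEHOLDER in token for token in template):
        raise ValueError(f"arguments must contain {FILENAME_PLACEHOLDER}")
    return [token.replace(FILENAME_PLACEHOLDER, msix_path) for token in template]


def redact_for_log(argv: list) -> str:
    """Render argv as one log line with secret values masked."""
    out = []
    hide_next = False
    for token in argv:
        out.append("***" if hide_next else token)
        hide_next = token.lower() in SECRET_SWITCHES
    return " ".join(out)


def build_sample_msix(publisher: str) -> bytes:
    """Constructed sample: a minimal ZIP holding only a manifest, not a real package."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<Package xmlns="{FOUNDATION_NS}">'
        f'<Identity Name="Contoso.SampleApp" Publisher="{publisher}" Version="1.0.0.0" />'
        "</Package>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr(MANIFEST_NAME, manifest)
    return buffer.getvalue()


if __name__ == "__main__":
    subject = "CN=Contoso Corp, O=Contoso, C=US"          # constructed
    sample = build_sample_msix(subject)
    template = ["sign", "-fd", "sha256",
                "-kvu", "https://example-vault.vault.azure.net",  # placeholder
                "-kvs", "client-secret-placeholder",
                "-kvc", "cert-name-placeholder",
                "-v", FILENAME_PLACEHOLDER]
    argv = render_arguments(template, r"C:\Packages\Contoso App.msix")
    print("publisher ok:", publisher_matches_subject(sample, subject))
    print("command    :", redact_for_log(argv))
```

Run the gate from whatever wrapper you configure in Path, and only call the signing tool when the Publisher check passes; log the redacted command line rather than the raw one, since the Arguments field carries the client secret in clear text.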
Examples of Custom Signing with AzureSignTool + Azure Key Vault/HSM
The following examples show custom signing with AzureSignTool and Azure Key Vault/HSM for each supported file type.
1. Using Executable in Path
• Path
  Path to AzureSignTool.exe
• Argument
  sign -fd sha256 -kvu <Key Vault URL> -kvi <Client ID> -kvt <Tenant ID> -kvs <Client Secret> -kvc <Certificate Name> -tr <Timestamp URL> -td sha256 -v "[Filename]"
2. Batch File (.bat)
  "<Signtool Path>" sign -fd sha256 -kvu <Key Vault URL> -kvi <Client ID> -kvt <Tenant ID> -kvs <Client Secret> -kvc <Certificate Name> -tr <Timestamp URL> -td sha256 -v "[Filename]"
Note: Use %1 to represent arguments in a batch file. Provide values in Arguments, wrapped in double quotes.
3. VBScript (.vbs)
• Accepts [Filename] directly.
• WScript builds and runs the signing command dynamically.

' Define variables
Dim shell, signCommand, fileToSign, timestampUrl, keyVaultUri, certificateName, clientId, tenantId, clientSecret
Set shell = CreateObject("WScript.Shell")

' AdminStudio replaces [Filename] with the MSIX path before the script runs
fileToSign = "[Filename]"
keyVaultUri = "<Key Vault URL>"
certificateName = "<Certificate Name>"
clientId = "<Client ID>"
tenantId = "<Tenant ID>"
clientSecret = "<Client Secret>"
timestampUrl = "<Timestamp URL>"

' Build the AzureSignTool command line. Inside a VBScript string literal, ""
' is one literal quote, so every value (and the tool path, in case it
' contains spaces) ends up double-quoted on the command line.
' -fd/-td are omitted here; see the .exe example for explicit sha256.
signCommand = """<Signtool Path>"" sign " & _
    "-kvu """ & keyVaultUri & """ " & _
    "-kvc """ & certificateName & """ " & _
    "-kvi """ & clientId & """ " & _
    "-kvt """ & tenantId & """ " & _
    "-kvs """ & clientSecret & """ " & _
    "-v """ & fileToSign & """ " & _
    "-tr """ & timestampUrl & """"

' Run with a visible window (1) and wait for completion (True).
' Run returns the tool's exit code, which is handed back to AdminStudio.
Dim exitCode
exitCode = shell.Run(signCommand, 1, True)
WScript.Quit exitCode

Note: Use WScript.Arguments(0) for input parameters and pass values via Arguments in double quotes.
4. PowerShell Script (.ps1)
• Dynamically constructs the sign command using variables.
• Runs the command using cmd.exe /c

$azureSignToolPath = "<Signtool Path>"
$vaultUri = "<Key Vault URL>"
$clientId = "<Client ID>"
$tenantId = "<Tenant ID>"
$clientSecret = "<Client Secret>"
$certificateName = "<Certificate Name>"
$timestampUrl = "<Timestamp URL>"
# AdminStudio replaces [Filename] with the MSIX path before the script runs
$fileToSign = "[Filename]"

# Expandable here-string: the $variables are substituted when it is created.
# The closing "@ must start at column 0.
$signCommand = @"
"$azureSignToolPath" sign -fd sha256 -kvu $vaultUri -kvi $clientId -kvt $tenantId -kvs $clientSecret -kvc $certificateName -tr $timestampUrl -td sha256 -v "$fileToSign"
"@

try {
    # Hand the whole line to cmd.exe; $LASTEXITCODE carries the tool's exit code
    & cmd.exe /c $signCommand
    if ($LASTEXITCODE -eq 0) {
        Write-Output "File signed successfully."
    } else {
        Write-Error "Signing failed. Exit code: $LASTEXITCODE"
        exit $LASTEXITCODE
    }
} catch {
    # Reached when the command itself cannot be started; a non-zero exit code
    # from the tool is handled above, not here
    Write-Error "An error occurred: $_"
    exit 1
}

Note: Use variables like $file, and pass values in Arguments enclosed in double quotes (e.g., "-file "value"").