Add support for signing JAR files using Azure Key Vault in Azure Sign Tool

[kk99999]

We’re currently using Azure Key Vault to securely store code signing certificates. We are using Azure Sign Tool in CI/CD pipeline (Azure devops) to sign the files like exe and dlls without exposing the private key. However, our CI/CD pipeline also requires signing Java .jar files, and we’re unable to do so because tools like jarsigner and jsign require local access to the private key. Can Azure Sign Tool be enhanced to sign JAR files using certificates stored in Azure Key Vault? This would allow secure remote signing of Java artifacts without the need to download or exporting certificates from Azure Key Vault. This would help so much with automation in Azure environment.

[mattstrain]

We use Gitllab for builds but i'm sure in Azure DevOps you can do the same thing and don't need AzureSignTool to sign jars.

Provide your client secret in a secure variable somewhere like a Kubernetes secret (and rotate it frequently)

Then during your build run the following commands to sign and verify the signature

jarsigner -keystore NONE -storetype AzureKeyVault \
    "${PATH_TO_JAR_TO_SIGN}" "${CERT_NAME}" \
    -verbose -storepass "" \
    -providerName AzureKeyVault \
    -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
    -J--module-path="${SOME_DIR}/azure-security-keyvault-jca.jar" \
    -J--add-modules="com.azure.security.keyvault.jca" \
    -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
    -J-Dazure.keyvault.tenant-id=${TENANT} \
    -J-Dazure.keyvault.client-id=${CLIENT_ID} \
    -J-Dazure.keyvault.client-secret=${CODE_SIGN_CLIENT_SECRET} \
    -tsa http://timestamp.digicert.com \
    -tsadigestalg sha384 \
    -certchain "${SOME_DIR}/chain.pem" || { echo JarSign Failed ; exit 1; };

jarsigner -verify -verbose -J-Djava.security.debug=jar -certs "${PATH_TO_JAR_TO_SIGN}"

Note you will need azure-security-keyvault-jca.jar somewhere in the build tool (SOME_DIR) and maybe your cert chain too