A command line tool to code sign files using a code signing certificate stored in Azure Key Vault.

Project description

Azure Code Signer

Azure Code Signer is a command line tool that allows you to code sign files using a code signing certificate stored in Azure Key Vault. This tool is designed to work across multiple platforms, including Linux, macOS, and Windows.

Features

  • Authenticate with Azure Key Vault to retrieve code signing certificates
  • Sign files using certificates from Azure Key Vault
  • Generate detached signature files (.sig)
  • Verify file signatures
  • Cross-platform compatibility (Windows, macOS, Linux)
  • Support for various certificate formats (PEM, DER, PKCS#12)

Prerequisites

  • Python 3.7 or higher
  • An Azure account with access to Azure Key Vault
  • A code signing certificate stored in Azure Key Vault

Installation

Using pip (recommended)

pip install azure-code-signer

From source

git clone https://github.com/yourusername/azure-code-signer.git
cd azure-code-signer
pip install -e .

Authentication with Azure

The tool uses Azure's DefaultAzureCredential for authentication, which tries multiple authentication methods in the following order:

  1. Environment variables
  2. Managed Identity
  3. Visual Studio Code credentials
  4. Azure CLI credentials
  5. Interactive browser authentication

Authentication via Environment Variables

To authenticate using environment variables, set the following:

# Required for service principal authentication
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-client-secret

# Optional - to specify which subscription to use
AZURE_SUBSCRIPTION_ID=your-subscription-id

Setting Up a Service Principal

  1. Create a service principal in Azure:

     az ad sp create-for-rbac --name "AzureCodeSigner" --skip-assignment

     This will output JSON containing your appId (client ID), password (client secret), and tenant.

  2. Grant Key Vault access to your service principal:

     az keyvault set-policy --name your-keyvault-name \
       --object-id <service-principal-object-id> \
       --certificate-permissions get list \
       --secret-permissions get list

Setting Environment Variables

Linux/macOS:

export AZURE_TENANT_ID=your-tenant-id
export AZURE_CLIENT_ID=your-client-id
export AZURE_CLIENT_SECRET=your-client-secret

Windows (Command Prompt):

set AZURE_TENANT_ID=your-tenant-id
set AZURE_CLIENT_ID=your-client-id
set AZURE_CLIENT_SECRET=your-client-secret

Windows (PowerShell):

$env:AZURE_TENANT_ID = "your-tenant-id"
$env:AZURE_CLIENT_ID = "your-client-id"
$env:AZURE_CLIENT_SECRET = "your-client-secret"

Authentication via Azure CLI

If you prefer interactive authentication, you can use Azure CLI:

# Login with Azure CLI
az login

# Set your subscription (if necessary)
az account set --subscription <subscription-id>

Usage

Basic usage

azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file

Command line arguments

Argument            Description
--vault-url         URL of your Azure Key Vault (required)
--cert-name         Name of the certificate in Key Vault (required)
--file              Path to the file to sign or verify (required)
--output            Path where to save the signature (default: <file>.sig next to the input file)
--verify            Verify an existing signature instead of signing
--verbose           Enable verbose logging
--pkcs12-password   Password for the PKCS#12 certificate, if one is required

Signing a file

azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file

This will create a detached signature file at path/to/file.sig.

Verifying a signature

azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --verify

Specifying a signature output path

azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --output path/to/custom-signature.sig

Working with password-protected certificates

If your certificate in Azure Key Vault is password-protected:

azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --pkcs12-password your-password

Certificate Formats

Azure Code Signer automatically handles various certificate formats:

  • Certificates in Azure Key Vault (native format)
  • PKCS#12 (PFX) format with or without password protection
  • PEM format certificates and keys
  • Base64-encoded certificates
  • Raw certificate data with missing headers

The tool will attempt to detect and convert between formats as needed.
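The format detection described above, as an added example that is not the project's own loader: a stdlib-only classifier that tells PEM, raw DER, PKCS#12 (PFX) and base64-wrapped or header-stripped blobs apart, and re-armors bare DER as PEM. The ASN.1 checks (a PFX opens with INTEGER 3; a certificate is any other complete SEQUENCE) are the only assumptions, and the sample blob is constructed, not a real certificate.

```python
import base64
import re

# Added example, not the project's own loader: classify a certificate blob pulled from Key Vault so the
# right decoder (PEM / DER / PKCS#12) can be chosen, and re-armor headerless base64 as PEM.
PEM_RE = re.compile(rb"-----BEGIN [A-Z0-9 ]+-----")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
# Constructed sample (not a real PFX): SEQUENCE { INTEGER 3 } is enough to exercise the version check.
SAMPLE_PFX_LIKE = b"\x30\x03\x02\x01\x03"

def der_header(data):
    """(header_len, content_len) if data opens with a DER SEQUENCE tag, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                       # short-form length
        return 2, data[1]
    n = data[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")

def classify_der(data):
    """'pkcs12' if the complete SEQUENCE opens with INTEGER 3 (PFX v3), 'der' otherwise (e.g. X.509), None on length mismatch."""
    hdr = der_header(data)
    if hdr is None or hdr[0] + hdr[1] != len(data):
        return None
    return "pkcs12" if data[hdr[0]:hdr[0] + 3] == b"\x02\x01\x03" else "der"

def detect_format(blob):
    """Return (kind, normalized_bytes); kind is pem, pkcs12, der or unknown."""
    if isinstance(blob, str):
        blob = blob.encode()
    if PEM_RE.search(blob):
        return "pem", blob
    compact = b"".join(blob.split())         # tolerate line-wrapped base64
    if B64_RE.match(compact):                # Key Vault returns a PKCS#12 certificate's backing secret as
        try:                                 # base64 PFX; a cert body stripped of its PEM headers looks alike
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            decoded = b""
        kind = classify_der(decoded)
        if kind:
            return kind, decoded
    kind = classify_der(blob)                # raw binary DER or PFX
    return (kind, blob) if kind else ("unknown", blob)

def to_pem(der, label="CERTIFICATE"):
    """Re-armor raw DER as PEM (64-column base64): the repair for a blob whose headers went missing."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN %b-----\n%b\n-----END %b-----\n" % (label.encode(), b"\n".join(lines), label.encode())
```

A real loader would hand the normalized bytes to the matching decoder (PEM/DER certificate parser or PKCS#12 unpacker with the --pkcs12-password value); this block only decides which one to call.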

Troubleshooting

Enable verbose logging

For detailed debugging information:

azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --verbose

Permission errors

Ensure your Azure account has the following permissions on the Key Vault:

  • get permission for certificates
  • get permission for secrets

Certificate format issues

If you encounter errors like "Failed to load certificate and/or private key", check:

  • Is the certificate in the expected format?
  • Does it require a password? (Use --pkcs12-password)
  • Does the service principal have access to both certificate and secret?

Authentication errors

If authentication fails:

  • Check that environment variables are correctly set and spelled
  • Verify the service principal has appropriate permissions
  • Try using Azure CLI authentication with az login
  • Ensure your client secret hasn't expired
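A preflight for the checks in this list that can be done locally, added here as an example and not part of the tool: it validates the three service-principal variables (presence, GUID shape, leftover README placeholders), flags AZURE_* names that look like misspellings of the documented ones, checks the --vault-url shape, and reports which stage of the DefaultAzureCredential chain (in the order the README gives) will end up answering. The IDENTITY_ENDPOINT/MSI_ENDPOINT heuristic for managed identity and the public-cloud vault suffix are assumptions of this example.

```python
import difflib
import os
import re
import sys
from urllib.parse import urlparse

# Added example, not part of the tool: a preflight for the items in the troubleshooting list that can be
# checked locally (variable names and values, vault URL) before invoking azure-code-signer.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
KNOWN = set(SP_VARS) | {"AZURE_SUBSCRIPTION_ID"}
PLACEHOLDERS = {"your-tenant-id", "your-client-id", "your-client-secret"}

def credential_source(env):
    """Which stage of the DefaultAzureCredential chain (in the README's order) will answer: the
    environment stage only fires when all three service-principal variables are set."""
    if all(env.get(v) for v in SP_VARS):
        return "environment"
    if env.get("IDENTITY_ENDPOINT") or env.get("MSI_ENDPOINT"):   # assumption: hosts with a managed identity set these
        return "managed-identity"
    return "vscode/azure-cli/interactive"    # the later stages of the chain

def check_environment(env, vault_url):
    """Return a list of problems found in env (a mapping like os.environ) and the --vault-url value."""
    problems = []
    present = [v for v in SP_VARS if env.get(v)]
    if present and len(present) < len(SP_VARS):
        problems.append("partial service-principal config; missing: "
                        + ", ".join(v for v in SP_VARS if not env.get(v)))
    for var in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID"):
        if env.get(var) and not GUID_RE.match(env[var]):
            problems.append(f"{var} is not a GUID")
    if any(env.get(v) in PLACEHOLDERS for v in SP_VARS):
        problems.append("README placeholder value left in an AZURE_* variable")
    for key in env:                          # a misspelled name is simply ignored by the credential chain
        if key not in KNOWN and difflib.get_close_matches(key, KNOWN, n=1, cutoff=0.8):
            problems.append(f"unrecognised variable {key} (misspelling of a known AZURE_* name?)")
    url = urlparse(vault_url)
    if url.scheme != "https" or not (url.hostname or "").endswith(".vault.azure.net"):
        problems.append("--vault-url should look like https://<name>.vault.azure.net/ (public cloud suffix)")
    return problems

if __name__ == "__main__":
    print("credential source:", credential_source(os.environ))
    for problem in check_environment(dict(os.environ), sys.argv[1] if len(sys.argv) > 1 else ""):
        print("problem:", problem)
```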

Error: bytearray object cannot be converted to PyBytes

This error is typically resolved by newer versions of the tool. Update to the latest version:

pip install --upgrade azure-code-signer

Security Considerations

  • Never commit environment variables with secrets to source control
  • Consider using a secure secrets manager to store service principal credentials
  • For CI/CD pipelines, use the pipeline's built-in secrets management
  • Limit the permissions of your service principal to only what's needed
  • Rotate your client secrets regularly

Azure Key Vault Setup

  1. Create a Key Vault in Azure Portal
  2. Import or generate a code signing certificate
  3. Add a secret with the same name as your certificate
  4. Grant your user or service principal access to the Key Vault

Contributing

Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes.

License

This project is licensed under the MIT License. See the LICENSE file for more details.

Source Distribution

azure_code_signer-0.1.5.tar.gz (8.8 kB)

Built Distribution

azure_code_signer-0.1.5-py3-none-any.whl (10.2 kB)

File details for azure_code_signer-0.1.5.tar.gz

  • Size: 8.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9


Provenance

The following attestation bundles were made for azure_code_signer-0.1.5.tar.gz:

Publisher: publish-to-pypi.yml on attieretief/azure-code-signer

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.


Provenance

The following attestation bundles were made for azure_code_signer-0.1.5-py3-none-any.whl:

Publisher: publish-to-pypi.yml on attieretief/azure-code-signer

