# Azure Code Signer
Azure Code Signer is a command line tool that allows you to code sign files using a code signing certificate stored in Azure Key Vault. This tool is designed to work across multiple platforms, including Linux, macOS, and Windows.
## Features
- Authenticate with Azure Key Vault to retrieve code signing certificates
- Sign files using certificates from Azure Key Vault
- Generate detached signature files (.sig)
- Verify file signatures
- Cross-platform compatibility (Windows, macOS, Linux)
- Support for various certificate formats (PEM, DER, PKCS#12)
## Prerequisites
- Python 3.7 or higher
- An Azure account with access to Azure Key Vault
- A code signing certificate stored in Azure Key Vault
## Installation
### Using pip (recommended)
```bash
pip install azure-code-signer
```
### From source
```bash
git clone https://github.com/yourusername/azure-code-signer.git
cd azure-code-signer
pip install -e .
```
## Authentication with Azure
The tool uses `DefaultAzureCredential` from the `azure-identity` package for authentication, which tries multiple authentication methods in the following order:
1. Environment variables
2. Managed Identity
3. Visual Studio Code credentials
4. Azure CLI credentials
5. Interactive browser authentication
### Authentication via Environment Variables
To authenticate using environment variables, set the following:
```bash
# Required for service principal authentication
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-client-secret
# Optional - to specify which subscription to use
AZURE_SUBSCRIPTION_ID=your-subscription-id
```
#### Setting Up a Service Principal
1. **Create a service principal in Azure**:
   ```bash
   az ad sp create-for-rbac --name "AzureCodeSigner" --skip-assignment
   ```
   This will output JSON containing your `appId` (client ID), `password` (client secret), and `tenant`.
2. **Grant Key Vault access to your service principal**:
   ```bash
   az keyvault set-policy --name your-keyvault-name \
     --object-id <service-principal-object-id> \
     --certificate-permissions get list \
     --secret-permissions get list
   ```
#### Setting Environment Variables
**Linux/macOS**:
```bash
export AZURE_TENANT_ID=your-tenant-id
export AZURE_CLIENT_ID=your-client-id
export AZURE_CLIENT_SECRET=your-client-secret
```
**Windows (Command Prompt)**:
```cmd
set AZURE_TENANT_ID=your-tenant-id
set AZURE_CLIENT_ID=your-client-id
set AZURE_CLIENT_SECRET=your-client-secret
```
**Windows (PowerShell)**:
```powershell
$env:AZURE_TENANT_ID = "your-tenant-id"
$env:AZURE_CLIENT_ID = "your-client-id"
$env:AZURE_CLIENT_SECRET = "your-client-secret"
```
### Authentication via Azure CLI
If you prefer interactive authentication, you can use Azure CLI:
```bash
# Login with Azure CLI
az login
# Set your subscription (if necessary)
az account set --subscription <subscription-id>
```
## Usage
### Basic usage
```bash
azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file
```
### Command line arguments
| Argument | Description |
|----------|-------------|
| `--vault-url` | URL of your Azure Key Vault (required) |
| `--cert-name` | Name of the certificate in Key Vault (required) |
| `--file` | Path to the file to sign or verify (required) |
| `--output` | Path where to save the signature (default: `<file>.sig` next to the input file) |
| `--verify` | Verify an existing signature instead of signing |
| `--verbose` | Enable verbose logging |
| `--pkcs12-password` | Password for PKCS#12 certificate if required |
### Signing a file
```bash
azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file
```
This will create a detached signature file at `path/to/file.sig`.
### Verifying a signature
```bash
azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --verify
```
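The two commands above sign a file into a detached `.sig` and verify it again. The following is an added example, not the azure-code-signer project's code: it carries out that flow end to end with the `cryptography` package the tool depends on. The certificate and key are generated in memory as a stand-in for one fetched from Azure Key Vault, and the signature layout (RSA-PSS over the file bytes, written to `<file>.sig`) is an assumption; the tool's own `.sig` format may differ. The verifier also checks what a signature alone does not prove: that the certificate is within its validity window and carries the Code Signing extended key usage, and that a modified file or an unrelated certificate fails.

```python
"""Detached signing and verification of a file (added example, not the project's code).

The signing certificate/key are generated in memory as a stand-in for a Key Vault
certificate; the RSA-PSS <file>.sig layout is an assumption, not the tool's format.
"""
from __future__ import annotations

import datetime
import pathlib
import tempfile
from typing import Optional

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def make_stand_in_cert(cn: str = "example-code-signing"):
    """Constructed self-signed certificate with the Code Signing EKU (replaces Key Vault here)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def sign_file(key, path: pathlib.Path, output: Optional[pathlib.Path] = None) -> pathlib.Path:
    """Write a detached signature (default <file>.sig) and return its path."""
    output = output or path.with_name(path.name + ".sig")
    output.write_bytes(key.sign(path.read_bytes(), PSS, hashes.SHA256()))
    return output


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only naive UTC
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_file(cert, path: pathlib.Path, sig_path: Optional[pathlib.Path] = None) -> bool:
    """True only if cert is in its validity window, has the Code Signing EKU,
    and its public key verifies the detached signature over the current file bytes."""
    sig_path = sig_path or path.with_name(path.name + ".sig")
    now = datetime.datetime.now(datetime.timezone.utc)
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        return False
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
        return False
    try:
        cert.public_key().verify(sig_path.read_bytes(), path.read_bytes(), PSS, hashes.SHA256())
    except InvalidSignature:
        return False
    return True


def demo() -> dict:
    """Sign a constructed artifact, verify it, then show that tampering and a wrong signer fail."""
    key, cert = make_stand_in_cert()
    _, other_cert = make_stand_in_cert("unrelated-signer")
    with tempfile.TemporaryDirectory() as tmp:
        artifact = pathlib.Path(tmp) / "release.bin"
        artifact.write_bytes(b"constructed sample artifact\n")
        sig = sign_file(key, artifact)
        result = {
            "sig_name": sig.name,
            "valid": verify_file(cert, artifact),
            "wrong_signer": verify_file(other_cert, artifact),
        }
        artifact.write_bytes(b"constructed sample artifact, modified after signing\n")
        result["tampered"] = verify_file(cert, artifact)
    return result


if __name__ == "__main__":
    print(demo())
```

Because the signature is detached, the `.sig` must travel with the file; the verifier must also pin which certificate it trusts, since a valid signature from an unrelated certificate is rejected above only because the expected certificate is passed in explicitly.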
### Specifying a signature output path
```bash
azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --output path/to/custom-signature.sig
```
### Working with password-protected certificates
If your certificate in Azure Key Vault is password-protected:
```bash
azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --pkcs12-password your-password
```
## Certificate Formats
Azure Code Signer automatically handles various certificate formats:
- Certificates in Azure Key Vault (native format)
- PKCS#12 (PFX) format with or without password protection
- PEM format certificates and keys
- Base64-encoded certificates
- Raw certificate data with missing headers
The tool will attempt to detect and convert between formats as needed.
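How a tool can tell these formats apart before choosing a loader, as an added example that is not the project's own code: the rules below distinguish PEM, raw DER, and base64-encoded DER (the shape of a Key Vault certificate secret, which is a base64 PKCS#12 blob by default), and use the first element inside the outer ASN.1 SEQUENCE to separate an X.509 certificate from a PKCS#12 or private-key blob. The dict keys, the `normalize` contract, and the sample blobs (syntactically valid ASN.1 stand-ins, not real certificates) are constructed for this example.

```python
"""Heuristic detection of certificate material formats (added example, not the project's code).

Classification rules and sample blobs are constructed for illustration.
"""
from __future__ import annotations

import base64
import binascii
import re

# A PEM block: "-----BEGIN <LABEL>-----", base64 body, matching "-----END <LABEL>-----"
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def _parse_sequence(der: bytes):
    """(header_len, total_len) for an outer DER SEQUENCE, or None if the bytes are not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2, 2 + der[1]
    n = der[1] & 0x7F                      # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, 2 + n + int.from_bytes(der[2:2 + n], "big")


def _der_content(der: bytes) -> str:
    """'x509', 'pkcs12-or-private-key', 'unknown', or 'not-der' when the outer SEQUENCE is inconsistent."""
    parsed = _parse_sequence(der)
    if parsed is None or parsed[1] != len(der):
        return "not-der"
    header = parsed[0]
    inner = der[header] if len(der) > header else None
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }         -> first inner tag 0x30
    # PFX ::= SEQUENCE { version INTEGER, ... }; PKCS#8/PKCS#1 keys also begin with INTEGER -> 0x02
    return {0x30: "x509", 0x02: "pkcs12-or-private-key"}.get(inner, "unknown")


def detect(blob) -> dict:
    """Classify certificate material and return the DER payload when one can be recovered."""
    blob = bytes(blob)  # bytearray -> bytes up front; some loaders accept only bytes
    m = PEM_BLOCK.search(blob)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(2).split()))
        except (binascii.Error, ValueError):
            der = b""
        return {"encoding": "pem", "content": _der_content(der), "der": der}
    if _der_content(blob) != "not-der":
        return {"encoding": "der", "content": _der_content(blob), "der": blob}
    try:
        der = base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        der = b""
    if der and _der_content(der) != "not-der":
        return {"encoding": "base64", "content": _der_content(der), "der": der}
    return {"encoding": "unknown", "content": "unknown", "der": b""}


def to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER in PEM headers with 64-column base64 lines (restores missing headers)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines) + b"\n-----END " + tag + b"-----\n"


def normalize(blob) -> tuple[str, bytes]:
    """('pem', PEM bytes) for an X.509 certificate whatever its input encoding,
    ('pkcs12', DER) for a PFX-shaped blob (a password may still be needed), else ('unknown', b'')."""
    info = detect(blob)
    if info["content"] == "x509":
        return "pem", to_pem(info["der"])
    if info["content"] == "pkcs12-or-private-key":
        return "pkcs12", info["der"]
    return "unknown", b""


# Constructed, syntactically valid ASN.1 stand-ins (not real certificates or PFX files)
FAKE_CERT_DER = b"\x30\x06\x30\x04\x02\x02\x00\x01"      # SEQUENCE { SEQUENCE { INTEGER 1 } }
FAKE_PFX_DER = b"\x30\x05\x02\x01\x03\x05\x00"            # SEQUENCE { INTEGER 3, NULL }
PEM_SAMPLE = to_pem(FAKE_CERT_DER)
BARE_BASE64_SAMPLE = base64.b64encode(FAKE_CERT_DER)       # "raw certificate data with missing headers"
KEY_VAULT_STYLE_SECRET = base64.b64encode(FAKE_PFX_DER)   # shape of a Key Vault certificate secret

if __name__ == "__main__":
    for sample in (PEM_SAMPLE, FAKE_CERT_DER, BARE_BASE64_SAMPLE, KEY_VAULT_STYLE_SECRET, b"junk!"):
        print(detect(sample)["encoding"], detect(sample)["content"], normalize(sample)[0])
```

Detection only decides which loader to try first; it does not validate the material. A blob classified as `pkcs12-or-private-key` still has to be opened with the PKCS#12 loader (and the `--pkcs12-password` value if one was set), and any certificate recovered this way must still be checked for the Code Signing key usage and validity period before it is used to sign anything.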
## Troubleshooting
### Enable verbose logging
For detailed debugging information:
```bash
azure-code-signer --vault-url https://your-vault.vault.azure.net/ --cert-name your-cert-name --file path/to/file --verbose
```
### Permission errors
Ensure your Azure account has the following permissions on the Key Vault:
- `get` permission for certificates
- `get` permission for secrets
### Certificate format issues
If you encounter errors like "Failed to load certificate and/or private key", check:
- Is the certificate in the expected format?
- Does it require a password? (Use `--pkcs12-password`)
- Does the service principal have access to both certificate and secret?
### Authentication errors
If authentication fails:
- Check that environment variables are correctly set and spelled
- Verify the service principal has appropriate permissions
- Try using Azure CLI authentication with `az login`
- Ensure your client secret hasn't expired
### Error: bytearray object cannot be converted to PyBytes
This error is typically resolved by newer versions of the tool. Update to the latest version:
```bash
pip install --upgrade azure-code-signer
```
## Security Considerations
- Never commit environment variables with secrets to source control
- Consider using a secure secrets manager to store service principal credentials
- For CI/CD pipelines, use the pipeline's built-in secrets management
- Limit the permissions of your service principal to only what's needed
- Rotate your client secrets regularly
## Azure Key Vault Setup
1. Create a Key Vault in Azure Portal
2. Import or generate a code signing certificate
3. Add a secret with the same name as your certificate
4. Grant your user or service principal access to the Key Vault
## Contributing
Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes.
## License
This project is licensed under the MIT License. See the LICENSE file for more details.
Raw data
{
"_id": null,
"home_page": null,
"name": "azure-code-signer",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": null,
"keywords": "azure, key-vault, code-signing, certificate, signature, security, digital-signature, cryptography",
"author": null,
"author_email": "Attie Retief <attie@attieretief.com>",
"download_url": "https://files.pythonhosted.org/packages/bb/2d/2300a7a321e4a582ebe36ccd8493501c12a4bc047f7bc99372566a2252cf/azure_code_signer-0.1.6.tar.gz",
"platform": null,
"description": "(verbatim copy of the README above; omitted)",
"bugtrack_url": null,
"license": "MIT",
"summary": "A command line tool to code sign files using a code signing certificate stored in Azure Key Vault.",
"version": "0.1.6",
"project_urls": {
"Bug Tracker": "https://github.com/attieretief/azure-code-signer/issues",
"Documentation": "https://github.com/attieretief/azure-code-signer#readme",
"Homepage": "https://github.com/attieretief/azure-code-signer",
"Source Code": "https://github.com/attieretief/azure-code-signer"
},
"split_keywords": [
"azure",
" key-vault",
" code-signing",
" certificate",
" signature",
" security",
" digital-signature",
" cryptography"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "047015a94d4e31d8e6541eb842c92f778e23f94e5658c4073c7ec946835d3edf",
"md5": "2d8e9fb88cca1c18fd1abe5468607187",
"sha256": "b414a9d3c3c19016579b54e53eb8fff93ab268ad74b4bb7db74418c7779967a7"
},
"downloads": -1,
"filename": "azure_code_signer-0.1.6-py3-none-any.whl",
"has_sig": false,
"md5_digest": "2d8e9fb88cca1c18fd1abe5468607187",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7",
"size": 11456,
"upload_time": "2025-07-29T18:24:43",
"upload_time_iso_8601": "2025-07-29T18:24:43.658929Z",
"url": "https://files.pythonhosted.org/packages/04/70/15a94d4e31d8e6541eb842c92f778e23f94e5658c4073c7ec946835d3edf/azure_code_signer-0.1.6-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "bb2d2300a7a321e4a582ebe36ccd8493501c12a4bc047f7bc99372566a2252cf",
"md5": "38e46e61d048edb5846cf2ff92bbac5c",
"sha256": "9fb5ba0ecf7a6c39d49d6ba44ba5acd05ecfaecd3816fc664520ad7aed37af5c"
},
"downloads": -1,
"filename": "azure_code_signer-0.1.6.tar.gz",
"has_sig": false,
"md5_digest": "38e46e61d048edb5846cf2ff92bbac5c",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 10094,
"upload_time": "2025-07-29T18:24:44",
"upload_time_iso_8601": "2025-07-29T18:24:44.811673Z",
"url": "https://files.pythonhosted.org/packages/bb/2d/2300a7a321e4a582ebe36ccd8493501c12a4bc047f7bc99372566a2252cf/azure_code_signer-0.1.6.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-29 18:24:44",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "attieretief",
"github_project": "azure-code-signer",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "azure-identity",
"specs": []
},
{
"name": "azure-keyvault-certificates",
"specs": []
},
{
"name": "azure-keyvault-secrets",
"specs": []
},
{
"name": "cryptography",
"specs": []
},
{
"name": "setuptools",
"specs": []
}
],
"lcname": "azure-code-signer"
}