I Azure Trusted signing fast and reliable?

Ryan Wagner 20 Reputation points
2024-08-09T21:47:00.1933333+00:00

We do our builds of our exe's, dll's etc on a physical server computer running Visual Studio 2022.

We generate hundreds of files that need code signing using signtool.exe.

We just got our code signing certificate renewed and we have been signing files using a Yubikey 5 nano FIPS with Comodo/Sectigo certificate currently.

There are 2 problems with this approach.

1.) If there server computer is in a locked room and has the Yubikey inserted into it then developers cannot remote desktop from client computer (Windows OS) to the server computer to sign files. Signing must be done on the physical computer.

2.) Signing is much slower for us then when we signed with a pfx file and did not have to deal with a hardware key.

We were wondering if Azure Trusted Signing would solve these problems?

Can we still build all our exe's, dll's setup files etc on the server computer and have Azure code sign the files?

We are really concerned about how fast signing would be with Azure. We want to be able to sign multiple files in a second if possible. Does anyone know approximately how long it takes in seconds to sign a file in Azure? File would have to be countersigned to timestamp url as well of course. How would the performance compare to using a Yubikey 5 nano FIPS?

We only need sha256 for our signing...

Finally, would the exe's, dll's etc have to be uploaded to Azure? or can the files be signed right on the server computer.

How would we get started on code signing files with Azure?

Thanks,

Azure Trusted Signing
Azure Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the certificate signing process and helps partner developers more easily build and distribute applications.
73 questions
0 comments
Accepted answer
  1. Konstantinos Passadis 19,066 Reputation points MVP
    2024-08-09T23:01:03.3233333+00:00

    Hello @Ryan Wagner !

    Welcome to Microsoft QnA!

    I will try to address your question generic as it may be !

    Azure Key Vault can potentially solve your problems by allowing remote signing without physical access to the hardware key and providing a scalable, secure solution. The signing process would likely be faster than using a YubiKey, especially in remote scenarios. The files do not need to be uploaded to Azure; they can be signed locally on your server using Azure Key Vault's signing key.

    https://video2.skills-academy.com/en-us/azure/key-vault/managed-hsm/overview

    Azure Key Vault allows code signing to be done remotely without requiring physical access to the hardware key (YubiKey). Developers can remotely access the Key Vault to perform code-signing operations, meaning the physical server doesn’t need to be in an accessible location.

    • Performance: Azure Key Vault is designed for enterprise-grade scalability and performance, so it can handle multiple signing operations efficiently.
    • Batch Signing: Azure Key Vault does not natively support bulk signing in one call, so each file would still require an individual signing operation. However, since these operations can be executed programmatically, the signing process can be parallelized to some extent to improve throughput.
    • Comparison with YubiKey: While the exact time per file can vary, using Azure Key Vault should generally be faster than a YubiKey, especially when considering remote scenarios. The operations might still be slower than local signing with a PFX, but the trade-offs include enhanced security and the ability to sign from any machine with appropriate access.
    • Centralized key management: Manage critical, high-value keys across your organization in one place. With granular per key permissions, control access to each key on the 'least privileged access' principle.
    • Isolated access control: Managed HSM "local RBAC" access control model allows designated HSM cluster administrators to have complete control over the HSMs that even management group, subscription, or resource group administrators cannot override.
    • Private endpoints: Use private endpoints to securely and privately connect to Managed HSM from your application running in a virtual network.
    • FIPS 140-2 Level 3 validated HSMs: Protect your data and meet compliance requirements with FIPS (Federal Information Protection Standard) 140-2 Level 3 validated HSMs. Managed HSMs use Marvell LiquidSecurity HSM adapters.
    • Monitor and audit: fully integrated with Azure monitor. Get complete logs of all activity via Azure Monitor. Use Azure Log Analytics for analytics and alerts.
    • Data residency: Managed HSM doesn't store/process customer data outside the region the customer deploys the HSM instance in.

    i suggest to contact your prefered Microsoft Specialist and deep dive into the advantages of Key Vault , & Key Vault Premium SKU !

    --

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.