We have a new Code Sign certificate. This time it is an EV Code Sign certificate from GlobalSign. The certificate is now only available in Azure Key Vault as RSA-HSM.
I did manage to sign DLLs and executables using AzureSignTool, where I also asked this question.
Todo:
This question:
After reading into what VBA signing is, I figured out that signing a VBA file is in fact done by SignedCms. Looking at the source from EPPlus, I found that it is doing it that way.
Except that we do not have the private key directly; the Azure Key Vault has it. A piece of code can obtain it when it has access to the key vault, but only the RSA private key.
Perhaps this issue is related? dotnet/runtime#24707
Which is implemented in .NET Core 3.0 and newer: dotnet/corefx#29219
I recently had to do exactly this, and it was more painful than I had expected. It turns out that Azure Key Vault is currently the only cloud KMS that can do it. This is because VBA macro signing requires at least one signature that uses MD5, and the other KMS providers (i.e., AWS KMS and Google KMS) only support SHA-256, SHA-384, and SHA-512 signature schemes. Azure Key Vault can do it because it supports RSNULL, which means you can hash the data and apply the ASN.1 encoding client-side (in your cryptographic service provider) before sending it to Azure for signing.
Long story short, you need to implement the CNG interface to create a KSP that does the client-side hashing, ASN.1 encoding (since it is an RSA signature), and then sends the result to Azure for signing while specifying RSNULL as the signature algorithm. Alternatively, you can use a third party solution that does all this for you. We use this one, although there may be others out there as well.
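To make the answer above concrete, here is an added example (not code from the original thread, the EPPlus project, or Microsoft) showing the client-side half of the RSNULL flow: hashing with MD5, wrapping the digest in the PKCS#1 v1.5 DigestInfo structure from RFC 8017, and handing that to a signer that applies raw PKCS#1 v1.5 padding without hashing. The Key Vault side is a constructed stand-in (`ToyKeyVault`) backed by a throwaway 512-bit key generated in pure Python; it assumes that `RSNULL` means "pad the client-supplied DigestInfo with EMSA-PKCS1-v1_5 and sign it as-is", while `RS256` means "accept only a 32-byte SHA-256 digest and build the DigestInfo for it". The second path is the same restriction a SHA-only KMS imposes, which is why it cannot produce the MD5 signature VBA signing needs.

```python
import hashlib
import random

# DER prefixes of the PKCS#1 v1.5 DigestInfo structure (RFC 8017, section 9.2, note 1).
# DigestInfo = prefix || hash output; the prefix encodes the AlgorithmIdentifier and
# the OCTET STRING header. This is the "ASN.1 encoding" a client must do itself for RSNULL.
DIGEST_INFO_PREFIX = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def digest_info(alg: str, data: bytes) -> bytes:
    """Hash `data` with `alg` and return the DER-encoded DigestInfo (client-side step)."""
    return DIGEST_INFO_PREFIX[alg] + hashlib.new(alg, data).digest()


def emsa_pkcs1_v15_encode(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 padding: 0x00 0x01 FF..FF 0x00 || T, for a k-byte modulus."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin test; good enough for a throwaway demo key, not for real key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_toy_rsa_key(bits: int = 512, seed: int = 1):
    """Deterministic toy RSA key (n, e, d) standing in for the HSM-held key. Demo only."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


class ToyKeyVault:
    """Constructed stand-in for the Key Vault sign operation; the private key never leaves it."""

    def __init__(self, n: int, e: int, d: int):
        self.n, self.e, self.d = n, e, d
        self.k = (n.bit_length() + 7) // 8

    def sign(self, algorithm: str, value: bytes) -> bytes:
        if algorithm == "RS256":
            # SHA-only behaviour: the service builds the DigestInfo itself, so only a
            # 32-byte SHA-256 digest is accepted. An MD5 digest (16 bytes) is rejected.
            if len(value) != 32:
                raise ValueError("RS256 expects a 32-byte SHA-256 digest")
            t = DIGEST_INFO_PREFIX["sha256"] + value
        elif algorithm == "RSNULL":
            t = value  # assumed semantics: client-supplied DigestInfo, used untouched
        else:
            raise ValueError(f"unsupported algorithm {algorithm}")
        em = emsa_pkcs1_v15_encode(t, self.k)
        return pow(int.from_bytes(em, "big"), self.d, self.n).to_bytes(self.k, "big")


def sign_md5_via_rsnull(vault: ToyKeyVault, data: bytes) -> bytes:
    """The KSP-side recipe from the answer: hash + ASN.1 encode locally, sign with RSNULL."""
    return vault.sign("RSNULL", digest_info("md5", data))


def verify_pkcs1_v15(alg: str, data: bytes, signature: bytes, n: int, e: int) -> bool:
    """Standard RSASSA-PKCS1-v1_5 verification, as an Office-style verifier would perform it."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_encode(digest_info(alg, data), k)


if __name__ == "__main__":
    n, e, d = generate_toy_rsa_key(512, seed=7)
    vault = ToyKeyVault(n, e, d)
    payload = b"vbaProject.bin contents (constructed sample)"  # constructed input
    sig = sign_md5_via_rsnull(vault, payload)
    print("md5WithRSA signature verifies:", verify_pkcs1_v15("md5", payload, sig, n, e))
```

The signature produced through the RSNULL path is an ordinary md5WithRSAEncryption PKCS#1 v1.5 signature, so a verifier that knows nothing about Key Vault accepts it. Note that `ToyKeyVault.sign("RS256", ...)` refuses the 16-byte MD5 digest, which is the same dead end the answer describes for AWS KMS and Google KMS; a real deployment sends the DigestInfo to the Key Vault REST or SDK sign call with `RSNULL` instead, and the toy key here is only for running the example offline.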