jar signing using a non exportable certificate with private key n azure key vault

[kk99999]

When a certificate which is not exportable and has a private key is stored in Azure Key Vault and the Azure Sign Tool is used within an Azure DevOps pipeline—with addSpnToEnvironment set to true—Azure DevOps automatically injects the credentials (tenant ID, client ID, and client secret) into the environment as variables, allowing files to be signed without explicitly providing these credentials. Is there any api available that would allow to sign a jar file without providing any private key?

[github-actions]

@adarce @cheathamb36 @chlowell @dhanvikapila @dragav @FabianGonzalez-MS @FRL200 @jackrichins @kasturi3k @kurtzeborn @mancycakv @marekkarbarz @melissamserv @osmuller @psivaram @rahulalapati43 @seanbamsft @sebansal @vakuncha @vcolin7 @vickm

[github-actions]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[vcolin7]

@kk9999 what is the Azure Sign Tool? Is it a part of the Azure SDK for Java? I haven't heard of that before.

If you're asking if we have anything in Java that lets you sign a JAR, you might want to look into using the azure-security-keyvault-jca library. @saragluna and @rujche can provide more details on if it's possible to sign for your scenario.

Also, are you asking to be able to sign without providing a private key every time or at all?

[kk99999]

Azure Sign Tool is a command-line utility used to digitally sign files using certificates stored in Azure Key Vault, rather than using any local certificate stores. It can used for CI/CD pipelines (Azure DevOps) where you want to sign executables or dlls without exposing private keys(no need to specify client id, client secret and tenant id). https://github.com/vcsjones/AzureSignTool. With azure-security-keyvault-jca, can i sign jar files similarly without providing private key and use it in my CI/CD pipeline? If so could you please provide me details on how to use this?