Versions:

  • 7.0.0
  • 6.0.1
  • 6.0.0

AzureSignTool, developed by Kevin Jones, is a command-line utility that performs Authenticode digital signing of Windows executables, libraries, installers and scripts using certificates stored in Microsoft Azure Key Vault. Its primary purpose is to replace traditional hardware-token or local-file-based signing workflows with a cloud-centric model, eliminating the need for physical smart cards or on-premises Hardware Security Modules while still meeting the strict cryptographic requirements of Microsoft’s Trusted Root Certificate Program.

Typical use cases include nightly build pipelines that automatically sign device drivers, MSI packages, ClickOnce deployments, PowerShell modules and NuGet artifacts; DevOps teams that need to share a single Key Vault–protected certificate across multiple agents without exporting private keys; and independent software vendors seeking to comply with Windows User Access Control and SmartScreen reputation thresholds. The tool implements RFC 3161 timestamping via public authorities such as DigiCert or GlobalSign, supports SHA-256 and SHA-512 digest algorithms, and is compatible with both portable and kernel-mode driver signing.

Version 7.0.0, the third major release published to NuGet and GitHub, introduces asynchronous renewal of Azure AD tokens, improved retry logic for large-file hashing, and alignment with the latest Key Vault service REST API, ensuring uninterrupted operation even when transient network issues occur. Because the utility is distributed under the permissive MIT license, it can be embedded into CI/CD templates for Azure DevOps, GitHub Actions, GitLab or Jenkins without licensing concerns.

AzureSignTool is available for free on get.nero.com, with downloads provided via trusted Windows package sources such as winget, always delivering the latest version and supporting batch installation of multiple applications.