Can I use Azure Key Vault to sign a jar file using jarsigner?


I have a certificate in Azure Key Vault which I don't want to import to the signing machine. Instead I want to use that certificate to sign a jar file by authenticating to Azure Key Vault or some other way. Is there any way to achieve this? Thanks in advance.


Julian Hüppauff

KeyVault is just a provider to store secrets, keys and certificates. It does not offer any options to execute anything on it.

If you want to use the certificate you need to retrieve it:

# Look up the certificate, then the secret that backs it (the PFX, base64-encoded;
# it contains the private key only if the key was created as exportable)
$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $cert.Name
# Decode the PFX bytes (ConvertFrom-SecureString -AsPlainText requires PowerShell 7+)
$secretByte = [Convert]::FromBase64String(($secret.SecretValue | ConvertFrom-SecureString -AsPlainText))
# Write to a file
[System.IO.File]::WriteAllBytes("cert.pfx", $secretByte)

You could however execute the signing task as part of an Azure DevOps Pipeline or inside an Azure Container Instance, so the certificate will not be stored on your local device. But at some point the certificate needs to leave the Key Vault to be worked with.

Emmanuel Bourg

You can use the Jsign JCA provider to use an Azure KeyVault key with jarsigner.

The syntax looks like this:

jarsigner -J-cp -Jjsign.jar -J--add-modules -Jjava.sql \
          -providerClass net.jsign.jca.JsignJcaProvider \
          -providerArg <vault-name> \
          -keystore NONE \
          -storetype AZUREKEYVAULT \
          -storepass <api-access-token> \
          application.jar <key-name>

(disclaimer: I'm the author of this project)
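A sign-then-verify wrapper around the jarsigner invocation above, added here as an example and not part of the answer or of the Jsign project. It assumes the Azure CLI is logged in with access to the vault, `jsign.jar` is in the current directory, and the vault and key names are supplied as arguments; the token is passed through an environment variable (`-storepass:env`, a standard jarsigner option) so it does not appear in the process list or shell history of the build agent.

```shell
# Added example: sign a jar with a Key Vault key via the Jsign JCA provider, then
# verify the result. Assumes: az CLI logged in, jsign.jar in cwd, network access
# to the vault. Vault name, key name and jar path are caller-supplied placeholders.

get_vault_token() {
  # Key Vault wants a token scoped to the vault resource, not the ARM resource.
  az account get-access-token --resource https://vault.azure.net \
     --query accessToken -o tsv
}

sign_jar() {
  # usage: sign_jar <vault-name> <key-name> <jar>
  [ $# -eq 3 ] || { echo "usage: sign_jar <vault-name> <key-name> <jar>" >&2; return 2; }
  vault=$1; key=$2; jar=$3
  [ -f "$jar" ] || { echo "no such jar: $jar" >&2; return 2; }
  # The token goes through the environment (-storepass:env) rather than argv.
  AZURE_KV_TOKEN=$(get_vault_token) || return 1
  export AZURE_KV_TOKEN
  jarsigner -J-cp -Jjsign.jar -J--add-modules -Jjava.sql \
            -providerClass net.jsign.jca.JsignJcaProvider \
            -providerArg "$vault" \
            -keystore NONE \
            -storetype AZUREKEYVAULT \
            -storepass:env AZURE_KV_TOKEN \
            "$jar" "$key"
  status=$?
  unset AZURE_KV_TOKEN
  return $status
}

verify_jar() {
  # Independent check that the signature validates; -certs prints the signer chain.
  [ $# -eq 1 ] || { echo "usage: verify_jar <jar>" >&2; return 2; }
  jarsigner -verify -verbose -certs "$1"
}

sign_and_verify() {
  # usage: sign_and_verify <vault-name> <key-name> <jar>
  sign_jar "$@" && verify_jar "$3"
}

if [ $# -gt 0 ]; then sign_and_verify "$@"; fi
```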