Cache the certificate used for signing?

[scottmcburney]

We have an AzDO pipeline that uses AzureSignTool to sign all the dlls and executables before being packaged by our installer. Our product is an entire "platform" with thousands of dlls, passing them in a text file using the ifl parameter..

We are often getting throttled by the azure keyvault, and have had to reduce mdop to 2, which in turn slows the signing process significantly.

{"error":{"code":"Throttled","message":"Request was not processed because too many requests were received. Reason: VaultOperationLimitReached"}}

My guess is that this is happening because AzureSignTool is retrieving the certificate from the keyvault for every file being signed. Would it be possible to cache the certificate and reuse it so that only a single access to the keyvault needs to be made?

[vcsjones]

The certificate is cached, or at least is should be. The actual public certificate is fetched exactly once when the configuration is materialized here:

AzureSignTool/src/AzureSignTool/SignCommand.cs

Line 258 in 9f30f7a

var materializedResult = await configurationDiscoverer.Materialize(configuration);

That public certificate is then fed in to the signing operations here:

AzureSignTool/src/AzureSignTool/SignCommand.cs

Line 285 in 9f30f7a

using (var signer = new AuthenticodeKeyVaultSigner(keyVault, materialized.PublicCertificate, FileDigestAlgorithm, timeStampConfiguration, certificates))

AzureSignTool is retrieving the certificate from the keyvault for every file being signed.

AzureSignTool does not do local signing. For every sign operation, we say "Hey Azure Key Vault, please sign this with the private key". This is so that

1. The private key never needs to leave Azure.
2. HSM-backed keys can't do local signing. The private key is non-extractable.

Two follow up questions:

Are you using a software or HSM backed key? I'm assuming HSM since I think that is required by CA/B at this point, but want to double check.
How many bits is your RSA key?

[scottmcburney]

sorry, its been a busy few months getting a product ready for release. I really don't know much about the key or certificate, it is managed by an entirely different group in our company. But this has been a problem for us in Azure DevOps pipelines. if we are running a pipeline that signs files, we have to make sure no other pipelines signing files are starting close to the same time. And the number of files we are signing is large (like on the order of 17,000+ files taking ~27 minutes). Other pipelines that sign small numbers of files are just fine. I guess this is just a limitation we have to live with.