You must have a code signing certificate that works with SignTool. There are two common approaches:
- PFX File (Exported Locally)
  - Extracted from AWS Certificate Manager (ACM) Private CA or manually generated
  - Stored securely on the local signing agent (not recommended for high-security use cases)
- Token-based or HSM-backed Certificate
  - Integrated with AWS CloudHSM
  - Accessed via middleware such as CNG, PKCS#11, or KSP provider

If using AWS KMS or CloudHSM, you may need to use a custom cryptographic provider that bridges the signing operation with SignTool.
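
The two approaches differ only in how SignTool is told where the private key is. The script below is an added example, not part of the original page; every path, the timestamp URL, the provider name, the key container name and the `PFX_PASSWORD` variable are placeholders assumed for illustration.

```powershell
# Added example: invoke SignTool for either certificate source, then verify.
# All default values below are placeholders (assumptions), not real endpoints or names.
param(
    [Parameter(Mandatory)][ValidateSet('Pfx', 'Hsm')][string]$Mode,
    [Parameter(Mandatory)][string]$FileToSign,
    [string]$SignTool     = 'signtool.exe',                  # assumed to be on PATH
    [string]$TimestampUrl = 'http://timestamp.example.com',  # placeholder RFC 3161 server
    [string]$PfxPath      = 'C:\signing\codesign.pfx',       # placeholder
    [string]$CertPath     = 'C:\signing\codesign.cer',       # public certificate only (placeholder)
    [string]$Provider     = '<KSP or CSP name installed by your HSM client>',
    [string]$KeyContainer = '<key container name on the HSM>'
)

# Options shared by both modes: SHA-256 file digest and an RFC 3161 timestamp.
$common = @('sign', '/v', '/fd', 'SHA256', '/tr', $TimestampUrl, '/td', 'SHA256')

switch ($Mode) {
    'Pfx' {
        # The private key sits in the PFX on disk. The password comes from an
        # environment variable populated by the CI secret store; /p still places
        # it on the SignTool command line, visible to local process listings.
        if (-not $env:PFX_PASSWORD) { throw 'PFX_PASSWORD is not set' }
        $source = @('/f', $PfxPath, '/p', $env:PFX_PASSWORD)
    }
    'Hsm' {
        # The private key stays on the HSM. SignTool reads the public certificate
        # via /f and reaches the key through the provider (/csp) and container (/kc).
        $source = @('/f', $CertPath, '/csp', $Provider, '/kc', $KeyContainer)
    }
}

& $SignTool @common @source $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Check the result against the default Authenticode verification policy.
& $SignTool verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

In `Hsm` mode the signing agent holds no exportable key material, so a compromised agent can request signatures while it has access but cannot copy the key.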


