VBA Macro Code Sign with Azure Key Vault - EV HSM Certificate

[ABNOTECHGuy]

Has anyone been able to successfully get the AzureSignTool to use the Office Subject Interface Packages to code-sign VBA Macro-enabled documents with a AzureKeyVault HSM EV Codesign certificate?

AzureSignTool seems to ignore the Office Subject Interface Packages.
https://www.microsoft.com/en-us/download/details.aspx?id=56617

[steve-west-m4a]

We would like to do this as well for xlsm files. We have gotten so far as to figure out we can't sign the whole xlsm file, rather we need to do this in 3 steps:

1. Use signtool to generate a digest file of the xlsm using the /dg parameter
2. Sign the digest file with the AzureKeyVault HSM EV Codesign certificate ****
3. Use signtool to ingest the resulting signed digest into the xlsm file using the /di flag

**** We are stuck at step 2. AzureSignTool does not seem to support the /ds flag. Here is the signtool documentation for signing a digest file:

/ds | Signs the digest only. The input file should be the digest generated by the /dg option. The output file is: .signed.

So does anyone know how to sign digest files with AzureKeyVault HSM certificates? Could we fork the existing repo and add this feature ourselves? What would be required?

Thanks,

Steve

[LyraHarring]

Yes, it is possible to sign VBA macro-enabled documents with an Azure Key Vault HSM EV Code Signing certificate, but AzureSignTool does not currently support the Office Subject Interface Packages directly. A common workaround is to first export the signed binary using AzureSignTool and then apply Microsoft’s signtool or Office-specific tools that respect the OSP. Another option is to use a local signing service that integrates with Azure Key Vault and can handle Office/VBA signatures. This way, your EV HSM certificate is still used securely while enabling proper VBA macro code signing.