In this instructional video, Ian Pinawin (Senior Technical Support Engineer, Revenera) demonstrates how to integrate InstallShield with Azure Key Vault.
Video Credit: Ian Pinawin, Senior Technical Support Engineer - Revenera
More Information
Note that in the manual call to azuresigntool.exe to digitally sign an arbitrary file (C:\setup.exe) in the example given in the video and shown below:
azuresigntool.exe sign -du "https://www.revenera.com" -fd sha256 –kvu https://myazurekeyvault1224.vault.azure.net -kvi <Client ID of the service principal or the user identity> -kvt <Tenant ID of the service principal or the user identity> -kvs <Secret (token) used to authenticate to Azure Key Vault> -kvc MyTestCertificate1224 -tr http://timestamp.digicert.com -td sha256 -v C:\setup.exe
C:\setup.exe is replaced by %1, and this command is placed in a Windows batch file, where %1 is the first argument passed to the batch file. When InstallShield uses the Custom signing type, it calls the batch file and passes the file to sign as an argument. InstallShield repeats this process for each file to be signed by azuresigntool.exe.
Installshield passes the name for the swidtag file to the batch file. But the file can contain a comma "," which leads to the problem, that the file name is splitted into two arguments. So, %1 only includes the first half of the filename. I recommend to use %* instead of %1 in the .bat file.
Second thing is that AzureSigntool and SignTool as well can't sign the swidtag file because it is an xml. In this case you need to sign the swidtag file with a different approach (like using .NET, Java, OpenSSl, Phyton,...)
