aortega1313
Regular Visitor

How to sign my custom connector (PQX) with Azure Key Vault

Hi Everyone,

 

I am looking for some help to know if there is a way to sign the PQX (custom connector) using Azure Key Vault and AzureSignTool.

Is there any existing way? 

 

I know how to sign the connector with the MakePQX, but for now, it is not an alternative to use a PFX format for the certificate. 

 

Thank you, 

 

Regards.

 

6 REPLIES
luna22
New Member

Hi, I looked into this earlier. Currently, AzureSignTool can be used with certificates stored in Azure Key Vault, so you don't need a PFX file. You just need to configure the Key Vault credentials (tenant ID, client ID, secret) in AzureSignTool and reference your certificate name. This way, you can securely sign your PQX connector directly using the cert in Key Vault without exporting it. Hope it helps!

Hi, see my previous comment below from February:

 

All of the suggestions so far are basically how to use AzureSignTool, but that doesn't help when it does not support pqx files. (https://github.com/dotnet/sign?tab=readme-ov-file#supported-file-types)

Anonymous
Not applicable

Hi @aortega1313 

Based on your description, you can refer to the following link.

How to sign code built using Azure Pipelines using a certificate/key in Azure Key Vault? - Stack Ove...

It offers some suggestions about it.

 

Best Regards!

Yolo Zhu

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

All of the suggestions so far are basically how to use AzureSignTool, but that doesn't help when it does not support pqx files. (https://github.com/dotnet/sign?tab=readme-ov-file#supported-file-types)

What alternative is there if pfx is no longer an option?  Basically this issue (https://github.com/microsoft/vscode-powerquery-sdk/issues/339).  How are people signing their custom connectors?

aortega1313
Regular Visitor

Hi @FarhanJeelani!

Thanks for the help. I made the test, but I'm receiving the following error.

The file cannot be signed because it is not a recognized file type for signing or it is corrupt.

I'm using the following project with this command: https://github.com/vcsjones/AzureSignTool

 

 

AzureSignTool.exe sign -du "https://vcsjones.com" \
  -fd sha256 -kvu https://my-vault.vault.azure.net \
  -kvi 01234567-abcd-ef012-0000-0123456789ab \
  -kvt 01234567-abcd-ef012-0000-0123456789ab \
  -kvs <token> \
  -kvc my-key-name \
  -tr http://timestamp.digicert.com \
  -v \
  C:\connector.pqx

 

Should I use a different version or another project?

FarhanJeelani
Super User

Hi @aortega1313 ,

Yes, you can sign a Power Query Custom Connector (PQX) using Azure Key Vault and AzureSignTool. Here's how:

  1. Store your certificate in Azure Key Vault and ensure it's accessible.

  2. Grant your service principal or user the necessary permissions to access the certificate in Key Vault (e.g., Key Vault Sign permission).

  3. Install AzureSignTool on your machine.

  4. Use the AzureSignTool to sign the PQX file by pointing it to the certificate in Azure Key Vault with the following command:

    AzureSignTool sign -fd sha256 -kvu <keyvault-url> -kvi <client-id> -kvt <tenant-id> -kvs <client-secret> -kvc <certificate-name> -v <path-to-pqx>

This will sign your PQX file using the certificate stored in Azure Key Vault, without needing to use MakePQX for the certificate.

 

Please mark this as solution if it helps. Appreciate Kudos.
