We use ZXPSignCMD tool for signing an Adobe CEP extension. We have a mandate to update all the company’s signings to D-KMS (Key Management System), a HSM (Hardware Security Module) backed service (see New private key storage requirement for Code Signing certificates).
In the documentation of the tool CEP-Resources/ZXPSignCMD/SigningTechNote_CC.pdf at master · Adobe-CEP/CEP-Resources · GitHub we don’t see any reference on HSM support.
Are any plans on updating the tool to support this?
1 Like
I moved this post because a customer recently pointed to finding it. There’s no category in the UXP forum that this particularly fits.
To answer the question; not only are there no plans for HSM support, there are no plans to update the ZXPSignCmd tool at all. (At least at the time I’m writing this.)
Hello, please suggest then how to sign the extensions with the new certificates. IIRC we can even sign with self signed certificates even for production. Is that true?
Thanks,
Only self-signing is currently supported.
This could change in the future, but not soon, and I don’t have a timeline.
Updating this thread: As of May 2025 you no longer need to self-sign: CEP-Resources/ZXPSignCMD/4.1.3 at master · Adobe-CEP/CEP-Resources · GitHub
Paid certificates should now work, however, HSM is not currently supported.
What does “no longer need to self-sign” mean? Are you stating that the signature itself is no longer required at all?
Ah - no - that isn’t what I’m saying.
For signing CEP panels you still need to use ZXPSignCmd. You have a choice of either using a self-signed certificate or a paid certificate. There was a period of several months when using a paid certificate stopped working, and self-signing was the only option.
Eventually self-signing broke as well and we had to put out a new version of ZXPSignCmd, and now paid certificates are once again an option. That is to say, both self-signing and paid certificates are working again.
However, we don’t support HSM.
Thank you for your response. So, it’s essentially the same way as before.