ClickOnce EV code sign with USB HSM: add support for ECDSA keys
Description
I am manually signing application manifest via mage.exe or mageui.exe.
I have an EVCS from a CA issued on a USB HSM (Yubikey).
signtool.exe has signed the executable correctly using the HSM.
mage.exe is reporting “This certificate does not contain a private key”
mageui.exe is asking for a Certificate file which I don’t have.
To Reproduce
Try and sign a manifest file using a USB HSM.
.\mage.exe -Sign "C:\my_app.exe.manifest" -csp "Microsoft Smart Card Key Storage Provider" -kc "9b5…" -CertHash "c15…"
Exceptions (if any)
“This certificate does not contain a private key”
Configuration
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8.1 Tools>
Other information
I have a ticket open with Visual Studio here: https://developercommunity.visualstudio.com/t/ClickOnce-EV-Signing-with-HSM/10278648
I can use signtool to successfully use the HSM for EVCS. This works and I just need mage to do the same. I run the following in PowerShell which prompts for PIN and works perfectly:
cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64"
.\signtool.exe sign /fd sha256 /tr http://ts.ssl.com /td sha256 /n "UniqueStringInMyCertificate" "C:\My.exe"
Some others have reverse engineered mage to get this working: https://stackoverflow.com/questions/54752638/mage-exe-manifest-signing-with-certificate-stored-in-aws-cloudhsm
I am happy to help give more feedback/troubleshooting to help resolve this issue. It is affecting many of our clients (today has been awful) as it's been sitting triaged for 3 weeks in the other forum, and this looks like the appropriate repo for mage. Thanks
Issue Analytics
- Created 6 months ago
- Reactions: 1
- Comments: 9 (4 by maintainers)
I see multiple potential issues here:
@RhomGit thank you for the details. So your actual request is for mage and ClickOnce to support ECDSA. I'll modify the bug title accordingly.
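The thread turns on whether the private key behind the EV certificate on the Yubikey is RSA or ECDSA and whether it is reachable through the Microsoft Smart Card Key Storage Provider, but nobody shows how to check that from the machine that is failing. The following PowerShell script is an added example for this page, not code from the issue author, from Visual Studio or from the mage project. It assumes Windows PowerShell 5.1, the Yubikey inserted, and its certificate already propagated into the CurrentUser\My store (the state in which signtool works); the thumbprint prefix is a placeholder standing in for the -CertHash value in the issue.

```powershell
# Added example, not part of the issue or of mage. Reports which private-key
# algorithm (RSA or ECDSA) and which CNG provider/key container back the EV
# certificate, so the "does not contain a private key" error can be explained.
# Placeholder thumbprint prefix: replace with the value passed to mage -CertHash.
$thumbprintPrefix = 'C15'

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -like "$thumbprintPrefix*" } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with thumbprint prefix $thumbprintPrefix in Cert:\CurrentUser\My"
}

"Subject        : $($cert.Subject)"
"Thumbprint     : $($cert.Thumbprint)"
# HasPrivateKey only says a key association exists; it says nothing about the algorithm.
"HasPrivateKey  : $($cert.HasPrivateKey)"
"Public key alg : $($cert.PublicKey.Oid.FriendlyName) ($($cert.PublicKey.Oid.Value))"

# RSA and ECDSA keys are reached through different .NET accessors. Each returns $null
# when the certificate's key is of the other algorithm, so a tool that only asks for
# the RSA key sees "no private key" on an ECDSA certificate that signtool signs with fine.
$rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)

function Describe-CngKey([System.Security.Cryptography.CngKey] $key) {
    # Provider name and key-container name correspond to what the issue passes to
    # mage via -csp and -kc.
    "provider='$($key.Provider.Provider)' container='$($key.KeyName)'"
}

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    "Private key    : RSA via CNG, $(Describe-CngKey $rsa.Key)"
} elseif ($rsa) {
    "Private key    : RSA via legacy CAPI provider ($($rsa.GetType().Name))"
} elseif ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) {
    "Private key    : ECDSA via CNG, $(Describe-CngKey $ecdsa.Key)"
} elseif ($ecdsa) {
    "Private key    : ECDSA ($($ecdsa.GetType().Name))"
} else {
    "Private key    : none reachable through the RSA or ECDsa accessors"
}
```

If the script prints an ECDSA key while mage reports that the certificate has no private key, the output matches the maintainer's reading above: the Yubikey and KSP are working, and what is missing is ECDSA support on the mage side. If it prints an RSA key and mage still fails, the problem lies elsewhere (for example the -csp or -kc values), which is worth stating in the report before the title change narrows the issue to ECDSA.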