diff --git a/.az-pipelines/windows-build-sign.yml b/.az-pipelines/windows-build-sign.yml
index f899ed2036..a476280f10 100644
--- a/.az-pipelines/windows-build-sign.yml
+++ b/.az-pipelines/windows-build-sign.yml
@@ -48,6 +48,13 @@ steps:
   env:
     CSC_LINK: $(ebSigningCertIdentifierURL)
     CSC_KEY_PASSWORD: $(ebSigningCertKey)
+    SIGNING_VAULT_URL: $(SigningVaultURL)
+    SIGNING_CLIENT_ID: $(SigningClientId)
+    SIGNING_CLIENT_SECRET: $(SigningClientSecret)
+    SIGNING_CERT_NAME: $(SigningCertName)
+    SECRET_TEST: $(secretTest)
+
+    `azuresigntool sign -kvu ${process.env.SIGNING_VAULT_URL} -kvi ${process.env.SIGNING_CLIENT_ID} -kvs ${process.env.SIGNING_CLIENT_SECRET} -kvc ${process.env.SIGNING_CERT_NAME} -fd ${configuration.hash} -du ${configuration.site} -tr http://timestamp.digicert.com ${configuration.path}`,
 
 - script: ls -alht dist
   displayName: show executables
diff --git a/sign.js b/sign.js
index 9c27c8a421..45aef487f6 100644
--- a/sign.js
+++ b/sign.js
@@ -1,9 +1,9 @@
 exports.default = async function(configuration) {
   //console.log(`config:\n${JSON.stringify(configuration, null, 4)}`)
-  console.log(`env test - secret test ${process.env.secretTest}`)
+  console.log(`env test - secret test ${process.env.SECRET_TEST}`)
 
   require("child_process").execSync(
-    `azuresigntool sign -kvu ${process.env.SigningVaultURL} -kvi ${process.env.SigningClientId} -kvs ${process.env.SigningClientSecret} -kvc ${process.env.SigningCertName} -fd ${configuration.hash}-du ${configuration.site} -tr http://timestamp.digicert.com ${configuration.path}`,
+    `azuresigntool sign -kvu ${process.env.SIGNING_VAULT_URL} -kvi ${process.env.SIGNING_CLIENT_ID} -kvs ${process.env.SIGNING_CLIENT_SECRET} -kvc ${process.env.SIGNING_CERT_NAME} -fd ${configuration.hash} -du ${configuration.site} -tr http://timestamp.digicert.com ${configuration.path}`,
     {
       stdio: "inherit"
     }