Description
This is likely not a bug but a mistake on my side; however, I struggle to get this working with an RBAC-enabled Key Vault via service connection, and wonder if the docs could provide some details on the permissions necessary for RBAC, or if someone could help in case my issue is of a totally different nature, since the error message is quite strange.
I receive the error

```
File 'CertName' does not exist.
```

when running the command

```powershell
AzureSignTool sign -kvu "REDACTED" -kvi $Env:servicePrincipalId -kvt $Env:tenantId -kvs $Env:servicePrincipalKey -kvc CertName -tr "http://timestamp.digicert.com" -v D:\a\1/build/binaries/test.exe
```
I am running it via an AzureCLI@2 task like this:

```yaml
- task: AzureCLI@2
  displayName: 'Sign'
  inputs:
    scriptType: ps
    scriptLocation: inlineScript
    azureSubscription: '${{ parameters.keyVaultServiceConnection }}'
    addSpnToEnvironment: true
    inlineScript: |
      AzureSignTool sign -kvu "${{ parameters.keyVaultUrl }}" -kvi $Env:servicePrincipalId -kvt $Env:tenantId -kvs $Env:servicePrincipalKey -kvc ${{ parameters.azureKeyVaultSigningCertificateName }} -tr "http://timestamp.digicert.com" -v $(binaries)
```
The certificate exists under the name "CertName" in the Key Vault. The service connection passed to "azureSubscription" does have access to the key vault (I even gave it Admin permissions on the vault in the end while testing).
So:
- Is this error related to missing permissions on the certificate?
- If yes, can anyone please explain which RBAC permissions are required to the vault (and possibly the certificate itself)? Maybe this could be added to the docs?
Thanks in advance!
Edit:
After looking through the source, I think the message comes from here:

AzureSignTool/src/AzureSignTool/Program.cs, line 501 in 078c762
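To separate a permissions problem from a naming problem before re-running the signing step, the following added diagnostic (not part of this issue or of AzureSignTool) can be run in the same AzureCLI@2 task with `addSpnToEnvironment: true`, where `az` is already logged in as the service connection's service principal. The vault name is a placeholder; the two role names are Azure built-in Key Vault RBAC roles.

```powershell
# Added diagnostic script, not part of the original issue or of AzureSignTool.
# Assumes it runs inside the AzureCLI@2 step above, so the az session already
# belongs to the service connection's service principal.
$vaultName = 'REPLACE-WITH-VAULT-NAME'   # placeholder: name of the Key Vault
$certName  = 'CertName'                  # certificate name passed to -kvc

# 1. Resolve the vault's ARM resource ID. Failure here means the service
#    connection cannot even see the vault at the control-plane level.
$vaultId = az keyvault show --name $vaultName --query id -o tsv
if (-not $vaultId) { throw "Cannot read vault '$vaultName' via this service connection." }

# 2. List the RBAC roles the running service principal holds on the vault scope.
#    Code signing needs certificate read plus key sign; the built-in roles
#    'Key Vault Certificate User' and 'Key Vault Crypto User' grant those.
Write-Host "Roles held by $Env:servicePrincipalId on $vaultName :"
az role assignment list --assignee $Env:servicePrincipalId --scope $vaultId `
    --include-inherited --query "[].roleDefinitionName" -o tsv

# 3. Confirm the certificate is readable under exactly this name on the data
#    plane (the vault name alone does not prove the certificate object is visible).
az keyvault certificate show --vault-name $vaultName --name $certName --query name -o tsv
if ($LASTEXITCODE -ne 0) { throw "Certificate '$certName' is not readable in '$vaultName'." }
```

If step 3 fails while step 1 succeeds, the problem is data-plane RBAC on the vault rather than the pipeline command; if all three succeed, the certificate name and permissions are fine and the error has another cause.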