AAX plugin, Eden PACE wraptool, --signid <your dsig ID> , - what exactly is dsig ID?

I already EV signed my AAX plugin.
I created the Products and Wrap Configuration in PACE Central etc.

Do I need this -signid <your dsig ID> or can I --dsig off because its already EV signed?

wraptool sign --verbose --account [YourAccount] --wcguid [YourWrapConfigGUID] --in [PathToYourPlugin.aaxplugin] --out [PathToYourSignedPlugin.aaxplugin] --dsig off

If I shouldn’t --dsig off, where do I find this dsig ID?

I did look in Microsoft Management Console, but nothing jumped out at me from the personal Certificates section. I have a Sectigo EV certificate on an external USB token - its communicating via SafeNet Authentification Client.

The sign ID is the hash of your EV certificate. The PACE signature sits on top of the OS signature in your EV. And the wraptool will call the OS signtool anyway, so there is no reason to sign the aax beforehand yourself.

Those are my parameters:

--signtool "${SIGNTOOL_PROGRAM}" --signid "${WIN_CERT_HASH}" --extrasigningoptions "digest_sha256")

Usually pace information is covered under NDA, so I hope I didn’t tell anything more than the obvious here.
Your best bet is to email Sergio under the support email you find in the eden SDK. There is also a lot invaluable information in there.

got it
I found the hash for my EV buried in the Microsoft Management Console > Thumbprint.