Authenticode in 2025 – Azure Trusted Signing

This content originally appeared on text/plain and was authored by ericlaw

I’ve written about signing your code using Authenticode a lot over the years, from a post in 2015 about my first hardware token to a 2024 post about signing using a Digicert HSM.

Recently, Azure opened their Trusted Signing Service preview program up for individual users and I decided to try it out. The documentation and features are still a bit rough, but I managed to get a binary cloud-signed in less than a day of futzing about.

For many individual developers Azure Trusted Signing will be the simplest and cheapest option, at $10/month. (Microsoft Employees get a $150/month Azure credit for their personal use, so trying it out cost me nothing.)

Note that I’ve never done anything with Azure or any other cloud computing service before; I’m a purely old-school client developer.

First, I visited my.visualstudio.com to activate my Microsoft Employee Azure Subscription credit for my personal Hotmail account. I then visited Azure.com in my Edge Personal Profile and created a new account. There is a bit of weirdness about adding 2FA using Microsoft Authenticator to the account, which I already had enabled; what appears to actually be happening is that you’re creating a new .onmicrosoft.com “shadow” account for your personal account.

With my account set up, in Azure Portal’s search box, I search for “Trusted Signing”:

and I click Create:

I fill out a simple form, inventing a new resource group (SigningGroup, no idea what this is for), and a new Account Name (EriclawSignerAccount, you’ll need this later), and make the important choice of the $9.99/month tier:

My new signing account then appears:

Click it and the side-panel opens:

It’s very tempting to click Identity validation now (since I know I must need to do that before getting the certificate) but instead you must click Access control (IAM) and grant your account permissions to request identity validation:

In the search box, search for Trusted, select the first one (Trusted Signing Certificate Profile Signer), then select Next:

In the Members tab, click Select members and pick yourself from the sidebar.

Click Select and then Review and Assign to grant yourself the role. Then repeat the process for the Trusted Signing Identity Verifier role.

With your roles assigned, it’s time to verify your identity. Click the Identity Validation button, change the dropdown from Organization to Individual, and click New Identity > Public:

(If you skipped a step, the “New Identity” button will remain disabled until you assign yourself to the role that allows you to use it.)

Fill in the form with your information. Ensure that it matches your legal ID (Driver’s License):

You’ll then be guided through a workflow involving the Microsoft Authenticator app on your phone and a 3rd party identity verification company. You’ll see a Success message once you correctly link your new Verified ID in the Authenticator app to the Azure Service, but confusingly, you’ll still see Action Required in the Azure dashboard for a few minutes:

Just be patient — after about 10 minutes, you’ll get an email saying the process is complete and Action Required will change to Completed:

Next, click Certificate Profile to create a new certificate:

Click Create > Public

Fill out a simple form selecting your verified identity and naming the profile (I used EricLawCert; you’ll need this later):

In short order, your certificate is ready for use:

Now, using the certificate is somewhat more complicated than using a local certificate, but many folks are now doing fancier things like signing builds in the cloud as part of continuous integration pipelines.

I, however, am looking for a drop-in replacement for my old manual local signing process, so I follow the guide here to get the latest version of SignTool, as well as the required DLIB file (which you can just unzip rather than using NuGet if you want) that knows how to talk to the cloud. Select the default paths in the installer because otherwise the tool doesn’t work. Run signtool.bat, which will pull the correct dependencies and then tell you where it put the real signtool.exe:

Now, create a file that will point at your cloud certificate profile; I named mine cloudcert.json. Be sure to put in the correct cloud endpoint URL and the account and profile names you selected (all of which were chosen when setting up the certificate):

{
  "Endpoint": "https://wcus.codesigning.azure.net",
  "CodeSigningAccountName": "EricLawSignerAccount",
  "CertificateProfileName": "EricLawCert",
  "CorrelationId": "set-this-to-whatever"
}

Then create a .bat file that points at the newly installed signtool.exe, using the paths you chose for the DLIB, the JSON file, and the file to be signed:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "c:\tools\mstrustedSigningTools\dlib\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "c:\tools\mstrustedSigningTools\cloudcert.json" alert.exe

Run your batch file. If it doesn’t work and instead shows a bunch of local certificates that have nothing to do with the cloud, the DLIB isn’t being loaded. Double-check the path you specified on the command line.

Now, at this point, you’ll probably get another failure complaining about DPAPI:

Currently, the DLIB package bundles an outdated (2019) version of System.Security.Cryptography.ProtectedData.dll. Rename that file to something else, locate the current version of that DLL elsewhere on your system, and copy it into the dlib\bin\x64 folder:

After you do so, run the script again and you’ll get to a browser login prompt. Exciting, but this next part is subtle!

You may see the account you think you want to use already in the login form. Don’t click it: if you do, you’ll get a weird error message saying that “External Users must be invited” or something of that nature. Instead, click Use another account:

Then click Sign-in Options:

Then click Sign in to an organization:

Specify your .onmicrosoft.com tenant name[1] here and click Next:

Only now do you log into your personal email account as normal, and after you do, you’ll get a success message in your browser and the signature will complete:

You can choose Properties on the Explorer context menu for the file to see your newly added signature:
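As an added example (my own script, not Eric’s batch file or anything shipped by Microsoft), here is a PowerShell wrapper for the signing command above that pre-checks the paths and the cloudcert.json fields, reports the version of the bundled ProtectedData DLL so the stale 2019 copy is easy to spot, signs, and then verifies the result with signtool verify and Get-AuthenticodeSignature instead of eyeballing the Explorer Properties dialog. The SignTool and tools-directory paths are the ones from the post and are assumptions about your install.

```powershell
# Added example: sign with Azure Trusted Signing via the DLIB, then verify the result.
# Paths below mirror the post and are assumptions; adjust to your own install.
param(
    [Parameter(Mandatory)][string]$File,
    [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe',
    [string]$ToolsDir = 'c:\tools\mstrustedSigningTools',
    [string]$TimestampUrl = 'http://timestamp.acs.microsoft.com'
)
$ErrorActionPreference = 'Stop'
$dlib = Join-Path $ToolsDir 'dlib\bin\x64\Azure.CodeSigning.Dlib.dll'
$dmdf = Join-Path $ToolsDir 'cloudcert.json'

# Pre-flight: if any path is wrong, signtool silently falls back to enumerating
# local certificates instead of talking to the cloud, so fail early and loudly.
foreach ($p in @($SignTool, $dlib, $dmdf, $File)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing: $p" }
}
# The metadata file must name the endpoint, account and certificate profile.
$meta = Get-Content -LiteralPath $dmdf -Raw | ConvertFrom-Json
foreach ($k in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if ([string]::IsNullOrWhiteSpace($meta.$k)) { throw "cloudcert.json is missing '$k'" }
}
# Report the bundled ProtectedData DLL; a 2019 file date means the DPAPI failure
# described in the post is coming and the DLL needs to be swapped first.
$pd = Join-Path $ToolsDir 'dlib\bin\x64\System.Security.Cryptography.ProtectedData.dll'
if (Test-Path -LiteralPath $pd) {
    $pdItem = Get-Item -LiteralPath $pd
    Write-Host "ProtectedData.dll: version $($pdItem.VersionInfo.FileVersion), dated $($pdItem.LastWriteTime.ToString('yyyy-MM-dd'))"
}

# Sign with the cloud certificate profile (same switches as the batch file in the post).
& $SignTool sign /fd SHA256 /tr $TimestampUrl /td SHA256 /dlib $dlib /dmdf $dmdf $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify under the default Authenticode policy (/pa), then confirm through the
# PowerShell API that the signature is valid and carries a timestamp counter-signature,
# which is what keeps the signature valid after the signing certificate expires.
& $SignTool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
$sig = Get-AuthenticodeSignature -LiteralPath $File
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
if ($null -eq $sig.TimeStamperCertificate) { throw 'No timestamp counter-signature found' }
Write-Host "Signed by:      $($sig.SignerCertificate.Subject)"
Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

The browser login described above still happens during the sign step; the script only wraps the command and checks the outcome.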

Triumph!

You can now sign all file types that SignTool supports.

Resource Links

-Eric

[1] If you don’t know the right organization name, find it in the Users tool in the Azure portal:
