A Step-by-step Guide to Code Signing using Azure Trusted Signing

This blog provides a step-by-step guide to code signing using Azure Trusted Signing.

Many moons ago (14 years and counting) I wrote my first guide to signing drivers on AppDeploy (now ITNinja) and transposed it to my own blog many years later. Back then I devised a way to generate development certificates for self-signing drivers.

But with the emergence of Azure Trusted Signing, I thought I’d knock up another quick step-by-step guide for code signing using production-ready code signing certificates! For a very modest £7.96 per month, it allows up to 5,000 signing requests on the basic tier.  So in theory, I think we could sign (and time stamp!) the code we require, and then cancel our subscription to save some significant wonga on code signing certificates!

I assume that you are familiar with Azure, and already have a subscription and resource group (or can create them if not!). And with that said:

  1. Search for “Trusted Signing Accounts” in the Azure portal.  Click “Create”, give it a name (make a note of this name for later on – I used AlkaneTrustedSigning), and set the appropriate subscription, resource group, region and pricing tier relevant to your location and requirements.  Once created, inside this trusted signing account click on the Overview tab (it should be selected by default) and make a note of the Account URI – we will need this later too.  Mine is https://weu.codesigning.azure.net/ because I selected West Europe (weu) during the creation process.
  2. Once created, inside your trusted signing account click “Access Control (IAM)”. Click Add > Role Assignment.  Search for Trusted Signing Identity Verifier, select it and click Next.  Since I am assigning access to myself (so I can code sign using my own Azure account etc.) I leave it as “User, group or service principal”, click “Select Members” and select my own account. Click Review and Assign.
  3. Repeat step 2, only this time the role to search for is Trusted Signing Certificate Profile Signer. Both of these roles are required; without either of them the signing process will fail.
  4. You will then need to go through identity validation so that Microsoft can verify you’re a trusted source. You cannot proceed to the next step until your identity has been verified!  Inside your trusted signing account, under Objects click Identity Validations > New Identity > Public.  Complete the form and submit it to Microsoft.  They may require supporting documentation too, and the time for approval can typically take from an hour up to a few days.  Mine took an hour (phew), presumably because my website/domain and business are over 15 years old.
  5. We now need to create a Certificate Profile. Inside your trusted signing account, under Objects click Certificate Profiles.  Click Create > Public Trust.  Give your certificate profile a name – we will need this for later!  I called mine AlkanePublicTrust.  Note that the entry under “Verified CN and O” should be your verified identity from the previous step.
  6. Now we can start signing!  Download and install the Trusted Signing Client Tools MSI from here.  This includes signtool.exe, which we will use to perform code signing.
  7. Download the Microsoft Trusted Signing Client from here.  These binaries enable signtool.exe to launch a browser session that prompts for an Azure authentication token. You could install this directly using the NuGet command line, but I preferred to click “Download Package”, rename the .nupkg extension to .zip, navigate to the Bin folder and extract the x64 folder to my local machine inside a directory called C:\Alkane\Signing.
  8. In C:\Alkane\Signing, we also need to create a JSON file (I called it AlkanePublicTrust.json) for signtool.exe to use. This simply uses the Account URI and account name we noted in step 1 and the certificate profile name from step 5 – replace these with your own.
    {
      "Endpoint": "https://weu.codesigning.azure.net",
      "CodeSigningAccountName": "AlkaneTrustedSigning",
      "CertificateProfileName": "AlkanePublicTrust"
    }
  9. Now we can finally sign our executable! The executable I want to sign is called C:\Alkane\Alkane.exe and we must use a timestamping server for reasons discussed here.
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Alkane\Signing\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Alkane\Signing\AlkanePublicTrust.json" C:\Alkane\Alkane.exe
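Steps 8 and 9 combined into one script, as an added example that is not from the original post: it writes the metadata file, signs the executable with a timestamp, and then verifies the result and confirms a timestamp countersignature is actually present. The paths, account name, profile name and signtool location are taken from the post and are assumptions to adjust for your own environment.

```powershell
# Added example (not from the original post): sign with Azure Trusted Signing,
# then verify the signature and confirm a timestamp countersignature is present.
# Paths and names below are assumptions taken from the post's own examples.
$ErrorActionPreference = 'Stop'

$SigningDir = 'C:\Alkane\Signing'
$Metadata   = Join-Path $SigningDir 'AlkanePublicTrust.json'
$Dlib       = Join-Path $SigningDir 'x64\Azure.CodeSigning.Dlib.dll'
$SignTool   = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
$Target     = 'C:\Alkane\Alkane.exe'

# Write the metadata file that signtool reads via /dmdf (values from steps 1 and 5).
[ordered]@{
    Endpoint               = 'https://weu.codesigning.azure.net'
    CodeSigningAccountName = 'AlkaneTrustedSigning'
    CertificateProfileName = 'AlkanePublicTrust'
} | ConvertTo-Json | Set-Content -Path $Metadata -Encoding UTF8

# Sign with a SHA-256 file digest and an RFC 3161 timestamp. The timestamp is what
# keeps the signature valid after the short-lived Trusted Signing certificate expires.
& $SignTool sign /v /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $Dlib /dmdf $Metadata $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (chain must end at a trusted root).
& $SignTool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: status must be Valid and a timestamper present.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw 'No timestamp countersignature found' }

"Signed by:      $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Running this on a file whose signature lacks a timestamp throws at the last check, which is the failure mode to look for if you intend to cancel the subscription after signing.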

And that’s it!  Happy code signing!