Microsoft Trusted Signing service

[Angus Robertson 527]

Has anyone tried this service for signing applications, free until June 2024, then $9.99:

 

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457

 

Angus

 

[Fred Ahrens 57]

I tried it and it still feels very "previewish". After being able to create the signing account, getting my identity validated and creating a first certificate, I'm currently stuck at properly submitting my credentials while trying to sign an exe with SignTool.exe.

The available documentation still lacks a lot of important details and it's still too new to find suitable help at stackoverflow or similar.

 

It might work better if you use it via Azure DevOps or GitHub. But so far it still needs some finetuning - especially the documentation - before it can be used with SignTool.exe.

 

With the tool available at https://docs.rs/crate/trusted-signing-cli/0.2.0 I came the closest so far with simple signing an exe file - but still get errors I can't get any further explanation for.

[Fred Ahrens 57]

Got it working with the help of the documentation available at Code signing on Windows with Azure Trusted Signing · Melatonin 

 

Most related documents currently online (including Microsofts documentation) still have a major error in the description of the metadata.json format. Instead of using the "TrustedCodeSigningAccount" entry you will need the entry "CodeSignigAcccountName" and set it to the name of the Trusted Signing Account in Azure -, not your e-mail address you use for logging into Azure or other Microsoft services.

[Angus Robertson 527]

Thanks for all the useful comments, I'll try it myself when I have time later in the week.  

 

Got another eight months left before my code signing certificate expires, but looks like I can avoid dongle hell.  I've had an Azure account for years, although perhaps not the correct type of account. 

 

Angus

 

[Vincent Parrett 660]

This is interesting, particularly since I spent the last few months working on a code signing server product that takes the hassle out of using dongles  (working on the admin ui, signing part is all done) 😞

 

So code signing for USD$120 per year vs $299 - I bet digicert & co are peeved about this. Microsoft are about to take $100M(*) a year out of their pockets. 

 

* plucked that out of thin air, but given what they charge and how many software vendors there are, it's quite possibly more than that.

[Angus Robertson 527]

I'll be happy not needing to deal with Digicert, Sectigo and co, particularly with their massive price increases in recent years.  Let's Encrypt stopped most of their web certificate business.

 

Microsoft does have a history of looking after developers, for many years there was a web page that allowed buying heavily discounted certificates from the major vendors at the time, it disappeared a few years ago. 

 

Angus

 

[John R. 17]

This looks very interesting to me and a nice move for code signing. My current certificate is valid till the end of 2025 so I can only hope that this service will improve till then 🤞

[Vincent Parrett 660]

1 hour ago, Angus Robertson said:

I'll be happy not needing to deal with Digicert, Sectigo and co, particularly with their massive price increases in recent years.

Yeah I can see them losing code signing completely in the future. 

 

I did sign up for this - 10 hours so far and all I have had is a confirm email address - status us still "in progress"

[Angus Robertson 527]

Quote

10 hours so far and all I have had is a confirm email address

Probably handled manually in USA business hours until full launch.

 

Angus

 

[Fred Ahrens 57]

3 hours ago, Vincent Parrett said:

I did sign up for this - 10 hours so far and all I have had is a confirm email address - status us still "in progress"

Our Trusted Signing validation took about 30 minutes from creating the validation request until successful validation. But we are also Microsoft Partner for many years and this might have produced already enough interaction between Microsoft and us for giving them enough material for speedy validation.
If the related documentation is correct, Trusted Signing is still in preview and is currently open only to companies that are registered more than 3 years with an Azure account.

[Vincent Parrett 660]

Not sure exactly how old my Azure account its, must be at least 10 years though. Still "in progress" 

[Angus Robertson 527]

In the progress of getting this working, setting anything up in Azure is horrible, I've got OAuth2 stuff, now waiting for company identity validation.  I've had MSDN and partner accounts for 30 years, used to get a box of CDs each quarter before the internet. 

 

Worth mentioning that if you have a partner MAPS account and pay annually (UK £350) to get all the MS OS and apps, you get $100 of Azure credit each month, which I assume can be used for code signing.

 

Two minutes later, validation pass.

 

Angus

 

Edited May 2 by Angus Robertson

[Vincent Parrett 660]

10 hours ago, Angus Robertson said:

setting anything up in Azure is horrible

Yep, need a degree in nonsense to understand how anything works in azure. A few years ago we evaluated all the major cloud providers when considering moving everything to the cloud, trying to compare pricing etc - azure dropped out of the running pretty quickly as we all found it too confusing to use. Anytime you need to configure something, it sends you off on a bunch of side hussles to configure something else with zero explaination, and when something goes wrong it's very difficult to figure out what you need to do. Bloated, over architected monstrosity. 

[David Champion 46]

2 hours ago, Vincent Parrett said:

Yep, need a degree in nonsense to understand how anything works in azure. A few years ago we evaluated all the major cloud providers when considering moving everything to the cloud, trying to compare pricing etc - azure dropped out of the running pretty quickly as we all found it too confusing to use. Anytime you need to configure something, it sends you off on a bunch of side hussles to configure something else with zero explaination, and when something goes wrong it's very difficult to figure out what you need to do. Bloated, over architected monstrosity. 

Yes, you have it, "Side hussles".  

[Angus Robertson 527]

Setting up MTS/ATS for Windows is not trivial, Azure command line interface, new signing tool, Azure signing DLL, .net8 runtime, environmental variables, Azure commands, etc. 

 

Not helped by the Microsoft web site code and Json examples all using non-breaking spaces (xA0) which have to be replaced by real spaces to do anything useful.

 

Once installed, it attempts to sign my program, but fails with OAuth2 login using a browser, and with incorrect secrets, so many to choose from in Azure. 

 

So the documentation needs much clearer information of how Azure authentication should be set up for Windows apps.

 

Angus

 

 

 

 

[Fred Ahrens 57]

8 minutes ago, Angus Robertson said:

So the documentation needs much clearer information of how Azure authentication should be set up for Windows apps.

There are two places where you need to provide credential information:

 

You need to set Windows environment variables:

set AZURE_TENANT_ID=(enter your azure tenant ID here)
set AZURE_CLIENT_ID=(this is the client ID of the app you have set up for authentication)
set AZURE_CLIENT_SECRET =(thats the client secret value of the prepared app)

Best place would be in a batch file that also contains calls to SignTool etc.. Make sure you  strictly limit access to this batch file.

 

Then you need to create the metadata.json file to be used with SignTool and the Azure Trusted Signing DLL:

 

{
  "Endpoint": "correct URL for your area",
  "CertificateProfileName": "name of the certificate in your trusted signing account",
  "CodeSigningAccountName": "name of your Trusted Signing account, NOT your e-mail address or other user ID"
 }

If the details are set correct, you should be able to authorize against the Azure Trusted Signing service and sign your files with SignTool.

 

Setting more variables than the ones mentioned above may confuse the authorization process and may cause the internal selection of another authorization method (there are many) that might not work for your case.