Merge pull request #272843 from mehasharma/meha-howtorenewbranch

Meha howtorenewbranch

Author: American-Dipper

articles/trusted-signing/TOC.yml

@@ -16,6 +16,8 @@
       href: how-to-sign-history.md
     - name: Revoke a certificate profile in Trusted Signing
       href: how-to-cert-revocation.md
+    - name: Renew Trusted Signing Identity Validation
+      href: how-to-renew-identity-validation.md
   - name: Quickstart
     items:
     - name: Quickstart onboarding

articles/trusted-signing/faq.yml

@@ -21,18 +21,7 @@ sections:
         answer: | 
           Refer to the [Trusted Signing Program Windows Support](https://support.microsoft.com/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4) page for details about Windows support for Trusted Signing.
           The service is supported on all currently supported versions of:
-          * Windows 11 (Supported out of the box) 
-          * Windows 10 - RS5 (Windows 10, Version 1809/ October 2018 Update) or newer 
-          * Windows Server 2019, Windows Server 2016  
-          Files signed by Trusted Signing’s Public Trust certificates are trusted on:  
-          * Windows Server 2012 R2 (Command line only) 
-          * Windows 8.1 
-          * Windows 7 SP1 ESU - Must install May 2021 update rolls up  
-          * Windows 10 1507  
-          Not Supported
-          * Windows 7 SP1 non-ESU (Not supported by Microsoft) 
-          * Windows OS version that were already end of life
-
+    
           General User Mode Code Integrity (UMCI) support for Trusted Signing:
           * Signed binaries was added in the July 2021 Certificate Trust List (CTL) update delivered by Windows. In standard scenarios, upon first sight of an end-entity cert from a chain on the machine, the system pulls down the root CA cert into the trust root store on a system.  
       - question: How do I grant API access in Microsoft Entra ID to Trusted Signing?
@@ -52,28 +41,28 @@ sections:
           For Public Preview Trusted Signing is free for now. You'll still be prompted to select a Basic or Premium SKU when you create your account.
       - question: What are my support options when onboarding to Trusted Signing?
         answer: | 
-          If you're a managed customer on Azure, and have a support plan you can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.  
+          You can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.  
   - name: Certificate Profiles and Identity Validation
     questions:
       - question: What if my Trusted Signing subject name is different than my old cert and my MSIX's package name is now different? 
         answer: |
           Follow the persistent identity guidance in the [MSIX Persistent Identity](https://learn.microsoft.com/windows/msix/package/persistent-identity) article.
       - question: Does deleting the certificate profile revoke the certificates? 
         answer: |
-          No. If you delete the certificate profile, any certificates that were previously issued or used under that profile will remain - they won't be revoked.
+          No. If you delete a certificate profile, any certificates that were previously issued or used under that profile will remain valid - they won't be revoked.
       - question: Does Trusted Signing allow me to use a custom CN? 
         answer: |
-          Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (e.g. Microsoft Corporation) so there isn't much flexibility in CN values. However, a `O` value allows for verified legal names, trade names, and DBAs (doing business as). For individuals, there are already requirements for verification of individuals in the baseline requirements that we meet.
+          Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (e.g. Microsoft Corporation) so there isn't much flexibility in CN values. 
   - name: Signing
     questions:
-      - question: What is Trusted Signing’s compliance level?
+      - question: What is Trusted Signing’s HSM compliance level?
         answer: |
           FIPS 140-2 level 3 (mHSMs)
       - question: How to include the appropriate EKU for our certificates into the ELAM driver resources? 
         answer: |
           - For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix *1.3.6.1.4.1.311.97.*."
           - See the [PKI Repository](https://www.microsoft.com/pkiops/docs/repository.htm) page for the Microsoft ID Verified Code Signing PCA 2021 cert.
-      - question: What happens if we run Trusted Signing binaries on a signed on machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
+      - question: What happens if we run binaries signed with Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
         answer: |
           - If an INTEGRITYCHECK flag is set, the user's signature isn't validated at runtime and isn't run with INTEGRITYCHECK.  
           - To check if Trusted Signing update is installed or not, we recommend that you check against one of your packaged /IntegrityCheck-linked DLLs. A dummy one works, too. That way you can complete your check independently of the platform and the availability of our IntegrityCheck-linked binaries.
@@ -124,7 +113,10 @@ sections:
           - After creating the Client ID and Secret, navigate to the Resource Group (or Subscription) that has the Trusted Signing Certificate Profile Signer role and add this App to the role. 
       - question: What if my Trusted Signing account is suspended?
         answer: |
-          We suspend accounts and or revoke signing certificates if the certificate is found to be misused or abused per our service's Terms of Use. We engage with you directly in such cases following the Code Signing Baseline Requirements (CSBRs) guidelines. 
-
+          Trusted Signing will suspend accounts and or revoke signing certificates if the certificate is found to be misused or abused per our service's Terms of Use. We engage with you directly in such cases following the Code Signing Baseline Requirements (CSBRs) guidelines. 
+      - question: What if I get Azure.Identity.CredentialUnavailableException?
+        answer: |
+          You should expect to see this error on environments outside of Azure [see here](https://github.com/Azure/azure-sdk-for-net/issues/29471). Recommendation is to "exclude ManagedIdentity" if you are outside of Azure.
+  
 ##additionalContent: |
     ## Next steps

articles/trusted-signing/how-to-renew-identity-validation.md

@@ -0,0 +1,34 @@
+---
+title: Renew Trusted Signing Identity Validation
+description: How-to rerenew a Trusted Signing Identity Validation. 
+author: mehasharma 
+ms.author: mesharm 
+ms.service: trusted-signing 
+ms.topic: how-to 
+ms.date: 04/12/2024 
+---
+
+# Renew Trusted Signing Identity Validation 
+
+You can check the expiration date of your Identity Validation on the Identity Validation page. You can renew your Trusted Signing Identity Validation 60 days before the expiration. A notification is to the primary and secondary email addresses with the reminder to renew your Identity Validation.
+**Identity Validation can only be completed in the Azure portal – it can not be completed with Azure CLI.**
+
+>[!Note]
+>Failure to renew Identity Validation before the expiration date will stop certificate renewal, effectively halting the signing process associated with those specific certificate profiles.
+
+1. Navigate to your Trusted Signing account in the [Azure portal](https://portal.azure.com/).
+2. Confirm you have the **Trusted Signing Identity Verifier role**.
+    - To learn more about Role Based Access management (RBAC) access management, see [Assigning roles in Trusted Signing](tutorial-assign-roles.md).
+3. From either the Trusted Signing account overview page or from Objects, select **Identity Validation**.
+4. Select the Identity Validation request that needs to be renewed. Select **Renew** on the top. 
+
+:::image type="content" source="media/trusted-signing-renew-identity-validation.png" alt-text="Screenshot of trusted-signing-renew-identity-validation.png." lightbox="media/trusted-signing-renew-identity-validation.png":::
+
+5. If you encounter validation errors while renewing through the renew button or if Identity Validation is Expired, you need to create a new Identity Validation. 
+    - To learn more about creating new Identity Validation, see [Quickstart](quickstart.md). 
+6. After the Identity Validation status changes to Completed.
+7. To ensure you can continue with your existing metadata.json.
+    - Navigate back to the trusted signing account overview page or from Objects, select **Certificate Profile**.
+    - On the **Certificate Profiles**, delete the existing cert profile associated to the Identity Validation expiring soon:
+    - Create new cert profile with the same name.
+    - Select the Identity Validation from the pull-down. Once the certificate profile is created successfully, signing resumes requiring no configuration changes on your end.

articles/trusted-signing/media/trusted-signing-renew-identity-validation.png

@@ -6,6 +6,7 @@ ms.author: mesharm
 ms.service: trusted-signing 
 ms.topic: quickstart 
 ms.date: 04/12/2024 
+ms.custom: references_regions 
 ---
 
 
@@ -47,16 +48,38 @@ A resource provider is a service that supplies Azure resources. Use the Azure po
 
 # [Azure CLI](#tab/registerrp-cli)
 
-You can register Trusted Signing resource provider with the commands below:
+1. If you're using a local installation, login to Azure CLI using the `az login` command.  
+
+2. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see [Sign in with the Azure CLI](/cli/azure/authenticate-azure-cli).
+
+3. When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the [Azure CLI](/cli/azure/azure-cli-extensions-overview).
+
+4. To see the versions of Azure CLI and dependent libraries that are installed, use the `az version` command.
+•   To upgrade to the latest version, use the following command:
+
+```bash
+az upgrade [--all {false, true}]
+   [--allow-preview {false, true}]
+    [--yes]
+```
+
+5. To set your default subscription ID, use the `az account set -s <subscriptionId>` command.
+
+6. You can register Trusted Signing resource provider with the command below:
 
 ```
 az provider register --namespace "Microsoft.CodeSigning"
 ```
 
-You can verify that registration is complete with the commands below: 
+7. You can verify that registration is complete with the command below: 
 
 ```
-az provider show --namespace "microsoft.ConfidentialLedger"
+az provider show --namespace "Microsoft.CodeSigning"
+```
+
+8. You can add the extension for Trusted Signing with the command below:
+```
+az extension add --name trustedsigning
 ```
 
 ---
@@ -72,13 +95,12 @@ The resources must be created in Azure regions where Trusted Signing is currentl
 | Region                               | Region Class Fields  | Endpoint URI Value                   |
 | :----------------------------------- | :------------------- |:-------------------------------------|
 | East US                              | EastUS               | `https://eus.codesigning.azure.net`  |
-| West US3<sup>[1](#myfootnote1)</sup> | WestUS3              | `https://wus3.codesigning.azure.net` |
+| West US                              | WestUS               | `https://wus.codesigning.azure.net`  |
 | West Central US                      | WestCentralUS        | `https://wcus.codesigning.azure.net` |
 | West US 2                            | WestUS2              | `https://wus2.codesigning.azure.net` |
 | North Europe                         | NorthEurope          | `https://neu.codesigning.azure.net`  |
 | West Europe                          | WestEurope           | `https://weu.codesigning.azure.net`  |
 
-<a name="myfootnote1">1</a>: WestUS3 coming soon!
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 2. From either the Azure portal menu or the Home page, select **Create a resource**.
@@ -110,42 +132,22 @@ The resources must be created in Azure regions where Trusted Signing is currentl
 | Region                               | Region Class Fields  | Endpoint URI Value                   |
 | :----------------------------------- | :------------------- |:-------------------------------------|
 | East US                              | EastUS               | `https://eus.codesigning.azure.net`  |
-| West US3<sup>[1](#myfootnote1)</sup> | WestUS3             | `https://wus3.codesigning.azure.net` |
+| West US                              | WestUS               | `https://wus.codesigning.azure.net`  |
 | West Central US                      | WestCentralUS        | `https://wcus.codesigning.azure.net` |
 | West US 2                            | WestUS2              | `https://wus2.codesigning.azure.net` |
 | North Europe                         | NorthEurope          | `https://neu.codesigning.azure.net`  |
 | West Europe                          | WestEurope           | `https://weu.codesigning.azure.net`  |
 
-<a name="myfootnote1">1</a>: WestUS3 coming soon!
 
 Complete the following steps to create a Trusted Signing account with Azure CLI:
 
-1. If you're using a local installation, login to Azure CLI using the `az login` command.  
-
-2. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see [Sign in with the Azure CLI](/cli/azure/authenticate-azure-cli).
-
-3. When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the [Azure CLI](/cli/azure/azure-cli-extensions-overview).
-
-4. To see the versions of Azure CLI and dependent libraries that are installed, use the `az version` command.
-•   To upgrade to the latest version, use the following command:
-
-```bash
-az upgrade [--all {false, true}]
-   [--allow-preview {false, true}]
-    [--yes]
-```
-
-5. To set your default subscription ID, use the `az account set -s <subscriptionId>` command.
-
-6. Create a resource group using the following command:
+1. Create a resource group using the following command (Skip this step if you plan to use an existing resource group):
 
 ```
 az group create --name MyResourceGroup --location EastUS
 ```
 
-- To list accounts under the resource group, use the `trustedsigning list -g MyResourceGroup` command.
-
-7. Create a unique Trusted Signing account using the following command. (See the below Certificate Profile naming constraints for naming requirements.)
+2. Create a unique Trusted Signing account using the following command. (See the below Certificate Profile naming constraints for naming requirements.)
 
 ```
 trustedsigning create -n MyAccount -l eastus -g MyResourceGroup --sku Basic
@@ -156,7 +158,10 @@ Or
 ```
 trustedsigning create -n MyAccount -l eastus -g MyResourceGroup --sku Premium
 ```
-8. Verify your Trusted Signing account using the `trustedsigning show -g MyResourceGroup -n MyAccount` command.
+3. Verify your Trusted Signing account using the `trustedsigning show -g MyResourceGroup -n MyAccount` command.
+
+>[!Note]
+>If you are using older version of CLI from Trusted Signing Private Preview, your account is defaulted to Basic SKU. To use Premium either upgrade CLI to latest version or use Azure portal to create account.
 
 **Trusted Signing account naming constraints**:
 
@@ -167,9 +172,13 @@ trustedsigning create -n MyAccount -l eastus -g MyResourceGroup --sku Premium
 
 **Helpful commands**:
 
-- Show help commands and detailed options:  `trustedsigning -h`
-- Show the details of an account: `trustedsigning show -n MyAccount  -g MyResourceGroup`
-- Update tags:  `trustedsigning update -n MyAccount -g MyResourceGroup --tags "key1=value1 key2=value2"`
+| Command                                                                                  | Description                               |  
+|:-----------------------------------------------------------------------------------------|:------------------------------------------|
+| `trustedsigning -h`                                                                      | Show help commands and detailed options   |
+| `trustedsigning show -n MyAccount  -g MyResourceGroup`                                   | Show the details of an account            |
+| `trustedsigning update -n MyAccount -g MyResourceGroup --tags "key1=value1 key2=value2"` | Update tags                               |
+| `trustedsigning list -g MyResourceGroup`                                                 | To list accounts under the resource group |
+
 
 ---
 
@@ -286,9 +295,11 @@ trustedsigning certificate-profile show -g myRG --account-name MyAccount -n  MyP
 
 **Helpful commands**:
 
-- Show help for sample commands and detailed parameter descriptions:   `trustedsigning certificate-profile create -–help`
-- List certificate profile under a Trusted Signing account:  `trustedsigning certificate-profile list -g MyResourceGroup --account-name MyAccount`
-- Get details of a profile:  `trustedsigning certificate-profile show -g MyResourceGroup --account-name MyAccount -n MyProfile`
+| Command                               | Description  | 
+| :----------------------------------- | :------------------- |
+| `trustedsigning certificate-profile create -–help`                            | Show help for sample commands and detailed parameter descriptions              |
+| `trustedsigning certificate-profile list -g MyResourceGroup --account-name MyAccount`                            |List certificate profile under a Trusted Signing account          |
+| `trustedsigning certificate-profile show -g MyResourceGroup --account-name MyAccount -n MyProfile`                            | Get details of a profile              |
 
 ---