articles/trusted-signing/faq.yml
Lines changed: 11 additions & 19 deletions
@@ -21,18 +21,7 @@ sections:
21
21
answer: |
22
22
Refer to the [Trusted Signing Program Windows Support](https://support.microsoft.com/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4) page for details about Windows support for Trusted Signing.
23
23
The service is supported on all currently supported versions of:
24
-
* Windows 11 (Supported out of the box)
25
-
* Windows 10 - RS5 (Windows 10, Version 1809/ October 2018 Update) or newer
26
-
* Windows Server 2019, Windows Server 2016
27
-
Files signed by Trusted Signing’s Public Trust certificates are trusted on:
28
-
* Windows Server 2012 R2 (Command line only)
29
-
* Windows 8.1
30
-
* Windows 7 SP1 ESU - Must install May 2021 update rolls up
31
-
* Windows 10 1507
32
-
Not Supported
33
-
* Windows 7 SP1 non-ESU (Not supported by Microsoft)
34
-
* Windows OS version that were already end of life
35
-
24
+
36
25
General User Mode Code Integrity (UMCI) support for Trusted Signing:
37
26
* Signed binaries was added in the July 2021 Certificate Trust List (CTL) update delivered by Windows. In standard scenarios, upon first sight of an end-entity cert from a chain on the machine, the system pulls down the root CA cert into the trust root store on a system.
38
27
- question: How do I grant API access in Microsoft Entra ID to Trusted Signing?
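Review bot: deleting the whole support matrix leaves the unchanged sentence "The service is supported on all currently supported versions of:" ending in a colon that now introduces nothing; the Windows 11 / Windows 10 RS5 / Server 2019 / 2016 list it pointed at is gone. Either drop that sentence and rely on the KB link in the line above it, or turn it into a complete sentence, for example "The service is supported on all currently supported versions of Windows; see the Windows support page linked above for the full list." The "Not Supported" items (Windows 7 SP1 non-ESU, end-of-life versions) were also removed without a replacement, so readers on those versions get no answer any more; if the intent is to make the KB the single source, say so explicitly. With the list gone, the next bullet "* Signed binaries was added in the July 2021 Certificate Trust List (CTL) update" reads as a stray continuation and has a number-agreement error ("support ... was added").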
@@ -52,28 +41,28 @@ sections:
52
41
For Public Preview Trusted Signing is free for now. You'll still be prompted to select a Basic or Premium SKU when you create your account.
53
42
- question: What are my support options when onboarding to Trusted Signing?
54
43
answer: |
55
-
If you're a managed customer on Azure, and have a support plan you can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.
44
+
You can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.
56
45
- name: Certificate Profiles and Identity Validation
57
46
questions:
58
47
- question: What if my Trusted Signing subject name is different than my old cert and my MSIX's package name is now different?
59
48
answer: |
60
49
Follow the persistent identity guidance in the [MSIX Persistent Identity](https://learn.microsoft.com/windows/msix/package/persistent-identity) article.
61
50
- question: Does deleting the certificate profile revoke the certificates?
62
51
answer: |
63
-
No. If you delete the certificate profile, any certificates that were previously issued or used under that profile will remain - they won't be revoked.
52
+
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile will remain valid - they won't be revoked.
64
53
- question: Does Trusted Signing allow me to use a custom CN?
65
54
answer: |
66
-
Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (e.g. Microsoft Corporation) so there isn't much flexibility in CN values. However, a `O` value allows for verified legal names, trade names, and DBAs (doing business as). For individuals, there are already requirements for verification of individuals in the baseline requirements that we meet.
55
+
Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (e.g. Microsoft Corporation) so there isn't much flexibility in CN values.
67
56
- name: Signing
68
57
questions:
69
-
- question: What is Trusted Signing’s compliance level?
58
+
- question: What is Trusted Signing’s HSM compliance level?
70
59
answer: |
71
60
FIPS 140-2 level 3 (mHSMs)
72
61
- question: How to include the appropriate EKU for our certificates into the ELAM driver resources?
73
62
answer: |
74
63
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix *1.3.6.1.4.1.311.97.*."
75
64
- See the [PKI Repository](https://www.microsoft.com/pkiops/docs/repository.htm) page for the Microsoft ID Verified Code Signing PCA 2021 cert.
76
-
- question: What happens if we run Trusted Signing binaries on a signed on machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
65
+
- question: What happens if we run binaries signed with Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
77
66
answer: |
78
67
- If an INTEGRITYCHECK flag is set, the user's signature isn't validated at runtime and isn't run with INTEGRITYCHECK.
79
68
- To check if Trusted Signing update is installed or not, we recommend that you check against one of your packaged /IntegrityCheck-linked DLLs. A dummy one works, too. That way you can complete your check independently of the platform and the availability of our IntegrityCheck-linked binaries.
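Review bot: in the support-options answer, removing "If you're a managed customer on Azure, and have a support plan" leaves "Otherwise, we recommend you go to Microsoft Q&A or StackOverflow" with no condition for "Otherwise" to refer to; either keep a condition on the first sentence or change "Otherwise" to "Alternatively". The custom-CN answer drops the sentence explaining that the `O` value can carry verified trade names and DBAs, which was the only practical guidance for someone asking this question because they want a name other than the legal entity name; if that guidance is still accurate it should stay, and if it is not, the answer should state what the `O` field can contain instead of just saying there is little flexibility. The remaining rewordings in this hunk (HSM compliance level, "remain valid", "binaries signed with Trusted Signing") are improvements.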
@@ -124,7 +113,10 @@ sections:
124
113
- After creating the Client ID and Secret, navigate to the Resource Group (or Subscription) that has the Trusted Signing Certificate Profile Signer role and add this App to the role.
125
114
- question: What if my Trusted Signing account is suspended?
126
115
answer: |
127
-
We suspend accounts and or revoke signing certificates if the certificate is found to be misused or abused per our service's Terms of Use. We engage with you directly in such cases following the Code Signing Baseline Requirements (CSBRs) guidelines.
128
-
116
+
Trusted Signign will suspend accounts and or revoke signing certificates if the certificate is found to be misused or abused per our service's Terms of Use. We engage with you directly in such cases following the Code Signing Baseline Requirements (CSBRs) guidelines.
117
+
- question: What if I get Azure.Identity.CredentialUnavailableException?
118
+
answer: |
119
+
You should expect to see this error on environments outside of Azure [see here](https://github.com/Azure/azure-sdk-for-net/issues/29471). Recommendation is to "exclude ManagedIdentity" if you are outside of Azure.
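Review bot: the rewritten suspension answer introduces a typo, "Trusted Signign will suspend accounts and or revoke", which should read "Trusted Signing will suspend accounts and/or revoke". In the new CredentialUnavailableException entry, "exclude ManagedIdentity" is presented in quotes as if it were an option name but is not one; name the exact setting the reader should change and where it is configured (the credential options used by the signing tool), and give the "see here" link descriptive text such as the GitHub issue title, since that issue is the only justification offered for the recommendation.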