You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Required. Set expectations for what the content covers, so customers know the
27
+
content meets their needs. Should NOT begin with a verb.
28
+
29
+
-->
30
+
31
+
# Trusted Signing Resources and Roles
32
+
33
+
<!-- 2. Introductory paragraph
34
+
Required. Lead with a light intro that describes what the article covers. Answer the
35
+
fundamental “why would I want to know this?” question. Keep it short.
36
+
37
+
-->
38
+
39
+
Azure Code Signing is an Azure native resource with full support for common Azure concepts such as resources. As with any other Azure Resource, Azure Code signing also has its own set of resources and roles. Let’s introduce you to resources and roles specific to Azure Code Signing:
40
+
41
+
<!-- 3. H2s
42
+
Required. Give each H2 a heading that sets expectations for the content that follows.
43
+
Follow the H2 headings with a sentence about how the section contributes to the whole.
44
+
45
+
-->
46
+
47
+
## Resource Types
48
+
Trusted Signing has the following resource types:
49
+
50
+
* Code Signing Account – Logical container holding certificate profiles and considered the Trusted Signing resource.
51
+
* Certificate Profile – Template with the information that is used in the issued certificates, and a subresource to a Code Signing Account resource.
52
+
53
+
54
+
In the below example structure, you notice that an Azure Subscription has a resource group and under that resource group you can have one or many Code Signing Account resources with one or many Certificate Profiles. This ability to have multiple Code Signing Accounts and Certificate Profiles is useful as the service supports Public Trust, Private Trust, VBS Enclave, and Test signing.
55
+
56
+
title: Trusted Signing FAQs #Required; The page title is displayed in search results. Include "FAQ" or "Frequently asked questions".
4
+
description: Get answers to frequently asked questions (FAQs) for Trusted. #Required; Article description that's displayed in search results. Use 100 to 160 characters. Include "FAQ" or "Frequently asked questions".
5
+
author: microsoftshawarma #Required; your GitHub user alias, with correct capitalization.
6
+
ms.author: rakiasegev #Required; microsoft alias of author; optional team alias.
7
+
ms.service: azure-code-signing #Required; service per approved list. slug assigned by ACOM.
8
+
ms.topic: faq #Required
9
+
ms.date: 03/18/2024 #Required; mm/dd/yyyy format.
10
+
title: Trusted Signing FAQs #Required. This appears as the headline in the article as displayed.
11
+
summary: |
12
+
This page lists common questions and answers related to Trusted Signing.
13
+
14
+
# Remember that indentation is significant in YAML files.
15
+
# If there is any disallowed spacing, the build will fail.
16
+
17
+
sections:
18
+
- name: Onboarding
19
+
questions:
20
+
- question: What Windows versions does Trusted Signing support? # Question.
21
+
answer: |
22
+
Refer to the [Trusted Signing Program Windows Support](https://support.microsoft.com/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4) page for details about Windows support for Trusted Signing.
23
+
The service is supported on all currently supported versions of:
24
+
* Windows 11 (Supported out of the box)
25
+
* Windows 10 - RS5 (Windows 10, Version 1809/ October 2018 Update) or newer
26
+
* Windows Server 2019, Windows Server 2016
27
+
Files signed by Trusted Signing’s Public Trust certificates are trusted on:
28
+
* Windows Server 2012 R2 (Command line only)
29
+
* Windows 8.1
30
+
* Windows 7 SP1 ESU - Must install May 2021 update rolls up
31
+
* Windows 10 1507
32
+
Not Supported
33
+
* Windows 7 SP1 non-ESU (Not supported by Microsoft)
34
+
* Windows OS version that were already end of life
35
+
36
+
General User Mode Code Integrity (UMCI) support for Trusted Signing:
37
+
* Signed binaries was added in the July 2021 Certificate Trust List (CTL) update delivered by Windows. In standard scenarios, upon first sight of an end-entity cert from a chain on the machine, the system pulls down the root CA cert into the trust root store on a system.
38
+
- question: How do I grant API access in Microsoft Entra ID to Trusted Signing?
39
+
answer: |
40
+
Ask your tenant admin to provide you with an approval. For more information about permissions, see:
41
+
*[Overview of consent and permissions](https://learn.microsoft.com/entra/identity/enterprise-apps/user-admin-consent-overview)
42
+
*[Configure the admin consent workflow](https://learn.microsoft.com/entra/identity/enterprise-apps/configure-admin-consent-workflow)
43
+
*[Review permissions granted to applications](https://learn.microsoft.com/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal.
44
+
- question: What if I don’t see Microsoft.CodeSigning in my resource provider?
45
+
answer: |
46
+
Register the Microsoft.CodeSigning app in the subscription resource provider page using the below screenshot as a guide: :::image type="content" source="media/trusted-signing-resource-provider.png" alt-text="Screenshot of registering Microsoft.CodeSigning resource provider." lightbox="media/trusted-signing-resource-provider.png":::
47
+
- question: What if I fail identity validation?
48
+
answer: |
49
+
If more documentation is required for identity validation, you're asked to provide those documents on the Azure portal. Otherwise, we recommend checking for an email sent to the listed address for email validation. However, if your organization fails identity validation we can't onboard you to Trusted Signing. We recommend you delete your Trusted Signing account so you don't get billed for unused resources.
50
+
- name: Certificate Profiles
51
+
questions:
52
+
- question: What if my Trusted Signing subject name is different than my old cert and my MSIX's package name is now different?
53
+
answer: |
54
+
Follow the persistent identity guidance in the [MSIX Persistent Identity](https://learn.microsoft.com/windows/msix/package/persistent-identity) article.
55
+
- question: Does deleting the certificate profile revoke the certificates?
56
+
answer: |
57
+
No. If you delete the certificate profile, any certificates that were previously issued or used under that profile will remain - they won't be revoked.
58
+
- question: Does Trusted Signing allow me to use a custom CN?
59
+
answer: |
60
+
Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (e.g. Microsoft Corporation) so there isn't much flexibility in CN values. However, a `O` value allows for verified legal names, trade names, and DBAs (doing business as). For individuals, there are already requirements for verification of individuals in the baseline requirements that we meet.
61
+
- name: Signing
62
+
questions:
63
+
- question: What is Trusted Signing’s compliance level?
64
+
answer: |
65
+
FIPS 140-2 level 3 (mHSMs)
66
+
- question: How to include the appropriate EKU for our certificates into the ELAM driver resources?
67
+
answer: |
68
+
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Azure Code Sign signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Azure Code Sign PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix *1.3.6.1.4.1.311.97.*."
69
+
- See the [PKI Repository](https://www.microsoft.com/pkiops/docs/repository.htm) page for the Microsoft ID Verified Code Signing PCA 2021 cert.
70
+
- question: What happens if we run Trusted Signing binaries on a signed on machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
71
+
answer: |
72
+
- If an INTEGRITYCHECK flag is set, the user's signature isn't validated at runtime and isn't run with INTEGRITYCHECK.
73
+
- To check if Trusted Signing update is installed or not, we recommend that you check against one of your packaged /IntegrityCheck-linked DLLs. A dummy one works, too. That way you can complete your check independently of the platform and the availability of our IntegrityCheck-linked binaries.
74
+
- question: My Sectigo cert is expiring, can I get a new one or do I have to use Trusted Signing?
75
+
answer: |
76
+
We're not extending any cross-signed certificates. , you must sign with the Trusted Signing service.
77
+
- question: How is Trusted Signing different than the signing customers do with Partner Center?
78
+
answer: |
79
+
Signing with the Partner Center is Kernel mode signing (no change here with the introduction of Trusted Signing). You'll need to sign your user mode binaries with Trusted Signing. For your apps that interact with the Windows Security Center (WSC) service, you must include the Code Integrity bit (/INTEGRITYCHECK). Without the Trusted Signing signature, you aren't able to register with the WSC, and Windows Defender will run in parallel.
80
+
- question: How do we get the Authenticode certificate?
81
+
answer: |
82
+
The Authenticode certificate used for signing with the profile is never given to you. All certificates are securely stored within the service and are only accessible at the time of signing. The public certificate is always included in any signed binary by the service.
83
+
- question: What are the common steps I should complete if I get a SignTool error (for example, unexpected internal error has occurred)?
84
+
answer: |
85
+
- Confirm the dlib and dll are in the correct path.
86
+
- Confirm the sign tool and dlib are both 64 bit.
87
+
- [Download](https://docs.microsoft.com/cpp/windows/latest-supported-vc-redist?view=msvc-170) and install C++ Redistributables.
88
+
- Search the specific issue on Bing or review the [SignTool overview](https://docs.microsoft.com/windows/win32/seccrypto/signtool) article.
89
+
- We recommend using this version of the [SignTool](https://developer.microsoft.com/windows/downloads/windows-sdk/) as opposed to directly from NuGet. We used the previous article to test if it works with our dlib (version 10.0.22621 recommended currently).
90
+
- question: What if I get a 403 Forbidden or an admin approval to access this resource error?
91
+
answer: |
92
+
This error is likely due to the Trusted Signing application not being allowed to run. Confirm that you have the "Trusted Signing Certificate Profile Signer" role: `({assignee} is your email) az role assignment list --assignee {assignee}`
93
+
- question: How do I check if the timestamper service is healthy?
94
+
answer: |
95
+
Run the following command `curl http://timestamp.acs.microsoft.com`. If the StatusCode 200 is returned, it means the timestamper service is healthy and running.
96
+
- question: What if I get a 400 error with `SharedTokenCacheCredential` authentication failed?
97
+
answer: |
98
+
This error is due to caching of certificates. Add `"ExcludeCredentials": ["SharedTokenCacheCredential"]` to your JSON. To learn more, go to [DefaultAzureCredential Class (Azure.Identity)](https://learn.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet)
99
+
- question: I’m getting errors when doing Private Trust signing. What should I do?
100
+
answer: |
101
+
If you get an internal error, check that the CN name you used matches with the cert name. The package name is checked so ensure to copy the entire Subject name that appears in the Azure portal to the manifest file when signing is submitted.
102
+
- question: I'm getting command succeeded for SignTool, but the file doesn't appear to be signed when I check the digital signature. What should I do?
103
+
answer: |
104
+
If the signature doesn't appear in the digital signature property, run this command: `.\signtool.exe verify /v /debug /pa fileName`. Not all file types have the signature tab in properties.
105
+
- question: How do I fix pop-up credentials in the Azure VM when running the SignTool + Dlib command?
106
+
answer: |
107
+
- [Create a user-assigned managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
108
+
- Then add the user-assigned managed identity to the VM by selecting the VM, going to "Identity" in the left navigation bar, clicking "User assigned" and the "Add" button to add the managed identity.
109
+
- Finally, in the Resource Group (or Subscription) that has the role Trusted Signing Certificate Profile Signer, add the user-assigned managed identity to the role. Go to "Access control (IAM)" and "Role assignments" to assign the correct role.
110
+
- question: How do I fix pop-up credentials when using GCP?
111
+
answer: |
112
+
- Since GCP doesn't have Azure Managed Identity resource by default, an [Environment Credential](https://docs.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) needs to be set up.
113
+
Use the [EnvironmentCredential Class]https://docs.microsoft.com/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet) to set up the credential. The recommendation is:
114
+
```AZURE_TENANT_ID The Microsoft Entra tenant(directory) ID.
115
+
AZURE_CLIENT_ID The client(application) ID of an App Registration in the tenant.
116
+
AZURE_CLIENT_SECRET A client secret that was generated for the App Registration. ````
117
+
- To create a Client ID and Secret follow the guidance on [Creating a Service Principal](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).
118
+
- After creating the Client ID and Secret, navigate to the Resource Group (or Subscription) that has the Trusted Signing Certificate Profile Signer role and add this App to the role.
119
+
- question: What if my Trusted Signing account is suspended?
120
+
answer: |
121
+
We suspend accounts and or revoke signing certificates if the certificate is found to be misused or abused per our service's Terms of Use. We engage with you directly in such cases following the Code Signing Baseline Requirements (CSBRs) guidelines.
0 commit comments