articles/trusted-signing/faq.yml
Lines changed: 26 additions & 27 deletions
@@ -23,8 +23,7 @@ sections:
23
23
The service is supported on all currently supported versions of:
24
24
25
25
General User Mode Code Integrity (UMCI) support for Trusted Signing:
26
-
* Signed binaries was added in the July 2021 Certificate Trust List (CTL) update delivered by Windows. In standard scenarios, upon first sight of an end-entity cert from a chain on the machine, the system pulls down the root CA cert into the trust root store on a system.
27
-
- question: How do I grant API access in Microsoft Entra ID to Trusted Signing?
26
+
* Signed binaries was added in the July 2021 Certificate Trust List (CTL) update delivered by Windows. In typical scenarios, when an end-entity certificate from a chain is encountered on a machine, the system retrieves the root CA certificate and adds it to the trust root store.
28
27
answer: |
29
28
Ask your tenant admin to provide you with an approval. For more information about permissions, see:
30
29
*[Overview of consent and permissions](https://learn.microsoft.com/entra/identity/enterprise-apps/user-admin-consent-overview)
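Review bot: the `- question: How do I grant API access in Microsoft Entra ID to Trusted Signing?` line (old line 27) is deleted, but its `answer: |` block and the consent links below it stay as context, so the section now carries an answer with no question and the YAML list item is malformed; restore the question line (or remove the whole entry, not half of it). The rewritten bullet also keeps "Signed binaries was added"; if the subject is the UMCI support named in the line above, "Support for signed binaries was added ..." reads correctly.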
@@ -42,10 +41,10 @@ sections:
42
41
We recommend you delete your Trusted Signing account so you don't get billed for unused resources.
43
42
- question: What is the cost of using Trusted Signing?
44
43
answer: |
45
-
For Public Preview Trusted Signing is free for now. You are prompted to select a Basic or Premium SKU when you create your account.
44
+
In Public Preview Trusted Signing is free for now. You're prompted to select a Basic or Premium SKU when you create your account.
46
45
- question: What are my support options when onboarding to Trusted Signing?
47
46
answer: |
48
-
You can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.
47
+
You can create a support ticket with the service on the Azure portal and are Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.
49
48
- name: Certificate Profiles and Identity Validation
50
49
questions:
51
50
- question: What if my Trusted Signing subject name is different than my old cert and my MSIX's package name is now different?
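Review bot: new line 47 now reads "create a support ticket with the service on the Azure portal and are Azure customer support", which drops the verb and changes the meaning; suggest "and get assistance from Azure customer support". The "In Public Preview ... free for now" wording at new line 44 is fine as an edit, but "for now" is dated text that will go stale when the preview ends.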
@@ -56,14 +55,14 @@ sections:
56
55
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile remain valid - they aren't revoked.
57
56
- question: Does Trusted Signing allow me to use a custom CN?
58
57
answer: |
59
-
- For CN: Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (for example, Microsoft Corporation) so there is no flexibility in CN values.
60
-
- For O: At, this time Trusted Signing does not support customization.
58
+
- CN: Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (for example, Microsoft Corporation) so there's no flexibility in CN values.
59
+
- O: At, this time the service doesn't support customization.
61
60
- question: What to do if the new identity validation button on the Azure portal is greyed out?
62
61
answer: |
63
62
This means you don't have the Trusted Signing Identity Verifier role assigned to your account. Follow the [Assigning roles in Trusted Signing](https://learn.microsoft.com/azure/trusted-signing/tutorial-assign-roles) documentation and assign yourself the appropriate role.
64
-
- question: Identity validation has expired?
63
+
- question: Identity validation expired?
65
64
answer: |
66
-
Failure to renew Identity Validation before the expiration date will stop certificate renewal, effectively halting the signing process associated with those specific certificate profiles. To continue signing with Trusted Signing service, you need to create another Identity Validation and associate that to the certificate profiles to continue signing.
65
+
Failure to renew Identity Validation before the expiration date stops certificate renewal, effectively halting the signing process associated with those specific certificate profiles. To continue signing with Trusted Signing service, you need to create another Identity Validation and associate that to the certificate profiles to continue signing.
67
66
68
67
- name: Signing
69
68
questions:
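Review bot: the misplaced comma in "At, this time" survives the rewrite of the O: bullet (new line 59); it should read "At this time, the service doesn't support customization." The heading "Identity validation expired?" (new line 63) is still not a question a reader would ask; "What happens if my identity validation expires?" would match the other entries. In the answer that follows, the sentence opens with "To continue signing with Trusted Signing service" and ends with "to continue signing", so one of the two can be dropped.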
@@ -75,7 +74,7 @@ sections:
75
74
FIPS 140-2 level 3 (mHSMs)
76
75
- question: How to include the appropriate EKU for our certificates into the ELAM driver resources?
77
76
answer: |
78
-
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity begins with the prefix *1.3.6.1.4.1.311.97.*."
77
+
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated. We recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity begins with the prefix *1.3.6.1.4.1.311.97.*."
79
78
- See the [PKI Repository](https://www.microsoft.com/pkiops/docs/repository.htm) page for the Microsoft ID Verified Code Signing PCA 2021 cert.
80
79
- question: What happens if we execute binaries signed with Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
81
80
answer: |
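Review bot: splitting the sentence at "...every time the certificate is updated. We recommend..." (new line 77) leaves "To prevent the need to update the ELAM driver every time the certificate is updated." as a fragment and detaches the recommendation from its reason; keep the original comma ("...is updated, we recommend..."). Since the passage is presented as quoted guidance, confirm the quoted source still matches after any wording change. "Trusted Signing signing service" also reads doubled; the rest of the file uses "Trusted Signing service".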
@@ -86,11 +85,11 @@ sections:
86
85
We're not extending any cross-signed certificates. , you must sign with the Trusted Signing service.
87
86
- question: How is Trusted Signing different than the signing customers do with Partner Center?
88
87
answer: |
89
-
Signing with the Partner Center is Kernel mode signing (no change here with the introduction of Trusted Signing). You need to sign your user mode binaries with Trusted Signing. For your apps that interact with the Windows Security Center (WSC) service, you must include the Code Integrity bit (/INTEGRITYCHECK). Without the Trusted Signing signature, you aren't able to register with the WSC, and Windows Defender will run in parallel.
88
+
Signing with the Partner Center is Kernel mode signing (no change here with the introduction of Trusted Signing). You need to sign your user mode binaries with Trusted Signing. For your apps that interact with the Windows Security Center (WSC) service, you must include the Code Integrity bit (/INTEGRITYCHECK). Without the Trusted Signing signature, you aren't able to register with the WSC, and Windows Defender runs in parallel.
90
89
- question: How do we get the Authenticode certificate?
91
90
answer: |
92
91
The Authenticode certificate used for signing with the profile is never given to you. All certificates are securely stored within the service and are only accessible at the time of signing. The public certificate is always included in any signed binary by the service.
93
-
- question: What are the common steps I should complete if I get a SignTool error (for example, unexpected internal error has occurred)?
92
+
- question: What are the common steps I should complete if I get a SignTool error (for example, unexpected internal error occurred)?
94
93
answer: |
95
94
- Confirm the dlib and dll are in the correct path.
96
95
- Confirm the sign tool and dlib are both 64 bit.
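Review bot: the question at new line 92 changes the example error text from "unexpected internal error has occurred" to "unexpected internal error occurred"; if that is the literal SignTool message users search for, it should stay verbatim (and ideally be quoted) rather than be edited for tense. The untouched context line "We're not extending any cross-signed certificates. , you must sign with the Trusted Signing service." (new line 85) has an orphaned comma from a dropped lead-in word; worth fixing in the same pass.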
@@ -102,14 +101,14 @@ sections:
102
101
Run the following command `curl http://timestamp.acs.microsoft.com`. If the StatusCode 200 is returned, it means the timestamper service is healthy and running.
103
102
- question: I’m getting errors when doing Private Trust signing. What should I do?
104
103
answer: |
105
-
If you get an internal error, check that the CN name you used matches with the cert name. The package name is checked so ensure to copy the entire Subject name that appears in the Azure portal to the manifest file when signing is submitted.
104
+
If you get an internal error, check that the CN name you used matches with the cert name. Verify the package name and copy the complete Subject name from the Azure portal to the manifest file during signing.
106
105
- question: I'm getting command succeeded for SignTool, but the file doesn't appear to be signed when I check the digital signature. What should I do?
107
106
answer: |
108
107
If the signature doesn't appear in the digital signature property, run this command: `.\signtool.exe verify /v /debug /pa fileName`. Not all file types have the signature tab in properties.
109
108
- question: How do I fix pop-up credentials in the Azure VM when running the SignTool + Dlib command?
110
109
answer: |
111
110
- [Create a user-assigned managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
112
-
- Then add the user-assigned managed identity to the VM by selecting the VM, going to "Identity" in the left navigation bar, clicking "User assigned" and the "Add" button to add the managed identity.
111
+
- Then add the user-assigned managed identity to the VM by selecting the VM, going to "Identity" in the left navigation bar, clicking "User assigned" and the "Add" button adds the managed identity.
113
112
- Finally, in the Resource Group (or Subscription) that has the role Trusted Signing Certificate Profile Signer, add the user-assigned managed identity to the role. Go to "Access control (IAM)" and "Role assignments" to assign the correct role.
114
113
- question: How do I fix pop-up credentials when using GCP?
115
114
answer: |
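Review bot: the rewrite at new line 111 no longer parses: "by selecting the VM, going to "Identity" in the left navigation bar, clicking "User assigned" and the "Add" button adds the managed identity" turns the last step into a clause with no subject. Keep the original "and the "Add" button to add the managed identity", or split the steps into a list. At new line 104, replacing "The package name is checked so ensure to copy the entire Subject name" with "Verify the package name and copy the complete Subject name" loses the point that the service checks the package name against the certificate subject, which is why the whole Subject name must be copied; suggest "The package name is checked against the certificate subject, so copy the entire Subject name ...".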
@@ -125,42 +124,42 @@ sections:
125
124
Trusted Signing will suspend accounts and or revoke signing certificates if the certificate is found to be misused or abused per our service's Terms of Use. We engage with you directly in such cases following the Code Signing Baseline Requirements (CSBRs) guidelines.
126
125
- question: What if I change the Subscription ID or Tenant ID?
127
126
answer: |
128
-
At the moment, Trusted Signing resources can't be migrated across Subscriptions or Tenants. Hence, any change to Tenant ID or Subscription ID will need fro you to create all the Trusted Signing resources again.
127
+
At the moment, Trusted Signing resources can't be migrated across Subscriptions or Tenants. Hence, any change to Tenant ID or Subscription ID need for you to create all the Trusted Signing resources again.
129
128
- question: Does Trusted Signing issue EV certificates?
130
129
answer: |
131
-
No, Trusted Signing does not issue EV certificates and there are no plans to issue these in the future.
130
+
No, Trusted Signing doesn't issue EV certificates and there are no plans to issue in the future.
132
131
- question: Does Trusted Signing issue EV certificates?
133
132
answer: |
134
-
No, Trusted Signing does not issue EV certificates and there are no plans to issue these in the future.
135
-
- question: Why does sign tool keep looping while signing MSIX packages
133
+
No, Trusted Signing doesn't issue EV certificates and there are no plans to issue in the future.
134
+
- question: Why does sign tool keep looping while signing MSIX packages?
136
135
answer: |
137
136
Looping multi times is expected behavior for MSIX signing, since MSIX signing signs each appx and manifest inside the package.
138
-
- question: Errors and the correspinding details to fix the issue
137
+
- question: Errors and the corresponding details to fix the issue.
139
138
answer: |
140
139
| Error | Details |
141
140
| :------------------- | :------------------- |
142
141
| 400 | This is an Azure authentication error. This error is due to caching of certificates. Add "ExcludeCredentials": ["SharedTokenCacheCredential"] to your JSON. To learn more, go to DefaultAzureCredential Class (Azure.Identity) |
143
-
| 401 | You are not authenticated. Try logging out and loggin back in. |
142
+
| 401 | You aren't authenticated. Try logging out and loggin back in. |
144
143
| 403 | 1. Check Trusted Signing role.
145
144
2. Check Trusted Signing account name and Trusted Signing Certificate profile name n your metadata.json.
146
145
3. Check dlib and dlib path
147
146
4. Install C++ Redistributables: Download link: https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
148
147
5. Check .Net version, dlib version and Windows SDK
149
148
6. Check if Trusted Signing role is assigned to the identity trying to sign the file.
150
149
7. Check if the corresponding Identity Validation is in "Completed" state.
151
-
8. Verify if you access the Trusted Signing endpoint from this VM or machine?Try executing this on a differet VM or machine, could be a potential network issue.
152
-
9. For Private Trust scenarios 403: The user object Id to do the signing is different than the user object Id to call the Get-azCodeSigningRootCert. The appropriate objectId needs to have the role “Code Signing Certificate Profile Signer”. |
150
+
8. Verify if you access the Trusted Signing endpoint from this VM or machine?Try executing the action on a differet VM or machine. It can be a potential network issue.
151
+
9. For Private Trust scenarios 403: The user object Id to do the signing is different than the user object Id to call the Get-azCodeSigningRootCert. The appropriate objectId needs to have the role “Trusted Signing Certificate Profile Signer”. |
153
152
| 404 | Ensure no changes happened with respect your config or firewalls rules. |
154
-
| MsalUiRequiredException" | This usually occurs due to the local cache, the error resolves after the cache gets refreshed from Azure. |
153
+
| MsalUiRequiredException" | This usually occurs due to the local cache. The error resolves after the cache gets refreshed from Azure. |
155
154
| No certificates were found that met all the given criteria. | Check dlib path, dlib version, dlib name, filename, check sign tool version. This error means it is trying to pull certificates from your local machine and not using Trusted Signing certificates. |
156
-
| Error: SignerSign() failed." (-2147024846/0x80070032) | Ensure you are using the latest signtool version. |
157
-
| Error code (-2147024885/0x8007000b) | For MSIX signing, indicates that the publisher in the manifest doesn't match the cert subject. Can you please check the publisher in the manifest file? |
158
-
| No error codes, Signtool silently fails | Ensure the relevant .NET runtime is instaled. |
159
-
| Azure.Identity.CredentialUnavailableException | You should expect to see this error on environments outside of Azure see here. Recommendation is to "exclude ManagedIdentity" if you're outside of Azure.|
155
+
| Error: SignerSign() failed." (-2147024846/0x80070032) | Ensure you're using the latest signtool version. |
156
+
| Error code (-2147024885/0x8007000b) | For MSIX signing, indicates that the publisher in the manifest doesn't match the cert subject. Can you check the publisher in the manifest file? |
157
+
| No error codes, Signtool silently fails | Ensure the relevant .NET runtime is installed. |
158
+
| Azure.Identity.CredentialUnavailableException | You should expect to see the error on environments outside of Azure [see here](https://github.com/Azure/azure-sdk-for-net/issues/29471). Recommendation is to "exclude ManagedIdentity" if you're outside of Azure.|
160
159
- name: Unenroll from the Service
161
160
questions:
162
161
- question: How do you unenroll from Trusted Signing Service?
163
162
answer: |
164
-
To unenroll from Trusted Signing delete Trusted Signing account. This also deletes the associated Identity validation and Certificate profiles. This will stop certificate renewal, effectively halting the signing process associated with those specific certificate profiles. However, does not affect the certificates that were already used to sign your files.
163
+
Unenroll from Trusted Signing delete Trusted Signing account. The account deletion also deletes the associated Identity validation and Certificate profiles. This stops certificate renewal, effectively halting the signing process associated with those specific certificate profiles. However, doesn't affect the certificates that were already used to sign your files.
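Review bot: the "Does Trusted Signing issue EV certificates?" entry appears twice (new lines 128 and 131) and this hunk rewrites both answers (new lines 130 and 133) instead of dropping the duplicate; remove one entry. The unenroll answer (new line 163) is broken by the edit: "Unenroll from Trusted Signing delete Trusted Signing account." lost its leading "To", and "However, doesn't affect the certificates" has no subject; suggest "To unenroll from Trusted Signing, delete the Trusted Signing account. ... However, deletion doesn't affect the certificates that were already used to sign your files." New line 127 still reads "any change to Tenant ID or Subscription ID need for you to create" (use "requires you to create"), and new line 130 "no plans to issue in the future" dropped its object ("to issue them"). Typos carried through the table unchanged: "loggin back in" (142), "n your metadata.json" (144), "differet" and the missing space in "machine?Try" (150), plus the stray closing quotes in `MsalUiRequiredException"` (153) and `SignerSign() failed."` (155). The 403 cell spans new lines 143 to 151, which a Markdown table cannot render; use `<br>` separators or move the checklist out of the table.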