Commit 8c66528

adding changes to overview
1 parent 5cec9a4 commit 8c66528

1 file changed

+10
-10
lines changed

articles/trusted-signing/faq.yml

Lines changed: 10 additions & 10 deletions
@@ -36,13 +36,13 @@ sections:
3636
- question: What if I fail identity validation?
3737
answer: |
3838
To identify why the Identity Validation failed:
39-
- We recommend you check if you failed to verify the link within 7 days of receiving the link. This link is sent to the primary email address provided at the time of Identity Validation request creation.
39+
- We recommend you check if you failed to verify the link within seven days of receiving the link. This link is sent to the primary email address provided at the time of Identity Validation request creation.
4040
OR
41-
- If the validation team is unable to make a determination based on the information provided (even after additional documentation is provided), we can't onboard you to Trusted Signing.
41+
- If the validation team is unable to make a determination based on the information provided (even after extra documentation is provided), we can't onboard you to Trusted Signing.
4242
We recommend you delete your Trusted Signing account so you don't get billed for unused resources.
4343
- question: What is the cost of using Trusted Signing?
4444
answer: |
45-
For Public Preview Trusted Signing is free for now. You'll still be prompted to select a Basic or Premium SKU when you create your account.
45+
For Public Preview Trusted Signing is free for now. You are prompted to select a Basic or Premium SKU when you create your account.
4646
- question: What are my support options when onboarding to Trusted Signing?
4747
answer: |
4848
You can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.
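Review bot: dropping "still" on new line 45 ("You are prompted to select a Basic or Premium SKU when you create your account.") loses the contrast with the preceding sentence, which says the Public Preview is free; "You're still prompted to select a Basic or Premium SKU when you create your account." keeps the point that the SKU choice has no billing effect yet, without the future tense the commit is removing elsewhere. New line 39 also still reads oddly: "check if you failed to verify the link within seven days of receiving the link" repeats "the link" and describes the wrong action (the user follows the link to verify the email address, not the link itself); "check whether you used the verification link within seven days of receiving it" is clearer, and the answer should go on to say what a reader who missed that window has to do, since that is the question this FAQ entry exists to answer.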
@@ -53,24 +53,24 @@ sections:
5353
Follow the persistent identity guidance in the [MSIX Persistent Identity](https://learn.microsoft.com/windows/msix/package/persistent-identity) article.
5454
- question: Does deleting the certificate profile revoke the certificates?
5555
answer: |
56-
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile will remain valid - they won't be revoked.
56+
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile remain valid - they aren't revoked.
5757
- question: Does Trusted Signing allow me to use a custom CN?
5858
answer: |
59-
- For CN: Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (e.g. Microsoft Corporation) so there is no flexibility in CN values.
60-
- For O: At this time Trusted Signing does not support customization.
59+
- For CN: Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (for example, Microsoft Corporation) so there is no flexibility in CN values.
60+
- For O: At, this time Trusted Signing does not support customization.
6161
- question: What do I do if the new identity validation button on the Azure portal is greyed out?
6262
answer: |
63-
This means you do not have the Trusted Signing Identity Verifier role assigned to your account. Follow the [Assigning roles in Trusted Signing](https://learn.microsoft.com/azure/trusted-signing/tutorial-assign-roles) documentation to assign yourself the appropriate role.
63+
This means you don't have the Trusted Signing Identity Verifier role assigned to your account. Follow the [Assigning roles in Trusted Signing](https://learn.microsoft.com/azure/trusted-signing/tutorial-assign-roles) documentation and assign yourself the appropriate role.
6464
- name: Signing
6565
questions:
6666
- question: What is Trusted Signing’s HSM compliance level?
6767
answer: |
6868
FIPS 140-2 level 3 (mHSMs)
6969
- question: How to include the appropriate EKU for our certificates into the ELAM driver resources?
7070
answer: |
71-
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix *1.3.6.1.4.1.311.97.*."
71+
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity begins with the prefix *1.3.6.1.4.1.311.97.*."
7272
- See the [PKI Repository](https://www.microsoft.com/pkiops/docs/repository.htm) page for the Microsoft ID Verified Code Signing PCA 2021 cert.
73-
- question: What happens if we run binaries signed with Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
73+
- question: What happens if we execute binaries signed with Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
7474
answer: |
7575
- If an INTEGRITYCHECK flag is set, the user's signature isn't validated at runtime and isn't run with INTEGRITYCHECK.
7676
- To check if Trusted Signing update is installed or not, we recommend that you check against one of your packaged /IntegrityCheck-linked DLLs. A dummy one works, too. That way you can complete your check independently of the platform and the availability of our IntegrityCheck-linked binaries.
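Review bot: new line 60 introduces a typo: "At, this time Trusted Signing does not support customization." has a stray comma after "At". It should read "At this time, Trusted Signing doesn't support customization." (the contraction also matches the style applied to the other changed lines in this hunk, for example "you don't have" on new line 63). The "run" to "execute" change on line 73 is fine, but the answer it belongs to, unchanged on lines 75-76, is still hard to parse ("the user's signature isn't validated at runtime and isn't run with INTEGRITYCHECK"); since this hunk already touches the question, the answer should be reworded at the same time to say which component skips signature validation on a machine without the update and what the user observes when the binary is loaded.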
@@ -79,7 +79,7 @@ sections:
7979
We're not extending any cross-signed certificates. , you must sign with the Trusted Signing service.
8080
- question: How is Trusted Signing different than the signing customers do with Partner Center?
8181
answer: |
82-
Signing with the Partner Center is Kernel mode signing (no change here with the introduction of Trusted Signing). You'll need to sign your user mode binaries with Trusted Signing. For your apps that interact with the Windows Security Center (WSC) service, you must include the Code Integrity bit (/INTEGRITYCHECK). Without the Trusted Signing signature, you aren't able to register with the WSC, and Windows Defender will run in parallel.
82+
Signing with the Partner Center is Kernel mode signing (no change here with the introduction of Trusted Signing). You need to sign your user mode binaries with Trusted Signing. For your apps that interact with the Windows Security Center (WSC) service, you must include the Code Integrity bit (/INTEGRITYCHECK). Without the Trusted Signing signature, you aren't able to register with the WSC, and Windows Defender will run in parallel.
8383
- question: How do we get the Authenticode certificate?
8484
answer: |
8585
The Authenticode certificate used for signing with the profile is never given to you. All certificates are securely stored within the service and are only accessible at the time of signing. The public certificate is always included in any signed binary by the service.
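Review bot: the unchanged context line 79 has a dangling comma ("We're not extending any cross-signed certificates. , you must sign with the Trusted Signing service."); a word or phrase before ", you must" was lost in an earlier edit, and since this hunk already edits the surrounding answers it should be repaired here rather than shipped again. Also, new line 82 replaces "You'll need to sign" with "You need to sign" but leaves "Windows Defender will run in parallel" at the end of the same answer; for consistency with the tense changes made throughout this commit that should be "Windows Defender runs in parallel".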
