articles/trusted-signing/faq.yml
Lines changed: 12 additions & 11 deletions
@@ -2,7 +2,7 @@
2
2
3
3
metadata:
4
4
title: Trusted Signing FAQ
5
-
description: Get answers to frequently asked questions for Trusted Signing.
5
+
description: Get answers to frequently asked questions about Trusted Signing.
6
6
author: microsoftshawarma
7
7
ms.author: rakiasegev
8
8
ms.service: trusted-signing
@@ -27,6 +27,7 @@ sections:
27
27
- question: How do I grant API access to Trusted Signing in Microsoft Entra ID?
28
28
answer: |
29
29
Ask your tenant admin to provide you with an approval. For more information about permissions, see these articles:
30
+
30
31
- [Overview of consent and permissions](https://learn.microsoft.com/entra/identity/enterprise-apps/user-admin-consent-overview)
31
32
- [Configure the admin consent workflow](https://learn.microsoft.com/entra/identity/enterprise-apps/configure-admin-consent-workflow)
32
33
- [Review permissions granted to applications](https://learn.microsoft.com/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal)
@@ -38,8 +39,8 @@ sections:
38
39
39
40
- question: What if I fail identity validation?
40
41
answer: |
41
-
- Organizations with a yearfounded date, less than 3 years cannot be onboarded at the moment and will fail Identity Validation.
42
-
- For Organizations, with year founded date more than 3 years: Ensure you did not miss an email verification link sent to the primary email address shared during Identity Validation request creation. The link expires in 7 days, so you need to create a new Identity Validation request.
42
+
- Organizations with a year-founded date of less than three years can't be onboarded at the this time. Identity validation fails.
43
+
- If your organization has a year-founded date of more than three years: Ensure thaht you didn't miss an email verification link that was sent to the primary email address that you shared when you created your identity validation request. The link expires after 7 days. If you missed the email or didn't select the link in the email within 7 days, create a new identity validation request.
43
44
- If the failure is not to due to missed email verification; then the Microsoft validation team wasn't able to make a determination about your request based on the information that you provided (even after you provided more documentation when we request it), we can't onboard you to Trusted Signing. In this scenario, we recommend that you delete your Trusted Signing account so that you aren't billed for unused resources.
44
45
- question: What if I need assistance with Identity Validation?
45
46
answer: |
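Review bot: both added bullets in this hunk introduce typos that the old text did not have. The first reads "can't be onboarded at the this time" (duplicated "the"); suggest "can't be onboarded at this time". The second reads "Ensure thaht you didn't miss"; suggest "Ensure that you didn't miss". Splitting "Identity validation fails." into a standalone sentence also drops the causal link the original kept; "can't be onboarded at this time and will fail identity validation" preserves it.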
@@ -82,7 +83,7 @@ sections:
82
83
FIPS 140-2 Level 3 (mHSMs).
83
84
- question: How do I include the appropriate EKU for our certificates in the ELAM driver resources?
84
85
answer: |
85
-
- For information about Early Launch Antimalware (ELAM) driver configuration for protecting anti-malware user-mode services, see the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix *1.3.6.1.4.1.311.97.*".
86
+
- For information about Early Launch Antimalware (ELAM) driver configuration for protecting anti-malware user-mode services, see the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix `1.3.6.1.4.1.311.97.*".
86
87
- See the [Microsoft PKI Services repository](https://www.microsoft.com/pkiops/docs/repository.htm) for the Microsoft ID Verified Code Signing PCA 2021 certificate.
87
88
- question: What happens if we run binaries that are signed by using Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are flagged for /INTEGRITYCHECK)?
88
89
answer: |
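Review bot: the only change in this hunk swaps the italic markers around the EKU prefix for inline code, but the closing backtick is missing: `1.3.6.1.4.1.311.97.*" opens a code span that is never closed, so the renderer will treat the rest of the paragraph as code and the closing quotation mark will land inside it. Suggest `1.3.6.1.4.1.311.97.*` followed by the closing quotation mark, which also keeps the trailing asterisk readable as the wildcard suffix rather than a stray emphasis marker.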
@@ -100,10 +101,10 @@ sections:
100
101
- question: What are the common steps I should complete if I get a SignTool error (for example, an unexpected internal error occurs)?
101
102
answer: |
102
103
1. Confirm that the dlib and DLL files are in the correct path.
103
-
2. Confirm that the version of SignTool that's installed and the dlib are both 64-bit.
104
-
3. Download and install [C++ Redistributables](https://docs.microsoft.com/cpp/windows/latest-supported-vc-redist?view=msvc-170).
105
-
4. Search for the specific issue on Bing or review the [SignTool overview](https://docs.microsoft.com/windows/win32/seccrypto/signtool).
106
-
5. We recommend that you use [a specific version of SignTool](https://developer.microsoft.com/windows/downloads/windows-sdk/) instead of getting it directly from NuGet. In an earlier article, we tested the SignTool version and confirmed that it works with our dlib (version 10.0.22621 currently is recommended).
104
+
1. Confirm that the version of SignTool that's installed and the dlib are both 64-bit.
105
+
1. Download and install [C++ Redistributables](https://docs.microsoft.com/cpp/windows/latest-supported-vc-redist?view=msvc-170).
106
+
1. Search for the specific issue on Bing or review the [SignTool overview](https://docs.microsoft.com/windows/win32/seccrypto/signtool).
107
+
1. We recommend that you use [a specific version of SignTool](https://developer.microsoft.com/windows/downloads/windows-sdk/) instead of getting it directly from NuGet. In an earlier article, we tested the SignTool version and confirmed that it works with our dlib (version 10.0.22621 currently is recommended).
107
108
- question: How do I check whether the time stamp service is healthy?
108
109
answer: |
109
110
Run the following command: `curl http://timestamp.acs.microsoft.com`. If status code 200 is returned, the time stamp service is healthy and running.
@@ -118,8 +119,8 @@ sections:
118
119
1. Create a [user-assigned managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
119
120
1. Add the user-assigned managed identity to the virtual machine (VM):
120
121
1. Select the VM.
121
-
1. On the resource menu, select **Identity**, and then select **User assigned**.
122
-
1. On the command bar, select **Add** to add the managed identity.
122
+
1. On the left menu, select **Identity**, and then select **User assigned**.
123
+
1. Select **Add** to add the managed identity.
123
124
1. In the resource group (or subscription) that has the Trusted Signing Certificate Profile Signer role, add the user-assigned managed identity to the role. To assign the correct role, go to **Access control (IAM)** > **Role assignments**.
124
125
- question: How do I fix pop-up credentials when I use Google Cloud Platform?
125
126
answer: |
@@ -156,7 +157,7 @@ sections:
156
157
| No error codes, SignTool silently fails | Ensure that the relevant .NET runtime version is installed. |
157
158
| Azure.Identity.CredentialUnavailableException | You might see this error in [environments outside Azure](https://github.com/Azure/azure-sdk-for-net/issues/29471). If you are working outside of Azure, we recommend that you add "exclude ManagedIdentity". |
158
159
| 403 | - Check Trusted Signing role. <br> - Check Trusted Signing account name and Trusted Signing Certificate profile name in your metadata.json. <br> - Check dlib and dlib path. <br> - Install C++ Redistributables: Download link: https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170. <br> - Check .NET version, dlib version, and Windows SDK version. <br> - Check if Trusted Signing role is assigned to the identity trying to sign the file. <br> - Check if the corresponding Identity Validation is in "Completed" state.<br> - Verify if you access the Trusted Signing endpoint from this VM or machine?Try executing the action on a different VM or machine. It can be a potential network issue. <br> - For Private Trust scenarios 403: The user object ID to do the signing is different than the user object ID to call the Get-azCodeSigningRootCert. The appropriate object ID needs to have the role “Trusted Signing Certificate Profile Signer."|
159
-
- name: Cost Management and Billing
160
+
- name: Cost management and billing
160
161
questions:
161
162
- question: How do I view usage costs and billing information for Trusted Signing resources?