A Step-by-step Guide to Code Signing using Azure Trusted Signing

This blog provides a step-by-step guide to code signing using Azure Trusted Signing.

Many moons ago (14 years and counting) I wrote my first guide to signing drivers on AppDeploy (now ITNinja) and transposed it to my own blog many years later. Back then I devised a way to generate development certificates for self-signing drivers.

But with the emergence of Azure Trusted Signing, I thought I’d knock up another quick step-by-step guide for code signing using production-ready code signing certificates! For a very modest £7.96 per month, it allows up to 5,000 signing requests on the basic tier.  So in theory, I think we could sign (and time stamp!) the code we require, and then cancel our subscription to save some significant wonga on code signing certificates!

I assume that you are familiar with Azure, and already have a subscription and resource group (or can create them if not!). And with that said:

  1. Search for “Trusted Signing Accounts” in the Azure portal.  Click “Create”, give it a name (make a note of this name for later on – I used AlkaneTrustedSigning), set the appropriate subscription, resource group, region and pricing tier relevant to your location and requirements.  Once created, inside this trusted signing account click on the Overview tab (it should be selected by default) and make a note of the Account URI – we will need this later too.  Mine is https://weu.codesigning.azure.net/ because I selected West Europe (weu) during the creation process.
  2. Once created, inside your trusted signing account click “Access Control (IAM)”. Click Add > Role Assignment.  Search for Trusted Signing Identity Verifier, select it and click Next.  Since I am assigning access to myself (so I can code sign using my own Azure account etc.) I leave the assignment type as “User, group or service principal”, click “Select Members” and select my own account. Click Review and Assign.
  3. Repeat step 2, only this time the role to search for is Trusted Signing Certificate Profile Signer. Both of these roles are important otherwise the signing process will fail.
  4. You will then need to go through identity validation so that Microsoft can verify you’re a trusted source. You cannot proceed to the next step until your identity has been verified!  Inside your trusted signing account, under Objects click Identity Validations > New Identity > Public.  Complete the form and submit it to Microsoft.  They may require supporting documentation too, and the time for approval can typically take from an hour up to a few days.  Mine took an hour (phew), presumably because my website/domain and business are over 15 years old.
  5. We now need to create a Certificate Profile. Inside your trusted signing account, under Objects click Certificate Profiles.  Click Create > Public Trust.  Give your certificate profile a name – we will need this for later!  I called mine AlkanePublicTrust.  Note that the “Verified CN and O” field should show your verified identity from the previous step.
  6. Now we can start signing!  Download and install the Trusted Signing Client Tools MSI from here.  This includes signtool.exe, which we will use to perform code signing.
  7. Download the Microsoft Trusted Signing Client from here.  These binaries enable signtool.exe to launch a browser session that prompts for an Azure authentication token. You could install this directly using a NuGet command line, but I preferred to click “Download Package”, rename the .nupkg extension to .zip, navigate to the Bin folder and extract the x64 folder to my local machine inside a directory called C:\Alkane\Signing.
  8. In C:\Alkane\Signing, we also need to create a JSON file (I called it AlkanePublicTrust.json) for signtool.exe to use. This simply uses the values we created in step 1 and step 5 (the Account URI, the trusted signing account name and the certificate profile name) – replace these with your own.
    {
      "Endpoint": "https://weu.codesigning.azure.net",
      "CodeSigningAccountName": "AlkaneTrustedSigning",
      "CertificateProfileName": "AlkanePublicTrust"
    }
    
    
  9. Now we can finally sign our executable! The executable I want to sign is called C:\Alkane\Alkane.exe and we must use a timestamping server for reasons discussed here.
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Alkane\Signing\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Alkane\Signing\AlkanePublicTrust.json" C:\Alkane\Alkane.exe
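As an added example (not part of the original post), the step 9 command wrapped in a small PowerShell script that signs a batch of files and then independently verifies each signature with signtool before reporting success. The paths and the timestamp URL are the ones used in this post and are assumptions you should adjust for your Windows Kits version and signing folder.

```powershell
# Added example, not from the original post: signs each file with Trusted Signing (step 9's switches)
# and then verifies the result, so a broken or un-timestamped signature is caught straight away.
# Assumptions: the paths below match this post; change them for your Windows Kits build and folder.
param(
    [Parameter(Mandatory)] [string[]] $Path,
    [string] $SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe',
    [string] $Dlib      = 'C:\Alkane\Signing\x64\Azure.CodeSigning.Dlib.dll',
    [string] $Metadata  = 'C:\Alkane\Signing\AlkanePublicTrust.json',
    [string] $Timestamp = 'http://timestamp.acs.microsoft.com'
)

$failed = @()
foreach ($file in $Path) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Missing file: $file"; $failed += $file; continue
    }

    # Same switches as step 9: /fd = file digest, /tr = RFC 3161 timestamp server, /td = timestamp digest,
    # /dlib = the Trusted Signing dlib from step 7, /dmdf = the JSON metadata file from step 8.
    & $SignTool sign /fd SHA256 /tr $Timestamp /td SHA256 /dlib $Dlib /dmdf $Metadata $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "signtool sign failed for $file (exit code $LASTEXITCODE)"; $failed += $file; continue
    }

    # Verify with the default Authenticode policy (/pa). Trusted Signing certificates are short-lived
    # (days, not years), so without the /tr timestamp the signature would stop validating almost immediately.
    & $SignTool verify /pa /v $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "signtool verify failed for $file (exit code $LASTEXITCODE)"; $failed += $file; continue
    }

    Write-Host "Signed and verified: $file"
}

if ($failed.Count -gt 0) {
    Write-Error ("Signing failed for: " + ($failed -join ', '))
    exit 1
}
```

Run it as `.\Sign-WithTrustedSigning.ps1 -Path C:\Alkane\Alkane.exe, C:\Alkane\Helper.dll`; the browser prompt for the Azure token appears on the first sign call, exactly as with the bare signtool command.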

And that’s it!  Happy code signing!

Code Signing Certificates with Expiry Dates and Timestamping

When I set about signing a Java deployment rule set with a code signing certificate, I noticed that my certificate had an expiry date of 1 year from the current date.  My initial thought was that I didn’t want all these Java applications to suddenly stop working in a year’s time because my code signing certificate had expired!  So I began to investigate code signing certificates with expiry dates and timestamping.


You can purchase code signing certificates from a variety of online stores or alternatively create a code signing certificate using Active Directory Certificate Services (ADCS).  Once you have a code signing certificate you can follow our guide to signing un-signed drivers to add a digital signature to your file (whether it be a driver or not).

Why Do Code Signing Certificates Expire?

When a code signing certificate expires, you can no longer sign any content with it.  The reason they expire is for security purposes.  If they didn’t ever expire and the certificate fell into the wrong hands, anybody could impersonate your company forever!

Will Signed Content Stop Working When My Certificate Expires?

If you haven’t added a timestamp during the signing process, verification of the signed content compares the certificate’s expiry date against the current date and fails once the certificate has expired.

However, adding a timestamp during the signing process provides verification that the signing took place while the certificate was valid, and your signed content will remain valid indefinitely.  Timestamping is a mechanism that ensures your digital signature remains trusted long after your code signing certificate has expired.
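To see which of your existing signed files actually have that protection, here is an added PowerShell audit (not from the original post) that walks a folder, reads each Authenticode signature and classifies it according to the two rules above: an expired certificate only breaks the signature when no timestamp is present. The root folder and file extensions are assumptions.

```powershell
# Added example, not from the original post: find signed files whose signature will break (or has
# already broken) because the signing certificate expires and no timestamp was applied.
# Assumption: $Root is the folder holding your signed executables, drivers and installers.
param([string] $Root = 'C:\Alkane')

$now = Get-Date
Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.msi, *.sys, *.cat, *.ps1 | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -eq 'NotSigned') { return }

    $cert    = $sig.SignerCertificate
    $expired = $cert.NotAfter -lt $now
    $stamped = $null -ne $sig.TimeStamperCertificate   # present only if a timestamp was applied

    # The cases described in the text: a timestamped signature outlives its certificate; an
    # un-timestamped one is only good until the certificate's NotAfter date.
    $risk = 'OK'
    if ($expired -and -not $stamped) { $risk = 'BROKEN: certificate expired and no timestamp' }
    elseif ($expired)                 { $risk = 'OK: certificate expired but signature is timestamped' }
    elseif (-not $stamped)            { $risk = "AT RISK: no timestamp, breaks on $($cert.NotAfter.ToString('yyyy-MM-dd'))" }

    [pscustomobject]@{
        File        = $_.FullName
        Status      = $sig.Status        # what Windows itself thinks of the signature right now
        Signer      = $cert.Subject
        CertExpiry  = $cert.NotAfter
        Timestamped = $stamped
        TimestampBy = if ($stamped) { $sig.TimeStamperCertificate.Subject } else { '' }
        Risk        = $risk
    }
} | Sort-Object Risk -Descending | Format-Table -AutoSize
```

Anything reported as AT RISK should be re-signed with a timestamp server (the /tr switch in the signtool command earlier in this post) before its certificate expires.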

Create a Code Signing Certificate

Ok, this post is shameless plagiarism from this post.  But I couldn’t risk losing sight of good content.  Thanks (and apologies) go to David Barrett!  Here we discuss how to create a code signing certificate using Active Directory Certificate Services (ADCS).

Enable the Code Signing Certificate Template

  1. On the appropriate server (e.g. the CA root), open Certificate Services Manager.
  2. In the left pane, select Certificate Templates.
  3. Check for a Code Signing template – by default, this isn’t available.  If it isn’t, add it:
    1. From Action menu, select New -> Certificate Template to Issue.
    2. Select Code Signing, then click OK.

Grant Permissions for User(s)

  1. From the Certificate Services Manager, right click Certificate Templates and select Manage.
  2. From the list of templates, right-click Code Signing and select Properties.
  3. Select the Security tab.
  4. Any users that should be allowed to create code signing certificates need to be granted Read and Enroll permissions, so add users and permissions as necessary.
  5. Apply changes.

Create a Code Signing Certificate

  1. On the development machine (logged in as a user who has been granted permissions to create a code signing certificate), open Microsoft Management Console.
  2. From File menu, select Add/Remove Snap-in…
  3. From Available snap-ins, select Certificates and then click Add.
  4. Select My user account, and then click Finish.
  5. OK out of the Add/Remove snap-in window.
  6. You will now see Certificates listed in the console view on the left.  Right-click Personal, select All Tasks, then Request New Certificate.
  7. Click Next on the first screen (Before You Begin).
  8. Click Next on the Select Certificate Enrolment Policy screen (Active Directory Enrolment Policy will be applied).
  9. In the Request Certificates screen, tick Code Signing, and then click Enrol.  A certificate will be created and placed in the user’s Personal store.
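The same enrolment can be scripted, which is handy for build machines. This added example (not part of the original post) requests a certificate from the Code Signing template via Active Directory enrolment policy and then checks that what came back is actually usable for signing: it must have a private key, the Code Signing enhanced key usage, and a chain that builds. It assumes the template still has its default name, CodeSigning (displayed as “Code Signing”).

```powershell
# Added example, not from the original post: command-line equivalent of the MMC steps above,
# plus sanity checks on the issued certificate. Assumption: default template name 'CodeSigning'.
$result = Get-Certificate -Template 'CodeSigning' -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    # 'Pending' usually means the template requires CA manager approval; an error usually means
    # the user lacks Read/Enroll on the template (see "Grant Permissions for User(s)" above).
    throw "Enrolment did not complete: status is '$($result.Status)'"
}

$cert           = $result.Certificate
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

# Find the EKU extension and confirm it lists Code Signing; a template copied without this
# EKU would still issue a certificate, but signtool would refuse to use it.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigningEku = [bool] ($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }))

if (-not $cert.HasPrivateKey) { throw "No private key for $($cert.Thumbprint); enrolment stored only the public half" }
if (-not $hasCodeSigningEku)  { throw "Certificate $($cert.Thumbprint) lacks the Code Signing EKU; check the template" }
if (-not $cert.Verify())      { throw "Chain for $($cert.Thumbprint) does not build; is the CA root trusted on this machine?" }

"Issued to {0} by {1}; thumbprint {2}; valid {3:yyyy-MM-dd} to {4:yyyy-MM-dd}" -f `
    $cert.Subject, $cert.Issuer, $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter

# The certificate now sits in the user's Personal store, as with the MMC route, and can be
# selected for signing with: Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
```

When you sign with this certificate, remember the timestamping section above: pass a timestamp server, or the signature will stop validating on the NotAfter date printed here.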