Anna Shipman

Sign an EXE file with Azure Trusted Signing

What you'll need

Before you begin, you need the following:

A Trusted Signing Account

Before you start, you need to create a Trusted Signing account from the Azure Portal. This account is the basis of your signing environment, and it identifies where your certificate profiles, policies, and permissions will exist.

You cannot generate or use Azure's short-lived code signing certificates without first having this account.

Identity Validation

After this, Microsoft requires you to go through identity validation to ensure that your signatures will be publicly trusted.

You can validate for yourself, as an Individual, which is for the personal developer, or as an Organization which is strongly suggested for businesses, enterprises, and development teams. Validating either way allows Azure to issue trusted short-lived certificates on your behalf.

A Certificate Profile

Next, you must create a certificate profile, which is the template Azure will use to create your short-lived code signing certificates automatically. The profile defines the type of certificate, the usage policies for the certificate, and the signing algorithms in use.

On each signing action, Azure will create a new secure time-limited code signing certificate based on this profile that you can use to sign the EXE.

Required IAM Roles

To be able to perform signing actions, your Azure identity is required to have the appropriate IAM roles assigned.

At a minimum, two roles need to be assigned: the Trusted Signing Identity Verifier, which verifies that you can act on behalf of the signing account, and the Trusted Signing Certificate Profile Signer, which allows your identity to request signing certificates from the certificate profile.

If the required roles are not assigned, your signing actions will fail because you lack the proper permission scope.

Supported Operating Systems

Finally, you will need to have the signing tools running on a supported operating system, as Azure Trusted Signing tools only run in modern environments.

As it currently stands, the supported operating systems are Windows 10 version 1809 or later, Windows 11, and Windows Server 2016 or newer.

If the tools are run on unsupported operating systems, then the tools may not work as expected, or the signing process may be entirely blocked.


Setting Up Azure Trusted Signing

Below is how to set everything up, based on Microsoft's official documentation and the workflow reviewed above.

Step 1: Create an Azure Account & Subscription

  • Go to Azure Portal
  • Create a new account or log into an existing account.
  • Create a subscription for Pay-As-You-Go.

Step 2: Create a Trusted Signing Account

  • In Azure Portal, search for Trusted Signing Accounts
  • Click Create
  • Provide: Account name, Region and Pricing tier
  • Complete creation
  • Make note of the Account Endpoint URI using Copy (you will need that in later steps).

Step 3: Assign IAM Roles

Azure requires explicit permission to be able to do any signing account operations.

You need to assign the following:

  • Trusted Signing Identity Verifier – Reviewing and managing identity validation
  • Trusted Signing Certificate Profile Signer – To authorize applications or users signing EXEs

You assign these under the Trusted Signing account → Access control (IAM).

Step 4: Validate Your Identity

  • In the Trusted Signing account, go to Identity Validations.
  • Select Individual or Organization from the list.
  • Provide the requested business documents.
  • Wait for Microsoft to verify your identity; this can take hours to days, depending on the level of verification.

Once approved, you can begin to make Certificate profiles.

Step 5: Create a Certificate Profile

  • Go to Certificate Profiles
  • Click Create Profile
  • Choose Public Trust
  • Select your verified identity
  • Name the profile and save

This profile will generate short-lived certificates when you sign your EXE.

Signing Steps (After Setup)

Step 6: Install Trusted Signing Client Tools

Install using WinGet (recommended):

winget install -e --id Microsoft.Azure.TrustedSigningClientTools

This installs:

  • SignTool plugin
  • .NET 8 runtime
  • Azure CodeSigning dlib
  • Visual C++ redistributable


Step 7: Create Metadata JSON (Required)

Create metadata.json:

{
  "Endpoint": "https://weu.codesigning.azure.net",
  "CodeSigningAccountName": "YourAccountName",
  "CertificateProfileName": "YourCertificateProfile",
  "CorrelationId": "build-001"
}

Use the endpoint for your account's region (EastUS, WestEurope, etc.); this is the Account Endpoint URI you copied in Step 2.

Step 8: Sign Your EXE Using SignTool

Use this command to sign the executable:

signtool.exe sign /v /debug /fd SHA256 ^
/tr "http://timestamp.acs.microsoft.com" /td SHA256 ^
/dlib "C:\Path\Azure.CodeSigning.Dlib.dll" ^
/dmdf "C:\Path\metadata.json" ^
YourFile.exe
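Putting Steps 6 to 8 together, here is an added PowerShell script (it is not from the original post or from Microsoft) that checks the OS build against the supported list, writes metadata.json without a byte-order mark, runs the SignTool command above, and then verifies the result and prints the certificate's validity window. The executable path, account name, profile name, endpoint and the location of Azure.CodeSigning.Dlib.dll are placeholders you must replace; the script also assumes signtool.exe is on PATH and that the identity holding the Certificate Profile Signer role is already available to the dlib's Azure credential lookup (for example through an `az login` session).

```powershell
<#
  Added example, not part of the original post: sign an EXE with Azure Trusted
  Signing via SignTool, then verify it. All paths and names are placeholders.
#>
param(
    [string]$ExePath       = ".\YourFile.exe",
    [string]$DlibPath      = "C:\Path\Azure.CodeSigning.Dlib.dll",  # assumption: adjust to where the client tools installed it
    [string]$Endpoint      = "https://weu.codesigning.azure.net",   # Account Endpoint URI copied in Step 2
    [string]$AccountName   = "YourAccountName",
    [string]$ProfileName   = "YourCertificateProfile",
    [string]$CorrelationId = "build-001"
)
$ErrorActionPreference = "Stop"

# 1. Supported OS check: Windows 10 1809 is build 17763 (clients);
#    Windows Server 2016 is build 14393 (servers). ProductType 1 = workstation.
$os       = Get-CimInstance Win32_OperatingSystem
$minBuild = if ($os.ProductType -eq 1) { 17763 } else { 14393 }
if ([int]$os.BuildNumber -lt $minBuild) {
    throw "Windows build $($os.BuildNumber) is below the supported minimum ($minBuild) for Trusted Signing tools."
}

# 2. Tooling and input checks before touching the network.
if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) {
    throw "signtool.exe is not on PATH; install the Windows SDK or add its bin folder to PATH."
}
if (-not (Test-Path $DlibPath)) { throw "Azure CodeSigning dlib not found at $DlibPath" }
if (-not (Test-Path $ExePath))  { throw "Executable not found at $ExePath" }

# 3. Write metadata.json (Step 7). UTF-8 without BOM keeps the JSON parser happy.
$metadataPath = Join-Path $env:TEMP "metadata.json"
$json = @{
    Endpoint               = $Endpoint
    CodeSigningAccountName = $AccountName
    CertificateProfileName = $ProfileName
    CorrelationId          = $CorrelationId
} | ConvertTo-Json
[IO.File]::WriteAllText($metadataPath, $json, [Text.UTF8Encoding]::new($false))

# 4. Record the pre-signing hash so the change can be audited later.
$before = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash

# 5. Sign (Step 8): SHA-256 file digest, RFC 3161 timestamp, dlib + metadata.
& signtool.exe sign /v /fd SHA256 `
    /tr "http://timestamp.acs.microsoft.com" /td SHA256 `
    /dlib $DlibPath /dmdf $metadataPath $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 6. Verify with the default Authenticode policy (/pa) and via PowerShell.
& signtool.exe verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }

$after = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash
"SHA256 before signing : $before"
"SHA256 after signing  : $after"
"Signer subject        : $($sig.SignerCertificate.Subject)"
"Certificate valid     : $($sig.SignerCertificate.NotBefore) -> $($sig.SignerCertificate.NotAfter)"
"Timestamped by        : $($sig.TimeStamperCertificate.Subject)"
```

The validity window printed at the end is short because each signing action draws a fresh short-lived certificate from the profile; the timestamp from timestamp.acs.microsoft.com is what keeps the signature valid after that certificate expires, which is why the script treats a missing `/tr` as a bug rather than an option. The `/debug` switch used in the command above can be added to the `sign` call when the dlib fails to authenticate and you need its diagnostic output.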
