Azure Trusted Signing Authentication

Written by Renato Ivanescu · July 10th, 2024 · 3 min read

The code signing process can be a real challenge for development teams. Fortunately, Microsoft offers a fully managed signing solution through their Trusted Signing service.

Advanced Installer now includes built-in support for Trusted Signing in all commercial editions. To start using it, you need to authenticate with Azure services first.

Note: For more information regarding the Trusted Signing integration, check the article here.

How to Authenticate with Azure Services

When using the Trusted Signing support, Advanced Installer doesn’t handle the authentication with Azure services itself. Instead, Microsoft software on your machine handles the authentication, which keeps your credentials out of third-party tooling.

You must be logged in when performing digital signing at build time.

There are several methods for authenticating but the most commonly used are:

  • Authenticate via Visual Studio Microsoft account (connected to your Azure subscription)
  • Define environment variables with your credentials as documented by Microsoft
  • Authenticate via Azure CLI
  • Browser Authentication

Once you are authenticated, the system generates and stores a token.

Advanced Installer then executes SignTool.exe, which detects the valid session through that token and signs the files included in your setup package.

Note: In environments like GitHub, the authentication process differs because there is no login interface. Instead, you have to use secret variables. Find more information in this article.

How to use Trusted Signing in Advanced Installer

Now, let me show you how to use the Trusted Signing support in Advanced Installer. First, log in with Azure services using Azure CLI:

  1. Open a command-line interface.
  2. Use the ‘az login’ command to log in.
  3. A web browser will prompt you to enter the Azure credentials. Once logged in, the CLI will get the access token and authenticate your session.

az login command in CMD

After logging into your Azure account, you can use SignTool.exe directly from the command line, or any other tool that integrates SignTool, to sign your binaries without having to specify any credentials.

You only need to specify the Azure endpoint, account name, and the certificate you want to be used for signing.

The signing process will fail if you don’t authenticate first. Depending on the return code received from SignTool and the error handling in the application that integrates Trusted Signing, the error message you see can vary. This is why you should sign in successfully using one of the methods recommended by Microsoft before trying to sign your binaries.
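The command-line flow above, as an added PowerShell example that is not from the article or from Advanced Installer: it checks that the Azure CLI session is still valid before calling SignTool, so an expired login fails with a clear message instead of an opaque SignTool error, then passes the endpoint, account name and certificate profile through the metadata file SignTool's Trusted Signing dlib reads. The dlib path, endpoint, account and profile names are placeholders; the metadata key names follow Microsoft's Trusted Signing documentation for SignTool.

```powershell
# Added example, not part of the article. Assumes az and signtool are on PATH.
param(
    [string]$FileToSign  = ".\MySetup.msix",
    [string]$Endpoint    = "https://eus.codesigning.azure.net/",  # constructed value
    [string]$AccountName = "contoso-signing",                     # constructed value
    [string]$ProfileName = "contoso-public-trust",                # constructed value
    # Placeholder: path where the Microsoft.Trusted.Signing.Client package was extracted
    [string]$DlibPath    = "C:\tools\TrustedSigning\bin\x64\Azure.CodeSigning.Dlib.dll"
)

# 1. Confirm a usable Azure CLI session. get-access-token forces a token refresh,
#    so a stale 'az login' is caught here. Only the expiry is kept; the token
#    itself is never written to the console or to disk.
$expires = az account get-access-token --query expiresOn -o tsv 2>$null
if ($LASTEXITCODE -ne 0 -or -not $expires) {
    throw "No valid Azure CLI session. Run 'az login' (or another supported method) first."
}
Write-Host "Azure CLI session valid until $expires"

# 2. Write the metadata file consumed by the Trusted Signing dlib. No secrets here:
#    it only names the endpoint, the signing account and the certificate profile.
$metadataPath = Join-Path $env:TEMP "trusted-signing-metadata.json"
@{
    Endpoint               = $Endpoint
    CodeSigningAccountName = $AccountName
    CertificateProfileName = $ProfileName
} | ConvertTo-Json | Set-Content -Path $metadataPath -Encoding utf8

try {
    # 3. Sign with a SHA-256 digest and an RFC 3161 timestamp. Credentials come
    #    from the Azure session, so nothing sensitive appears on the command line.
    signtool sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 `
        /dlib $DlibPath /dmdf $metadataPath $FileToSign
    if ($LASTEXITCODE -ne 0) { throw "SignTool sign failed with exit code $LASTEXITCODE" }

    # 4. Verify the result so an unsigned or mis-signed package never ships.
    signtool verify /pa /v $FileToSign
    if ($LASTEXITCODE -ne 0) { throw "Signature verification failed with exit code $LASTEXITCODE" }
    Write-Host "Signed and verified: $FileToSign"
}
finally {
    Remove-Item $metadataPath -ErrorAction SilentlyContinue
}
```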

Now, open Advanced Installer.

Let’s suppose you’ve already created and configured an MSIX package project and the remaining step is to digitally sign the package. Follow these steps:

  1. Go to the Digital Signature tab and enable signing.
  2. Check the ‘Use Trusted Signing’ option in the Software Publisher Certificate section.
  3. Populate the End Point, Account Name, and Certificate Name with the corresponding values.

Trusted Signing Options in Digital Signature tab

Now we are set, so it’s time to build the project to generate the MSIX package.

Once generated, you can run it and install the application.

Conclusion

Using the built-in support for Trusted Signing in Advanced Installer requires you to log in with Azure services. You can choose from various authentication methods. Once logged in, Advanced Installer can trigger the SignTool to sign the files, ensuring a secure and efficient signing process.

Renato Ivanescu

Renato is a technical writer for Advanced Installer and an assistant professor at the University of Craiova. He is currently a PhD student, and computers and information technology are his areas of interest. He loves innovation and takes on big challenges.
