Trusted Signing Integration

Written by Bogdan Mitrache · April 19th, 2024

Digital Signing should be a formality for professionals. It’s been almost 30 years since the first software was digitally signed but we still have many users who don’t know how or why they should use a code signing certificate. We need it to protect their intellectual property and enhance the cybersecurity of their end-users.

Nobody should publish software without code signing it.

Why? Well, because code signing isn’t just a best practice—it’s a layer of security that serves multiple critical functions.

ImportantAdvanced Installer is the first application packaging tool in the industry that provides built-in support for Trusted Signing. It’s included in all the commercial editions and can be used starting now.

The much awaited Trusted Signing is finally here to help you simplify the process of acquiring, securing, and using your code signing certificates.

We worked with the Advanced Installer team in an effort aimed at improving the security and efficiency of software deployment processes for developers and IT professionals globally.

The integration of Trusted Signing into Advanced Installer makes it easier for tens of thousands of developers and IT professionals to sign their packages while relying on their existing Azure tenant to provide secure access management for their certificate profiles.

This integration doesn’t just streamline the code signing process; it sets a new standard for secure software distribution.

Ian McMillan
Principal Product Manager at Microsoft

NoteIf you’re new to code signing, check out our resources to help you get started with digital signing.

SSO should not be a luxury

We, at Advanced Installer, decided to integrate Azure Trusted Signing (also known as Azure Code Signing, while it was in private preview) in all commercial editions. To start using Trusted Signing you need to first configure it from your Azure subscription.

Because the certificates are managed via your Azure subscription, Advanced Installer can delegate the entire authentication to the OS and to Signtool.exe. Sensitive information is never saved in your projects. After the authentication with the Azure services is confirmed, our automation process orchestrates Signtool.exe to sign all the files included in your package, along with the final setup package.

Why another cloud solution?

Starting June 2023 all new code signing certificates must be stored on certified HSMs. This means you will either use a certified flash drive or a FIPS 140-2 Level 3 certified cloud like the one provided by the Trusted Signing team. We already know the Azure portal can provide us with the best identity and access management standards, enabling professional teams to easily manage access to their certificates.

Nevertheless, we tried flash drives too. They fit for single-use scenarios where you don’t need to share the certificate with other team members and you build your software locally. However, a cloud service for digital signing is the best option for teams that use GitHub Actions, Azure DevOps and other similar services.

Even if you use an internal continuous integration system like we do, a cloud based digital system is more secure because it helps you keep track of exactly what resources were signed, who signed them, and you can easily revoke a signature without affecting any of the files signed previously if a breach should occur.

Bringing code signing to open-source

Open-source software development and code signing have always been in a love-hate relationship.

Ensuring end-user security is a constant challenge when an OSS application can be compiled and redistributed by an attacker.

Adopting newer and more powerful packaging technologies, like MSIX, is again complicated because all MSIX packages need to be digitally signed. Complex acquisition or certification processes with certificate vendors, along with the high costs make it very hard for OSS maintainers to adopt code signing.

Trusted Signing is here to change this. ImageMagick, a known open-source software suite used for editing and manipulating digital images, is now releasing the first trusted signed MSIX-packaged version of its installer with the help of Advanced Installer.

Advanced Installer’s free license for open source projects, along with its GitHub Actions and Trusted Signing integration, enables ImageMagick to modernize its setup projects and starts the migration from his legacy packaging framework to Advanced Installer.

Written by
See author's page
Bogdan Mitrache

Bogdan is the product lead for Advanced Installer. He has over a decade of experience in application packaging and deployment, you can also find him speaking at conferences and contributing on industry related communities.