Azure Code Signing Process and Setup Explained

Azure Code Signing is a process that ensures the integrity and authenticity of your code, and it's a requirement for publishing extensions to the Azure Marketplace.

You can use Azure Key Vault to store and manage your code signing certificates.

To set up Azure Code Signing, you'll need to create a new key vault and add a certificate to it.

Azure Code Signing uses a certificate called the "Azure Code Signing Certificate" which is used to sign your code.

Curious to learn more? Check out: Certificate Pinning Azure

To set up Azure code signing, you'll need to configure several components and mechanisms. Start by registering an application on Azure Active Directory, which will provide you with a Client ID and Secret.

You'll also need to create an access policy for your Key Vault, which will grant the application principal (Client ID + Secret) access to the vault. To do this, go to the Key Vault settings, select "Access Policies", and then "Add Access Policy." Define a new access policy with the following permissions:

Once you've configured your Key Vault, you can move on to setting up Azure DevOps. To do this, you'll need to download the .NET Core global tool, which includes the AzureSignTool. You can add this tool to your Azure DevOps build by including the following command:

In your Azure DevOps build, you'll also need to add variable groups for the client secret, code signing certificate name, client ID, and Key Vault URL. Mark these variables as sensitive by clicking the lock icon next to them.

To get started with Azure Code Signing, you'll need to implement it in three easy steps. This process is designed to be straightforward and efficient.

To begin, you'll need an Azure account, which is the foundation for implementing Azure Code Signing. Having a registered Application within your Azure tenant is also crucial for the process to work effectively.

Here are the basic requirements to implement Azure Code Signing:

Signtool.exe with AAX Wraptool.exe is a crucial step in the implementation process. It's used to wrap the AAX plugin with a digital signature.

The Signtool.exe is a command-line tool that comes with the Windows SDK. It's used to sign the AAX plugin with a digital certificate.

To use Signtool.exe with AAX Wraptool.exe, you'll need to have the Windows SDK installed on your computer. This will give you access to the Signtool.exe tool.

The AAX Wraptool.exe is a tool that's specifically designed to wrap the AAX plugin with a digital signature. It's a crucial step in the implementation process.

The output of the Signtool.exe with AAX Wraptool.exe command will be a signed AAX plugin that can be used in Pro Tools.

Here's an interesting read: Windows Azure down

To implement Azure Code Signing, you'll need an Azure account and an Application registered within your Azure tenant.

You'll also need an Azure Key Vault set up to store your code signing certificates.

An Azure account is required for the process to begin.

Here are the basic requirements for implementing Azure Code Signing:

Once you have these in place, you can grant your code signing app the right permissions.

To create an app, start by searching for Microsoft Entra ID in the Azure portal. This will allow you to create a new app registration.

Click "Add" and then "App registration" to begin the process. You can name your app whatever you like, but for this example, we'll use "codesigning-app".

Make sure to select "Accounts in this organizational directory only" as the option for who can use the application. This will ensure that only users within your organization can access the app.

You might enjoy: Azure App Insights vs Azure Monitor

Leave the Redirect URI as is, as it's not necessary to change it at this time. Click "Register" to complete the app registration process.

Once your app is created, click on the app resource to view its details. Note down the "Application (client) ID" for later use with signtool.

Next, navigate to the "Certificates & secrets" section of your app. Click on "Client secrets" and then "New client secret" to create a new secret.

Set the expiration date for the secret to the highest date possible, and then click "Add". Note down the "Value" of the secret, as you'll need it later for use with signtool.

Here's a summary of the steps to create an app:

Azure Key Vault is a secure way to store and manage sensitive data, including EV-certificates.

You can use Azure Key Vault to store EV-certificates, which provide higher security guarantees than normal certificates. EV-certificates require more thorough checks to ensure the identity of the certificate holder and must be stored securely, typically on a hardware USB token.

To obtain an EV-certificate stored in Azure Key Vault, you need to create a policy file describing the certificate you want to create. This policy file should include the keyProperties key, which defines the parameters of your RSA keypair and how it's stored, as well as the lifetimeActions key, which instructs AKV to send you an email three months before the certificate will expire.

To generate a new certificate in Azure Key Vault, you can use the following Azure CLI command: `az keyvault certificate create --policy cert-policy.json --name $CERT_NAME --vault-name $KEY_VAULT_NAME`. This will create the certificate in the key vault, but the certificate will be in a disabled state.

To enable the certificate, you need to generate and download a CSR, have it signed by a CA, and then upload the signed CSR back to the key vault. This is done by downloading the certificate info in JSON-format, extracting the CSR key using the jq tool, and then wrapping it in a -----BEGIN/END CERTIFICATE REQUEST----- block.

Azure Key Vault can be accessed using a service connection in Azure Pipelines, which allows you to use managed identity to authenticate. However, the --azure-key-vault-managed-identity command line option doesn't seem to work, so you need to use an access token instead.

To configure Key Vault to access the principal, you need to create an access policy with the following permissions: Key - Verify, Sign, Get, List; Secret - Get, List; Certificate - Get, List.

Discover more: Azure Password Policy

Integration and DevOps is where Azure Code Signing really shines. By embedding ACS directly into your CI/CD pipelines, every build can be automatically signed, ensuring a consistent layer of security and streamlining your development workflow.

You can also sign code as it’s deployed, adding an extra authentication layer and simplifying your processes. This is especially useful with Azure services.

To automate signing, you'll need to choose the right certificates and configure them properly. This involves adding variables for client secret, code signing certificate name, client ID, and key vault URL in your Azure DevOps build.

Using variables provides an added security advantage, as the logs containing signing data will only disclose the variable names instead of the original client ID, secret, and cert name.

Here are the key variables you'll need to configure:

By following these steps and configuring your Azure DevOps build correctly, you can ensure seamless integration and automation of Azure Code Signing.

Azure Code Signing has a pricing plan based on a reasonable monthly fee with a maximum quota of signatures per month. This quota is 5000 signatures per month, after which a per-signature cost gets activated.

If you require more signatures per month, a bigger tier is available, which is suitable for running extensive CI systems or similar use cases.

The smallest tier will likely work for most independent developers, as it provides a cost-effective solution for their needs.

Expand your knowledge: How Much Does Azure Cost

The pricing plan of Azure Trusted Signing is based on a reasonable monthly fee with a maximum quota of signatures per month.

For most independent developers, the smallest tier will probably work just fine.

There is also a bigger tier if you require much more signatures per month, for example if you're running extensive CI systems or such.

After reaching the maximum quota, a per-signature cost gets activated.

Microsoft has made Azure Code Signing mandatory for Endpoint Protection vendors on Windows platforms. This means that vendors need to comply with ACS requirements to ensure their solutions meet the necessary standards for code signing.

You might like: Azure Trusted Signing

Vendors such as Sophos must adhere to these requirements to provide enhanced security to end-users and protect against potential threats.

ACS requirements are crucial for vendors to ensure their solutions meet the necessary standards for code signing.

By complying with ACS requirements, vendors can provide a higher level of security to their end-users and protect against potential threats.