Azure Code Signing for plugin developers (guide)

Hi all,

I’m sure many of you are aware of the increasingly tight restrictions on code signing in the last few years on Windows.

We’ve seen a bunch of different ways of doing code signing, from key files (no longer supported) to HSMs/dongles to remote HSMs such as Azure Key Vault, but the most recent addition comes in the form of a new Microsoft Azure service called Azure Code Signing which is super easy to use once you get it set up.

In a sense, it is very similar to how Let’s Encrypt works in terms of issuing certificates, meaning no more EV, OV or HSMs necessary.

ACS is a service that is currently still in preview, meaning there’s a program going on at Microsoft that you need to be enrolled into, but apparently it is on the cusp of being released publicly later this year.

That’s why I wanted to share this guide for fellow plugin developers. As an extra bonus it contains some tips to get AAX signing working with ACS as well.

If any of you are already enrolled, hopefully this guide can be useful for you to get code signing working right away.

For all others, it might be useful for you once ACS comes out of preview phase soonish. I’ll try to update it with the necessary files and links if that happens :slight_smile:

26 Likes

I really hope this happens soon! My 3-year valid certificates are about to become invalid, and the process just seems so much worse than it was before and at 5x the price to boot! I’m really hoping this is going to be similar to the Apple Developer experience: pay Microsoft $99/yr and be able to sign stuff and it actually works without coming up against stupid “scary” dialogues in Windows because you didn’t pay 3x the price and jump through more hoops for your certificate.

This is great, thanks for sharing!

I’m also part of the ACS private preview and have a blog post half-finished about signing with ACS, but have been holding off publishing until things go public… thanks for including AAX tips!

2 Likes

Interesting! Is it possible to use this for production? What is the worst possible outcome given that it hasn’t been released yet?

My certificates are due this month :woozy_face:

We’ve been using this in production for a while now, though, with Azure Key Vault as a backup in the worst case.

The worst case being that the service would get pulled from Azure for whatever reason, but I see that as very unlikely with the correspondence we’ve had with the team managing the program and the expectation of a 2024 public release. I had started with an Azure Key Vault guide as well but abandoned it as soon as I realized Azure Code Signing was likely the way to go forward.

Indeed it’ll likely be a $99/yr type of deal and removing the need for all these certificate authorities and resellers imposing their own rules and systems, which I believe will help a lot of (smaller) developers out there.

6 Likes

Has anyone used the SSL.com cloud signing service for EV? I’ve got a release coming up soon and would like to get it setup before then. Otherwise I’d wait for this Azure release and use that.

It looks simple enough but would greatly appreciate if someone can vouch for it for use with JUCE plugins and standalone apps.

1 Like

Forgive my ignorance, are there any ongoing costs (besides the potential costs of the code signing) when I create an Azure account?
I logged in with my Microsoft account, but it looks like I can’t move further on without an Azure account.

I’ve been using Azure Pipelines to do my Windows and Linux builds for years now, never exceeded the free tier limits and therefore no charges ever.

That said, I don’t recall ever making an “Azure account”, only ever used my Hotmail Microsoft account, maybe things have changed in the meantime.

BTW how do you sign up for the ACS preview? I’ve opened an Azure account and I’ve tried to follow the steps of the tutorial but I’m hitting an error probably because I’m not there.

It’s in private preview at the moment. The product was invite only and they’ve stopped inviting people.

However, I just got an email saying it’s moving to public preview next, and they will be announcing pricing etc. :tada:

That info will drop in a meeting next week Tuesday, I’ll try to remember to update this thread with details.

According to the signing team, every single Microsoft binary is signed through the Azure service (as well as many of their large partners) and it’s been this way for a couple years now, so I think we can feel pretty safe about it!

6 Likes

Awesome news. Thank you all very much for sharing! I wasn’t aware and have been waiting for something like this to come along to remove the pain of Windows code-signing for us smaller devs.

1 Like

Indeed, the ACS preview program apparently has closed and I also got the e-mail on the upcoming announcement so I reckon it won’t be long.

Azure Key Vault could still be a stopgap solution for anyone with expiring certificates though; it can be set up in a similar way, though I believe it relies on a third-party signtool.

2 Likes

Great news! Sounds like I might just manage to avoid the pain of getting a Code Signing Certificate ever again!

On the private preview call today, the Microsoft signing team said that it will be public preview in early April. Here’s the pricing:

13 Likes

Thanks for the update, I was just searching to see if there was new-news today.

Little bit of a bummer, was hoping for buzzer-beating availability prior to my new plug-in release, but this is still pretty exciting. I’ll never understand why it took this long for Microsoft to join Apple in the world of semi-reasonable code signing infrastructure. But better late than never!

1 Like

Has anyone successfully created a codesigning account? I get this contradictory error message.

BTW my Azure skills are zero :sweat_smile:

“No registered resource provider found for location ‘westeurope’ and API version ‘2020-12-14-preview’ for type ‘codeSigningAccounts’. The supported api-versions are ‘2024-02-05-preview’. The supported locations are ‘westcentralus, westus2, northeurope, westeurope, eastus, westus’.”

Has PACE been informed about the incompatibility of wraptool with signtool and Azure signing?

I don’t think it’s public quite yet. Maybe in another week or so?

Yes I’ve let them know.

1 Like

Thanks, just to be sure, I mean the quoting problem described in section 2.3.4 of @koaladsp-cecill’s azure-code-signing-for-plugin-developers.md

 :: wraptool seems to mangle signtool's args and doesn't properly quote-escape the final binary path,
 :: and batch is not easy with string handling, so we use python to fix things up.
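To make the quoting problem mentioned above concrete, here is an added Python example (it is not code from the post, from the linked guide, or from PACE or Microsoft tooling). The signtool arguments and the binary path are constructed for illustration; the point is that a binary path containing spaces must be quoted the way the Microsoft C runtime expects, or it is split into several arguments before signtool ever sees it. The `windows_split` helper below implements the documented CRT backslash-and-quote rules (simplified: it omits the `""`-inside-quotes rule) so the effect can be checked offline on any platform.

```python
# Added example: why an unquoted binary path breaks a signtool-style command
# line on Windows, and how to build one that survives CRT argument splitting.
# Not the forum post's script and not wraptool's/signtool's own code.
import subprocess

# Constructed sample invocation; the path is hypothetical.
SAMPLE_ARGS = [
    "signtool", "sign", "/fd", "SHA256",
    r"C:\Program Files\My Plugin\plugin.aaxplugin",
]


def naive_command(args):
    """What a script that simply concatenates its arguments produces:
    the path with spaces is emitted bare, so it will be re-split."""
    return " ".join(args)


def quoted_command(args):
    """Build the command line with subprocess.list2cmdline, which applies
    the Microsoft C runtime quoting rules (pure Python, works on any OS):
    arguments containing whitespace are wrapped in double quotes and
    embedded quotes/backslashes are escaped so the tool sees them intact."""
    return subprocess.list2cmdline(args)


def windows_split(cmdline):
    """Split a command line the way the Microsoft C runtime builds argv
    (the view signtool, wraptool and other CRT-linked tools get).
    Rules: backslashes are literal unless they precede a double quote;
    2n backslashes + quote -> n backslashes and a quote toggle;
    2n+1 backslashes + quote -> n backslashes and a literal quote;
    whitespace outside quotes separates arguments."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2 == 1:
                    cur.append('"')  # escaped literal quote
                    j += 1           # consume the quote
                # even count: leave the quote for the toggle branch below
            else:
                cur.append("\\" * nbs)
            i, have_arg = j, True
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def roundtrips(args):
    """True when the quoted command line reproduces the intended argv."""
    return windows_split(quoted_command(args)) == list(args)


if __name__ == "__main__":
    print("naive :", windows_split(naive_command(SAMPLE_ARGS)))
    print("quoted:", windows_split(quoted_command(SAMPLE_ARGS)))
```

Run it and the naive form yields seven arguments (the path is split at every space), while the `list2cmdline` form yields the intended five. The same `roundtrips` check is worth running on any path that ends in a backslash, since that is the case where a hand-rolled quoting routine most often gets the escaping wrong.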