Azure Code Signing for plugin developers (guide)

Good point.

As you can see we just worked around the PACE signtool issues. Frankly, I was a bit surprised that we had to resort to this in order to make things work. Then again, my experience is that this is to be expected from toolchain and signing apps…

I’ve also updated the guide to include the newly published Microsoft “Trusted Signing Client” which was omitted (confidential) before here: KoalaDocs/azure-code-signing-for-plugin-developers.md at master · koaladsp/KoalaDocs · GitHub

3 Likes

I literally just ordered a 2 year code signing certificate from GlobalSign to arrive on a USB key and then saw this thread!

I think I can still cancel it. It looks like the ACS service will be about half the cost…

I’m just in the same situation, but I think I will still order a new certificate from GlobalSign for now, because I need something reliable yet, officially supported and I do not want to rely on workarounds like for the wraptool. It’s always hard if you are the pioneer. But I think it’s quite nice to have an alternative in the future.

1 Like

A GlobalSign token based cert can be converted to an HSM based one (without invalidating the token based one). This HSM based cert can be put into Azure Key Vault, and can then be used with AzureSignTool. With a bit of hacking you can get wraptool to work with AzureSignTool following the guide of the original post.

1 Like

Hi guys, at the moment I’m digitally signing my VST3/AU/Standalone/Installer on macOS with my Apple Dev certificate, and the AAX on both macOS and Windows with the same certificate (I’ve exported it from my Mac to my PC and it works flawlessly).

When a user downloads the Windows installer it gets a warning from Windows that the developer is not trusted, so my questions are:

  • Do I need to sign the installer only or also every plugin inside (VST3/Standalone)?
  • Can I use my Apple Dev certificate as I did for my Windows AAX? If no, what kind of certificate do I need to buy?

Thank you!

  • Do I need to sign the installer only or also every plugin inside (VST3/Standalone)?

You need to sign the installer in order to be trusted.
Signing the plugins may not be necessary for every DAW, but I would definitely do it if you have a certificate.

  • Can I use my Apple Dev certificate as I did for my Windows AAX? If no, what kind of certificate do I need to buy?

You need an official code signing certificate which is trusted by Microsoft. Apple certificates will not work; that’s why you receive a warning.

You can obtain certificates like that (Microsoft Authenticode) from companies like GlobalSign, Comodo, DigiCert etc.

There is a new method, described in this thread, to use a certificate directly issued by Microsoft. This is a new offering and currently in beta phase.

1 Like

If you get a certificate (from GlobalSign, DigiCert, etc), make sure it is an EV one, on a USB key, otherwise you will still get warnings. They have doubled in price recently, so indeed check the new approach mentioned above.

1 Like

Thank you @chkn and @PeterRoos,

The Microsoft service is in private beta, right? Because searching for ACS on the web does not lead to a public beta. @sudara do you have any insight about when it will become public? Thank you.

All certificates now use FIPS dongles… so you don’t need an EV certificate unless you are an organization and don’t want to display any window at startup

Rail

“early April” was what I heard. The docs and integrations are live, and the service on Azure looks prepped for launch and billing, but seems like the switch hasn’t quite yet been flipped. Any day now?..

1 Like

Update: now it’s called Azure “Trusted Signing”, so I guess we should refer to it as ATS (I hate acronyms :unamused:).

Does the rename mean it is now available? Weirdly enough the ATS sites say nothing about a beta or preview.