Azure Code Signing for plugin developers (guide)

@benediktadams I ran into the same error as you and Sergio pointed me back to @koaladsp-cecill tutorial. And I used @sudara tutorial as well.

After a little digging, I was able to sign AAX with a physical iLok running as Admin cmd line:

wraptool.exe sign --signtool c:\AAX_Tools\aax-signtool.bat --signid 1 --verbose --installedbinaries --account <youraccount> --password <yourpassword> --wcguid <yourwcguid> --in "<absolutePathToAAXPlugin>" --out "<absolutePathToSignedAAXPlugin>"

In the .bat file I could not get the SIGNTOOL_PATH environment variable to work and hard coded the path in the bat file as: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe"

Hope that works…

That’s correct, this assumes an AAX physical key, not AAX Cloud Signing. The wraptool “wrapper” might need a little bit of tweaking and I hope the hints will help you there.

ErrorSigningTarget, 38 doesn’t really tell much either, sorry!

It’s interesting that PACE would link back to this tutorial which actually hacks around their own tool.

2 Likes

Yup, sure didn’t mean anything… so after 3 more hours of digging it suddenly started working and I have no clue what I changed… code looks the same as it did at 100 points during the last 3 days :poop:

Anyways, it seems like I can now report that I have AAX cloud signing working with Azure Trusted Signing and if anyone hits roadblocks with this, feel free to hit me up privately.

In the meantime, feel free to vote for my petition for a secured space on here, where we can actually talk about PACE and their NDA’ed stuff…

1 Like

The PACE servers were down a few days ago… so it may have just been that

Everything’s back to operational

Rail

I’m aware of the outage and noticed the moment that PACE Cloud Signature login didn’t work anymore. Obviously I stopped testing then, my troubles all happened while the services were ok. Either way, I’m sorted now.

Re GitLab Pipeline Problem:

We’ve tried different combinations of runners (our own VirtualBox on Linux, GitLab shared Windows runner) and shells (bash, pwsh with Azure trusted-signing-module-0.3.18), but without success: “Access denied”

Eventually we solved it by creating a Windows Shell runner (running in a separate VirtualBox VM). With that the trusted-signing-module-0.3.18 works.

Here is the GitLab CI script in case someone is interested:

  script:
    # Force TLS 1.2 for this PowerShell session
    - "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12"

    # Unpack the TrustedSigning module shipped in the repo and import it
    - $modulePath = "${CI_PROJECT_DIR}\tools\trusted-signing-module-0.3.18.zip"
    - $installPath = "${CI_PROJECT_DIR}\TrustedSigning"
    - Expand-Archive -Path $modulePath -DestinationPath $installPath
    - Import-Module -Name $installPath

    # Trusted Signing account details (endpoint and profile name come from CI variables)
    - $params = @{}
    - $params["Endpoint"] = ${AZURE_ENDPOINT}
    - $params["CertificateProfileName"] = ${AZURE_CERT_PROFILE_NAME}
    - $params["CodeSigningAccountName"] = "<CodeSigningAccountName>"

    # Which files to sign
    - $params["FilesFolder"] = "${CI_PROJECT_DIR}\<dirToBinaries>"
    - $params["FilesFolderFilter"] = "exe"

    # File digest and RFC 3161 timestamping
    - $params["FileDigest"] = "SHA256"
    - $params["TimestampRfc3161"] = "http://timestamp.acs.microsoft.com"
    - $params["TimestampDigest"] = "SHA256"

    - Invoke-TrustedSigning @params

Not sure whether setting Tls12 is still needed ¯\_(ツ)_/¯

5 Likes

Yes, regular forum users have experience with the service you linked. They’re well known on here for regularly creating fake forum accounts and posting links to their service for advertising and SEO purposes. I think most of us agree that’s not a sign of a recommendable service.

4 Likes

Update: I’ve asked Microsoft when they will remove the 3-year limit and they don’t know. Right now new companies cannot use this service, and I think it is simply ridiculous; I’ve been able to get a signing certificate from Apple in a couple of days, while Microsoft needs 3 years of activity…

Well they approved me and I’m a single person company founded less than 3 years ago. Dunno what their process is, maybe they do a certain degree of vetting behind the scenes and make a case by case decision. I think there was another forum member who was also approved with <3 years.

1 Like

Hey guys, thank you for the great documentation! Has anyone else encountered this issue when signing AAX locally, and was actually able to solve it?

First off, let me direct you to my Feature Request for “A place to talk PACE”, which was prompted by my horrible 3-day PACE support journey getting around this particular error. And it’s super dumb: PACE support didn’t help a single bit when the solution could be expressed in one sentence: Clean Build/Delete your AAX build and try again. You’ll have to come to your own conclusion as to WHY this is the fix, because we can’t talk about PACE and their products :melting_face:

You have my vote :smile: I have also received a very vague answer from PACE that did not help at all. Thanks a lot for this incredibly easy fix! Almost feels like “did you try turning it off and on again?”.

1 Like

Thanks @danielrudrich this was really helpful to get set up with trusted signing in GitLab CI - I could not get it to work with signtool.

Here is my modification of the script:

    - "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12"
    - |
      If(-not(Get-InstalledModule TrustedSigning -ErrorAction silentlycontinue))
      {
        Install-Module TrustedSigning -Confirm:$False -Force
      }
    - $params = @{}
    - $params["Endpoint"] = $AZURE_ENDPOINT
    - $params["CertificateProfileName"] = $AZURE_CERT_PROFILE_NAME
    - $params["CodeSigningAccountName"] = $AZURE_CODE_SIGNING_ACCOUNT_NAME

    - $params["FilesFolder"] = "<path\to\executables>" 
    - $params["FilesFolderFilter"] = "exe"
    - $params["FilesFolderRecurse"] = $true # Useful if you have a top level folder with multiple executables to sign

    - $params["FileDigest"] = "SHA256"
    - $params["TimestampRfc3161"] = "http://timestamp.acs.microsoft.com"
    - $params["TimestampDigest"] = "SHA256"

    - Invoke-TrustedSigning @params

1 Like
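As an added check that belongs after the `Invoke-TrustedSigning` step in either of the two GitLab scripts above (this is not code from the thread or from the TrustedSigning module), a PowerShell verification step that fails the job if any binary in the signed folder is unsigned, has an invalid signature, was signed by an unexpected subject, or carries no timestamp countersignature. `<dirToBinaries>` and `<Your Company Name>` are placeholders; `$env:CI_PROJECT_DIR` is the variable the GitLab runner sets.

```powershell
# Added example, not from the thread: post-signing verification for the CI job.
# Assumptions (placeholders): the binaries live under "<dirToBinaries>" below
# $env:CI_PROJECT_DIR, and $expectedSubject is the CN of your certificate profile.
$signedDir       = Join-Path $env:CI_PROJECT_DIR "<dirToBinaries>"
$expectedSubject = "CN=<Your Company Name>"

$failures = @()
foreach ($file in Get-ChildItem -Path $signedDir -Filter *.exe -Recurse -File) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # Status is NotSigned, HashMismatch, NotTrusted, UnknownError, ... for anything not fully valid
    if ($sig.Status -ne 'Valid') {
        $failures += "$($file.Name): signature status is $($sig.Status)"
        continue
    }

    # Make sure the signer is our Trusted Signing certificate, not some other cert present on the runner
    if ($sig.SignerCertificate.Subject -notlike "$expectedSubject*") {
        $failures += "$($file.Name): unexpected signer '$($sig.SignerCertificate.Subject)'"
    }

    # Trusted Signing certificates are short-lived; without a timestamp the
    # signature stops validating as soon as the certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $failures += "$($file.Name): no timestamp countersignature"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host "OK: every .exe under $signedDir has a valid, timestamped signature from $expectedSubject"
```

If the runner’s trust store does not contain the Trusted Signing root chain, `Status` comes back as `NotTrusted` rather than `Valid`, which is the right outcome for a gate like this: a signature that does not validate on a clean Windows machine is not one you want to ship.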

Also regarding AAX signing, I ended up using my Apple Developer certificate for this which seems to work fine. See this thread: Code signing AAX with Apple cert on Windows?

3 Likes

Thanks for sharing this guide. I was able to switch to this in a few hours.

Verification failed at first, but it went through on a second try. I have a Swiss GmbH and was able to put the Swiss company identifier into the tax ID field. Validation went through after a few hours.

I lost some time with signtool.exe. In the past, I had copied the file into a separate location; only signtool.exe was required. This does not work anymore when using it with the Azure DLL. signtool now needs additional DLLs for that call, which are also located in the signtool folder. The error message was misleading and it took some time to figure this out.

I’m also using the Apple certificate for the AAX signing. I never had any issues with that. I don’t think it is worth putting any effort into this.

2 Likes

Hey guys, thanks for this guide. I’ve set up everything and used the lines provided by @benediktadams to test signtool… however, it only finds multiple local certificates but it doesn’t seem to find the remote one in my Trusted Signing account. Any hint?

EDIT: Solved. It requires the Windows SDK 10.0.22621.755 or higher now.
EDIT 2: The AAX signature script fails. I can’t find a way to make the tool handle whitespace in the path. Fixed by quoting %root%\aax-signtool.py

4 Likes

Have any Sole Proprietors in the US been able to sign up for Trusted Signing?
I sent them my EIN document, but now they are asking for “Formation documents, such as articles of incorporation, partnership deed”, which I don’t have since I don’t have a corporation…
Does anyone know if there is any way around this? And I can’t seem to find a way to contact them directly. How can I actually talk to someone at Azure about this?

The AAX signature script is still failing on some builds… always for a whitespace in the path. @koaladsp-cecill have you experienced similar issues?

Patched signtool: Input arguments: sign /sha1 "1" /t http://tsa.starfieldtech.com  "C:\Users\lcapo\AppData\Local\Temp\940ba16e-b9f0-4485-aa40-78542ee72dbe\Dr Phase_signed.dll"
Patched signtool: Filtered arguments: "C:\Users\lcapo\AppData\Local\Temp\940ba16e-b9f0-4485-aa40-78542ee72dbe\Dr Phase_signed.dll"
Patched signtool: File to sign: ""C:\Users\lcapo\AppData\Local\Temp\940ba16e-b9f0-4485-aa40-78542ee72dbe\Dr Phase_signed.dll""
Patched signtool: Executing: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib C:\Users\lcapo\.nuget\packages\microsoft.trusted.signing.client\1.0.60\bin\x64\Azure.CodeSigning.Dlib.dll /dmdf C:\Users\lcapo\.nuget\packages\microsoft.trusted.signing.client\1.0.60\metadata.json ""C:\Users\lcapo\AppData\Local\Temp\940ba16e-b9f0-4485-aa40-78542ee72dbe\Dr Phase_signed.dll""
SignTool Error: File not found: "C:\Users\lcapo\AppData\Local\Temp\940ba16e-b9f0-4485-aa40-78542ee72dbe\Dr
SignTool Error: File not found: Phase_signed.dll"

I’m not savvy with batch files

You have two double quotes around your filenames, when you should only have one pair.
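The doubled-quote problem in the log above, as an added illustration that is not the thread’s aax-signtool.bat (whose contents are not shown here): a PowerShell wrapper that accepts the arguments wraptool hands to the sign tool (`sign /sha1 "1" /t <url> "<file>"`), keeps only the file path, strips any quotes already around it, and passes it to signtool as one array element, so a path containing spaces is never split and never double-quoted. The signtool path is the one given earlier in the thread; the dlib and metadata paths are placeholders.

```powershell
# Added example, not from the thread: a wrapper for the signtool call that
# wraptool triggers. Takes wraptool's arguments, extracts the file path and
# invokes signtool with the Azure dlib. Placeholders: $dlib and $metadata.
param([Parameter(ValueFromRemainingArguments = $true)][string[]] $WraptoolArgs)

$signtool = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe"
$dlib     = "<path\to>\Azure.CodeSigning.Dlib.dll"   # placeholder
$metadata = "<path\to>\metadata.json"                # placeholder

if (-not $WraptoolArgs -or $WraptoolArgs.Count -eq 0) {
    Write-Error "No arguments received from wraptool"
    exit 1
}

# The file to sign is the last argument; it may arrive with quotes already around it.
$file = ($WraptoolArgs[-1]).Trim('"')

if (-not (Test-Path -LiteralPath $file)) {
    Write-Error "File to sign not found: $file"
    exit 1
}

# Build the argument list as an array: each element becomes exactly one argv
# entry, so PowerShell quotes the path once and the quotes cannot be doubled.
$signArgs = @(
    'sign', '/v', '/fd', 'SHA256',
    '/tr', 'http://timestamp.acs.microsoft.com', '/td', 'SHA256',
    '/dlib', $dlib, '/dmdf', $metadata,
    $file
)

& $signtool @signArgs
exit $LASTEXITCODE
```

Since wraptool’s `--signtool` option points at an executable or batch file, this would sit behind a one-line .bat stub along the lines of `powershell -ExecutionPolicy Bypass -File aax-signtool.ps1 %*` (an assumption here, not something the thread shows); `%*` forwards the arguments with their quoting intact, and the `.Trim('"')` above copes with the case where they arrive quoted.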

I had an EV Sectigo certificate last year, but now I’m planning to move to Azure.

I already set up my Azure account, a Resource Group, a Trusted Signing account, clicked on Identity Validation and set that up.

It actually said completed within a few minutes. Maybe they found my last EV from last year?
image

Anyway, next step, I move onto the Certificate Profile, and create a Public > Public Trust cert, and get this:
image

In my Identity Validation I do have a CN=xxxx and O=xxxx which look OK, and my Identity gives the impression that it’s completed. I think I have my Roles set up OK in regard to “Trusted Signing…”

Do I need to start my $9.99 subscription to go further, or do more Identity validation?