How to Set Up Azure Trusted Signing to Sign an EXE?
Home ยป How to Set Up Azure Trusted Signing to Sign an EXE?
Introduction
Code signing is no longer an optional process โ Windows, antivirus engines, and enterprise security tools all expect executables to be digitally signed.
How to Set Up Azure Trusted Signing to Sign an EXE?
Home ยป How to Set Up Azure Trusted Signing to Sign an EXE?
Introduction
Code signing is no longer an optional process โ Windows, antivirus engines, and enterprise security tools all expect executables to be digitally signed. Previously, developers purchased an EV Code Signing Certificate, stored it on a USB token or HSM, and had to maintain it for years.
Azure Trusted Signing reimagines the process with cloud-based certificate issuance, short-lived certificates, automated identity verification, and fully integrated CI/CD workflows.
This overview discusses what Azure Trusted Signing is, why developers would use it, other options, costs, prerequisites, and a complete step-by-step setup โ from setting up your account to signing your first EXE.
What is Azure Trusted Signing?
Azure Trusted Signing is Microsoftโs cloud-based code signing service to help developers sign executables, installers, scripts, and applications securely without managing long-term private keys.
Instead of the typical certificate files stored on a local machine, Azure Trusted Signing issues short-lived certificates as needed, reducing the risk of private keys being stolen and simplifying the certificate lifecycle management.
Recommended: Code Signing Certificate Validity Changes: A New Era of Trust and Automation
Azure Trusted Signing works directly with Azure Active Directory, giving you centralized identity-driven access controls, as well as the ability to support automated DevOps pipelines through the use of CLI and API tools.
This service is especially valuable for organizations that need scalable, compliant, and tamper-evident signing workflows.
Features such as identity validation, role-based access control, audit logging, and integration with Azure Key Vault and CI/CD tooling give Azure Trusted Signing a modern, secure model, replacing the era of storing private keys on developersโ machines.
Ultimately, the service ensures the published software is trusted by Windows and the rest of the large operating system ecosystems, reducing operational burden and risk to security and compliance.
Alternatives to Azure Trusted Signing
An alternative for Azure Trusted Signing is the option of buying a DigiCert code signing certificate and storing its private key securely in Azure Key Vault. Or we offer an Azure Key Vault Code Signing Certificate from DigiCert; you can directly purchase that.
By doing so, you have full control over your certificate, while simultaneously leveraging the HSM-backed security offered by Azure Key Vault.
Recommended: Managed HSM Vs. Azure Vault Key Difference
You can use the key as part of your CI/CD pipelines, enforce key access policies, and autonomously sign workloads. With this alternative, you have strong security, flexible implementation, and freedom from the managed signing service by Azure.
Recommended: How to Create Key Vault, CSR, and Import Code Signing Certificate in Azure KeyVault HSM?
Quickstart: What youโll need
Before you begin, you need the following:
A Trusted Signing Account
Before you start, you need to create a Trusted Signing account from the Azure Portal. This account is the basis of your signing environment, and it identifies where your certificate profiles, policies, and permissions will exist.
You cannot generate or use Azureโs short-lived code signing certificates without first having this account.
Identity Validation
After this, Microsoft requires you to go through identity validation to ensure that your signatures will be publicly trusted.
You can validate for yourself, as an Individual, which is for the personal developer, or as an Organization which is strongly suggested for businesses, enterprises, and development teams. Validating either way allows Azure to issue trusted short-lived certificates on your behalf.
A Certificate Profile
Next, you must create a certificate profile, which is the template Azure will use to create your short-lived code signing certificates automatically. The profile defines the type of certificate, the usage policies for the certificate, and the signing algorithms in use.
On each signing action, Azure will create a new secure time-limited code signing certificate based on this profile that you can use to sign the EXE.
Required IAM Roles
To be able to perform signing actions, your Azure identity is required to have the appropriate IAM roles assigned.
At a minimum, two roles need to be assigned: the Trusted Signing Identity Verifier, which verifies that you can act on behalf of the signing account, and the Trusted Signing Certificate Profile Signer, which allows your identity to request signing certificates from the certificate profile.
If the required roles are not assigned, your signing actions will fail because you lack the proper permission scope.
Supported Operating Systems
Finally, you will need to have the signing tools running on a supported operating system, as Azure Trusted Signing tools only run in modern environments.
As it currently stands, the supported operating systems are functioning on Windows 10 version 1809 or later, Windows 11, and any version of Windows Server 2016 or newer.
If the tools are run on unsupported operating systems, then the tools may not work as expected, or the signing process may be entirely blocked.
Pricing & Eligibility
Model Type
Basic
Premium
Base price (monthly)
$9.99
$99.99
Quota (signatures/month)
5,000
100,000
Price after quota is reached
$0.005/signature
$0.005/signature
Includes
Public/Private Signing 1 of each Certificate Profile type
Public/Private Signing 10 of each Certificate Profile type
Step-by-Step Guide: Setting Up Azure Trusted Signing
Below is how to set everything up, based on the information from Microsoftโs official documentation and the technical workflows we reviewed and analyzed above.
Go to Azure Portal
Create a new account or log into an existing account.
Create a subscription for Pay-As-You-Go.
In Azure Portal, search for Trusted Signing Accounts
Click Create
Provide: Account name, Region and Pricing tier
Complete creation
Make note of the Account Endpoint URI using Copy (you will need that in later steps).
Azure requires explicit permission to be able to do any signing account operations.
You need to assign the following:
Trusted Signing Identity Verifier โ Reviewing and managing identity validation
Trusted Signing Certificate Profile Signer โ To authorize applications or users signing EXEs
You will assign after a trusted signing account โ access control (IAM).
In the Trusted Signing account, go to Identity Validations.
Select Individual or Organization from the list.
Provide the requested business documents.
Then the wait for Microsoft to verify your identity may be hours to days. Depending on the level of verification.
Once approved, you can begin to make Certificate profiles.
Go to Certificate Profiles
Click Create Profile
Choose Public Trust
Select your verified identity
Name the profile and save
This profile will generate short-lived certificates when you sign your EXE.
Install using WinGet (recommended):
winget install -e –id Microsoft.Azure.TrustedSigningClientTools
This installs:
SignTool plugin
.NET 8 runtime
Azure CodeSigning dlib
Visual C++ redistributable
Create metadata.json:
{
ย “Endpoint”: “https://weu.codesigning.azure.net”,
ย “CodeSigningAccountName”: “YourAccountName”,
ย “CertificateProfileName”: “YourCertificateProfile”,
ย “CorrelationId”: “build-001”
}
Use your actual region endpoint (EastUS, WestEurope, etc.).
Use this command to sign the executable:
signtool.exe sign /v /debug /fd SHA256 ^
/tr “http://timestamp.acs.microsoft.com” /td SHA256 ^
/dlib “C:PathAzure.CodeSigning.Dlib.dll” ^
/dmdf “C:Pathmetadata.json” ^
YourFile.exe
Key Points:
Utilize the correctย x64/x86 versions
Timestamping is necessary (cert is only valid for 3 days)
Timestamping guarantees the everlasting validity of the signature
After invocation, your EXE will be digitally signed and become Windows-trusted.
Conclusion
Azure Trusted Signing is a powerful way to modernize your software-signing process with scalable certificate management, automated trust policies, and easier CI/CD integration.
However, not every organization requires the complexity or commitments associated with ongoing Azure configuration. Simplicity, speed, and budget often drive developers, SMBs, and independent publishers seeking to code-sign software. This is a major point of distinction for SignMyCode.ย
Whether you select Azure Trusted Signing or a traditional code signing certificate issued by a certificate authority (CA) that is stored in Azure Key Vault, you need a trusted CA, trusted issuance, and trusted support. SignMyCode delivers all of these real-time to your desktop via straightforward pricing, reliable support, and by utilizing trusted CAโs such as Sectigo, DigiCert, and Comodo, etc.
Code Signing with Azure Key Vault
Leverage the Cloud Based Software Security by Securely Store your Private Key and Code Signing Certificate to Microsoft Azure Key Vault.
Get Azure Key Vault Code Signing Certificate
Janki Mehta
Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
*** This is a Security Bloggers Network syndicated blog from SignMyCode โ Resources authored by Janki Mehta. Read the original post at: https://signmycode.com/resources/how-to-set-up-azure-trusted-signing-to-sign-an-exe
About Author
