Tags: azure, windows-installer, trusted-signing

Signing an msi with AzureSignTool seems to work but "it is not in the Trusted Root Certification Authorities store."


I'm trying to sign an app, packaged with Briefcase, using Azure Trusted Signing. Under Certificate Profiles in the Azure dashboard the certificate is marked as active, and signing the app doesn't give any error messages as far as I can tell:

    info: AzureSignTool.SignCommand[0] => File: C:\Users\corre\EyePrecisionBasic\eyeprecisionbasic\dist\Eye Precision Basic-1.0.4.msi
          Signing file.
    info: AzureSignTool.SignCommand[0] => File: C:\Users\corre\EyePrecisionBasic\eyeprecisionbasic\dist\Eye Precision Basic-1.0.4.msi
          Signing completed successfully.
    info: AzureSignTool.SignCommand[0]
          Successful operations: 1
    info: AzureSignTool.SignCommand[0]
          Failed operations: 0

After noticing that users were still getting "Unverified Publisher" warnings I started digging around. Under properties > Digital Signatures I see: "a certificate chain processed but terminated in a root certificate which is not trusted by the trust provider"

Under View Certificate > Certification Path, I only see my own name next to a symbol with a red x. No other path is listed. Time stamp is registered, everything else seems to be working, but the certificate isn't recognised. Azure doesn't provide any help, and my certificate seems to me to be otherwise approved in the Azure dashboard.

Can anybody point me in the right direction?


Solution

  • tl;dr: use signtool instead of AzureSignTool for Trusted Signing.


    AzureSignTool doesn't support Azure Trusted Signing, so the cert profile in Azure Trusted Signing isn't in play. The cert with your name in it sounds like a stub self-signing cert, which won't be trusted by default. There's an open work item in the AzureSignTool GitHub to support Trusted Signing at Trusted Signing support #300

    The primary way to sign with Azure Trusted Signing is to use signtool (see Set up SignTool to use Trusted Signing). AzureSignTool is modeled on signtool, and it has mostly the same usage patterns. The main value-add of AzureSignTool over signtool is support for Azure Key Vaults, which isn't relevant if you're using Trusted Signing.

    As Jaxel writes, you'll need to have a public trust profile to be automatically trusted by Windows (see Trusted Signing trust models). If you use a private trust profile you'll need to install and trust the root on your system.
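As an added example (not code from the question or the answer above), here is the signtool-based flow the answer recommends, followed by the two local checks that would have surfaced the problem in the question before shipping: Windows' own Authenticode verdict on the file and the certificate chain signtool sees. The dlib path, the Trusted Signing endpoint, the account and profile names and the MSI path are placeholders you must replace; the example assumes signtool.exe from the Windows SDK is on PATH, that the Trusted Signing client dlib has been installed at the path given, and that the current user is already logged in to Azure with a role allowed to sign with that certificate profile.

```powershell
# Added example, not part of the original post: sign an MSI with signtool.exe
# through Azure Trusted Signing, then verify locally that Windows trusts the result.
# Placeholders/assumptions (change for your environment):
#   $Msi   - the installer to sign
#   $Dlib  - Azure.CodeSigning.Dlib.dll from the Trusted Signing client package (assumed location)
#   Endpoint / CodeSigningAccountName / CertificateProfileName - your Trusted Signing resource
$Msi      = "C:\path\to\Eye Precision Basic-1.0.4.msi"                    # placeholder path
$Dlib     = "C:\tools\TrustedSigning\bin\x64\Azure.CodeSigning.Dlib.dll"  # assumed location
$Metadata = Join-Path $env:TEMP "trusted-signing-metadata.json"

# signtool reads the account and certificate profile from a JSON metadata file (/dmdf).
# The profile must be a *public* trust profile for the chain to be trusted out of the box;
# a private trust profile chains to a root you would have to install yourself.
@{
    Endpoint               = "https://eus.codesigning.azure.net"   # placeholder: your region's endpoint
    CodeSigningAccountName = "my-signing-account"                  # placeholder
    CertificateProfileName = "my-public-trust-profile"             # placeholder
} | ConvertTo-Json | Set-Content -Path $Metadata -Encoding ascii

# Sign with a SHA-256 file digest and an RFC 3161 timestamp from the Trusted Signing
# timestamp service. /dlib + /dmdf make signtool obtain the short-lived certificate from
# Azure instead of a local store, which is the part AzureSignTool does not do.
& signtool.exe sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 `
    /dlib $Dlib /dmdf $Metadata $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Check 1: ask the Windows trust provider directly. A file in the state described in the
# question (chain ends in an untrusted root) does not come back as 'Valid'; the StatusMessage
# carries the same "terminated in a root certificate which is not trusted" text.
$sig = Get-AuthenticodeSignature -FilePath $Msi
"{0}: {1}" -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') { throw "Signature is not trusted: $($sig.StatusMessage)" }

# Check 2: print the full certificate chain under the default Authenticode policy (/pa).
# With a public trust profile every link up to a root shipped in Windows' trust store is
# listed; a chain that stops at a leaf carrying only your own name is the symptom to look for.
& signtool.exe verify /pa /v $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Run this on a clean machine (or a VM without your developer certificates installed) as well as the build host: a chain that only validates because a root was imported locally is exactly the case the answer warns about with private trust, and the two checks above make that difference visible before users see an "Unverified Publisher" prompt.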