I'm using Azure Trusted Signing with SignTool, following this guide: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations
My local development machine is able to sign binaries OK, but when I try to run it on the Azure build server, I can't get past a 403 (Forbidden) error. How do I determine the cause of this error?
I can confirm:
https://eus.codesigning.azure.net
Error on Azure build server:
>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Users\Public\Documents\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Users\Public\Documents\rti-trusted-signing.json" /d "Installer" "Setup.msi"
Trusted Signing
Version: 1.0.68
"Metadata": {
"Endpoint": "https://eus.codesigning.azure.net/",
"CodeSigningAccountName": "trusted-signing",
"CertificateProfileName": "code-certificate",
"ExcludeCredentials": []
}
Submitting digest for signing...
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)
Headers:
Date: Mon, 20 Oct 2025 18:29:26 GMT
Connection: keep-alive
Strict-Transport-Security: REDACTED
x-azure-ref: REDACTED
X-Cache: REDACTED
Content-Length: 0
at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
SignTool working on my development machine:
>signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "%AzureTrustedSigningDlib%" /dmdf "azure-trusted-signing.json" /d "Installer" "Setup.msi"
Trusted Signing
Version: 1.0.68
"Metadata": {
"Endpoint": "https://eus.codesigning.azure.net/",
"CodeSigningAccountName": "trusted-signing",
"CertificateProfileName": "code-certificate",
"ExcludeCredentials": []
}
Submitting digest for signing...
OperationId 70719d50-5a31-48a1-b063-09425d82212e: InProgress
Signing completed with status 'Succeeded' in 0.7371434s
I excluded the credential types below and the authentication started working on our Azure build server.
{
  "Endpoint": "https://eus.codesigning.azure.net",
  "CodeSigningAccountName": "account",
  "CertificateProfileName": "profile",
  "ExcludeCredentials": [
    "ManagedIdentityCredential",
    "EnvironmentCredential",
    "WorkloadIdentityCredential",
    "SharedTokenCacheCredential",
    "VisualStudioCredential",
    "VisualStudioCodeCredential",
    "AzurePowerShellCredential",
    "AzureDeveloperCliCredential"
  ]
}
Also switched to using Azure CLI credentials (so we can authenticate at the beginning of the build process instead of waiting for the build to start signing the code).
Learned most of this thanks to another Stack Overflow answer: https://stackoverflow.com/a/78486322/4503969
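Putting the question's diagnosis and this answer's fix together in one build step, as an added example (not code from the original question, the answer, or Microsoft's Trusted Signing tooling): the script logs in with the Azure CLI before anything else, writes the metadata file with the credential exclusions above so DefaultAzureCredential can only fall through to AzureCliCredential, decodes the token the CLI will hand to the dlib so the build log shows exactly which identity is about to sign (the thing a 403 hides), then runs SignTool and verifies the result. Assumptions that are not in the original post: the service-principal values arrive in the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID; the token scope https://codesigning.azure.net/.default; the appid/oid claim names as issued for a service principal; and the file paths, which are the ones quoted in the question.

```powershell
# Added example, not part of the original post. Assumes a Windows build agent with
# Azure CLI and the Windows SDK installed, and pipeline secrets in the env vars below.
param(
    [string]$Endpoint     = 'https://eus.codesigning.azure.net',
    [string]$AccountName  = 'trusted-signing',
    [string]$ProfileName  = 'code-certificate',
    [string]$MetadataPath = "$env:TEMP\trusted-signing.json",
    [string]$Dlib         = 'C:\Users\Public\Documents\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll',
    [string]$SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe',
    [string]$FileToSign   = 'Setup.msi'
)
$ErrorActionPreference = 'Stop'

# 1. Authenticate up front. A bad secret or tenant fails here, at the start of the build,
#    instead of as an opaque 403 when signing begins. (Env var names are an assumption.)
az login --service-principal `
    --username $env:AZURE_CLIENT_ID `
    --password $env:AZURE_CLIENT_SECRET `
    --tenant   $env:AZURE_TENANT_ID `
    --output none
if ($LASTEXITCODE -ne 0) { throw 'az login failed' }

# 2. Write the dlib metadata. Excluding every other credential type stops
#    DefaultAzureCredential from silently picking the VM's managed identity or a stale
#    EnvironmentCredential, neither of which necessarily holds the signer role on the profile.
$metadata = [ordered]@{
    Endpoint               = $Endpoint
    CodeSigningAccountName = $AccountName
    CertificateProfileName = $ProfileName
    ExcludeCredentials     = @(
        'ManagedIdentityCredential', 'EnvironmentCredential', 'WorkloadIdentityCredential',
        'SharedTokenCacheCredential', 'VisualStudioCredential', 'VisualStudioCodeCredential',
        'AzurePowerShellCredential', 'AzureDeveloperCliCredential'
    )
}
$json = $metadata | ConvertTo-Json -Depth 3
# Write UTF-8 without a BOM so any JSON reader accepts the file as-is.
[IO.File]::WriteAllText($MetadataPath, $json, [Text.UTF8Encoding]::new($false))

# 3. Diagnostic: decode the access token the CLI would give the dlib and log the identity.
#    If the request still returns 403, this oid is the principal that needs the
#    "Trusted Signing Certificate Profile Signer" role on the account or profile.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # JWT payload is base64url: swap the alphabet back and restore the padding.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
# Scope is an assumption; it is the Trusted Signing resource, not ARM.
$token = az account get-access-token --scope 'https://codesigning.azure.net/.default' `
    --query accessToken -o tsv
if ($LASTEXITCODE -ne 0 -or -not $token) { throw 'could not obtain a Trusted Signing token' }
$claims = ConvertFrom-JwtPayload $token
Write-Host ('Signing as oid={0} appid={1} tenant={2} aud={3}' -f `
    $claims.oid, $claims.appid, $claims.tid, $claims.aud)

# 4. Sign. /v /debug keep the dlib's own output in the build log for the next 403.
& $SignTool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $Dlib /dmdf $MetadataPath /d 'Installer' $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 5. Verify the Authenticode signature chains before the artifact is published.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid') { throw "signature status: $($sig.Status)" }
Write-Host "Signed by $($sig.SignerCertificate.Subject)"
```

The logged oid is the value to compare against the role assignments on the Trusted Signing account: a token that is issued without error but still yields 403 from the signing endpoint means authentication succeeded and authorization failed, which is the distinction the SignTool output alone does not make.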