Forum Discussion

GrahamGB's avatar
GrahamGB
Iron Contributor
Jan 31, 2025
Solved

Signing MSIX packages with Azure Trusted Signing Accounts

I have a requirement to sign an MSIX package without access to a code signing certificate. I have successfully signed a powershell script using the Azure Trusted Signing Account: https://learn.mic...
  • GrahamGB's avatar
    GrahamGB
    Feb 18, 2025

    Have since identified that Trusted Signing Installer .msi doesn't install the correct configuration of dlib and compatible sign tool.

     

    Installing the latest sign tool 10.0.26610.3328 and dlib 1.0.68.0 using nuget packages overcomes the issue.

    Microsoft are updating documentation to reflect this, including ensuring that explicit paths to each component is set and calling signtool from the folder it resides in.

     

    & .\signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "<Path to Trusted Signing dlib bin folder>\x64\Azure.CodeSigning.Dlib.dll" /dmdf "<Path to metadata file>\metadata.json" <File to sign>

GrahamGB's avatar
GrahamGB
Iron Contributor
Feb 18, 2025

Have since identified that Trusted Signing Installer .msi doesn't install the correct configuration of dlib and compatible sign tool.

 

Installing the latest sign tool 10.0.26610.3328 and dlib 1.0.68.0 using nuget packages overcomes the issue.

Microsoft are updating documentation to reflect this, including ensuring that explicit paths to each component is set and calling signtool from the folder it resides in.

 

& .\signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "<Path to Trusted Signing dlib bin folder>\x64\Azure.CodeSigning.Dlib.dll" /dmdf "<Path to metadata file>\metadata.json" <File to sign>

  • luchete's avatar
    luchete
    Iron Contributor
    Feb 19, 2025

    Cool, I'm glad you've found a solution. This post will be useful for those in the same situation. Thanks for sharing!

Resources