Microsoft strives to increase not only the security of the ecosystem, but also maintain our commitment to an open and inclusive ecosystem. Code signing is a part of that. It establishes the identity of the publisher of the application as well as the integrity that it has not been modified since publication. However, code signing is often difficult to do; whether that is obtaining a certificate, securing it, or operationalizing a secure service to integrate with build pipelines. Microsoft is committed to security, and we want to empower developers to have the toolsets to build and distribute applications securely. Azure Code Signing does just that. Azure Code Signing aims to democratize code signing for all developers.
What is Azure Code Signing?
Azure Code Signing is a fully managed end-to-end service for code signing. We leverage digest signing so your files never leave your environment. Getting started is easy - the service is managed as an Azure resource and functions through the familiar tenant and subscription management experiences. Simply go to the Code Signing Accounts resource, enter your organization information to initiate vetting. Once vetted you are all set to start signing with Azure Code Signing. We manage all the keys and certificates through our Certificate Authorities that are part of the Microsoft Trusted Root Program and meet WebTrust Certification.
You can easily integrate Azure Code Signing with your Windows Developer experiences (Visual Studio, GitHub, ADO, Windows SDK SignTool, etc) to provide a seamless application signing workflow as part of your build or release pipeline. Through the Azure experience you can utilize role-based access control and subscribe to your signing history events. Azure Code Signing uses short-lived certificates to sign your files. To make the signatures durable, it additionally provides a publicly trusted timestamping authority (http://timestamp.acs.microsoft.com) hosted by Microsoft.
What’s next for Azure Code Signing?
The service is currently in Private Preview supporting organizations with 3+ years of verifiable business history where code signed with Azure Code Signing is user mode trusted on Windows. We plan to launch into Public Preview in the next year and then work to increase our availability across the broad developer demographic. Over time, we will continue to expand supported signing scenarios to include supply chain artifact signing, private trust line of business signing, application control scenarios, inner loop test signing, as well as other signing scenarios across the ecosystem. Stay tuned for more updates on Azure Code Signing and our service offerings.