Introduction

Code signing is no longer an optional process – Windows, antivirus engines, and enterprise security tools all expect executables to be digitally signed. Previously, developers purchased an EV Code Signing Certificate, stored it on a USB token or HSM, and had to maintain it for years.

Azure Trusted Signing reimagines the process with cloud-based certificate issuance, short-lived certificates, automated identity verification, and fully integrated CI/CD workflows.

This overview discusses what Azure Trusted Signing is, why developers would use it, other options, costs, prerequisites, and a complete step-by-step setup – from setting up your account to signing your first EXE.

What is Azure Trusted Signing?

Azure Trusted Signing is Microsoft’s cloud-based code signing service to help developers sign executables, installers, scripts, and applications securely without managing long-term private keys.

Instead of the typical certificate files stored on a local machine, Azure Trusted Signing issues short-lived certificates as needed, reducing the risk of private keys being stolen and simplifying the certificate lifecycle management.

Recommended: Code Signing Certificate Validity Changes: A New Era of Trust and Automation

Azure Trusted Signing works directly with Azure Active Directory, giving you centralized identity-driven access controls, as well as the ability to support automated DevOps pipelines through the use of CLI and API tools.

This service is especially valuable for organizations that need scalable, compliant, and tamper-evident signing workflows.

Features such as identity validation, role-based access control, audit logging, and integration with Azure Key Vault and CI/CD tooling give Azure Trusted Signing a modern, secure model, replacing the era of storing private keys on developers’ machines.

Ultimately, the service ensures the published software is trusted by Windows and the rest of the large operating system ecosystems, reducing operational burden and risk to security and compliance.

Alternatives to Azure Trusted Signing

An alternative for Azure Trusted Signing is the option of buying a DigiCert code signing certificate and storing its private key securely in Azure Key Vault. Or we offer an Azure Key Vault Code Signing Certificate from DigiCert; you can directly purchase that.

By doing so, you have full control over your certificate, while simultaneously leveraging the HSM-backed security offered by Azure Key Vault.

Recommended: Managed HSM Vs. Azure Vault Key Difference

You can use the key as part of your CI/CD pipelines, enforce key access policies, and autonomously sign workloads. With this alternative, you have strong security, flexible implementation, and freedom from the managed signing service by Azure.

Recommended: How to Create Key Vault, CSR, and Import Code Signing Certificate in Azure KeyVault HSM?

Quickstart: What you’ll need

Before you begin, you need the following:

A Trusted Signing Account

Before you start, you need to create a Trusted Signing account from the Azure Portal. This account is the basis of your signing environment, and it identifies where your certificate profiles, policies, and permissions will exist.

You cannot generate or use Azure’s short-lived code signing certificates without first having this account.

Identity Validation

After this, Microsoft requires you to go through identity validation to ensure that your signatures will be publicly trusted.

You can validate for yourself, as an Individual, which is for the personal developer, or as an Organization which is strongly suggested for businesses, enterprises, and development teams. Validating either way allows Azure to issue trusted short-lived certificates on your behalf.

A Certificate Profile

Next, you must create a certificate profile, which is the template Azure will use to create your short-lived code signing certificates automatically. The profile defines the type of certificate, the usage policies for the certificate, and the signing algorithms in use.

On each signing action, Azure will create a new secure time-limited code signing certificate based on this profile that you can use to sign the EXE.

Required IAM Roles

To be able to perform signing actions, your Azure identity is required to have the appropriate IAM roles assigned.

At a minimum, two roles need to be assigned: the Trusted Signing Identity Verifier, which verifies that you can act on behalf of the signing account, and the Trusted Signing Certificate Profile Signer, which allows your identity to request signing certificates from the certificate profile.

If the required roles are not assigned, your signing actions will fail because you lack the proper permission scope.

Supported Operating Systems

Finally, you will need to have the signing tools running on a supported operating system, as Azure Trusted Signing tools only run in modern environments.

As it currently stands, the supported operating systems are functioning on Windows 10 version 1809 or later, Windows 11, and any version of Windows Server 2016 or newer.

If the tools are run on unsupported operating systems, then the tools may not work as expected, or the signing process may be entirely blocked.

Pricing & Eligibility

Step-by-Step Guide: Setting Up Azure Trusted Signing

Below is how to set everything up, based on the information from Microsoft’s official documentation and the technical workflows we reviewed and analyzed above.

• Go to Azure Portal
• Create a new account or log into an existing account.
• Create a subscription for Pay-As-You-Go.

• In Azure Portal, search for Trusted Signing Accounts

• Click Create

• Provide: Account name, Region and Pricing tier

• Complete creation
• Make note of the Account Endpoint URI using Copy (you will need that in later steps).

Azure requires explicit permission to be able to do any signing account operations.

You need to assign the following:

• Trusted Signing Identity Verifier – Reviewing and managing identity validation
• Trusted Signing Certificate Profile Signer – To authorize applications or users signing EXEs

You will assign after a trusted signing account → access control (IAM).

• In the Trusted Signing account, go to Identity Validations.

• Select Individual or Organization from the list.
• Provide the requested business documents.
• Then the wait for Microsoft to verify your identity may be hours to days. Depending on the level of verification.

Once approved, you can begin to make Certificate profiles.

• Go to Certificate Profiles

• Click Create Profile
• Choose Public Trust
• Select your verified identity
• Name the profile and save

This profile will generate short-lived certificates when you sign your EXE.

Install using WinGet (recommended):

winget install -e --id Microsoft.Azure.TrustedSigningClientTools

This installs:

• SignTool plugin
• .NET 8 runtime
• Azure CodeSigning dlib
• Visual C++ redistributable

Create metadata.json:

{
  "Endpoint": "https://weu.codesigning.azure.net",
  "CodeSigningAccountName": "YourAccountName",
  "CertificateProfileName": "YourCertificateProfile",
  "CorrelationId": "build-001"
}

Use your actual region endpoint (EastUS, WestEurope, etc.).

Use this command to sign the executable:

signtool.exe sign /v /debug /fd SHA256 ^
/tr "http://timestamp.acs.microsoft.com" /td SHA256 ^
/dlib "C:\Path\Azure.CodeSigning.Dlib.dll" ^
/dmdf "C:\Path\metadata.json" ^
YourFile.exe

Key Points:

• Utilize the correct  x64/x86 versions
• Timestamping is necessary (cert is only valid for 3 days)
• Timestamping guarantees the everlasting validity of the signature

After invocation, your EXE will be digitally signed and become Windows-trusted.

Conclusion

Azure Trusted Signing is a powerful way to modernize your software-signing process with scalable certificate management, automated trust policies, and easier CI/CD integration.

However, not every organization requires the complexity or commitments associated with ongoing Azure configuration. Simplicity, speed, and budget often drive developers, SMBs, and independent publishers seeking to code-sign software. This is a major point of distinction for SignMyCode. 

Whether you select Azure Trusted Signing or a traditional code signing certificate issued by a certificate authority (CA) that is stored in Azure Key Vault, you need a trusted CA, trusted issuance, and trusted support. SignMyCode delivers all of these real-time to your desktop via straightforward pricing, reliable support, and by utilizing trusted CA’s such as Sectigo, DigiCert, and Comodo, etc.

Code Signing with Azure Key Vault

Leverage the Cloud Based Software Security by Securely Store your Private Key and Code Signing Certificate to Microsoft Azure Key Vault.

Get Azure Key Vault Code Signing Certificate