\n <\/p>\n

$\"WindowsEdgeLight$ <\/a>Mac Tahoe (in Beta as of the time of this writing) has this new characteristic known as Edge Mild that principally places a shiny image of an Edge Mild round your display and principally makes use of the facility of OLED to present you a digital ring mild. So I used to be like, why cannot we even have good issues? I wrote (vibed, with GitHub Copilot and Claude Sonnet 4.5<\/a>) a Home windows Edge Mild App (supply code at https:\/\/github.com\/shanselman\/WindowsEdgeLight<\/a> and you may get the most recent launch right here https:\/\/github.com\/shanselman\/WindowsEdgeLight\/releases<\/a> or the app will test for brand new releases and autoupdate with Updatum).<\/p>\n

Nevertheless, as is with all suss free executables on the web, whenever you run random stuff you may usually get the Window Defender ‘new cellphone, who dis’ warning which is frightening. After a number of downloads and no viruses or complaints, my executable will finally achieve popularity with the Home windows Defender Sensible Display service, however having a Code Signing Certificates is claimed to assist with that. Nevertheless, code signing certs are costly and a problem to handle and renew.<\/p>\n

Somebody informed me that Azure Trusted Signing<\/a> was considerably much less of a problem – it is much less, however it’s nonetheless non-trivial. I learn this put up from Rick (his weblog is gold and has been for years) earlier within the yr<\/a> and a few of it was tremendous helpful and different stuff has been made less complicated over time.<\/p>\n

I wrote 80% of this weblog put up, however since I simply spent an hour getting code signing to work and GitHub Copilot was going via and logging the whole lot I did, I did use Claude 4.5 to assist manage a few of this. I’ve reviewed all of it and re-written components I did not like, so any errors are mine.<\/p>\n

Azure Trusted Signing is Microsoft’s cloud-based code signing service that:<\/p>\n

No {hardware} tokens<\/strong> – The whole lot occurs within the cloud <\/li>\n

Computerized certificates administration<\/strong> – Certificates are issued and renewed routinely <\/li>\n

GitHub Actions integration<\/strong> – Signal throughout your CI\/CD pipeline. I used GH Actions. <\/li>\n

Kinda Affortable<\/strong> – About $10\/month for small initiatives. I would love it if this had been $10 a yr. That is cheaper than a yearly cert, however it’ll add up after some time so I am at all times in search of cheaper\/simpler choices. <\/li>\n

Trusted by Home windows<\/strong> – Makes use of the identical certificates authority as Microsoft’s personal apps, so it’s best to get your EXE trusted sooner<\/li>\n<\/ul>\nConditions<\/h2>\n
Earlier than beginning, you may want: <\/p>\n
\n
Azure subscription<\/strong> <\/li>\n
Azure CLI<\/strong> – Set up from right here<\/a> <\/li>\n
Identification validation paperwork<\/strong> – Driver’s license or passport for particular person builders. Observe that I am within the US, so your mileage could fluctuate however I principally arrange the account, scanned a QR code, took an image of my license, then did a selfie, then waited. <\/li>\n
Home windows PC<\/strong> – For native signing (elective) however I ended up utilizing the dotnet signal device. There are <\/li>\n
GitHub repository<\/strong> – For automated signing (elective)<\/li>\n<\/ol>\n
Half 1: Setting Up Azure Trusted Signing<\/h3>\n
Step 1: Register the Useful resource Supplier<\/h4>\n
First, I have to allow the Azure Trusted Signing service in my subscription. This may be achieved within the Portal, or on the CLI. <\/p>\n
# Login to Azure\naz login\n\n# Register the Microsoft.CodeSigning useful resource supplier\naz supplier register --namespace Microsoft.CodeSigning\n\n# Look forward to registration to finish (takes 2-3 minutes)\naz supplier present --namespace Microsoft.CodeSigning --query \"registrationState\"\n<\/code><\/pre>\nWait till the output reveals \"Registered\"<\/code>.\n<\/p>\nStep 2: Create a Trusted Signing Account<\/h3>\nNow create the precise signing account. You are able to do this by way of Azure Portal or CLI.\n<\/p>\n Choice A: Azure Portal (Simpler for first-timers)<\/strong>\n<\/p>\n\nGo to Azure Portal<\/a>\n<\/li>\n Seek for “Trusted Signing Accounts”\n<\/li>\n Click on Create<\/strong>\n<\/li>\n Fill in:\n\nSubscription<\/strong>: Your subscription\n<\/li>\n Useful resource Group<\/strong>: Create new or use present (e.g., “MyAppSigning”)\n<\/li>\n Account Identify<\/strong>: A singular title (e.g., “myapp-signing”)\n<\/li>\n Area<\/strong>: Select closest to you (e.g., “West US 2”)\n<\/li>\n SKU<\/strong>: Fundamental (ample for many apps)<\/li>\n<\/ul>\n<\/li>\nClick on Assessment + Create<\/strong>, then Create<\/strong><\/li>\n<\/ol>\nChoice B: Azure CLI (Quicker in case you are a CLI individual or wish to drive stick shift)<\/strong><\/p>\n# Create a useful resource group\naz group create --name MyAppSigning --location westus2\n\n# Create the Trusted Signing account\naz trustedsigning create \n --resource-group MyAppSigning \n --account-name myapp-signing \n --location westus2 \n --sku-name Fundamental\n<\/code><\/pre>\nEssential<\/strong>: Observe your area endpoint. Widespread ones are:\n<\/p>\n\nEast US: https:\/\/eus.codesigning.azure.web\/<\/code>\n<\/li>\n West US 2: https:\/\/wus2.codesigning.azure.web\/<\/code>\n<\/li>\nYour particular area: Test in Azure Portal underneath your account’s Overview web page<\/li>\n<\/ul>\nI completely flaked on this and messed round for 10 min earlier than I noticed that this URL issues and is particular to your account. Keep in mind this endpoint.<\/p>\nStep 3: Full Identification Validation<\/h3>\nThat is crucial step. Microsoft must confirm you are an actual individual\/group.\n<\/p>\n\nIn Azure Portal, go to your Trusted Signing Account\n<\/li>\n Click on Identification validation<\/strong> within the left menu\n<\/li>\n Click on Add id validation<\/strong>\n<\/li>\nSelect validation kind:\n\nParticular person<\/strong>: For solo builders (makes use of driver’s license\/passport)\n<\/li>\n Group<\/strong>: For firms (makes use of enterprise registration paperwork)<\/li>\n<\/ul>\n<\/li>\n For Particular person validation<\/strong>:\n\nAdd a transparent photograph of your government-issued ID\n<\/li>\n Present your full authorized title (should match ID precisely)\n<\/li>\n Present your electronic mail deal with<\/li>\n<\/ul>\n<\/li>\n Submit and look forward to approval<\/li>\n<\/ol>\nApproval Time<\/strong>:\n<\/p>\n \nParticular person: Often 1-3 enterprise days\n<\/li>\n Group: 3-5 enterprise days\n<\/li>\n Me: This took about 4 hours, so once more, YMMV. I used my private account and my private Azure (do not belief MSFT of us with limitless Azure credit, I pay for my very own) in order that they did not comprehend it was me. I went via the common line, not the Pre-check line LOL.<\/li>\n<\/ul>\nYou may obtain an electronic mail when authorised. You can’t signal any code till that is authorised.<\/strong>\n<\/p>\n Step 4: Create a Certificates Profile<\/h3>\nAs soon as your id is validated, create a certificates profile. That is what really points the signing certificates.\n<\/p>\n \nIn your Trusted Signing Account, click on Certificates profiles<\/strong>\n<\/li>\n Click on Add certificates profile<\/strong>\n<\/li>\n Fill in:\n\nProfile title<\/strong>: Descriptive title (e.g., “MyAppProfile”)\n<\/li>\n Profile kind<\/strong>: Select Public Belief<\/strong> (required to stop SmartScreen)\n<\/li>\n Identification validation<\/strong>: Choose your authorised id\n<\/li>\n Certificates kind<\/strong>: Code Signing<\/li>\n<\/ul>\n<\/li>\n Click on Add<\/strong><\/li>\n<\/ol>\nEssential<\/strong>: Solely “Public Belief” profiles forestall SmartScreen warnings. “Personal Belief” is for inner apps solely. This took me a second to appreciate additionally as it is not an intuitive title.\n<\/p>\n Step 5: Confirm Your Setup<\/h3>\n# Listing your Trusted Signing accounts\naz trustedsigning present \n --resource-group MyAppSigning \n --account-name myapp-signing\n\n# Ought to present standing: \"Succeeded\"\n<\/code><\/pre>\nWrite down these values<\/strong> – you may want them later:\n<\/p>\n \nAccount Identify<\/strong>: myapp-signing<\/code>\n<\/li>\n Certificates Profile Identify<\/strong>: MyAppProfile<\/code>\n<\/li>\n Endpoint URL<\/strong>: https:\/\/wus2.codesigning.azure.web\/<\/code> (or your area)\n<\/li>\n Subscription ID<\/strong>: Present in Azure Portal\n<\/li>\n Useful resource Group<\/strong>: MyAppSigning<\/code><\/li>\n<\/ul>\nHalf 2: Native Code Signing<\/h2>\nNow let’s signal an executable in your my machine. You do not NEED to do that, however I wished to attempt it domestically to keep away from a bunch of CI\/CD runs, and I wished to right-click the EXE and see the cert in Properties earlier than I took all of it to the cloud. The good half about this was that I did not have to mess with any certificates.\n<\/p>\n Step 1: Assign Your self the Signing Position<\/h3>\nYou want permission to really use the signing service.\n<\/p>\n Choice A: Azure Portal<\/strong>\n<\/p>\n \nGo to your Trusted Signing Account\n<\/li>\n Click on Entry management (IAM)<\/strong>\n<\/li>\n Click on Add<\/strong> \u2192 Add function task<\/strong>\n<\/li>\n Seek for and choose Trusted Signing Certificates Profile Signer. <\/strong>That is necessary. I looked for “code” and located nothing. Seek for “Trusted”\n<\/li>\n Click on Subsequent<\/strong>\n<\/li>\n Click on Choose members<\/strong> and discover your person account\n<\/li>\n Click on Choose<\/strong>, then Assessment + assign<\/strong><\/li>\n<\/ol>\nChoice B: Azure CLI<\/strong><\/p>\n # Get your person object ID\n$userId = az advert signed-in-user present --query id -o tsv\n\n# Assign the function\naz function task create \n --role \"Trusted Signing Certificates Profile Signer\" \n --assignee-object-id $userId \n --scope \/subscriptions\/YOUR_SUBSCRIPTION_ID\/resourceGroups\/MyAppSigning\/suppliers\/Microsoft.CodeSigning\/codeSigningAccounts\/myapp-signing\n<\/code><\/pre>\nSubstitute YOUR_SUBSCRIPTION_ID<\/code> together with your precise subscription ID.\n<\/p>\n Step 2: Login with the Appropriate Scope<\/h3>\nThat is essential – it is advisable login with the particular codesigning scope.<\/p>\n # Logout first to clear previous tokens\naz logout\n\n# Login with codesigning scope\naz login --use-device-code --scope \"https:\/\/codesigning.azure.web\/.default\"\n<\/code><\/pre>\nThis offers you a code to enter at https:\/\/microsoft.com\/devicelogin<\/a>. Observe the prompts.\n<\/p>\n Why gadget code movement?<\/strong> As a result of Azure CLI’s default authentication can battle with Visible Studio credentials in my expertise. System code movement is extra dependable for code signing.\n<\/p>\n Step 3: Obtain the Signal Instrument<\/h3>\nChoice A: Set up Globally (Really useful for normal use)<\/strong><\/p>\n# Set up as a world device (accessible in every single place)\ndotnet device set up --global --prerelease signal\n\n# Confirm set up\nsignal --version\n<\/code><\/pre>\nChoice B: Set up Domestically (Undertaking-specific)<\/strong><\/p>\n# Set up to present listing\ndotnet device set up --tool-path . --prerelease signal\n\n# Use with .signal.exe\n<\/code><\/pre>\nWhich ought to I exploit?<\/strong>\n<\/p>\n\nInternational<\/strong>: When you’ll signal a number of initiatives or signal continuously\n<\/li>\nNative<\/strong>: If you wish to preserve the device with a particular mission or don’t need it in your PATH<\/li>\n<\/ul>\nStep 4: Signal Your Executable<\/h3>\nObserve once more that code signing URL is particular to you. The tscp is your Trusted Signing Certificates Profile title and the tsa is your Trusted Signing Account title. I set *.exe to signal all of the EXEs within the folder and be aware that the -b base listing is an absolute path, not a relative one. For me it was d:githubWindowsEdgeLightpublish, and your mileage will fluctuate.<\/p>\n# Navigate to your mission folder\ncd C:MyProject\n\n# Signal the executable\n.signal.exe code trusted-signing `\n -b \"C:MyProjectpublish\" `\n -tse \"https:\/\/wus2.codesigning.azure.web\" `\n -tscp \"MyAppProfile\" `\n -tsa \"myapp-signing\" `\n *.exe `\n -v Info\n<\/code><\/pre>\nParameters defined:<\/strong>\n<\/p>\n\n-b<\/code>: Base listing containing information to signal\n<\/li>\n -tse<\/code>: Trusted Signing endpoint (your area)\n<\/li>\n -tscp<\/code>: Certificates profile title\n<\/li>\n -tsa<\/code>: Trusted Signing account title\n<\/li>\n *.exe<\/code>: Sample to match information to signal\n<\/li>\n-v<\/code>: Verbosity stage (Hint, Info, Warning, Error)<\/li>\n<\/ul>\nAnticipated output:<\/strong><\/p>\n data: Signing WindowsEdgeLight.exe succeeded.\nAccomplished in 2743 ms.\n<\/code><\/pre>\nStep 5: Confirm the Signature<\/h3>\nYou are able to do this in PowerShell:<\/p>\n # Test the signature\nGet-AuthenticodeSignature \".publishMyApp.exe\" | Format-Listing\n\n# Search for:\n# Standing: Legitimate\n# SignerCertificate: CN=Your Identify, O=Your Identify, ...\n# TimeStamperCertificate: Ought to be current\n<\/code><\/pre>\nProper-click the EXE<\/strong> \u2192 Properties<\/strong> \u2192 Digital Signatures<\/strong> tab:\n<\/p>\n \nYou need to see your signature\n<\/li>\n “This digital signature is OK”<\/li>\n<\/ul>\nWidespread Native Signing Points<\/h3>\nI hit all of those lol<\/p>\n Subject: “Please run ‘az login’ to arrange account”<\/strong>\n<\/p>\n \nTrigger<\/strong>: Not logged in with the best scope\n<\/li>\n Repair<\/strong>: Run az logout<\/code> then az login --use-device-code --scope \"https:\/\/codesigning.azure.web\/.default\"<\/code><\/li>\n<\/ul>\nSubject: “403 Forbidden”<\/strong>\n<\/p>\n \nTrigger<\/strong>: Mistaken endpoint, account title, or lacking permissions\n<\/li>\n Repair<\/strong>:\n\nConfirm endpoint matches your area (wus2, eus, and so on.)\n<\/li>\n Confirm account title is actual (case-sensitive)\n<\/li>\n Confirm you may have “Trusted Signing Certificates Profile Signer” function<\/li>\n<\/ul>\n<\/li>\n<\/ul>\nSubject: “Person account doesn’t exist in tenant”<\/strong>\n<\/p>\n \nTrigger<\/strong>: Azure CLI making an attempt to make use of Visible Studio credentials\n<\/li>\n Repair<\/strong>: Use gadget code movement (see Step 2)<\/li>\n<\/ul>\nHalf 3: Automated Signing with GitHub Actions<\/h2>\nThat is the place the magic occurs. I wish to routinely signal each launch. I am utilizing GitVersion so I simply have to tag a commit and GitHub Actions will kick off a run. You possibly can go take a look at an actual run intimately at https:\/\/github.com\/shanselman\/WindowsEdgeLight\/actions\/runs\/19775054123<\/a>\n<\/p>\n Step 1: Create a Service Principal<\/h3>\nGitHub Actions wants its personal id to signal code. We’ll create a service principal (like a robotic account). That is VERY completely different than your native signing setup.\n<\/p>\n Essential<\/strong>: You want Proprietor<\/strong> or Person Entry Administrator<\/strong> function in your subscription to do that. If you do not have it, ask your Azure admin or a buddy.<\/p>\n# Create service principal with signing permissions\naz advert sp create-for-rbac \n --name \"MyAppGitHubActions\" \n --role \"Trusted Signing Certificates Profile Signer\" \n --scopes \/subscriptions\/YOUR_SUBSCRIPTION_ID\/resourceGroups\/MyAppSigning\/suppliers\/Microsoft.CodeSigning\/codeSigningAccounts\/myapp-signing \n --json-auth\n<\/code><\/pre>\nThis outputs JSON like this:<\/p>\n{\n \"clientId\": \"12345678-1234-1234-1234-123456789abc\",\n \"clientSecret\": \"super-secret-value-abc123\",\n \"tenantId\": \"87654321-4321-4321-4321-cba987654321\",\n \"subscriptionId\": \"abcdef12-3456-7890-abcd-ef1234567890\"\n}\n<\/code><\/pre>\nSAVE THESE VALUES IMMEDIATELY!<\/strong> You possibly can’t retrieve the clientSecret<\/code> once more. That is tremendous necessary.\n<\/p>\n Various: Azure Portal Technique<\/strong>\n<\/p>\n If CLI would not work:\n<\/p>\n\nAzure Portal<\/strong> \u2192 App registrations<\/strong> \u2192 New registration<\/strong>\n<\/li>\n Identify: “MyAppGitHubActions”\n<\/li>\n Click on Register<\/strong>\n<\/li>\n Copy the Utility (consumer) ID<\/strong> – that is AZURE_CLIENT_ID<\/code>\n<\/li>\n Copy the Listing (tenant) ID<\/strong> – that is AZURE_TENANT_ID<\/code>\n<\/li>\n Go to Certificates & secrets and techniques<\/strong> \u2192 New consumer secret<\/strong>\n<\/li>\n Description: “GitHub Actions”\n<\/li>\n Expiration: 24 months (max)\n<\/li>\n Click on Add<\/strong> and instantly copy the Worth<\/strong> – that is AZURE_CLIENT_SECRET<\/code>\n<\/li>\n Go to your Trusted Signing Account \u2192 Entry management (IAM)<\/strong>\n<\/li>\n Add function task<\/strong> \u2192 Trusted Signing Certificates Profile Signer<\/strong>\n<\/li>\n Choose members<\/strong> \u2192 Seek for “MyAppGitHubActions”\n<\/li>\nAssessment + assign<\/strong><\/li>\n<\/ol>\nStep 2: Add GitHub Secrets and techniques<\/h3>\nGo to your GitHub repository:\n<\/p>\n\nSettings<\/strong> \u2192 Secrets and techniques and variables<\/strong> \u2192 Actions<\/strong>\n<\/li>\nClick on New repository secret<\/strong> for every:<\/li>\n<\/ol>\n\nAZURE_CLIENT_ID <\/code>– From service principal output or App registration <\/li>\n AZURE_CLIENT_SECRET - <\/span><\/code>From service principal output or Certificates & secrets and techniques <\/li>\n AZURE_TENANT_ID <\/code>– From service principal output or App registration <\/li>\n AZURE_SUBSCRIPTION_ID <\/code>– Azure Portal \u2192 Subscriptions <\/li>\n<\/ul>\nSafety Observe<\/strong>: These secrets and techniques are encrypted and by no means seen in logs. Solely your workflow can entry them. You may by no means see them once more.\n<\/p>\n Step 3: Replace Your GitHub Workflow<\/h3>\nIt is a little complicated because it’s YAML, which is Devil’s markup, however it’s what we have now sunk to as a society.\n<\/p>\n Observe the dotnet-version under. Yours is likely to be 8 or 9, and so on. Additionally, I’m constructing each x64 and ARM variations and I’m utilizing GitVersion so if you would like a extra full construct.yml, you possibly can go right here https:\/\/github.com\/shanselman\/WindowsEdgeLight\/blob\/grasp\/.github\/workflows\/construct.yml<\/a> I’m additionally zipping mine up and prepping my releases so my free EXE lives in a ZIP file.\n<\/p>\n Add signing steps to your .github\/workflows\/construct.yml<\/code>:<\/p>\n title: Construct and Signal\n\non:\n push:\n tags:\n - 'v*'\n workflow_dispatch:\n\npermissions:\n contents: write\n\njobs:\n construct:\n runs-on: windows-latest\n \n steps:\n - title: Checkout code\n makes use of: actions\/checkout@v4\n with:\n fetch-depth: 0\n \n - title: Setup .NET\n makes use of: actions\/setup-dotnet@v4\n with:\n dotnet-version: '10.0.x'\n \n - title: Restore dependencies\n run: dotnet restore MyApp\/MyApp.csproj\n\n - title: Construct\n run: |\n dotnet publish MyApp\/MyApp.csproj `\n -c Launch `\n -r win-x64 `\n --self-contained\n\n # === SIGNING STEPS START HERE ===\n \n - title: Azure Login\n makes use of: azure\/login@v2\n with:\n creds: '{\"clientId\":\"${{ secrets and techniques.AZURE_CLIENT_ID }}\",\"clientSecret\":\"${{ secrets and techniques.AZURE_CLIENT_SECRET }}\",\"subscriptionId\":\"${{ secrets and techniques.AZURE_SUBSCRIPTION_ID }}\",\"tenantId\":\"${{ secrets and techniques.AZURE_TENANT_ID }}\"}'\n\n - title: Signal executables with Trusted Signing\n makes use of: azure\/trusted-signing-action@v0\n with:\n azure-tenant-id: ${{ secrets and techniques.AZURE_TENANT_ID }}\n azure-client-id: ${{ secrets and techniques.AZURE_CLIENT_ID }}\n azure-client-secret: ${{ secrets and techniques.AZURE_CLIENT_SECRET }}\n endpoint: https:\/\/wus2.codesigning.azure.web\/\n trusted-signing-account-name: myapp-signing\n certificate-profile-name: MyAppProfile\n files-folder: ${{ github.workspace }}MyAppbinReleasenet10.0-windowswin-x64publish\n files-folder-filter: exe\n files-folder-recurse: true\n file-digest: SHA256\n timestamp-rfc3161: http:\/\/timestamp.acs.microsoft.com\n timestamp-digest: SHA256\n \n # === SIGNING STEPS END HERE ===\n \n - title: Create Launch\n if: startsWith(github.ref, 'refs\/tags\/')\n makes use of: softprops\/action-gh-release@v2\n with:\n information: MyApp\/bin\/Launch\/net10.0-windows\/win-x64\/publish\/MyApp.exe\n env:\n GITHUB_TOKEN: ${{ secrets and techniques.GITHUB_TOKEN }}\n<\/code><\/pre>\nKey factors:<\/strong>\n<\/p>\n\nendpoint<\/code>: Use YOUR area’s endpoint (wus2, eus, and so on.)\n<\/li>\n trusted-signing-account-name<\/code>: Your account title (actual, case-sensitive)\n<\/li>\n certificate-profile-name<\/code>: Your certificates profile title (actual, case-sensitive)\n<\/li>\n files-folder<\/code>: Path to your compiled executables\n<\/li>\n files-folder-filter<\/code>: File sorts to signal (exe, dll, and so on.)\n<\/li>\nfiles-folder-recurse<\/code>: Signal information in subfolders<\/li>\n<\/ul>\nStep 4: Check the Workflow<\/h3>\nNow set off the workflow. You’ve gotten two choices:<\/p>\n Choice A: Guide Set off (Most secure for testing)<\/strong>\n<\/p>\n Because the workflow consists of workflow_dispatch:<\/code>, you possibly can set off it manually with out making a tag:<\/p>\n# Set off manually by way of GitHub CLI\ngh workflow run construct.yml\n\n# Or go to GitHub net UI:\n# Actions tab \u2192 \"Construct and Signal\" workflow \u2192 \"Run workflow\" button\n<\/code><\/pre>\nThat is best for testing as a result of:\n<\/p>\n\nNo tag required\n<\/li>\n Will not create a launch\n<\/li>\n Can check a number of instances\n<\/li>\nSimple to debug points<\/li>\n<\/ul>\nChoice B: Create a Tag (For precise releases)<\/strong><\/p>\n# Ensure you're in your fundamental department with no uncommitted modifications\ngit standing\n\n# Create and push a tag\ngit tag v1.0.0\ngit push origin v1.0.0\n<\/code><\/pre>\nUse this whenever you’re able to create an precise launch with signed binaries. That is what I’m doing on my facet.\n<\/p>\nStep 5: Monitor the Construct<\/h3>\nWatch the progress with GitHub CLI:<\/p>\n # See newest runs\ngh run record --limit 5\n\n# Watch a particular run\ngh run watch\n\n# View detailed standing\ngh run view --log\n<\/code><\/pre>\nOr go to: https:\/\/github.com\/YOUR_USERNAME\/YOUR_REPO\/actions<\/code>\n<\/p>\n Search for:<\/strong>\n<\/p>\n \nAzure Login – Ought to full in ~5 seconds\n<\/li>\n Signal executables with Trusted Signing – Ought to full in ~10-30 seconds\n<\/li>\n Create Launch – Your signed executable is now accessible in \/releases in your GitHib mission<\/li>\n<\/ul>\nWidespread GitHub Actions Points<\/h3>\nI hit a number of of those, natch.<\/p>\n Subject: “403 Forbidden” throughout signing<\/strong>\n<\/p>\n \nTrigger<\/strong>: Service principal would not have permissions\n<\/li>\n Repair<\/strong>:\n\nGo to Azure Portal \u2192 Trusted Signing Account \u2192 Entry management (IAM)\n<\/li>\n Confirm “MyAppGitHubActions” has “Trusted Signing Certificates Profile Signer” function\n<\/li>\n If not, add it manually<\/li>\n<\/ol>\n<\/li>\n<\/ul>\nSubject: “No information matched the sample”<\/strong>\n<\/p>\n \nTrigger<\/strong>: Mistaken files-folder<\/code> path or construct artifacts in incorrect location\n<\/li>\n Repair<\/strong>:\n\nAdd a debug step earlier than signing: - run: Get-ChildItem -Recurse<\/code>\n<\/li>\n Discover the place your EXE is definitely situated\n<\/li>\n Replace files-folder<\/code> to match<\/li>\n<\/ol>\n<\/li>\n<\/ul>\nSubject: Secrets and techniques not working<\/strong>\n<\/p>\n \nTrigger<\/strong>: Typo in secret title or worth not saved\n<\/li>\n Repair<\/strong>:\n\nConfirm secret names EXACTLY match (case-sensitive)\n<\/li>\n Re-create secrets and techniques if uncertain\n<\/li>\n Be certain no additional areas in values<\/li>\n<\/ol>\n<\/li>\n<\/ul>\nSubject: “DefaultAzureCredential authentication failed”<\/strong>\n<\/p>\n \nTrigger<\/strong>: Often incorrect tenant ID or consumer ID\n<\/li>\n Repair<\/strong>: Confirm all 4 secrets and techniques are right from service principal output<\/li>\n<\/ul>\nHalf 4: Understanding the Certificates<\/h2>\n Certificates Lifecycle<\/h3>\nAzure Trusted Signing makes use of short-lived certificates<\/strong> (usually 3 days). This freaked me out however they are saying that is really a safety characteristic: <\/p>\n \nIf a certificates is compromised, it expires shortly\n<\/li>\n You by no means handle certificates information or passwords\n<\/li>\n Computerized renewal – you do not have to do something<\/li>\n<\/ul>\nHowever will not my signature break after 3 days?<\/strong>\n<\/p>\n No, plainly’s what timestamping<\/strong> is for. Whenever you signal a file:\n<\/p>\n \nAzure points a 3-day certificates\n<\/li>\n The file is signed with that certificates\n<\/li>\n A timestamp server information “this file was signed on DATE”\n<\/li>\n Even after the certificates expires, the signature stays legitimate as a result of the timestamp proves it was signed when the certificates was legitimate<\/li>\n<\/ol>\nThat is why each native and GitHub Actions signing embrace:<\/p>\n timestamp-rfc3161: http:\/\/timestamp.acs.microsoft.com\n<\/code><\/pre>\nWhat the Certificates Comprises<\/h3>\nYour signed executable has a certificates with:\n<\/p>\n \nTopic<\/strong>: Your title (e.g., “CN=John Doe, O=John Doe, L=Seattle, S=Washington, C=US”)\n<\/li>\n Issuer<\/strong>: Microsoft ID Verified CS EOC CA 01\n<\/li>\n Legitimate Dates<\/strong>: 3-day window\n<\/li>\n Key Dimension<\/strong>: 3072-bit RSA (very safe)\n<\/li>\n Enhanced Key Utilization<\/strong>: Code Signing<\/li>\n<\/ul>\nConfirm Certificates on Any Machine<\/h3>\n# Utilizing PowerShell\nGet-AuthenticodeSignature \"MyApp.exe\" | Choose-Object -ExpandProperty SignerCertificate | Format-Listing\n\n# Utilizing Home windows UI\n# Proper-click EXE \u2192 Properties \u2192 Digital Signatures tab \u2192 Particulars \u2192 View Certificates\n<\/code><\/pre>\nThis entire factor took me about an hour to 75 minutes. It was detailed, however not deeply tough. Misspellings, case-sensitivity, and some account points with Position-Primarily based Entry Management did gradual me down. Hope this helps!<\/p>\n Used Sources<\/h3>\nWritten in November 2025 primarily based on real-world implementation for WindowsEdgeLight. Your setup may fluctuate barely relying on Azure area and account kind. Issues change, be stoic.<\/em><\/p>\n \n \n \n <\/p>\n \n\nAbout Scott<\/h4>\n\nScott Hanselman is a former professor, former Chief Architect in finance, now speaker, advisor, father, diabetic, and Microsoft worker. He’s a failed stand-up comedian, a cornrower, and a e book creator.<\/p>\n <\/a> \n <\/a> \n <\/a> \n About<\/a> \u00a0 Publication<\/a>\n <\/div><\/div>\n \n\n Internet hosting By<\/strong> \n <\/a>\n <\/div><\/div><\/div>\n \n \n \n \n \n \n \n \n <\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":" Mac Tahoe (in Beta as of the time of this writing) has this new characteristic known as Edge Mild that principally places a shiny image of an Edge Mild round your display and principally makes use of the facility of OLED to present you a digital ring mild. So I used to be […]<\/p>\n","protected":false},"author":2,"featured_media":9326,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[2469,6714,1126,6716,6715,933,633,3822,4828,1059],"class_list":["post-9324","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software","tag-actions","tag-automatically","tag-azure","tag-dotnet","tag-exe","tag-github","tag-sign","tag-signing","tag-trusted","tag-windows"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9324"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9324\/revisions"}],"predecessor-version":[{"id":9325,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9324\/revisions\/9325"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/9326"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Half 1: Setting Up Azure Trusted Signing<\/h3>\n

Half 4: Understanding the Certificates<\/h2>\n