{"id":25059616,"url":"https://github.com/starburst997/windows-code-sign","last_synced_at":"2025-10-10T09:51:42.196Z","repository":{"id":275090861,"uuid":"924296685","full_name":"starburst997/windows-code-sign","owner":"starburst997","description":"Code Signing for Windows as an Individual Developer","archived":false,"fork":false,"pushed_at":"2025-02-20T16:20:01.000Z","size":126,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-20T17:28:56.926Z","etag":null,"topics":["azure","code-sign","code-signing","codesign","codesigning","trusted-signing","tutorial"],"latest_commit_sha":null,"homepage":"https://jd.boiv.in/post/2025/01/29/code-signing.html","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/starburst997.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-29T18:52:21.000Z","updated_at":"2025-02-20T16:20:04.000Z","dependencies_parsed_at":"2025-02-20T17:24:36.621Z","dependency_job_id":null,"html_url":"https://github.com/starburst997/windows-code-sign","commit_stats":null,"previous_names":["starburst997/windows-code-sign-test","starburst997/windows-code-sign"],"tags_count":4,"template":true,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/starburst997%2Fwindows-code-sign","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/starburst997%2Fwindows-code-sign/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/starburst997%2Fwindows-code-sign/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/starburst997%2Fwindows-code-sign/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/starburst997","download_url":"https://codeload.github.com/starburst997/windows-code-sign/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246454547,"owners_count":20780162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","code-sign","code-signing","codesign","codesigning","trusted-signing","tutorial"],"created_at":"2025-02-06T15:35:43.529Z","updated_at":"2025-10-10T09:51:37.127Z","avatar_url":"https://github.com/starburst997.png","language":"C++","readme":"# windows-code-sign\n\nTesting code signing with a simple C++ app via Github Action and Azure's [Trusted Signing](https://techcommunity.microsoft.com/blog/microsoft-security-blog/trusted-signing-is-now-open-for-individual-developers-to-sign-up-in-public-previ/4273554) .\n\nThe following text is a copy of my blog post: [**Code Signing for Windows as an Individual Developer**](https://jd.boiv.in/post/2025/01/29/code-signing.html).\n\n\u003cbr/\u003e\n\n*(**TL;DR**: Get code signing working for Windows with immediate SmartScreen reputation via Github Action, check this repository to see how simple it can get once everything is setup)*\n\n*(Part one of my series on code-signing / distributing apps, check [Part 2 on Apple](https://github.com/starburst997/apple-code-sign))*\n\n\u003cbr/\u003e\n\n## Introduction\n\nFor the longest time, code signing on Windows required to buy certificates from rather sketchy companies ([Sectigo](https://www.sectigo.com/) / [DigiCert](https://www.digicert.com/) / etc...). This also required quite a lengthy process with terrible customer services to get verified (requiring in some case to [hire a Lawer or CA](https://www.sectigo.com/knowledge-base/detail/OV-Code-Signing-Validation-for-Organizations-and-Individuals/kA01N000000brb0)), exorbitant prices (500$+ / year) and the use of primitive technologies (forcing to [use internet explorer](https://signmycode.com/resources/generate-code-signing-certificate-using-internet-explorer-mode-in-microsoft-edge) to generate the private key).\n\nFinally, [Microsoft recently launched](https://techcommunity.microsoft.com/blog/microsoft-security-blog/trusted-signing-is-now-open-for-individual-developers-to-sign-up-in-public-previ/4273554) a service under [Azure](https://en.wikipedia.org/wiki/Microsoft_Azure) to help ease this process and get ready in just a few minutes with a relatively affordable price and easy verification for Individual Developer.\n\n*(this post is not sponsored, I was just quite relieved to see there was finally a viable solution)*\n\n\u003cbr/\u003e\n\n## What is Code Signing\n\nEver saw a [scary warning](https://en.wikipedia.org/wiki/Microsoft_SmartScreen) while downloading a EXE?\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/warning_5.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/warning_5.png\" alt=\"Scary Warning 1\" title=\"Scary Warning 1\"/\u003e\u003c/a\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/warning_3.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/warning_3.png\" alt=\"Scary Warning 2\" title=\"Scary Warning 2\"/\u003e\u003c/a\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\nThis is because the application is **NOT** code signed. This is an awful experience for anyone trying to download something and as a developer, is gut wrenching to feel powerless to remove this barrier without caving in to the Certificates Mafia Monopoly.\n\n*(to be fair, if your app gets enough downloads, at some unknown point in times, [Microsoft will remove this warning](https://stackoverflow.com/a/66582477) but nothing is certains)*\n\n[Code Signing](https://en.wikipedia.org/wiki/Code_signing) is a great practice and ensure that the EXE hasn't been tampered with and comes from the developer who built it by using a cryptographic hash. If a code signed application is found to have malware, the certificate can be revoked and Windows won't allow it to be run. \n\nApple have been doing this too for a while but the process is [rather painless](https://docs.fastlane.tools/actions/match/) and affordable through their [Apple Developer Program](https://developer.apple.com/support/compare-memberships/) (*which anyone making iOS app already have anyway*).\n\nLinux doesn't have any of that *(in the context of scary popup from downloading binaries in the browser)*.\n\n\u003cbr/\u003e\n\n## Setup code signing in Azure\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/azure.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/azure.png\" alt=\"Sign up for Azure\" title=\"Sign up for Azure\"/\u003e\u003c/a\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n[Create an account](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account) (new account come with free credits) and sign in to the [Azure portal](https://portal.azure.com/).\n\n*Makes sure you use the link above and click **Try Azure for free** or **Pay as you go** and fill the forms, otherwise you might get connected to the Microsoft Services tenant instead of your own and will see authentication issues.*\n\nYou should have a default Subscription / Tenant (if not, you didn't fill the forms as stated above).\n\n\u003cbr/\u003e\n\n### Register the Trusted Signing resource provider\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/provider_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/provider_1.png\" alt=\"Search for Subscriptions\" title=\"Search for Subscriptions\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/provider_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/provider_2.png\" alt=\"Select Resource providers\" title=\"Select Resource providers\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/provider_3.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/provider_3.png\" alt=\"Register CodeSigning\" title=\"Register CodeSigning\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e3\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. In the [Azure portal](https://portal.azure.com/), search for **Subscriptions** service, click on your subscription.\n\n2. Select **Resource providers** under **Settings** on the left panel.\n\n3. Search for **Microsoft.CodeSigning**, click on \"...\" and select **Register**.\n\n\u003cbr/\u003e\n\n### Create a Trusted Signing account\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/account_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/account_1.png\" alt=\"Create account\" title=\"Create account\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/account_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/account_2.png\" alt=\"Fill info\" title=\"Fill info\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. In the [Azure portal](https://portal.azure.com/), search for **Trusted Signing Accounts** service and **Create** one.\n\n2. Fill the form by selecting your **Subscription**, select **Create new** for **Resource group** (use any name you want). Pick an **Account name** (any name you want), a **Region** and finally a **Pricing tier**.\n\n\u003cbr/\u003e\n\n### Assign roles\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/role_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/role_1.png\" alt=\"Select account\" title=\"Select account\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/role_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/role_2.png\" alt=\"Add role assignment\" title=\"Add role assignment\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/role_3.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/role_3.png\" alt=\"Select role\" title=\"Select role\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e3\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/role_4.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/role_4.png\" alt=\"Add member\" title=\"Add member\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e4\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. In the [Azure portal](https://portal.azure.com/), search for **Trusted Signing Accounts** service and select the account you just created.\n\n2. On the left panel select **Access Control (IAM)** and pick **Add** / **Add role assignment**.\n\n3. Search for **Trusted Signing**, you'll see two roles (**Trusted Signing Certificate Profile Signer** and **Trusted Signing Identity Verifier**) you'll need to add both, one at a time.\n\n4. Select one role, go **Next**, click on **+ Select members**, select your user and click **Review + assign**.\n\n\u003cbr/\u003e\n\nRepeat for the second role.\n\n\u003cbr/\u003e\n\n### Create an identity validation request\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/identity_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/identity_1.png\" alt=\"Create account\" title=\"Create account\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/identity_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/identity_2.png\" alt=\"Fill form\" title=\"Fill form\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/identity_3.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/identity_3.png\" alt=\"Au10tix\" title=\"Au10tix\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e3\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. In the [Azure portal](https://portal.azure.com/), search for **Trusted Signing Accounts** service and select your account. \u003cbr/\u003e\u003cbr/\u003e\nOn the left panel, under **Settings** / **Objects** click **Identity validations**. On the top-left dropdown (**Organization**) switch to **Individual** and then click **New identity** / **Public**.\n\n2. Fill the form with your name, address, etc. and click **Create**.\n\n3. After a little while the status will change to **Action Required**, click on your name and click the link under **\"Please complete your verification here\"**.\n\u003cbr/\u003e\u003cbr/\u003e\nYou'll then start the verification process which requires a mobile phone, some government IDs (I used my driver license) and the [Microsoft Authenticator App](https://www.microsoft.com/en-ca/security/mobile-authenticator-app). I was pleasantly surprised by how easy and streamlined the process was. Simply follow the instructions, which is pretty much take selfie, take picture of ID and scan some QR code. Makes sure to use an ID where you can see your address.\n\u003cbr/\u003e\u003cbr/\u003e\nOnce this is done, it takes around 5-10 minutes before the status changes to **Completed**.\n\n\u003cbr/\u003e\n\n### Create a Certificate profile\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/certicate_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/certicate_1.png\" alt=\"Create certificate\" title=\"Create certificate\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/certicate_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/certicate_2.png\" alt=\"Fill form\" title=\"Fill form\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. In the [Azure portal](https://portal.azure.com/), search for **Trusted Signing Accounts** service and select your account.\n\u003cbr/\u003e\u003cbr/\u003e\nOn the left panel, under **Settings** / **Objects** click **Certificate profiles**. Then click on **Create** / **Public Trust**.\n\n2. Pick a name for your certificate, including the address / post code is optional. Click **Create**.\n\n\u003cbr/\u003e\n\n*(don't worry about the expiration date, the certificate auto-renew every 24h)*\n\n\u003cbr/\u003e\n\n## Sign your app locally\n\nYou are now ready to sign your first application!\n\n### Note some values\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/local_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/local_1.png\" alt=\"Trusted Signing account\" title=\"Trusted Signing account\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/local_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/local_2.png\" alt=\"Certificate profile\" title=\"Certificate profile\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/local_3.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/local_3.png\" alt=\"Tenant ID\" title=\"Tenant ID\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e3\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. First, we need to takes note of a few variables, copy your **Trusted Signing account** name you used earlier (also take note of the **Location**)\n\n2. Find your **Certificate profile** name as well.\n\n3. You also need your **Tenant ID**, search for **Microsoft Entra ID** in the [Azure portal](https://portal.azure.com/) and copy the value.\n\n\u003cbr/\u003e\n\n### Install SignTool\n\nFor the next steps, I used [**PowerShell 7**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.5), makes sure you are also up-to-date with [**dotnet**](https://dotnet.microsoft.com/en-us/download/dotnet) (8+).\n\nInstall the [**Trusted Signing Tools**](https://download.microsoft.com/download/6d9cb638-4d5f-438d-9f21-23f0f4405944/TrustedSigningClientTools.msi) / [**Azure CLI**](https://aka.ms/installazurecliwindowsx64) via winget (or via installer)\n\n```sh\nwinget install -e --id Microsoft.Azure.TrustedSigningClientTools\nwinget install -e --id Microsoft.AzureCLI\n```\n\nNow we need an additional file (*Azure.CodeSigning.Dlib.dll*) that is only available in the latest [**Microsoft.Trusted.Signing.Client**](https://www.nuget.org/packages/Microsoft.Trusted.Signing.Client) nuget (click on **Download package** on the right). \n\n(***.nupkg** are simply **.zip** files, so rename it and extract it somewhere, remember it's path*)\n\n\u003cbr/\u003e\n\n### Sign your EXE\n\nCreate a JSON file with the variables we noted above (save the path)\n\n```json\n{\n  \"Endpoint\": \"https://eus.codesigning.azure.net\",\n  \"CodeSigningAccountName\": \"\u003cTRUSTED_SIGNING_ACCOUNT_NAME\u003e\",\n  \"CertificateProfileName\": \"\u003cCERTIFICATE_PROFILE_NAME\u003e\"\n}\n```\n\nBased on the **Location** of your account, use the correct **Endpoint** url\n\n```sh\n\"East US\" = \"https://eus.codesigning.azure.net\"\n\"West US3\" = \"https://wus3.codesigning.azure.net\"\n\"West Central US\" = \"https://wcus.codesigning.azure.net\"\n\"West US 2\" = \"https://wus2.codesigning.azure.net\"\n\"North Europe\" = \"https://neu.codesigning.azure.net\"\n\"West Europe\" = \"https://weu.codesigning.azure.net\"\n```\n\nLogin to Azure using your Tenant ID\n\n```sh\naz login --tenant \u003cTENANT_ID\u003e\n```\n\nNow we can sign any EXE! Notice that the value `10.0.22621.0` might change in the future.\n\n```sh\n\u0026 \"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22621.0\\x64\\signtool.exe\" `\nsign /v /debug /fd SHA256 /tr \"http://timestamp.acs.microsoft.com\" /td SHA256 `\n/dlib \"\u003cPATH_TO_MICROSOFT_TRUSTED_SIGNING_CLIENT\u003e\\bin\\x64\\Azure.CodeSigning.Dlib.dll\" `\n/dmdf \"\u003cPATH_TO_JSON\u003e\" `\n\"\u003cPATH_TO_EXE\u003e\"\n```\n\nCongrats! You now have a code signed app! Upload it somewhere and use your browser to [download it](https://cdn.notessimo.com/misc/codesign/CodeSignCpp.exe), notice how there is no scary popup at all anymore!\n\n\u003cbr/\u003e\n\n## Sign your app with Github Action\n\nNow that everything works locally, we can easily automate the code signing steps using [Github Action](https://github.com/features/actions).\n\n### Create an App\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_1.png\" alt=\"App registrations\" title=\"App registrations\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_2.png\" alt=\"Certificate profile\" title=\"Certificate profile\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_5.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_5.png\" alt=\"Copy Client ID\" title=\"Copy Client ID\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e3\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_4.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_4.png\" alt=\"Create secret\" title=\"Create secret\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e4\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. In the [Azure portal](https://portal.azure.com/), search for **App registrations** service and click on **New registration**.\n\n2. Give it a name and select the **Single Tenant** option, click on **Register**.\n\n3. In your newly created app, note the **Application (client) ID**.\n\n4. Select **Manage** / **Certificates \u0026 secrets** and click on **New client secret**, give it a name \u0026 expiration date and note the **Value**. \n\n\u003cbr/\u003e\n\n*(sadly the \"no expiration\" option is not available anymore)*\n\n\u003cbr/\u003e\n\n### Assign roles\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/role_1.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/role_1.png\" alt=\"Select account\" title=\"Select account\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/role_2.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/role_2.png\" alt=\"Add role assignment\" title=\"Add role assignment\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/role_3.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/role_3.png\" alt=\"Select role\" title=\"Select role\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e3\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_3.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_3.png\" alt=\"Search for app\" title=\"Search for app\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e4\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. We also need to add the **Trusted Signing Certificate Profile Signer** role to the app just like we did on our user.\n\u003cbr/\u003e\u003cbr/\u003e\nIn the [Azure portal](https://portal.azure.com/), search for **Trusted Signing Accounts** service and select your account.\n\n2. On the left panel select **Access Control (IAM)** and pick **Add** / **Add role assignment**.\n\n3. Search for **Trusted Signing Certificate Profile Signer**, go **Next**\n\n4. Click on **+ Select members**, search for your App name (it won't show up by default) and click **Review + assign**.\n\n\u003cbr/\u003e\n\n### Create GIT repository\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_7.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_7.png\" alt=\"Create repository\" title=\"Create repository\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_6.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_6.png\" alt=\"Secrets\" title=\"Secrets\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. Create your git repository on [Github](https://github.com/new), or clone my [sample repository](https://github.com/starburst997/windows-code-sign) which includes a basic C++ application.\n\n2. Add these 6 secrets to your repository (**Settings** / **Security** / **Secrets and variables** / **Actions**, click **New repository secret**).\n   - `AZURE_CLIENT_ID`: Your app client ID\n   - `AZURE_CLIENT_SECRET`: Your app secret value\n   - `AZURE_SIGNING_ACCOUNT`: Your Trusted Signing Accounts name\n   - `AZURE_SIGNING_CERTIFICATE`: Your Certificate profile name\n   - `AZURE_TENANT_ID`: Your Tenant ID\n   - `AZURE_ENDPOINT`: https://eus.codesigning.azure.net/\n\n*(Save those variables inside a Password Manager for re-use in future projects as they won't change)*\n\n\u003cbr/\u003e\n\n### Generate a Personal Access Token (PAT)\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-02-02-code-signing-apple/pat_01.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-02-02-code-signing-apple/small/pat_01.png\" alt=\"Generate New Token (Classic)\" title=\"Generate New Token (Classic)\" /\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-02-02-code-signing-apple/pat_02.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-02-02-code-signing-apple/small/pat_02.png\" alt=\"Use repo score\" title=\"Use repo score\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n*(Optional)* We also need to generate a **Personal Access Token** for Github if you want to test the sample **Release** workflow. \n\n1. Visit your [settings page](https://github.com/settings/tokens) and click on **Generate new token** and select **Generate new token (classic)**.\n\n2. We need all the **repo** scope enabled. Set **no expiration**. Click **Generate token** and save the value.\n\nSave this secret in the github repository for your project:\n\n- `GH_PAT`: The value of your newly generated token\n\n\u003cbr/\u003e\n\n### Create worflow file\n\nCreate a workflow file in your repository ([**.github/workflows/windows.yml**](https://github.com/starburst997/windows-code-sign/blob/main/.github/workflows/windows.yml))\n\n```yaml\nname: Build Windows\n\non: \n  #push\n  workflow_dispatch:\n\njobs:\n  build:\n    name: Build Windows\n    runs-on: windows-latest\n    steps:\n      - uses: actions/checkout@v4\n      \n      - name: Add msbuild to PATH\n        uses: microsoft/setup-msbuild@v2\n\n      - name: Build app for release\n        working-directory: CodeSignCpp\n        run: msbuild /property:Configuration=Release /property:Platform=x64\n\n      - name: Sign files with Trusted Signing\n        uses: azure/trusted-signing-action@v0.5.1\n        with:\n          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}\n          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}\n          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}\n          endpoint: ${{ secrets.AZURE_ENDPOINT }}\n          trusted-signing-account-name: ${{ secrets.AZURE_SIGNING_ACCOUNT }}\n          certificate-profile-name: ${{ secrets.AZURE_SIGNING_CERTIFICATE }}\n          files-folder: ${{ github.workspace }}\\CodeSignCpp\\bin\\Release-x64\n          files-folder-filter: exe,dll\n          file-digest: SHA256\n          timestamp-rfc3161: http://timestamp.acs.microsoft.com\n          timestamp-digest: SHA256\n\n      - uses: actions/upload-artifact@v4\n        with:\n          name: build-windows\n          path: CodeSignCpp/bin/Release-x64\n```\n\nThanks to the [azure/trusted-signing-action](https://github.com/azure/trusted-signing-action) action, all the heavy works is done, leaving us with a pretty simple workflow.\n\n\u003cbr/\u003e\n\n### Run the action\n\n\u003ctable align=\"center\"\u003e\u003ctr\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_8.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_8.png\" alt=\"Start action\" title=\"Start action\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e1\u003c/p\u003e\n\u003c/td\u003e\u003ctd\u003e\n\u003ca href=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/gh_9.png\" target=\"_blank\"\u003e\u003cimg src=\"https://jd.boiv.in/assets/posts/2025-01-29-code-signing/small/gh_9.png\" alt=\"Download artifact\" title=\"Download artifact\"/\u003e\u003c/a\u003e\u003cp align=\"center\"\u003e2\u003c/p\u003e\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n1. You can then start the action by going to the **Actions** tabs, selecting your action (**Build Windows**) and click on **Run workflow**.\n\n2. Once the action has finished running, you can see the uploaded artifact and download your signed application!\n\n\u003cbr/\u003e\n\nSee the result for yourself: [Signed](https://cdn.notessimo.com/misc/codesign/CodeSignCpp.exe) / [Unsigned](https://cdn.notessimo.com/misc/codesign/CodeSignCpp-unsigned.exe)\n\nImmediate [SmartScreen](https://en.wikipedia.org/wiki/Microsoft_SmartScreen) reputation as well! Which is something that even some of the expensive code signing certificates don't supply.\n\n\u003cbr/\u003e\n\n## Conclusion\n\nI am really glad Microsoft finally made it easy and affordable to code sign EXE on Windows, hopefully they will keep the price low for individual developer. Now, any new project I do, I can simply copy / paste the secrets into the new repository, copy the workflow file and be setup with code signing in just a few seconds.\n\n\u003cbr/\u003e\n\nCode-signing / distributing app series:\n- Part 1: [Code Signing for Windows as an Individual Developer](https://github.com/starburst997/windows-code-sign)\n- Part 2: [Code Signing for Apple without a mac](https://github.com/starburst997/apple-code-sign)\n- Part 3: [Code Signing for Android via Github Actions](https://github.com/starburst997/android-code-sign)\n- Part 4: [Build and publish your Unity Game using Github Actions](https://github.com/starburst997/windows-code-sign)\n\n\u003cbr/\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstarburst997%2Fwindows-code-sign","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstarburst997%2Fwindows-code-sign","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstarburst997%2Fwindows-code-sign/lists"}