
Signing Installers with Azure Trusted Signing in Paquet Builder

1. Introduction

Azure Trusted Signing is a cloud-based code signing solution by Microsoft that eliminates the need for local code signing certificates. Instead, it securely signs executables through Microsoft’s trusted signing service, providing enhanced security and ease of use.

Using Azure Trusted Signing in Paquet Builder ensures a streamlined and automated code signing process directly within your installer build workflow.

2. Why Choose Azure Trusted Signing?

Azure Trusted Signing offers several key benefits over traditional certificate-based signing:

✔️ Lower Cost: traditional code signing certificates can be expensive (hundreds of USD per year), while Azure Trusted Signing uses a pay-as-you-go model, making it more affordable.

✔️ No Need for USB Tokens: standard certificates require a hardware security module (HSM) or USB token for private key storage, which can be cumbersome. Azure Trusted Signing eliminates this requirement.

✔️ Cloud-Based Security: signing keys are generated and kept entirely in the cloud service, so no private key exists on a developer machine where it could be stolen or lost.

✔️ Microsoft Trust & Compliance: as a Microsoft-backed solution, Azure Trusted Signing meets industry security standards while ensuring broad compatibility.

3. Prerequisites

Before signing with Azure Trusted Signing, you need:

  • A Trusted Signing account with identity validation and a certificate profile.
  • A role assignment: The Trusted Signing Certificate Profile Signer role must be assigned to you or your team.
  • A compatible Windows version: Windows 11, Windows Server 2016, or Windows 10 (version 1809 / October 2018 Update or newer).

📖 Official Microsoft Documentation on Prerequisites: Azure Trusted Signing Integration Guide

4. Required Installations

To use Azure Trusted Signing with Paquet Builder, install the following tools:

1️⃣ Trusted Signing Client Tools Installer

This tool enables the integration of Azure Trusted Signing with SignTool.

🔗 Download the MSI Installer:
👉 Trusted Signing Client Tools

2️⃣ Azure CLI for Windows

Azure CLI is required to authenticate your account with Azure Trusted Signing.

📖 Installation Guide:
👉 Install Azure CLI for Windows

🔗 Direct MSI (64-bit) Download:
👉 Azure CLI MSI Installer

💡 Why Install Azure CLI?
- Used for logging into Azure before signing packages.
- Required for managing Azure credentials securely.
- Allows automated authentication when using Azure services with Paquet Builder for code signing.

5. Configuring Azure Trusted Signing in Paquet Builder

Once everything is installed, you can configure Paquet Builder for Azure Trusted Signing:

[Screenshot: azure-trusted-signing-config]

1️⃣ Open Paquet Builder
2️⃣ Go to 🛠 Digitally Sign Package (see screenshot)
3️⃣ Select 🔽 Azure Trusted Signing
4️⃣ Enter the required fields:

  • Trusted Signing Account Endpoint

Enter the Trusted Signing Account Endpoint corresponding to your Azure region. Use the following table to find the correct endpoint:

Region            Region Class    Endpoint URI
East US           EastUS          https://eus.codesigning.azure.net
West US 3 [1]     WestUS3         https://wus3.codesigning.azure.net
West Central US   WestCentralUS   https://wcus.codesigning.azure.net
West US 2         WestUS2         https://wus2.codesigning.azure.net
North Europe      NorthEurope     https://neu.codesigning.azure.net
West Europe       WestEurope      https://weu.codesigning.azure.net

💡 Make sure to select the endpoint matching the region where your Azure Trusted Signing account was created.

  • Trusted Signing Account Name (the name of your Trusted Signing account resource in Azure)

  • Certificate Profile Name (your signing certificate profile)

5️⃣ Before signing, authenticate in Azure CLI:
Run the following command in PowerShell or Command Prompt:

az login

This will open a browser window to authenticate your Azure account.

Warning

Your Azure account must have the Trusted Signing Certificate Profile Signer role. You can verify that in the Access control (IAM) > Role assignments page of your Trusted Signing account.

👉 Once this is configured, Paquet Builder automatically invokes the Microsoft SignTool utility to sign your installer EXE file. All signing operations are listed in the compilation log.

Configuring SignTool and Azure Trusted Signing Paths in Paquet Builder

To ensure that Paquet Builder can correctly sign your installer packages, the paths to SignTool.exe and its Azure Trusted Signing extension (dlib) must be set in the Environment Options. Paquet Builder normally detects both paths automatically; the steps below describe how to check or set them by hand.

1️⃣ Setting the Path to SignTool.exe

  • Navigate to Environment Options → Code Signing.
  • Locate the SignTool.exe Path field.
  • Click on the magnifying glass 🔍 to let Paquet Builder automatically detect the installed SignTool.exe.
  • If the path is not found, enter it manually. The default installation location is:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe

💡 Ensure that the Windows SDK is installed so that SignTool.exe is available.

2️⃣ Setting the Path to Azure Trusted Signing dlib

If you are using Azure Trusted Signing, you must configure the Azure Trust Signing dlib Path field. The Azure.CodeSigning.Dlib.dll file is installed by the Trusted Signing Client Tools Installer (see above).

  • Locate the Azure Trust Signing dlib Path field.
  • Click on the magnifying glass 🔍 to let Paquet Builder automatically find the extension.
  • If it is not found, enter the path manually:
C:\Users\LOGIN NAME\AppData\Local\Microsoft\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll

Replace LOGIN NAME with your actual Windows username.

Note

  • If the paths are not detected automatically, you must enter them manually.
  • Ensure that the Trusted Signing Client Tools are installed before configuring the dlib path.
  • Once the correct paths are set, Paquet Builder will automatically invoke SignTool in the background when signing your packages.
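The following PowerShell script is an added example, not Paquet Builder's own code: it runs the same SignTool + Azure Trusted Signing dlib tool chain described in sections 5 and 6 by hand, using the endpoint table, the SignTool.exe and dlib paths above and an existing `az login` session, and then verifies the resulting signature. The account name, profile name and installer path are placeholders you must replace, and the metadata keys follow Microsoft's documented Trusted Signing SignTool syntax.

```powershell
# Added example (not Paquet Builder's own invocation): sign an installer with
# SignTool and the Azure Trusted Signing dlib, then verify the signature.
param(
    [string]$Installer   = ".\Setup.exe",                                 # placeholder
    [string]$Endpoint    = "https://eus.codesigning.azure.net",           # East US, see table
    [string]$AccountName = "my-trusted-signing-account",                  # placeholder
    [string]$ProfileName = "my-certificate-profile",                      # placeholder
    [string]$SignTool    = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe",
    [string]$Dlib        = "$env:LOCALAPPDATA\Microsoft\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll"
)
$ErrorActionPreference = "Stop"

foreach ($p in $Installer, $SignTool, $Dlib) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

# 1. The dlib authenticates with the Azure CLI session, so fail early if there is none.
az account show --output none
if ($LASTEXITCODE -ne 0) { throw "No Azure CLI session. Run 'az login' first." }

# 2. Metadata file read by the dlib (/dmdf): endpoint, account and certificate profile.
$metadata = Join-Path $env:TEMP "trusted-signing-metadata.json"
@{
    Endpoint               = $Endpoint
    CodeSigningAccountName = $AccountName
    CertificateProfileName = $ProfileName
} | ConvertTo-Json | Set-Content -Path $metadata -Encoding ASCII

# 3. Sign with a SHA-256 file digest and an RFC 3161 timestamp, so the signature
#    remains valid after the short-lived Trusted Signing certificate expires.
& $SignTool sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 `
    /dlib $Dlib /dmdf $metadata $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify against the default Authenticode policy (/pa), so a broken chain or
#    missing timestamp is caught before the installer is shipped.
& $SignTool verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed with exit code $LASTEXITCODE" }

Remove-Item $metadata -ErrorAction SilentlyContinue
"Signed and verified: $Installer"
```

Run it from the same user session in which `az login` was performed; if the account lacks the Trusted Signing Certificate Profile Signer role, the sign step fails with an authorization error from the service.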