How do I fix Azure Trusted Service Account error while signing certificate

Eric Vogt 5 Reputation points
2024-05-10T21:25:09.3733333+00:00

I'm getting this error when trying to use SignTool to sign my msix file.

I've verified I have Trusted Signing Certificate Profile Signer role assigned in Azure.

I also verified the publisher name of the AppxManifest.xml in the msix matches my certificate profile.

CN=Publisher Name, O=Organization Name, L=City, S=Province, C=CA
https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

& "C:\temp\test\microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\temp\test\microsoft.trusted.signing.client.1.0.53.nupkg\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\temp\test\metadata.json" "C:\temp\test\my-app_1.0.128.0_x64.msix"

Trusted Signing

Version: 1.0.53

"Metadata": {

"Endpoint": "https://wus2.codesigning.azure.net",

"CodeSigningAccountName": "

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,852 questions
0 comments No comments
{count} vote

3 answers

Sort by: Most helpful
  1. hossein jalilian 4,285 Reputation points
    2024-05-11T00:41:40.39+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Here are some troubleshooting steps you can try:

    • Double-check that the CodeSigningAccountName and CertificateProfileName values in your metadata.json file are correct and match your Trusted Signing account and certificate profile. ensure that you have the necessary permissions (Trusted Signing Certificate Profile Signer role) assigned to your account or group for the specified certificate profile.
    • Confirm that the publisher name in the AppxManifest.xml file of your MSIX package matches the subject name of your Trusted Signing certificate profile exactly. any mismatch in the publisher name can cause the Trusted Signing service to deny the request.
    • Check if the Endpoint value in your metadata.json file is correct and matches the region where your Trusted Signing account is located.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

    1 person found this answer helpful.

  2. Eric Vogt 5 Reputation points
    2024-05-15T20:20:22.93+00:00

    The issue was my authentication "InteractiveBrowserCredential" was not working for some reason. I had to disable all authentication options except Azure CLI and retry. https://learn.microsoft.com/en-us/cli/azure/install-azure-cli.

    
    {
    
      "Endpoint": "https://eus.codesigning.azure.net",
    
      "CodeSigningAccountName": "account",
    
      "CertificateProfileName": "profile",
    
      "ExcludeCredentials": [
    
        "ManagedIdentityCredential",
    
        "EnvironmentCredential",
    
        "WorkloadIdentityCredential",
    
        "SharedTokenCacheCredential",
    
        "VisualStudioCredential",
    
        "VisualStudioCodeCredential",
    
        
    
        "AzurePowerShellCredential",
    
        "AzureDeveloperCliCredential",
    
        "InteractiveBrowserCredential"
    
      ]
    
    }
    
    
    0 comments No comments

  3. Sandeep G-MSFT 15,086 Reputation points Microsoft Employee
    2024-05-21T10:50:44.88+00:00

    @Eric Vogt

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)**)", I'll repost your solution in case you'd like to "[Accept] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)**)" the answer.

     

    Issue: How do I fix Azure Trusted Service Account error while signing certificate

    Solution: The issue was with your authentication "InteractiveBrowserCredential" was not working for some reason. You had to disable all authentication options except Azure CLI.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments