How do I fix Azure Trusted Service Account error while signing certificate

Eric Vogt 5 Reputation points
2024-05-10T21:25:09.3733333+00:00

I'm getting this error when trying to use SignTool to sign my msix file.

I've verified I have Trusted Signing Certificate Profile Signer role assigned in Azure.

I also verified the publisher name of the AppxManifest.xml in the msix matches my certificate profile.

CN=Publisher Name, O=Organization Name, L=City, S=Province, C=CA
https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

& "C:\temp\test\microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\temp\test\microsoft.trusted.signing.client.1.0.53.nupkg\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\temp\test\metadata.json" "C:\temp\test\my-app_1.0.128.0_x64.msix"

Trusted Signing
Version: 1.0.53
"Metadata": {
"Endpoint": "https://wus2.codesigning.azure.net",
"CodeSigningAccountName": "


3 answers

  1. hossein jalilian 4,205 Reputation points
    2024-05-11T00:41:40.39+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Here are some troubleshooting steps you can try:

    • Double-check that the CodeSigningAccountName and CertificateProfileName values in your metadata.json file are correct and match your Trusted Signing account and certificate profile. Ensure that you have the necessary permissions (Trusted Signing Certificate Profile Signer role) assigned to your account or group for the specified certificate profile.
    • Confirm that the publisher name in the AppxManifest.xml file of your MSIX package matches the subject name of your Trusted Signing certificate profile exactly. Any mismatch in the publisher name can cause the Trusted Signing service to deny the request.
    • Check if the Endpoint value in your metadata.json file is correct and matches the region where your Trusted Signing account is located.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

    1 person found this answer helpful.

  2. Eric Vogt 5 Reputation points
    2024-05-15T20:20:22.93+00:00

    The issue was my authentication "InteractiveBrowserCredential" was not working for some reason. I had to disable all authentication options except Azure CLI and retry. https://learn.microsoft.com/en-us/cli/azure/install-azure-cli.

    
    {
      "Endpoint": "https://eus.codesigning.azure.net",
      "CodeSigningAccountName": "account",
      "CertificateProfileName": "profile",
      "ExcludeCredentials": [
        "ManagedIdentityCredential",
        "EnvironmentCredential",
        "WorkloadIdentityCredential",
        "SharedTokenCacheCredential",
        "VisualStudioCredential",
        "VisualStudioCodeCredential",
        "AzurePowerShellCredential",
        "AzureDeveloperCliCredential",
        "InteractiveBrowserCredential"
      ]
    }
    
    
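A preflight check for the items raised in the two answers above (required metadata.json fields, endpoint form, manifest publisher, and which credentials remain after ExcludeCredentials), as an added example that is not part of the original thread or of Microsoft's tooling. The function names, the sample manifest and the credential list (the nine names in the post plus AzureCliCredential) are assumptions; region and role assignment cannot be checked offline.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the nine names excluded in the post plus AzureCliCredential, the one left enabled.
CREDENTIALS = [
    "EnvironmentCredential", "WorkloadIdentityCredential", "ManagedIdentityCredential",
    "SharedTokenCacheCredential", "VisualStudioCredential", "VisualStudioCodeCredential",
    "AzureCliCredential", "AzurePowerShellCredential", "AzureDeveloperCliCredential",
    "InteractiveBrowserCredential",
]
SUBJECT = "CN=Publisher Name, O=Organization Name, L=City, S=Province, C=CA"
SAMPLE_MANIFEST = (  # constructed sample, not the poster's real manifest
    '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
    f'<Identity Name="my-app" Publisher="{SUBJECT}" Version="1.0.128.0"/></Package>')
SAMPLE_METADATA = json.dumps({  # constructed from the placeholder values in the post
    "Endpoint": "https://eus.codesigning.azure.net", "CodeSigningAccountName": "account",
    "CertificateProfileName": "profile",
    "ExcludeCredentials": [c for c in CREDENTIALS if c != "AzureCliCredential"]})

def manifest_publisher(manifest_xml):
    """Return the Publisher attribute of the manifest's <Identity> element."""
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Identity":  # ignore the XML namespace
            return el.get("Publisher")
    return None

def preflight(metadata_text, manifest_xml, profile_subject):
    """Return (problems, credentials still enabled) before calling SignTool."""
    try:
        meta = json.loads(metadata_text)
    except json.JSONDecodeError as exc:
        return [f"metadata.json is not valid JSON: {exc.msg}"], []
    problems = []
    for key in ("Endpoint", "CodeSigningAccountName", "CertificateProfileName"):
        if not str(meta.get(key) or "").strip():
            problems.append(f"{key} is missing or empty")
    url = urlparse(str(meta.get("Endpoint") or ""))
    if url.netloc and not (url.scheme == "https"
                           and (url.hostname or "").endswith(".codesigning.azure.net")):
        problems.append("Endpoint is not https://<region>.codesigning.azure.net")
    excluded = meta.get("ExcludeCredentials") or []
    problems += [f"unrecognised ExcludeCredentials entry: {n}" for n in excluded
                 if n not in CREDENTIALS]
    enabled = [c for c in CREDENTIALS if c not in excluded]
    if not enabled:
        problems.append("every credential is excluded, nothing can authenticate")
    if manifest_publisher(manifest_xml) != profile_subject:  # must match exactly
        problems.append("manifest Publisher does not equal the certificate profile subject")
    return problems, enabled
```

With the configuration from the post, the only credential left in the list is AzureCliCredential, so `az login` must have been run in the same user session that invokes SignTool.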

  3. Sandeep G-MSFT 15,081 Reputation points Microsoft Employee
    2024-05-21T10:50:44.88+00:00

    @Eric Vogt

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others" (https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer), I'll repost your solution in case you'd like to "Accept" (https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread) the answer.

     

    Issue: How do I fix Azure Trusted Service Account error while signing certificate

    Solution: The issue was that your authentication "InteractiveBrowserCredential" was not working for some reason. You had to disable all authentication options except Azure CLI.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
