This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 26%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
We have a CI pipeline that uses signtool with Azure Trusted Signing to sign binaries and it just randomly broke last week. None of the configurations were changed and it suddenly randomly decided to fail with a 403 error.
Maybe related: https://learn.microsoft.com/en-us/answers/questions/2282310/how-to-troubeshoot-403-error-when-using-trusted-si
We have already reverified that the required variables are correct and present (again, the pipeline just randomly broke with no changes in Azure or on the pipeline end).
[
{
"cloudName": "AzureCloud",
"homeTenantId": "***",
"id": "***",
"isDefault": true,
"managedByTenants": [],
"name": "Azure subscription",
"state": "Enabled",
"tenantId": "***",
"user": {
"name": "***",
"type": "servicePrincipal"
}
}
]
Trusted Signing
Version: 1.0.60
"Metadata": {
"Endpoint": "***",
"CodeSigningAccountName": "***",
"CertificateProfileName": "***",
"ExcludeCredentials": []
}
Submitting digest for signing...
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)
Headers:
Date: Tue, 10 Jun 2025 10:20:17 GMT
Connection: keep-alive
Strict-Transport-Security: REDACTED
x-azure-ref: REDACTED
X-Cache: REDACTED
Content-Length: 0
at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
SignTool Error: An unexpected internal error has occurred.
The application signing was not successful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 52%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
https://learn.microsoft.com/en-us/azure/trusted-signing/faq#common-error-codes-and-mitigations
Error code (-2147467259/0x80004005)If you use Service Principal + certificate based authentication, check your Environment Variables listed under the table for "Service principal with certificate".
But I am not using "Service Principal with Certificate" authentication. I am using "Service Principal with Secret" method, the environment variables for that are also exposed properly, here is the relevant step in our Github Actions that does this, it uses the official Azure/trusted-signing-action to do the signing.
- name: Sign with Azure Trusted Signing Action
uses: azure/trusted-signing-action@v0
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: ${{ secrets.AZURE_ENDPOINT }}
trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
files-folder: ${{ github.workspace }}\test-signing\target\release
files-folder-filter: exe
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256
There are a couple of other weird stuff I see in the dashboard as well, for example, in our certificate profiles page, when checking out the certificates (ignore the revoke that was an experimental one), the above 3 certificates are marked active even though the expiry date has long gone (this screenshot is from June 12 2025), why is that ?
Along with that, running: az trustedsigning certificate-profile show --account-name "<ACCOUNT NAME>" -n "<NAME>" --resource-group <RESOURCE GROUP> --verbose
I get this error (this was ran in the Azure Web Console):
The command failed with an unexpected error. Here is the traceback: "Conflict key when apply client flatten: status in {'createdDate': '6/1/2025 4:22:41 PM', 'expiryDate': '6/4/2025 4:22:41 PM', 'revocation': {'effectiveAt': '2025-06-01T16:22:41Z', 'reason': 'Unspecified', 'remarks': 'test', 'requestedAt': '2025-06-10T09:34:01.017Z', 'status': 'Succeeded'}, 'serialNumber': '***', 'status': 'Revoked', 'subjectName': '***'}" Traceback (most recent call last): File "/usr/lib64/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke cmd_result = self.invocation.execute(args) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute raise ex File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially results.append(self._run_job(expanded_arg, cmd_copy)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job result = cmd_copy(params) ^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/aaz/_command.py", line 155, in __call__ return self._handler(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/andrew/.azure/cliextensions/trustedsigning/azext_trustedsigning/aaz/latest/trustedsigning/certificate_profile/_show.py", line 35, in _handler return self._output() ^^^^^^^^^^^^^^ File "/home/andrew/.azure/cliextensions/trustedsigning/azext_trustedsigning/aaz/latest/trustedsigning/certificate_profile/_show.py", line 85, in _output result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/aaz/_command.py", line 233, in deserialize_output return value.to_serialized_data(processor=processor) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/aaz/_field_value.py", line 136, in to_serialized_data v = self[name].to_serialized_data(processor=processor, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/aaz/_field_value.py", line 136, in to_serialized_data v = self[name].to_serialized_data(processor=processor, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/aaz/_field_value.py", line 385, in to_serialized_data v = v.to_serialized_data( ^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/aaz/_field_value.py", line 147, in to_serialized_data result = processor(self._schema, result) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/aaz/_command.py", line 227, in processor raise KeyError(f"Conflict key when apply client flatten: {k} in {result}") KeyError: "Conflict key when apply client flatten: status in {'createdDate': '6/1/2025 4:22:41 PM', 'expiryDate': '6/4/2025 4:22:41 PM', 'revocation': {'effectiveAt': '2025-06-01T16:22:41Z', 'reason': 'Unspecified', 'remarks': 'test', 'requestedAt': '2025-06-10T09:34:01.017Z', 'status': 'Succeeded'}, 'serialNumber': '***', 'status': 'Revoked', 'subjectName': '****', 'thumbprint': '****'}"
Since this just randomly started breaking one day (we changed 0 configs from our end, this just randomly stopped working one day), we are assuming this is something you guys at Azure messed up. Please look into this. Happy to provide more info if requested.
Let us take a look.