Good news,
We can finally sign our apps.
Some kind soul in the internal machinery removed whatever was gumming things up.
Yesterday I received an email to confirm my email address, the identity validation went through, and I created a certificate profile. So we're good.
A few notes for anyone who finds this post and is struggling with the same sort of problem:
- As far as getting support, we bit the bullet and upgraded our account to the $30/mo support level - which I think just means we can post to this forum. But it got the movement we needed so it was definitely worth it. (Not that $30/month is huge, but we figure why pay for things we don't need.)
- The Azure world is large and complicated and all we needed was to be able to sign our desktop apps using Signtool.exe and avoid paying a ton for signing certs and secure dongles. By following the instructions here https://learn.microsoft.com/en-us/azure/trusted-signing/ AND here https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/ we were able to make it work. The Melatonin post was very useful for an outside perspective of the process and doing the "App Registration" process for setting up a Trusted Certificate Profile Signer. A few notes about that:
  - The App Registration part has changed a bit in Azure, and it wasn't until we found our way into the Entra ID area (renamed from Azure Active Directory), went into App Registrations, and clicked "new" that it looked like Melatonin's screenshots, etc.
  - When setting the role assignment to the App Registration "user", follow Melatonin's advice of typing the name of the account created in Entra. Otherwise it won't show up... very confusing.
- Be patient and just keep plugging away. You'll get it!
And to the good folks at Microsoft and Azure, please keep working to simplify this process. With the rising costs and pain of signing certs, thousands of developers are going to want to use Trusted Signing w/ Signtool, and getting set up is painful indeed. The vocabulary alone is overwhelming.
Clearly this is an enterprise-level toolset that has a million different possible variations for corporation permission levels, etc., etc. But don't forget that developers like to start small and simple. A quick path to set up a signing process will cover 80-90% of what people need to get going. Then they can explore the many possible variations of things they need.
Thanks for your help,
Steve