403 Forbidden Error when using Signtool with Trusted Signing

Mike Clonts 45 Reputation points
2025-11-24T01:15:00.4566667+00:00

Trying to use Azure Trusted Signing to sign my .exe file.

ID validated, created a certificate profile, and assigned playbideuchre_outlook.com#EXT#@playbideuchreoutlook.onmicrosoft.com the role of Trusted Signing Certificate Profile Signer, with the following metadata JSON:

{
  "Endpoint": "https://wus2.codesigning.azure.net",
  "CodeSigningAccountName": "AlumniConsultingServices",
  "CertificateProfileName": "Play-Bid-Euchre-Certificate-Profile",
  "ExcludeCredentials": ["ManagedIdentityCredential", "WorkloadIdentityCredential"]
}

Unfortunately I am getting this 403 Forbidden error:

C:\Users\clont\Documents\PBE Desktop Version>az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "8ed82196-51fe-4d84-bb8d-0115bbd4b999",
  "id": "dc0ad107-3700-4df5-a3e6-ac927b3e5d5e",
  "isDefault": true,
  "managedByTenants": [],
  "name": "Azure subscription 1",
  "state": "Enabled",
  "tenantId": "8ed82196-51fe-4d84-bb8d-0115bbd4b999",
  "user": {
    "name": "playbideuchre_outlook.com#EXT#@playbideuchreoutlook.onmicrosoft.com",
    "type": "user"
  }
}

C:\Users\clont\Documents\PBE Desktop Version>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256 /dlib "C:\Users\clont\AppData\Local\Microsoft\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll" /dmdf Certificates\metadata.json PlayBidEuchre.exe

Trusted Signing

Version: 1.0.68

"Metadata": {
  "Endpoint": "https://wus2.codesigning.azure.net",
  "CodeSigningAccountName": "AlumniConsultingServices",
  "CertificateProfileName": "Play-Bid-Euchre-Certificate-Profile",
  "ExcludeCredentials": [
    "ManagedIdentityCredential",
    "WorkloadIdentityCredential"
  ]
}

Submitting digest for signing...
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)

Headers:
Date: Sun, 23 Nov 2025 23:54:10 GMT
Connection: keep-alive
Server: Kestrel
Strict-Transport-Security: REDACTED
Content-Length: 0

   at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
   at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
   at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
   at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
   at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)

Thx for your help

Azure Trusted Signing

2 answers

  1. Q&A Assist
    2025-11-24T01:15:09.0633333+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    The 403 Forbidden error you are encountering when using SignTool with Azure Trusted Signing can be caused by several factors. Here are some common troubleshooting steps you can take:

    1. Check Azure Subscription Status: Ensure that your Azure subscription is in the "Registered" state. If it's not, you may need to register it.
    2. Role Assignment: Verify that the identity you are using to sign the file has the Trusted Signing Certificate Profile Signer role assigned correctly. Ensure that the role is assigned to the correct user or service principal.
    3. Endpoint and Profile Configuration: Double-check the values in your metadata JSON file. Ensure that the Endpoint, CodeSigningAccountName, and CertificateProfileName are all correct and correspond to the resources you have set up in Azure.
    4. Network Issues: If you are accessing the Trusted Signing endpoint from a virtual machine or computer, ensure that there are no network issues preventing access. You might want to try executing the action from a different machine.
    5. Identity Validation: Confirm that the identity validation status is Completed and that the Certificate Profile is active.
    6. Check for Excluded Credentials: Since you have excluded ManagedIdentityCredential and WorkloadIdentityCredential, ensure that these are not required for your signing operation. If your environment requires these credentials, consider removing them from the exclusion list.
    7. Service Principal Authentication: If you are using service principal authentication, ensure that the environment variables are set correctly as per the requirements for service principal with certificate-based authentication.

    If you have checked all of the above and are still facing issues, consider reviewing the Azure documentation for more detailed troubleshooting steps or reaching out to Azure support for assistance.


  2. Mike Clonts 45 Reputation points
    2025-11-24T03:55:35.0933333+00:00

    Switched to authorizing by Service Principal and reinstalled the Windows 10 SDK, which had lost its digital signature from Microsoft. Problem solved.

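As an added example (not code from the thread, from Microsoft, or from the Trusted Signing client), the following PowerShell pre-flight script runs the checks the Q&A Assist answer lists (resource provider registration, metadata values, role assignment for the signed-in identity) plus the Authenticode check prompted by the author's finding that the SDK had lost its signature. The file paths, account name and profile name come from the thread and stand in for your own values; the `az` and `Get-AuthenticodeSignature` calls are standard tooling.

```powershell
# Added example: pre-flight checks before calling signtool with the Trusted Signing dlib.
# Paths and names below are placeholders taken from the thread; replace them with yours.
$MetadataPath = "Certificates\metadata.json"
$SignToolPath = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe"
$DlibPath     = "$env:LOCALAPPDATA\Microsoft\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll"
$SignerRole   = "Trusted Signing Certificate Profile Signer"

# 1. metadata.json must carry the three fields the dlib reads, with a regional endpoint.
$meta = Get-Content $MetadataPath -Raw | ConvertFrom-Json
foreach ($key in "Endpoint", "CodeSigningAccountName", "CertificateProfileName") {
    if (-not $meta.$key) { Write-Warning "metadata.json is missing '$key'" }
}
if ($meta.Endpoint -notmatch '^https://[a-z0-9]+\.codesigning\.azure\.net/?$') {
    Write-Warning "Endpoint '$($meta.Endpoint)' is not a <region>.codesigning.azure.net URL"
}

# 2. The Microsoft.CodeSigning resource provider must be registered in the subscription
#    that 'az account show' reports as current.
$state = az provider show --namespace Microsoft.CodeSigning --query registrationState -o tsv
if ($state -ne "Registered") { Write-Warning "Microsoft.CodeSigning provider state: $state" }

# 3. The signed-in identity needs the signer role on the account or the certificate profile.
#    The object id is resolved rather than typing the guest (#EXT#) UPN by hand.
$objectId = az ad signed-in-user show --query id -o tsv
$scopes = az role assignment list --assignee $objectId --all `
    --query "[?roleDefinitionName=='$SignerRole'].scope" -o tsv
$match = $scopes | Where-Object { $_ -like "*/codeSigningAccounts/$($meta.CodeSigningAccountName)*" }
if (-not $match) {
    # An assignment inherited from resource group or subscription scope would not match here.
    Write-Warning "No '$SignerRole' assignment found on account $($meta.CodeSigningAccountName)"
} else {
    Write-Host "Signer role present at: $match"
}

# 4. signtool.exe and the dlib should still carry a valid Authenticode signature; this is the
#    condition the thread's author found broken on the installed Windows 10 SDK.
foreach ($file in $SignToolPath, $DlibPath) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne "Valid") {
        Write-Warning "$file signature status: $($sig.Status)"
    } else {
        Write-Host "$file signed by $($sig.SignerCertificate.Subject)"
    }
}
```

Run it from the same shell session in which `az login` was performed, so that the identity checked in step 3 is the one the dlib's AzureCliCredential will use.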
