Sign a CI policy by using Trusted Signing
This article shows you how to sign new code integrity (CI) policies by using the Trusted Signing service.
Prerequisites
To complete the steps in this article, you need:
- A Trusted Signing account, identity validation, and certificate profile.
- Individual or group assignment of the Trusted Signing Certificate Profile Signer role.
- Azure PowerShell installed on Windows.
- The Az.CodeSigning module installed.
Sign a CI policy
Open PowerShell 7.
Optionally, you can create a metadata.json file that looks like this example. The "Endpoint" URI value must be a URI that aligns with the region where you created your Trusted Signing account and certificate profile when you set up these resources.
{
  "Endpoint": "https://xxx.codesigning.azure.net/",
  "CodeSigningAccountName": "<Trusted Signing Account Name>",
  "CertificateProfileName": "<Certificate Profile Name>"
}
Get the root certificate that you want to add to the trust store:
Get-AzCodeSigningRootCert -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cer
If you're using a metadata.json file, run this command instead:
Get-AzCodeSigningRootCert -MetadataFilePath C:\temp\metadata.json -Destination c:\temp\root.cer
To get the Extended Key Usage (EKU) to insert into your policy:
Get-AzCodeSigningCustomerEku -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/
If you're using a metadata.json file, run this command instead:
Get-AzCodeSigningCustomerEku -MetadataFilePath C:\temp\metadata.json
To sign your policy, run the Invoke-AzCodeSigningCIPolicySigning command. Keep the -TimeStamperUrl parameter: the timestamp is what keeps the policy signature valid after the short-lived Trusted Signing certificate expires.
Invoke-AzCodeSigningCIPolicySigning -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl "https://xxx.codesigning.azure.net/" -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl http://timestamp.acs.microsoft.com
If you're using a metadata.json file, run this command instead:
Invoke-AzCodeSigningCIPolicySigning -MetadataFilePath C:\temp\metadata.json -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl http://timestamp.acs.microsoft.com
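The steps above as one PowerShell 7 script, added here as an example and not part of the original article or the Az.CodeSigning module. It writes the metadata.json file, signs in, fetches the root certificate and customer EKU, signs the policy with a timestamp, and runs a few sanity checks. The endpoint, account, profile and file paths are placeholders taken from the commands above; the shape of the Get-AzCodeSigningCustomerEku output (a string or a list of OID strings) and the use of Connect-AzAccount for sign-in are assumptions.

```powershell
#Requires -Version 7.0
#Requires -Modules Az.Accounts, Az.CodeSigning

# Added example; not code from the original article. All defaults below are
# placeholders (assumptions): replace them with your own endpoint, account,
# certificate profile and paths.
param(
    [string]$Endpoint       = 'https://xxx.codesigning.azure.net/',  # regional endpoint; must match the account's region
    [string]$AccountName    = 'TestAccount',
    [string]$ProfileName    = 'TestCertProfile',
    [string]$PolicyPath     = 'C:\Temp\defaultpolicy.bin',            # unsigned binary policy
    [string]$SignedPath     = 'C:\Temp\defaultpolicy_signed.bin',
    [string]$RootCertPath   = 'C:\Temp\root.cer',
    [string]$MetadataPath   = 'C:\Temp\metadata.json',
    [string]$TimeStamperUrl = 'http://timestamp.acs.microsoft.com'
)

$ErrorActionPreference = 'Stop'

# 1. Check the endpoint before any service call: it must be HTTPS and a
#    *.codesigning.azure.net host. A wrong-region endpoint fails later at the
#    service with a far less obvious error.
$uri = [System.Uri]$Endpoint
if ($uri.Scheme -ne 'https' -or -not $uri.Host.EndsWith('.codesigning.azure.net')) {
    throw "Endpoint '$Endpoint' is not a Trusted Signing regional endpoint."
}

# 2. Write metadata.json so every remaining cmdlet takes only -MetadataFilePath.
@{
    Endpoint               = $Endpoint
    CodeSigningAccountName = $AccountName
    CertificateProfileName = $ProfileName
} | ConvertTo-Json | Set-Content -Path $MetadataPath -Encoding utf8

# 3. Sign in (assumed: Connect-AzAccount from Az.Accounts). The identity needs
#    the Trusted Signing Certificate Profile Signer role on the profile.
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# 4. Fetch the root certificate the policy must trust and print its subject and
#    thumbprint so the signer rule in the policy XML can be checked against it.
Get-AzCodeSigningRootCert -MetadataFilePath $MetadataPath -Destination $RootCertPath
$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCertPath)
Write-Host "Root certificate: $($root.Subject)  thumbprint=$($root.Thumbprint)"

# 5. Fetch the customer EKU the policy's signer rule has to reference, and check
#    each value is a dotted OID (output shape is an assumption).
$eku = Get-AzCodeSigningCustomerEku -MetadataFilePath $MetadataPath
foreach ($oid in @($eku)) {
    if ("$oid" -notmatch '^\d+(\.\d+)+$') { throw "Unexpected EKU value: $oid" }
}
Write-Host "Customer EKU(s): $(@($eku) -join ', ')"

# 6. Sign the binary policy. The RFC 3161 timestamp keeps the signature valid
#    after the short-lived Trusted Signing certificate expires, so never drop it.
if (-not (Test-Path $PolicyPath)) { throw "Unsigned policy not found: $PolicyPath" }
Invoke-AzCodeSigningCIPolicySigning -MetadataFilePath $MetadataPath `
    -Path $PolicyPath -Destination $SignedPath -TimeStamperUrl $TimeStamperUrl

# 7. Minimal post-check: the signed policy exists and is larger than the input,
#    since the PKCS#7 signature wraps the original policy bytes.
$inSize  = (Get-Item $PolicyPath).Length
$outSize = (Get-Item $SignedPath).Length
if ($outSize -le $inSize) {
    throw "Signed policy $SignedPath is not larger than the input; signing may have failed."
}
Write-Host "Signed policy written to $SignedPath ($outSize bytes, input $inSize bytes)."
```

Run it from PowerShell 7 after installing the Az.CodeSigning module; the EKU and root certificate it prints are the values that must already be in the policy's signer rule before the policy is converted to the binary form that gets signed, otherwise the signed policy will not trust its own signer.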
Create and deploy a CI policy
For steps to create and deploy your CI policy, see these articles: