Azure Artifact Signing
How to set up Azure Artifact Signing to enable secure cloud-based code signing for Windows applications in your GitHub CI/CD.
Overview
Azure Artifact Signing is Microsoft’s cloud-based code signing service that allows you to securely sign your Windows applications and installers without managing certificates on your local machine. This is the recommended approach for signing applications in GitHub Actions workflows and other CI/CD environments.
To get started, you’ll need:
- An Azure subscription
- The Owner role for Artifact Signing in your Azure subscription to create and manage Artifact Signing accounts
Create an Azure Artifact Signing account
- In the Azure Portal, search for Artifact Signing Accounts.

- Click Create.

Fill in the required information:
- Subscription: Select your Azure subscription.
- Resource Group: Create a new resource group or select an existing one.
- Account Name: Enter a unique name for your account (e.g., my-app-signing).
- Region: Select the region closest to you (e.g., East US).
- Pricing tier: Select a pricing tier based on your signing volume. The Basic tier is suitable for most development and small-scale releases. Higher tiers offer increased signing capacity and additional features.
Click Review + create, then Create. The account creation may take a few minutes. Once complete, navigate to the resource.
On the Artifact Signing account overview page, note the following values. You’ll need them when signing artifacts.
- Account Name: The name of the Artifact Signing account (e.g., my-app-signing)
- Account URI: The signing endpoint

Create an identity validation request
Identity Validation ensures that your signing certificates are associated with your organization, which adds credibility when users install your application.
To create an identity validation request, you must be assigned the Artifact Signing Identity Verifier role in your Azure subscription.
Identity validation can be performed in two ways:
- Organization: Validate your company or organization identity
- Individual: Validate your personal identity as a developer
To create a new identity validation:
- In the Artifact Signing account you created, go to Objects → Identity validations in the left sidebar.
- Click + New identity and follow the identity validation flow.
Azure will verify your identity information. This process may take several hours.
For detailed guidance on the identity validation process, refer to the official Azure Artifact Signing identity validation guide.
Create a certificate profile
A certificate profile defines the signing certificate that will be used for your applications.
- In your Artifact Signing account, go to Objects → Certificate profiles in the left sidebar.
- Click + Create and select Public Trust (recommended for most applications).
- Enter the following information:
- Certificate profile name: A descriptive name (e.g., app-production).
- Verified CN and O: Select your verified identity from the previous section.
- Click Create.
Once the profile is created, note the Profile Name — you’ll need this for signing.
Create app registration
To authenticate your builds with Azure, create API credentials for an App Registration to use outside of Azure, for example, in your GitHub Actions workflow.
- Search for App registrations.

- Click + New registration.
- Fill in the details:
- Name: A descriptive name (e.g., artifact-signing-ci).
- Supported account types: Select Single tenant only.
- Click Register.
- Once the app is registered, open it and go to Manage → Certificates & secrets.
- In the Client secrets tab, click + New client secret.
- Add a description and set the expiration (e.g., 24 months).
- Click Add.
Important: Copy the secret Value immediately after creation. This value cannot be retrieved later. Store it securely — you’ll need it for signing.
- On the Overview page of the registered application, copy Client ID and Tenant ID. Store the values securely — you’ll need them later for signing.

Assign roles to the application
The application created in the previous section needs permissions to use your Artifact Signing account.
- Navigate back to your Artifact Signing account.
- Go to Access Control (IAM) in the left sidebar.
- Click + Add and select Add role assignment.
- On the Role tab, search for and select Artifact Signing Certificate Profile Signer. This role is required to successfully sign using Artifact Signing.
- Click Next.
- On the Members tab:
- Assign access to: Select User, group, or service principal.
- Members: Search for the application by its display name, e.g. trusted-signing in our case.
- Click Select, then Next.
- Review and click Assign.
- Repeat steps 3-8 to assign the Artifact Signing Identity Verifier role to the same application. This role is required to manage identity validation requests.
Gather your credentials
You’ve already copied all of the credentials you need during the previous steps. Here’s a summary of all credentials required for signing artifacts:
| Credential | Source |
|---|---|
| Client ID, Tenant ID, client secret Value | From Create App Registration |
| Account Name, Account URI | From Create an Azure Artifact Signing Account |
| Profile Name | From Create a Certificate Profile |
Keep these credentials secure and never commit them to version control. You will use them to configure GitHub Secrets for your GitHub workflow.
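A pre-flight check for the six values summarized above, as an added example that is not part of the original guide: it confirms each value is present and well-formed before a signing step runs, and reports problems by variable name only so the secret never reaches the build log. The AZURE_* names are the ones read by Azure Identity's EnvironmentCredential; the SIGNING_* names and the `--check` flag are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the signing credentials gathered above.
# AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET are the names read by
# the Azure Identity EnvironmentCredential; the SIGNING_* names are hypothetical.

# True when $1 has the 8-4-4-4-12 hexadecimal shape of a Client ID or Tenant ID.
is_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Prints one "NAME: problem" line per finding (never the value itself).
# Returns 0 when all six values look usable, 1 otherwise.
check_signing_env() {
    rc=0
    for name in AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET \
                SIGNING_ACCOUNT_NAME SIGNING_ACCOUNT_URI SIGNING_PROFILE_NAME; do
        # Indirect lookup; $name only ever holds one of the fixed names above.
        eval "value=\${$name:-}"
        case $value in
            '')
                echo "$name: not set"; rc=1; continue ;;
            *[[:space:]]*)
                # A stray space or newline usually means a bad copy/paste.
                echo "$name: contains whitespace"; rc=1; continue ;;
        esac
        case $name in
            AZURE_CLIENT_ID|AZURE_TENANT_ID)
                is_guid "$value" || { echo "$name: not a GUID"; rc=1; } ;;
            SIGNING_ACCOUNT_URI)
                case $value in
                    https://?*) ;;
                    *) echo "$name: must be an https:// URI"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Run as "sh preflight.sh --check" at the start of the signing job.
if [ "${1:-}" = "--check" ]; then
    check_signing_env
fi
```
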