Sign a CI policy by using Trusted Signing
This article shows you how to sign new code integrity (CI) policies by using the Trusted Signing service.
Prerequisites
To complete the steps in this article, you need:
- A Trusted Signing account, identity validation, and certificate profile.
- Individual or group assignment of the Trusted Signing Certificate Profile Signer role.
- Azure PowerShell in Windows installed.
- Az.CodeSigning module downloaded.
Sign a CI policy
Unzip the Az.CodeSigning module to a folder.
Open PowerShell 7.
In the Az.CodeSigning folder, run this command:
Import-Module .\Az.CodeSigning.psd1Optionally, you can create a metadata.json file that looks like this example:
{ "Endpoint":"https://xxx.codesigning.azure.net/", "TrustedSigningAccountName":"<Trusted Signing Account Name>", "CertificateProfileName":"<Certificate Profile Name>" }Get the root certificate that you want to add to the trust store:
Get-AzCodeSigningRootCert -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cerIf you're using a metadata.json file, run this command instead:
Get-AzCodeSigningRootCert -MetadataFilePath C:\temp\metadata.json https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cerTo get the Extended Key Usage (EKU) to insert into your policy:
Get-AzCodeSigningCustomerEku -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/If you're using a metadata.json file, run this command instead:
Get-AzCodeSigningCustomerEku -MetadataFilePath C:\temp\metadata.jsonTo sign your policy, run the
invokecommand:Invoke-AzCodeSigningCIPolicySigning -accountName TestAccount -profileName TestCertProfile -endpointurl "https://xxx.codesigning.azure.net/" -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.comIf you're using a metadata.json file, run this command instead:
Invoke-AzCodeSigningCIPolicySigning -MetadataFilePath C:\temp\metadata.json -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.com
Create and deploy a CI policy
For steps to create and deploy your CI policy, see these articles:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for