Microsoft.ArtifactSigning.Client 1.0.128

Artifact Signing Client (dlib)

This package provides the dlib component required to sign code using Artifact Signing with SignTool.

Prerequisites

1. Install .NET 8.0 Runtime

Install the .NET 8.0 Runtime matching your SignTool architecture:

• For x64 SignTool: Download .NET 8.0 Runtime - Windows x64 installer
• For x86 SignTool: Download .NET 8.0 Runtime - Windows x86 installer

2. Install Windows SDK

Ensure you have a compatible version of Windows SDK with SignTool.exe installed.

Installation

Option 1: Direct Download

1. Download the Microsoft.ArtifactSigning.Client package
2. Extract the contents to your preferred directory on your signing node

Option 2: NuGet Package Manager

.\nuget.exe install Microsoft.ArtifactSigning.Client -x

Configuration

Create a metadata.json file with your Artifact Signing account details:

{
  "Endpoint": "<Artifact Signing account endpoint>",
  "CodeSigningAccountName": "<Artifact Signing account name>",
  "CertificateProfileName": "<Certificate profile name>",
  "CorrelationId": "<Optional CorrelationId value>"
}

Note: A metadata.sample.json file is included in this package as a template.

Regional Endpoints

The Endpoint URI must match the region where your Artifact Signing account was created:

Important: A region/endpoint mismatch commonly causes a 403 Forbidden error during signing.

Usage

Basic Signing Command

signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "<Path to dlib>\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "<Path to metadata.json>" <File to sign>

Important Notes:

• Match the dlib architecture (x86/x64) with your SignTool version
• Use bin\x64\Azure.CodeSigning.Dlib.dll for x64 SignTool
• Use bin\x86\Azure.CodeSigning.Dlib.dll for x86 SignTool
• Time stamping is critical for continued signature validation beyond the 3-day certificate validity period

Example

signtool.exe sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\ArtifactSigning\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\ArtifactSigning\metadata.json" MyApp.exe

Authentication

The dlib uses DefaultAzureCredential, which attempts multiple authentication methods in sequence. If one fails, it tries the next until authentication succeeds.

Supported Authentication Methods

• Environment Credential
• Managed Identity Credential
• Workload Identity Credential
• Shared Token Cache Credential
• Visual Studio Credential
• Visual Studio Code Credential
• Azure CLI Credential
• Azure PowerShell Credential
• Azure Developer CLI Credential
• Interactive Browser Credential

Limiting Authentication Methods

To use a specific credential (e.g., Azure CLI only), exclude others in your metadata.json:

{
  "Endpoint": "https://eus.codesigning.azure.net",
  "CodeSigningAccountName": "MySigningAccount",
  "CertificateProfileName": "MyProfile",
  "ExcludeCredentials": [
    "ManagedIdentityCredential",
    "WorkloadIdentityCredential",
    "SharedTokenCacheCredential",
    "VisualStudioCredential",
    "VisualStudioCodeCredential",
    "AzurePowerShellCredential",
    "AzureDeveloperCliCredential",
    "InteractiveBrowserCredential"
  ]
}

Troubleshooting

Common Issues

403 Forbidden Error

• Verify your Endpoint URI matches your account's region
• Check that your Azure credentials have access to the Artifact Signing account
• Ensure the CodeSigningAccountName and CertificateProfileName are correct

DLL Not Found

• Confirm .NET 8.0 Runtime is installed
• Verify the dlib path matches your SignTool architecture (x86 vs x64)
• Check that all DLL dependencies are present in the bin folder

Authentication Failures

• Ensure you're authenticated via one of the supported credential types
• Try running az login if using Azure CLI Credential
• Check that excluded credentials don't include your intended authentication method

Additional Resources

• Artifact Signing Documentation
• Artifact Signing GitHub Actions
• Artifact Signing Azure DevOps Task
• Artifact Signing PowerShell Module