For professionals, digital signing ought to be a formality. Even though the first program was digitally signed nearly thirty years ago, many users are still unaware of the benefits of a code signing certificate or the reasons for using one. It is needed to safeguard the publisher's intellectual property and to improve end-user cybersecurity.

Software should always be code-signed before publication.

Why? Because code signing is more than just good practice: it is a layer of security that performs several vital tasks.

It is not a luxury to have SSO.

We at Advanced Installer decided to integrate Azure Code Signing, which was formerly known as Azure Trusted Signing, into all of the commercial editions during its private preview period. To use it, you must first configure Trusted Signing in your Azure subscription.

Advanced Installer manages the certificates through your Azure subscription, so the OS and Signtool.exe can handle all of the authentication. Your projects never store any sensitive data, such as keys or secrets. Once authentication against the Azure services has succeeded, our automation drives Signtool.exe to sign every file in your package, including the setup package itself.
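The flow described above, as an added PowerShell example that is not Advanced Installer's own code: sign every binary in a build folder with Signtool.exe and the Trusted Signing dlib, then verify each signature. The paths, account name, certificate profile and endpoint are placeholders; it assumes the Microsoft.Trusted.Signing.Client package is extracted locally, Signtool.exe is on PATH, and the caller is already signed in to Azure with the "Trusted Signing Certificate Profile Signer" role.

```powershell
# Added example, not the project's code. Signs all PE/installer files in $BuildDir
# with Trusted Signing via Signtool.exe and verifies them afterwards.
$DlibDir  = "C:\tools\Microsoft.Trusted.Signing.Client\bin\x64"   # assumed path
$BuildDir = "C:\build\out"                                        # assumed path
$Metadata = Join-Path $env:TEMP "trusted-signing-metadata.json"

# Metadata consumed by the dlib: which signing account and certificate profile to use.
# No private key or secret is written here; authentication uses the Azure identity.
@{
    Endpoint               = "https://<region>.codesigning.azure.net"  # placeholder
    CodeSigningAccountName = "<your-account>"                          # placeholder
    CertificateProfileName = "<your-profile>"                          # placeholder
} | ConvertTo-Json | Set-Content -Path $Metadata -Encoding ascii

$files = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll, *.msi, *.msix
foreach ($f in $files) {
    # /fd and /td select SHA-256 digests; /tr adds an RFC 3161 timestamp so the
    # signature stays valid after the short-lived Trusted Signing certificate expires.
    & signtool.exe sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 `
        /dlib (Join-Path $DlibDir "Azure.CodeSigning.Dlib.dll") /dmdf $Metadata $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "Signing failed for $($f.FullName)" }
}

# Verification: /pa applies the default Authenticode policy; a non-zero exit means the
# signature is missing, invalid, or chains to a root the machine does not trust.
foreach ($f in $files) {
    & signtool.exe verify /pa /v $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $($f.FullName)" }
}
Remove-Item $Metadata
```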

Why would you need another cloud solution?

As of June 2023, all new code signing certificates must be kept on approved HSMs. In practice this means either a certified flash drive or the FIPS 140-2 Level 3 certified cloud HSM that the Trusted Signing team provides. Professional teams can control certificate access from the Azure portal with little effort, since, as we already know, it offers the highest identity and access management standards.

Still, we gave flash drives a try. They work well when the software is built locally and the certificate does not need to be shared with other team members. Organizations that build with GitHub Actions, Azure DevOps, and similar services, on the other hand, are better off with a cloud-based signing service.

A cloud-based signing service is more secure than signing from an internal continuous integration system, even if that is what we use ourselves. In the event of a breach it lets you revoke signatures without affecting previously signed files, and it keeps an audit trail of exactly which resources were signed by whom.

Introducing code signing for open-source software

Code signing and open-source development have always had a love/hate relationship.

When anyone, including an attacker, can compile and redistribute an OSS program, guaranteeing end-user security becomes a continuous struggle.

The requirement that all MSIX packages be digitally signed makes the adoption of this more advanced and powerful packaging technology difficult. It is particularly hard for OSS maintainers to embrace code signing because of the high costs and the complicated purchase or validation processes with certificate vendors.

This is what Trusted Signing aims to rectify. With the help of Advanced Installer, ImageMagick, a well-known open-source software suite for editing and modifying digital images, is now making available the first trusted, signed MSIX package of its installer.

Thanks to Advanced Installer's free license for open-source projects, its GitHub Actions support, and its Trusted Signing integration, ImageMagick can upgrade its setup projects and begin the transition from its legacy packaging framework to Advanced Installer.


Bogdan Mitrache