Reduce developer friction with Azure Code Signing

Microsoft 365 Developer · Beginner ·📰 AI News & Updates ·5y ago

Key Takeaways

The video demonstrates Azure Code Signing, a service that minimizes developer friction in code signing, and explores its integration with Windows Defender Application Control, GitHub Actions, and Azure Pipelines.

Full Transcript

[Music] hello my name is diane harteno i'm a program manager on the windows developer platform team i'm here to talk to you about how you can reduce your developer friction with azure code signing so let's begin you've got your application you're ready to go but first you have to learn about the importance of code signing code signing is windows best way to establish the identity of your application it's also windows best way to ensure the integrity of your application in other words we make sure that your app hasn't been tampered with as a result this provides a level of security when it comes to deploying your application so let's understand the code signing process the first thing you gotta do is you have to get your certificate you do this by going to a certificate authority and getting verified once you've been verified you then are able to generate a private and public key to be used later on you want to treat these keys as it's your driver's license minus the awkward photo the next step is to sign your application take the contents of your application and rehash it according to the windows authenticate standards these hashes are then signed with the keys from the previous step and then embedded into the files with the public certificate data the last step is to verify now the os will check that the application is signed by somebody it knows by checking the certificate chain it's also the time when the os checks that the application has been tampered with because it checks that the signature is still valid so there you go you've gone through the code signing process you might be thinking to yourself why not just self-sign i mean anybody can create a certificate well it goes back to the first point there's no authority figure to verify your identity so with code signing there's different types of trust depending on how the certificate is used think about it in two buckets the first one are considered privately trusted meaning if you're in an enterprise and let's say you have these certain certificates that need to be trusted on certain devices then you have your it pro opt in to trust these certificates on the other hand you'll have these uh what we call the publicly trusted certificates now these are are more used for developers who want to distribute their application in a more broader audience so these certificates must be trusted by default by the os we couldn't talk about certificates without certificate security remember your private keys represent you as the signer and now keys if they're ever leaked can can really have a detrimental effect your identity could be stolen or impersonated so we recommend you not store your keys on your dev machine even better if you have best practice and have a hardware backed solution so you might think to yourself all right how can i leverage code signing to even lock down my enterprise well you could use windows defender application control or wdap for short wdap is a critical line of defense when it comes to malware it's also a way for you to secure your devices without control so as an it pro you get to choose what type of apps run on your machine so if you have apps that are coming from unknown developers that might have malware you can easily block them and with code sighting it makes your policies be created and maintained in a more manageable and scalable way so think about windows defender application control as a way to define the circle of trust on your devices and a baseline what you could do is you could only allow the os components to run your devices and then um as an it pro you can get creative and generate policies based on the hash rules file types and file paths such that only certain applications will run on your machine now with code signing you can also create signer rules which are really more preferred from a security and manageability perspective so now i'm going to hand it over to jordan who's going to walk us through the windows defender application control and how it works really well with code signing thanks deanne my name is jordan gurten i'm a program manager on the microsoft enterprise and security team today i'll be showing you how easy it is to protect your enterprise devices using code signing and wdac wdac uses policy rules to define trust for the apps that you want to run on your enterprise devices again these can be rules based on the code signing certificate properties or application attributes like path file name or hash this is the wdac policy i've defined to allow this our line of business application called hello world i've created 24 hash rules to allow us the first three versions of the unsigned app i have to repeat this for each new version of the app that our dev department releases this is only for one app i also have to repeat this for each new application our org uses so when i attempt to load the newest version of the app without first updating the policy you'll see that wdac will block the app and show this ui each new version of the app requires new entries in the policy i will now show you how code signing drastically improves controlling your line of business apps wdac policies can be created using the powershell commandlets or with the easy to use wdac wizard app created to make life simpler we offer three base templates for the policy the first is windows works mode which allows trust for apps shipped inbox by windows the microsoft store and office 365 apps allow microsoft mode builds off of windows works and also allows trust for microsoft apps finally signed in reputable is a policy which uses microsoft defender's intelligence security graph which gathers intelligence on the reputation of millions of apps in our ecosystem only files with good reputation will be allowed at this point you can configure the policy rules you can hover above the label of each rule to learn more or refer to the documentation at this point in the process we want to create a custom rule based on the azure code signing code signing certificate to create a custom rule set the rule type equal to publisher and we'll allow the code signing certificate properties we're going to browse for a reference file to set to create the rule off of select the hello world msix file this is what we'll be basing our rule off of you can tailor the specificity of the publisher rule since i want to allow any app that is being signed by the code signing certificate issued by this ca in this publisher i set the slider to the publisher and click create rule let's take a look at the policy that the wdac wizard created so i created this one signer rule here now this one rule which is based on our code signing cert that is that is issued by microsoft azure code signing will allow list all future versions of the app and any new apps signed with the certificate there's a huge improvement to creating hash rules per app version we replace every single rule here with one single rule based on the signer information this new policy can can be deployed to all managed machines so that our devices are secure against unknown apps in malware again all new signed versions of the app will not require updates to the wdac policy for more information on wdak please visit ak dot ms slash wdac the wizard can also be downloaded from ak dot ms slash wdac wizard thanks jordan now we chatted with our developers and we've gotten feedback about co-signing and we need to address this so the first point of friction would be acquiring certificates now these can be costly depending on the type of certificate you're trying to get so this is a barrier for certain developers the second one is securing your certificates can be difficult and lastly the overall maintaining and just getting your certificates can be tedious so what are we going to do about it introducing azure code signing azure code signing manages your certificates and keys on your behalf all you really need is to have assigned a role so as a developer or an it pro the service will sign for you you get to use microsoft's proven expertise when it comes to key infrastructure and it's easy to adopt and it will integrate with your existing tool sets so now i'm going to head it over to danielle who's gonna walk us through the azure code signing experience thanks dan hi my name is dana gonzalez and i'm a pm on the microsoft code signing team i'm here to walk you through a quick demo showing you how azure code setting works in your ci cd pipeline for this example i'll be using github actions from the perspective of an llb developer i plan on signing the application jordan allowed earlier in the wdeck policy push to our environment so let's get started with creating a release of the simple msix application so to do that i will draft a new release here we are so this will kick off a new action which is right here and while this is queuing up i just want to mention that github actions isn't the only integration we'll have we also plan on integrating with azure pipelines as well as the other leading cicd solutions and visual studio and visual studio code and more to come let's check the build alright so as you can see here we have the sign package fragment right here as well as some of the other pieces of our build and then let's actually take a look at that fragment itself here in the workflow file scroll down and so here we actually have the signed package and before we actually do the signing we just set up the environment extract the tag name and then we build and package that actual application and then here we have finally signed the application and there's only a couple fields that are part of this fragment including the azure sign client id and azure sign client secret and those are simply for authentication so this will just authorize you to use the azure code settings service as well as the file name where you put the artifact that's going to be created and in the future we plan on adding a couple other fields the main one being the type of certificate used and so we we plan on offering four different types in this scenario in this example we are using the enterprise signing certificate and so that essentially allows you to authorize applications for your environment your enterprise and that also includes third-party applications that may not be built by your internal organization but you want to include and support uh into your enterprise and then the others are release trial and test and releases for assigning trusted applications for all of windows for all users and then the test and trial are mainly for internal builds testing making sure that your pipelines are working the trial one is the one that you get when you first sign up that's not trusted by anything so you can kind of just play around with the service itself and you may think okay so we have this service and we want it to be you know protected private secure how can we control the people who actually have access to this service within your actual environment and enterprise and we do that by using role-based access control so there you can pick and choose who exactly has access to the service and what type of signing they have access so you may have a different group of developers who may only build internal lob apps and they'd only use the enterprise signing certificate and then you may have a team that releases applications ex to the exterior that can use the the release type of certificate similar with the trial and test you can pick and choose who exactly you want them or who exactly can use those certificates and so let's take a look at how our build is going and it's building and packaging right now and just to mention you know this won't be the only file type we support msx we plan on also supporting exe msi and some of the other leading application types a lot of the ones supported right now by sign tool will also be supported by azure code signing so it'll make it an easy transition so the signing finally kicked off here and let's just wait a couple hopefully only a couple seconds for that to complete and then we can actually download this application and open it awesome okay so the application is now signed we're going to upload and post awesome okay so let's open up this application here should be under releases version 48 there it is downloading all right let's open it up and as you can see the application is trusted as your code signing team and you can actually install this application and open it up and because we have jordan's wdac policy on this machine it should be allowed and authorized so we should have any issues oh open up on the other screen here it is awesome see see how easy that was all right dan back to you wow daniel that was so amazing thank you so much for walking us through that so to recap i'm going to go over the azure code signing experience with you the first thing you got to do is you have to sign up for this service once you've been verified go ahead and develop and sign with your existing toolset and remember azure code signing will generate the certificates and sign for you once you have your application that has been signed go ahead and distribute to your preferred endpoints some key features i want to highlight about azure code signing is that it's secure and seamless it integrates with the first and third party tool sets you'll be given a dashboard so that you can see the signing history as well as manage who gets to use this service you'll leverage microsoft's proven expertise when it comes to code signing and the service will support multiple files so in the demo you saw that it was citing an msix package but it will also support multiple file types so i want to leave you with this sign up for our azure code signing preview by emailing us at azure codesigningtap microsoft.com to learn more about the technologies that you saw today visit our websites you

Original Description

Azure Code Signing is a service from Microsoft to enable developers and IT Pros to minimize the friction in code signing. The session will walk through the basics and importance of code signing and how Azure Code Signing will help reduce the challenges involved in signing your apps and code. For more information, visit https://developer.microsoft.com/windows
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Microsoft 365 Developer · Microsoft 365 Developer · 0 of 60

← Previous Next →
1 Adaptive Cards community call-February 2019
Adaptive Cards community call-February 2019
Microsoft 365 Developer
2 PowerApps community call-February 2019
PowerApps community call-February 2019
Microsoft 365 Developer
3 Microsoft Graph community call-March 2019
Microsoft Graph community call-March 2019
Microsoft 365 Developer
4 Office Add ins community call-March 2019
Office Add ins community call-March 2019
Microsoft 365 Developer
5 PowerApps community call-March 2019
PowerApps community call-March 2019
Microsoft 365 Developer
6 Microsoft Teams community call-March 2019
Microsoft Teams community call-March 2019
Microsoft 365 Developer
7 Using React and Office UI Fabric React Components
Using React and Office UI Fabric React Components
Microsoft 365 Developer
8 Build Microsoft Teams customization using SharePoint Framework
Build Microsoft Teams customization using SharePoint Framework
Microsoft 365 Developer
9 Microsoft Graph community call-April 2019
Microsoft Graph community call-April 2019
Microsoft 365 Developer
10 Using Change Notifications and Track Changes with Microsoft Graph
Using Change Notifications and Track Changes with Microsoft Graph
Microsoft 365 Developer
11 Office Add Ins community call-April 2019
Office Add Ins community call-April 2019
Microsoft 365 Developer
12 Adaptive Cards community call-April 2019
Adaptive Cards community call-April 2019
Microsoft 365 Developer
13 Microsoft Teams community call-April 2019
Microsoft Teams community call-April 2019
Microsoft 365 Developer
14 Getting Started with Microsoft Graph and Application Registration
Getting Started with Microsoft Graph and Application Registration
Microsoft 365 Developer
15 Getting Started with Microsoft Graph and the Directory API
Getting Started with Microsoft Graph and the Directory API
Microsoft 365 Developer
16 Getting Started with Microsoft Graph and Microsoft Teams
Getting Started with Microsoft Graph and Microsoft Teams
Microsoft 365 Developer
17 Getting Started with Microsoft Graph Explorer
Getting Started with Microsoft Graph Explorer
Microsoft 365 Developer
18 Getting Started with Microsoft Graph
Getting Started with Microsoft Graph
Microsoft 365 Developer
19 Getting Started with Microsoft Graph and Mail API
Getting Started with Microsoft Graph and Mail API
Microsoft 365 Developer
20 Getting Started with Microsoft Graph and Office 365 Groups
Getting Started with Microsoft Graph and Office 365 Groups
Microsoft 365 Developer
21 Getting Started with Microsoft Graph and the Calendar API
Getting Started with Microsoft Graph and the Calendar API
Microsoft 365 Developer
22 Getting Started with the Microsoft Graph Toolkit
Getting Started with the Microsoft Graph Toolkit
Microsoft 365 Developer
23 Getting Started with Microsoft Graph and JavaScript SDKs
Getting Started with Microsoft Graph and JavaScript SDKs
Microsoft 365 Developer
24 Getting Started with Microsoft Graph and .NET SDKs
Getting Started with Microsoft Graph and .NET SDKs
Microsoft 365 Developer
25 Discover how businesses can be more productive with Microsoft 365 integrations
Discover how businesses can be more productive with Microsoft 365 integrations
Microsoft 365 Developer
26 Adaptive Cards community call-May 2019
Adaptive Cards community call-May 2019
Microsoft 365 Developer
27 Office Add-ins community call-May 2019
Office Add-ins community call-May 2019
Microsoft 365 Developer
28 Why We Built on Microsoft Teams
Why We Built on Microsoft Teams
Microsoft 365 Developer
29 Microsoft Teams community call-May 2019
Microsoft Teams community call-May 2019
Microsoft 365 Developer
30 Microsoft Graph community call-June 2019
Microsoft Graph community call-June 2019
Microsoft 365 Developer
31 Build Angular SPA's with Microsoft Graph - June 2019
Build Angular SPA's with Microsoft Graph - June 2019
Microsoft 365 Developer
32 Office Add -ins community call-June 2019
Office Add -ins community call-June 2019
Microsoft 365 Developer
33 Build Android native apps with the Microsoft Graph Android SDK - June 2019
Build Android native apps with the Microsoft Graph Android SDK - June 2019
Microsoft 365 Developer
34 Build MVC apps with Microsoft Graph - June 2019
Build MVC apps with Microsoft Graph - June 2019
Microsoft 365 Developer
35 Authenticate and connect with Microsoft Graph - June 2019
Authenticate and connect with Microsoft Graph - June 2019
Microsoft 365 Developer
36 Microsoft Graph data connect - June 2019
Microsoft Graph data connect - June 2019
Microsoft 365 Developer
37 Change notifications with Microsoft Graph - June 2019
Change notifications with Microsoft Graph - June 2019
Microsoft 365 Developer
38 Build iOS native apps with the Microsoft Graph REST API - June 2019
Build iOS native apps with the Microsoft Graph REST API - June 2019
Microsoft 365 Developer
39 Build Node.js Express apps with Microsoft Graph - June 2019
Build Node.js Express apps with Microsoft Graph - June 2019
Microsoft 365 Developer
40 Smart UI with Microsoft Graph - June 2019
Smart UI with Microsoft Graph - June 2019
Microsoft 365 Developer
41 Leveraging the Microsoft Graph API from the SharePoint Framework - June 2019
Leveraging the Microsoft Graph API from the SharePoint Framework - June 2019
Microsoft 365 Developer
42 Build UWP apps with Microsoft Graph - June 2019
Build UWP apps with Microsoft Graph - June 2019
Microsoft 365 Developer
43 Build React SPA's with Microsoft Graph - June 2019
Build React SPA's with Microsoft Graph - June 2019
Microsoft 365 Developer
44 Getting Started with Microsoft Graph and Batching
Getting Started with Microsoft Graph and Batching
Microsoft 365 Developer
45 Getting Started with Microsoft Graph and Change Notifications
Getting Started with Microsoft Graph and Change Notifications
Microsoft 365 Developer
46 Getting Started with Microsoft Graph and Consent Permissions
Getting Started with Microsoft Graph and Consent Permissions
Microsoft 365 Developer
47 Getting Started with Microsoft Graph and Education
Getting Started with Microsoft Graph and Education
Microsoft 365 Developer
48 Getting Started with Microsoft Graph and Financials
Getting Started with Microsoft Graph and Financials
Microsoft 365 Developer
49 Getting Started with Microsoft Graph and Excel
Getting Started with Microsoft Graph and Excel
Microsoft 365 Developer
50 Getting Started with Microsoft Graph and Data Connect
Getting Started with Microsoft Graph and Data Connect
Microsoft 365 Developer
51 Getting Started with Microsoft Graph and Intune
Getting Started with Microsoft Graph and Intune
Microsoft 365 Developer
52 Getting Started with Microsoft Graph and Notifications
Getting Started with Microsoft Graph and Notifications
Microsoft 365 Developer
53 Getting Started with Microsoft Graph and OneNote
Getting Started with Microsoft Graph and OneNote
Microsoft 365 Developer
54 Getting Started with Microsoft Graph and OneDrive
Getting Started with Microsoft Graph and OneDrive
Microsoft 365 Developer
55 Getting Started with Microsoft Graph and Open Extensions
Getting Started with Microsoft Graph and Open Extensions
Microsoft 365 Developer
56 Getting Started with Microsoft Graph and Paging
Getting Started with Microsoft Graph and Paging
Microsoft 365 Developer
57 Getting Started with Microsoft Graph and Schema Extensions
Getting Started with Microsoft Graph and Schema Extensions
Microsoft 365 Developer
58 Getting Started with Microsoft Graph and Security API
Getting Started with Microsoft Graph and Security API
Microsoft 365 Developer
59 Getting Started with Microsoft Graph and Query Parameters
Getting Started with Microsoft Graph and Query Parameters
Microsoft 365 Developer
60 Getting Started with Microsoft Graph and Reporting API
Getting Started with Microsoft Graph and Reporting API
Microsoft 365 Developer

Azure Code Signing reduces developer friction by managing certificates and keys, integrating with existing toolsets, and providing a dashboard for managing signing history and user access. This service is crucial for ensuring the identity and integrity of applications.

Key Takeaways
  1. Create policies based on hash rules, file types, and file paths
  2. Define trust for apps using WDAC policy rules
  3. Replace hash rules with signer rules for easier management
  4. Deploy policy to all managed machines
  5. Create a release of the simple MSIX application
  6. Draft a new release in GitHub
  7. Set up the environment and extract the tag name
  8. Build and package the actual application
  9. Sign the application using Azure Code Signing
💡 Azure Code Signing simplifies the code signing process by managing certificates and keys on behalf of developers, reducing the complexity and friction associated with traditional code signing methods.

Related Reads

📰
Google Is Winning the AI Race and Losing Its Business Model at the Same Time
Google is leading in AI development but its business model is under threat due to changes in search behavior and advertising revenue, learn how AI is disrupting traditional business models
Medium · AI
📰
AI Will Not Save You from Thinking: Why Polymathy Is Becoming the Real Career Advantage
Learn why polymathy is crucial in an AI-driven career and how to develop it to stay ahead
Medium · AI
📰
The Apple Intelligence Compromise: Why China is Forcing Apple to Use Local AI Models
Apple must use local AI models in China, highlighting geopolitical tensions in tech
Medium · AI
📰
Everything You Know About AI Needs an Urgent Upgrade
Upgrade your understanding of AI to keep pace with rapid advancements in the field
Medium · Programming
Up next
Mythos Hype is Absurd! You Already Have AI Tools #shorts
Income stream surfers
Watch →