Sign Installers with Azure Artifact Signing
Code signing is one of the most effective ways to build trust with your users and avoid SmartScreen warnings. With Azure Artifact Signing, Microsoft offers a cloud-based signing service that eliminates the need to purchase, store, and renew traditional code-signing certificates.
Paquet Builder 2026 includes native integration with Azure Artifact Signing. This tutorial walks you through the entire setup process.
Prerequisites
Before you begin, make sure you have the following:
- Paquet Builder 2026 Professional (or higher). Azure Artifact Signing integration is included in Professional and Site licenses.
- An Azure account with an active subscription.
- The Azure CLI installed on your development machine (version 2.50 or later).
- A verified identity in the Azure Artifact Signing service.
Step 1: Create an Artifact Signing Account
- Sign in to the Azure Portal.
- Search for Artifact Signing in the marketplace and create a new Artifact Signing account.
- Choose your subscription, resource group, and region. Select the pricing tier that fits your volume.
- Complete the identity verification process. Microsoft will verify your organization’s identity, which typically takes one to three business days.
Once verified, Azure provisions a signing certificate that is managed entirely in the cloud. You never handle the private key directly.
Step 2: Register an Application in Azure AD
Paquet Builder authenticates with Azure using an app registration and a client secret (or certificate).
- In the Azure Portal, navigate to Azure Active Directory > App registrations and create a new registration.
- Note the Application (client) ID and Directory (tenant) ID.
- Under Certificates & secrets, create a new client secret. Copy the secret value — you will not be able to retrieve it later.
- In your Artifact Signing account, grant the app registration the Artifact Signing Certificate Profile Signer role.
Step 3: Configure Paquet Builder
Open your project in Paquet Builder and navigate to Build Settings > Code Signing.
- Set the Signing Method to Azure Artifact Signing.
- Enter your Tenant ID, Client ID, and Client Secret in the corresponding fields.
- Provide the Artifact Signing Account Name and Certificate Profile Name from the Azure Portal.
- Select the Endpoint URL that matches your account’s region (for example, https://eus.codesigning.azure.net).
Click Test Connection to verify that Paquet Builder can authenticate and reach the signing service.
Step 4: Build and Sign
With the configuration in place, every build will automatically sign your installer using Azure Artifact Signing. The signing process happens during the After Build phase:
- Paquet Builder compiles your installer as usual.
- The compiled executable is sent to the Azure Artifact Signing service for signing.
- The signed binary is written to your output directory.
The entire process adds only a few seconds to a typical build.
Step 5: Verify the Signature
After the build completes, right-click the output file in Windows Explorer, select Properties, and open the Digital Signatures tab. You should see a valid signature issued by Microsoft’s Artifact Signing CA.
You can also verify the signature from the command line:
signtool verify /pa /v YourInstaller.exe
Using Azure Artifact Signing in CI/CD
The console compiler supports the same Azure Artifact Signing configuration through directives or environment variables. This lets you sign builds in your CI/CD pipeline without storing credentials in your project file.
Set the following environment variables on your build agent:
PB_ATS_TENANT_ID=your-tenant-id
PB_ATS_CLIENT_ID=your-client-id
PB_ATS_CLIENT_SECRET=your-client-secret
PB_ATS_ACCOUNT=your-account-name
PB_ATS_PROFILE=your-certificate-profile
PB_ATS_ENDPOINT=https://eus.codesigning.azure.net
Then compile with:
pbcompiler.exe MyProject.pbp /sign
The compiler reads the credentials from the environment, signs the output, and returns a structured JSON result including the signature thumbprint.
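The CI/CD steps above can be wrapped in a build-agent script that fails the job when the signing configuration is incomplete or the output is not validly signed. This is an added example, not code from Paquet Builder or its documentation; the output path, the expected publisher subject, the meaning of the compiler's exit code, and signtool being on the PATH are assumptions.

```powershell
# Added example: pre-flight checks, signed build, and signature gate for a CI job.
$ErrorActionPreference = 'Stop'

# Assumptions (not from the page): output path and expected publisher subject.
$installer       = '.\Output\YourInstaller.exe'
$expectedSubject = 'CN=<your verified organization name>'   # placeholder

# 1. Fail early if any PB_ATS_* variable is missing. Report names only, never values.
$required = 'PB_ATS_TENANT_ID', 'PB_ATS_CLIENT_ID', 'PB_ATS_CLIENT_SECRET',
            'PB_ATS_ACCOUNT', 'PB_ATS_PROFILE', 'PB_ATS_ENDPOINT'
$missing = $required | Where-Object {
    [string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($_))
}
if ($missing) { throw "Missing signing variables: $($missing -join ', ')" }

# 2. Refuse a signing endpoint that is not an absolute HTTPS URL.
$endpoint = [Uri]$env:PB_ATS_ENDPOINT
if (-not $endpoint.IsAbsoluteUri -or $endpoint.Scheme -ne 'https') {
    throw 'PB_ATS_ENDPOINT must be an absolute https:// URL'
}

# 3. Build and sign. Assumes a non-zero exit code means the build or signing failed.
& pbcompiler.exe MyProject.pbp /sign
if ($LASTEXITCODE -ne 0) { throw "pbcompiler.exe exited with code $LASTEXITCODE" }

# 4. Gate on the Authenticode status so an unsigned or tampered file never ships.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }

# 5. Confirm the signer is the publisher you expect, not just any trusted signer.
$subject = $sig.SignerCertificate.Subject
if (-not $subject.Contains($expectedSubject)) {
    throw "Unexpected signer subject: $subject"
}

# 6. Same check the tutorial runs by hand (assumes signtool.exe is on the PATH).
& signtool.exe verify /pa /v $installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify exited with code $LASTEXITCODE" }

# Record the signer details in the build log for later audit.
Write-Host "Signer:     $subject"
Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
```

Store PB_ATS_CLIENT_SECRET as a masked secret in the CI system so it is injected into the agent's environment at run time rather than written into the pipeline definition.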
Summary
Azure Artifact Signing removes the friction of traditional code-signing workflows. There are no USB tokens to manage, no certificate renewals to track, and no private keys to safeguard. Combined with Paquet Builder’s built-in integration, you can go from unsigned builds to fully signed installers in under an hour.
If you have questions or run into issues, visit our documentation or contact support.