From 59ee6aada77b66c8c9bac1cce34f4802f309c7b6 Mon Sep 17 00:00:00 2001 From: Michael Morten Sonne | Microsoft MVP <49366751+michaelmsonne@users.noreply.github.com> Date: Sun, 9 Nov 2025 21:49:41 +0100 Subject: [PATCH 1/2] Highlight Trusted Signing endpoint region requirement and add 403 Forbidden troubleshooting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Make the Endpoint region requirement obvious and provide a concrete example (403 Forbidden + SignerSign failure) with steps to resolve when the endpoint doesn’t match the region of the Trusted Signing account/certificate profile. --- .../how-to-signing-integrations.md | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/articles/trusted-signing/how-to-signing-integrations.md b/articles/trusted-signing/how-to-signing-integrations.md index 85da7b952b6f4..60a43181612aa 100644 --- a/articles/trusted-signing/how-to-signing-integrations.md +++ b/articles/trusted-signing/how-to-signing-integrations.md @@ -147,7 +147,8 @@ To sign by using Trusted Signing, you need to provide the details of your Truste } ``` - The `"Endpoint"` URI value must be a URI that aligns with the region where you created your Trusted Signing account and certificate profile when you set up these resources. The table shows regions and their corresponding URIs. + > [!IMPORTANT] + > The `"Endpoint"` URI value must match the region where you created your Trusted Signing account **and** the certificate profile. Use one of the region-specific URIs in the table below. A region/endpoint mismatch commonly causes a 403 Forbidden error and an internal `SignerSign()` failure during signing. | Region | Region class fields | Endpoint URI value | |--------------|-----------|------------| 
@@ -160,6 +161,44 @@ To sign by using Trusted Signing, you need to provide the details of your Truste 1 The optional `"CorrelationId"` field is an opaque string value that you can provide to correlate sign requests with your own workflows, such as build identifiers or machine names. +#### Endpoint mismatch error example + +If the endpoint does not match the region where the Trusted Signing account and certificate profile were created, a sign request can fail with a 403 Forbidden response and an internal SignTool error. This indicates the service rejected the request due to an incorrect regional endpoint. + +Example failure output: + +``` +Submitting digest for signing... +Unhandled managed exception +Azure.RequestFailedException: Service request failed. +Status: 403 (Forbidden) + +Headers: +Date: Sun, 09 Nov 2025 20:39:58 GMT +Connection: keep-alive +Strict-Transport-Security: REDACTED +x-azure-ref: REDACTED +X-Cache: REDACTED +Content-Length: 0 + + at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken) + at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken) + at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken) + at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle) + at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore) + +SignTool Error: An unexpected internal error has occurred. 
+Error information: "Error: SignerSign() failed." (-2147467259/0x80004005) +``` + +Resolution: +1. Verify the region where the Trusted Signing account and certificate profile were provisioned. +2. Update the `"Endpoint"` value in the JSON to the correct regional URI from the table above. +3. Retry the signing operation. + +Tip: A 403 with zero content length and `SignerSign()` failure is a strong indicator of an endpoint–region mismatch. + + ### Authentication This Task performs authentication using [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential), which attempts a series of authentication methods in order. If one method fails, it attempts the next one until authentication is successful. From aa6934f333bff443b3b3f3b037795441727ea893 Mon Sep 17 00:00:00 2001 From: Michael Morten Sonne | Microsoft MVP <49366751+michaelmsonne@users.noreply.github.com> Date: Sun, 16 Nov 2025 15:51:42 +0100 Subject: [PATCH 2/2] Remove endpoint mismatch error example Removed the endpoint mismatch error example and its resolution steps from the document. The error comes from signtool, not Trusted Signing, and the signtool team prefers to keep it generic. --- .../how-to-signing-integrations.md | 38 ------------------- 1 file changed, 38 deletions(-) diff --git a/articles/trusted-signing/how-to-signing-integrations.md b/articles/trusted-signing/how-to-signing-integrations.md index 60a43181612aa..f73f25e36676e 100644 --- a/articles/trusted-signing/how-to-signing-integrations.md +++ b/articles/trusted-signing/how-to-signing-integrations.md
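Review bot: in the first hunk of PATCH 1/2 (the `> [!IMPORTANT]` callout replacing the `"Endpoint"` sentence), the clause "commonly causes a 403 Forbidden error and an internal `SignerSign()` failure during signing" ties the callout to a SignTool-specific symptom that is only substantiated by the example block added in the second hunk, and PATCH 2/2 removes that block again. Keep the callout to the requirement the service enforces, e.g. "The `"Endpoint"` URI value must match the region where you created your Trusted Signing account **and** the certificate profile; otherwise the service rejects the sign request. Use one of the region-specific URIs in the table below." and leave the error-code detail to a troubleshooting section if one is kept.

Review bot: in the second hunk of PATCH 1/2 (the `#### Endpoint mismatch error example` section), the prose is inconsistent about certainty: "This indicates the service rejected the request due to an incorrect regional endpoint" is definitive, while the closing tip calls the same symptom "a strong indicator"; pick the softer wording in both places. Three smaller points: the fenced block holding the failure output has no language tag (a plain `text` tag keeps renderers from guessing); the stack trace couples the page to one SignTool/Dlib build through internal frame names such as `Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync` and the HRESULT `0x80004005`, so trimming it to the `Status: 403 (Forbidden)` and `SignerSign() failed` lines would age better; and the two trailing `+` blank lines leave a double blank before `### Authentication`, where one is enough. The tip's "endpoint–region mismatch" also uses an en dash while the callout says "region/endpoint mismatch"; use one form.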
@@ -161,44 +161,6 @@ To sign by using Trusted Signing, you need to provide the details of your Truste 1 The optional `"CorrelationId"` field is an opaque string value that you can provide to correlate sign requests with your own workflows, such as build identifiers or machine names. -#### Endpoint mismatch error example - -If the endpoint does not match the region where the Trusted Signing account and certificate profile were created, a sign request can fail with a 403 Forbidden response and an internal SignTool error. This indicates the service rejected the request due to an incorrect regional endpoint. - -Example failure output: - -``` -Submitting digest for signing... -Unhandled managed exception -Azure.RequestFailedException: Service request failed. -Status: 403 (Forbidden) - -Headers: -Date: Sun, 09 Nov 2025 20:39:58 GMT -Connection: keep-alive -Strict-Transport-Security: REDACTED -x-azure-ref: REDACTED -X-Cache: REDACTED -Content-Length: 0 - - at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken) - at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken) - at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken) - at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle) - at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore) - -SignTool Error: An unexpected internal error has occurred. 
-Error information: "Error: SignerSign() failed." (-2147467259/0x80004005) -``` - -Resolution: -1. Verify the region where the Trusted Signing account and certificate profile were provisioned. -2. Update the `"Endpoint"` value in the JSON to the correct regional URI from the table above. -3. Retry the signing operation. - -Tip: A 403 with zero content length and `SignerSign()` failure is a strong indicator of an endpoint–region mismatch. - - ### Authentication This Task performs authentication using [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential), which attempts a series of authentication methods in order. If one method fails, it attempts the next one until authentication is successful.
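Review bot: the deletion is clean (it removes exactly the 38 lines the first patch added, including the two trailing blank lines, so spacing before `### Authentication` returns to the original), but it leaves the `> [!IMPORTANT]` callout introduced by the first hunk of PATCH 1/2 untouched, and that callout still tells readers a mismatch "commonly causes a 403 Forbidden error and an internal `SignerSign()` failure during signing". The commit message's reason for the removal, that the error comes from signtool and the signtool team prefers to keep it generic, applies equally to that sentence; trim the callout to the region requirement in this same patch so the document does not reference a SignTool error it no longer explains.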