MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Trusted Signing identity validation status Failed with no explanation #122450

Closed alexvoina closed 4 months ago

alexvoina commented 5 months ago

Hi,

I am trying to set up trusted signing for my Windows application. I followed this guide https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/

After creating my Identity validation request, status changed to "Action Required" after a few days. I was asked to provide "Domain purchase invoices or registry confirmation records". I followed the instructions in the guide above (he had the same issue) and provided my last invoice from Iwantmyname for the domain (of my website url, primary & secondary email).

Status changed to "In progress", and after a day moved to "Action Required" again, asking for the same document - "Domain purchase invoices or registry confirmation records". This time I got confused, and provided a document that proves my legal entity is registered in Romania.

Again, after a day or so, the same thing happened - "Action Required", asking for the same document, without any explanation about why my 2 attempts were not good.

Last thing I tried was to send another document, an invoice from Google that shows that my domain is connected to a Google Workspace.

In the end, status changed to "Failed" and I have no idea what to do next, because I have never gotten an explanation. I am completely lost.




tybrannock24 commented 1 month ago

For cdfa4282-513e-44db-b37d-ce590fd3cb08 - there was an email sent with a verification link, the link will expire on 19th Sep.

1a5162b0-d7cc-49d4-a882-349e3a34c1ac - please update domain registration or invoice that lists the entity/contact as it is stated on the request. All documents submitted must be issued within the previous 12 months or where the expiration date is a future date that is at least 2 months away.

Thanks a million!! cdfa4282-513e-44db-b37d-ce590fd3cb08 just passed after verifying the email. I suppose I'll just let the other one fail.

Thanks again! 🙏🏽🙏🏽

otryshko commented 3 weeks ago

Hi @mehasharma, do you happen to know why 49af6f2b-2660-408d-9c1e-8916743e8d1c could have failed validation? I followed the suggestions on this thread to ensure that addresses match, and provided EIN when submitting the request. The company is over 3 years old. Anything I'm missing?

TacoTechSharma commented 3 weeks ago

@otryshko I have responded to Ayet on the specifics on Microsoft Q&A.

otryshko commented 3 weeks ago

> @otryshko I have responded to Ayet on the specifics on Microsoft Q&A.

@mehasharma thank you for answering! Not sure who is Ayet you are referring to?

TacoTechSharma commented 3 weeks ago

@otryshko Apologies for the confusion. For your org, you missed the email validation. If your organization has a year-founded date of more than three years, ensure that you didn't miss an email verification link that was sent to the primary email address you entered when you created your identity validation request. The link expires after seven days. If you overlooked the email or if you didn't select the link in the email within seven days, create a new identity validation request. https://learn.microsoft.com/en-us/azure/trusted-signing/faq#what-if-identity-validation-fails

don41382 commented 3 weeks ago

I am also trying to get my identity validated and got dismissed on the first run.

People pay a lot of money to get their app into the market with Azure - so I don't understand why you can't build a proper feedback cycle? Right now it's just more a guessing game of what maybe went wrong. Can somebody from Microsoft please explain?

And that we are discussing this in a GitHub issue just highlights this maniac process 😆 I don't know if it's just me, but it feels really weird ...

latenitefilms commented 3 weeks ago

@mehasharma - I've just tried to go through the verification process, and it failed, and found this GitHub issue - it seems the issue is because the company is brand new - and there's still a three year requirement. Is it possible to notify us on this GitHub issue once this limit is lifted? It seems pretty strange to have a three year requirement, given all the information we need to provide? Surely if people were going to use Trusted Signing for the wrong reasons, they wouldn't go to the effort of setting up a new registered company, registering a domain via the registered company, etc? Is there any further information that can be provided to "prove" that our company is legit?

TacoTechSharma commented 3 weeks ago

@latenitefilms The team is working on making the service available to organizations that were incorporated less than 3 years ago. It has more to do to ensure there is the right process laid out before we can open up the service. There will be an announcement through MSFT and Azure comm channels when that capability is available.

latenitefilms commented 3 weeks ago

@mehasharma - Thanks heaps for the super fast reply - HUGELY appreciated! If you could update this GitHub issue too when it happens that would be AMAZING. I'm totally new to the whole Microsoft Azure world - and to be honest, setting up Trusted Signing was INSANELY complicated. I would say it would have been almost impossible to do if it wasn't for this super helpful blog post:

https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/

I only mention this because I don't currently really see anything from MSFT and Azure comm channels - as I'm totally outside of this world.

Who knew that just code-signing an app would be such a crazy challenge. Definitely a lot easier in the Apple world!

(For clarity, I managed to get Trusted Signing working with one of my companies that's been around for decades, but not a new company that we just set up)

Thanks again for your fast reply! If you want to test out the expansion, and need some beta testers, let me know, because I'd love to get Trusted Signing up and running with this new company ASAP (to avoid having to buy a hardware key for code-signing).

TacoTechSharma commented 3 weeks ago

@latenitefilms Appreciate the feedback and we can try to update the thread here! Do you mind elaborating which step of setting up Trusted Signing you struggled with: creating resources or setting up signing with your CI/CD pipelines?

latenitefilms commented 3 weeks ago

@mehasharma - To be honest, the whole process of setting up a Microsoft account, then an Azure account, then all the steps you need to go through to set up Trusted Signing felt completely foreign and overly complex.

If you compare to Apple, you just need to set up a Developer Account, then in Xcode you're basically good to go. The trickiest part with Apple's signup for companies is making sure you have a D-U-N-S number - but they also handle that for you.

Keep in mind that all I want from Azure is the ability to code-sign my Windows installer - I don't need all the billions of other things that Azure can do.

If you haven't already, I'd highly recommend having a read of this blog post:

https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/

It explains most of the annoyances/complexities with setting up a new Trusted Signing account.

I'd also LOVE better error messages - for example, nowhere in the rejection email did it say it was rejected because the company was less than 3 years old. This IS documented on Microsoft's website if you look hard enough, but NOT documented in the actual Azure website. It would save a lot of pain if the first thing it asked you when you click "Identity validation" is that it asked you if your company is more than 3 years old.

Currently my identity verification page just says "Failed" - and that's it. No further information about why it failed. No option to do anything about the failure. That's pretty terrible user interface design to be honest.

I'd also love to be able to search for "Identity validation" in the main search menu like you can for most other things. At the moment you need to just know that identity verification is in the Trusted Signing page - which makes sense, but you need to set up so many other things in different resources/services, that to be honest, this identity verification could be ANYWHERE.

Hope this helps? Any questions let me know!

latenitefilms commented 3 weeks ago

Another suggestion... if the user tells Azure during identity validation that the company is less than three years old, and it won't work due to rejection, it would be amazing to have a "do you want us to send you an email when it's available" option. This would make things a lot slicker.

BayScallop commented 3 weeks ago

We are having the same issue. Established business with all public records current and MS ISV and Partner. Request to create a trusted signing account fails with big red FAIL, no explanation or suggestions. I submitted requested documents and would get an "In progress" message eventually resulting in a "fail" when I uploaded another doc with text asking what they were looking for. This is a big issue as it is blocking release of a new product.

latenitefilms commented 3 weeks ago

@BayScallop is your company older than 3 years? If not... unfortunately you've hit an un-passable (for now) roadblock. Your only option will be a hardware dongle for code-signing outside of Azure.

BayScallop commented 3 weeks ago

Yes. My company was incorporated in 1993 so it has been around for a bit and all docs and tax records are in place.



latenitefilms commented 3 weeks ago

Huh, that's very strange then. I had no issues with my company, only a new company that's less than a year old.

BayScallop commented 3 weeks ago

Yes, odd experience. Everything seemed fine and I uploaded a whois screenshot from GoDaddy. They rejected that. And my domains use MS DNS so I uploaded a doc for proof of ownership and that was rejected. Finally I created a doc that included this information and I put a note in asking why it was rejected and what they wanted exactly, then I got the fail.

My company is a US based S-Corp we have been incorporated for well over 10 years and we are a MS ISV Partner and a Certified Veteran Owned business so there is a lot of documentation to prove ownership.

It seems very difficult to get support on this issue; I have reached out to my contacts in the ISV programs and they seem to not be able to help.

I do get that MS wants to be very sure about this as a bad certification could be really impactful, but we have the docs and relationships to prove our organizational trustworthiness, so I feel a bit at an impasse.

Really appreciate you jumping in and providing some input here!


don41382 commented 3 weeks ago

I got rejected again. I am just transferring my German company Rocket Solution GmbH to a Spanish S.L. So I guess I can't use the Spanish one, because it didn't exist for 3 years.

So this time I am trying to validate the identity with my German company (id: *-9b0b561acf61).

I would highly appreciate it if someone could assist me or give feedback on the decline reasons.

don41382 commented 3 weeks ago

I finally got accepted 💥 Thank you!

Kayo-b commented 3 weeks ago

Hello, I've also had the same issue where the company's identity validation for its Trusted Signing Account has been denied three times after the "Formation documents" and "Domain purchase invoices" were provided. Now the status got changed to "Canceled" and the docs re-upload feature isn't available anymore.

Today I tried to create a new identity validation request but it got canceled without asking for any documents.

I would love to get some support on this if possible.

Org Name: Shaft Turbomachinery SE GmbH

Identity Validation IDs: e49118cf-0c9d-4a19-b5f4-b797f76c282f e11e470b-8151-4189-a5d4-f547139a24dd

Thanks!

brendanrempel commented 2 weeks ago

I'm getting the same error but probably because of either the business number or length of time for the business but the problem is that I can't tell. There's no explanation anywhere. There's an email that goes to the portal, but not even an entry in the Notifications.

latenitefilms commented 2 weeks ago

@brendanrempel - If your business is less than 3 years old, it will ALWAYS fail. There's no grey area, or exceptions. If it's MORE than 3 years old, try submitting again with a PDF that contains EVERY bit of company information you can think of.

For example:

My Company Name Pty Ltd
ABN: 72130929000
123 Fake Street, Fakesville 1234, Victoria, Australia
+61 0000 000 000
hello@email.com
www.website.com

Tuesday 8th October 2024

Attention: Microsoft Azure Team



Subject: Assignment Letter for Microsoft Azure Account Management



I, Bart Simpson, am writing on behalf of My Company Name Pty Ltd to authorise myself to manage our organisation's Microsoft Azure account and services. This authorisation allows me to sign agreements, access services, and act on behalf of My Company Name Pty Ltd in all matters related to Microsoft Azure.



This letter authorises myself, Bart Simpson, Founder, with email hello@email.com and phone +61 0000 000 000, to act as our official representative for the purpose of accessing, managing, and configuring services within our Microsoft Azure account, effective immediately. This authorisation includes the authority to make purchasing decisions, manage billing, access support, and modify subscriptions as needed.



My Company Name Pty Ltd is a registered proprietary limited company in Australia, with an ABN of 72130929000, with the official address at 123 Fake Street, Fakesville 1234, Victoria, Australia. Our D-U-N-S number is 123545321. You can find our company name at the bottom of the www.website.com website, and in our privacy policy at: https://www.website.com/privacy/



Please do not hesitate to contact us if you require further information regarding this authorisation. Thank you for your attention to this matter.

Sincerely,

Bart Simpson

latenitefilms commented 2 weeks ago

@mehasharma - Before I go down the expensive route of a hardware signing key, do you have any ROUGH estimate how long until you open things up to companies under three years? Are we talking weeks, months or years?

TacoTechSharma commented 1 week ago

@BayScallop Please ensure the documents uploaded match and cover everything that is in the request. Refer to the section "More documentation here": https://learn.microsoft.com/en-us/azure/trusted-signing/quickstart?tabs=registerrp-portal%2Caccount-portal%2Ccertificateprofile-portal%2Cdeleteresources-portal. The validation team got back that the documents do not match what's input in the request. Please review all the information entered in the request and upload the supporting documents. We very much want to ensure folks are able to onboard and use the service, however, you got it right, why the process is the way it is laid out. We need to verify any and everything mentioned in the request before we can onboard someone.

TacoTechSharma commented 1 week ago

@Kayo-b Please ensure you review the details here and see the documents uploaded meet the criteria: https://learn.microsoft.com/en-us/azure/trusted-signing/quickstart?tabs=registerrp-portal%2Caccount-portal%2Ccertificateprofile-portal%2Cdeleteresources-portal#important-information-for-public-identity-validation

TacoTechSharma commented 1 week ago

@latenitefilms we are talking months not years!

latenitefilms commented 1 week ago

@mehasharma - Amazing! Thanks so much! We'll hold off buying a third party certificate for now then. Please let me know if you need any beta testers for early signups!

LckySndays commented 1 week ago

@TacoTechSharma I need help, not sure what is the cause for my validation to fail.

Identity Validation IDs:

- e09ed835-4a42-44b6-a198-14beaa8f885d (Failed after submitting document 3 times)
- 3ffaa143-a724-4d0a-a5f0-a2ebcfc8f478 (Failed without any chance to submit anything)
- db35dcc2-545a-4945-8a65-02f544ffca6f (Failed without any chance to submit anything)

TacoTechSharma commented 1 week ago

@LckySndays Looks like this is a duplicate for the question asked on Q&A as well.

LckySndays commented 1 week ago

> @LckySndays Looks like this is a duplicate for the question asked on Q&A as well.

@TacoTechSharma Yes, since I keep getting auto-fail for every new identity validation submission, I have no chance to upload any new updated document to fix the issue. I have been trying to contact support by email/phone with no luck for now. I even tried to upload a new updated document as a file attached in Q&A but got banned automatically by the system for misconduct, I think. I also uploaded the document as an attachment via email hoping someone can help resolve my issue. https://learn.microsoft.com/en-us/answers/questions/1856363/trusted-signing-identity-validation-keeps-refusing