docs: document Microsoft Azure Trusted Signing as fallback to SignPath

Novel writing app that bridges outlining and drafting. Built with Rust

Status: Beta

Brought to you by: smithandweb

#156 docs: document Microsoft Azure Trusted Signing as fallback to SignPath

Status: open

Owner: nobody

Labels: documentation (13) platform: windows (2)

Updated: 2026-01-27

Created: 2026-01-27

Creator: Anonymous

Private: No

Originally created by: smith-and-web

Purpose

Document Microsoft Azure Trusted Signing as a backup option if the SignPath Foundation application is rejected or doesn't work out.

Background

If SignPath (#152) isn't viable, Azure Trusted Signing provides an alternative path to Windows code signing with immediate SmartScreen reputation.

Azure Trusted Signing Details

Aspect	Details
Cost	$9.99/month (~$120/year)
SmartScreen	Immediate reputation (no warning buildup)
HSM	Cloud-based, no hardware token needed
Integration	GitHub Actions support available
Availability	USA, Canada, EU, UK only

Advantages Over Traditional Certificates

No hardware security module (HSM) shipping/management
Simpler than traditional OV/EV certificate workflows
Microsoft-backed identity validation through Entra

When to Consider

SignPath application rejected
SignPath integration proves too complex
Need faster turnaround than SignPath approval process

Documentation to Add

If this becomes relevant, add to installation docs:

## Windows Code Signing

Windows builds are signed using Microsoft Azure Trusted Signing, which provides 
immediate SmartScreen reputation. You should not see security warnings when 
installing Kindling.

References

Azure Trusted Signing
GitHub Action for Azure Trusted Signing
Note: Since June 2023, all Windows code signing requires HSM storage—Azure handles this automatically

This is a backlog item. Only implement if SignPath (#152) doesn't work out.