Why is azuresigntool.exe executable file itself not signed?

[jwarwick-bry]

Maybe I am in that unfortunate valley of only having enough knowledge to be troublesome, but I was really surprised to find immediately after installing azuresigntool via dotnet tool install --global AzureSignTool that the $HOME.dotnet\tools\azuresigntool.exe file itself is not signed. I suppose that if you actually go back and check signatures with a separate tool, that mitigates some hypothetical supply chain attack camouflaging via compromised signing tool, but still I'm kind of surprised that something so central to the issue wouldn't just be subject to signing by default.
So, for my edification, why is azuresigntool.exe (as installed to typical GA workstations running vanilla everything) itself not signed?

[vcsjones]

AzureSignTool, when installed as a NuGet global tool, has no EXE - there is no EXE for me to sign.

That azuresigntool.exe is created by NuGet (dotnet tool) and is a stub executable that executes the .NET code that actually contains the AzureSignTool implementation.

The actual implementation of the library will be in a directory like

%HOMEPATH%\.dotnet\tools\.store\azuresigntool\6.0.0\azuresigntool\6.0.0\tools\net8.0\any\AzureSignTool.dll

and that library is signed (As is AzureSign.Core.dll). That is all of the flexibility of what I can sign. Since the .EXE is created on-the-fly by dotnet tool there is no way for me to provide a signed EXE stub, as far as I know.

---

If you want a signed EXE, then I would recommend using the installation that does not use dotnet tool or NuGet. You can grab a normal, signed EXE from the GitHub release or install it with winget install vcsjones.azuresigntool.

The EXEs there are signed.

The README has recently been updated to explain other differences between acquiring the tool from dotnet tool and just downloading a normal EXE.

[jwarwick-bry]

Thank you for taking the time to explain it. Ignorance reduced.