Safer Software with Signing Transparency: What's New from Microsoft

Nov 28, 2025 | Jindřich Zechmeister

Microsoft introduced Signing Transparency — a cryptographically verifiable transparent log that increases trust in software and protects against attacks on the software supply chain. Learn how this technology is changing the way signed artifacts are verified.

Why Software Supply Chain Security Is Becoming More Challenging

The security of the software supply chain has been one of the biggest topics in the field of cybersecurity in recent years. Modern applications are no longer a monolithic block of code but rather a mosaic of internal components, open-source libraries, third-party services, and build tools. It only takes a single weak spot in this chain for an attacker to stealthily insert malicious code into legitimate-looking software. While traditional digital signatures still play an important role, they alone are no longer sufficient against sophisticated attacks—especially when the signing key or the entire build system can be compromised.

Microsoft Introduces Signing Transparency

Microsoft is responding to this issue with a new service called Signing Transparency, which was introduced in public preview. Its goal is to add an additional layer of trust and transparency to the signing process. The basic idea is simple: every signed artifact—whether it be a binary, container image, firmware, or another type of software—will not only have a standard digital signature, but an immutable record of it will also be created in a so-called transparency log.

How Signing Transparency Works

When an artifact is signed, the signature information is sent to the Signing Transparency service. This service maintains a cryptographically secured, append-only log: a ledger to which new entries can only be added and in which existing entries can never be changed or deleted after the fact. The log runs in a confidential computing environment, so even the infrastructure hosting it is protected against unauthorized interference. A "receipt" is then issued alongside the signature: a cryptographic confirmation that the signature has been recorded in the log, carrying a Merkle tree-based proof of when and by whom the artifact was signed.

Benefits for Software Recipients and Publishers

For software recipients, this means they no longer have to rely solely on a signature that merely appears legitimate. They can independently verify whether the given signature actually exists in the official log, matches the expected publisher, and has not undergone suspicious changes. An attacker who obtains the signing key can indeed sign malicious code, but cannot bypass the transparency log: every such signature would be recorded, traceable, and auditable. This significantly complicates silent update-compromise attacks, in which users receive seemingly legitimate updates that contain hidden malware.
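The append-only log, the receipt and the recipient-side check described in the two sections above, as an added illustration that is not Microsoft's code and does not use the real service's receipt format: a toy Merkle-tree log in Python that issues a receipt (log root plus audit path) for each constructed signing record, and a verifier that recomputes the root so a recipient can tell a recorded record from a tampered one. Hash prefixes, record layout and receipt fields are assumptions of this example.

```python
import hashlib

def leaf_hash(record: bytes) -> bytes:
    # 0x00 prefix keeps leaf hashes distinct from inner-node hashes (assumed scheme).
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n: int) -> int:
    # Largest power of two strictly smaller than n (n >= 2); fixes the tree shape.
    return 1 << ((n - 1).bit_length() - 1)

def _root(hashes: list[bytes]) -> bytes:
    if len(hashes) == 1:
        return hashes[0]
    k = split_point(len(hashes))
    return node_hash(_root(hashes[:k]), _root(hashes[k:]))

def _path(hashes: list[bytes], index: int) -> list[tuple[str, bytes]]:
    # Audit path: (side, sibling_hash) pairs from the leaf up to the root.
    if len(hashes) == 1:
        return []
    k = split_point(len(hashes))
    if index < k:
        return _path(hashes[:k], index) + [("R", _root(hashes[k:]))]
    return _path(hashes[k:], index - k) + [("L", _root(hashes[:k]))]

class TransparencyLog:
    """Append-only Merkle log of signing records (toy stand-in, not the real service)."""
    def __init__(self) -> None:
        self.leaves: list[bytes] = []

    def append(self, record: bytes) -> int:
        # Deliberately the only mutating operation: no update, no delete.
        self.leaves.append(leaf_hash(record))
        return len(self.leaves) - 1

    def receipt(self, index: int) -> dict:
        # Receipt = position in the log, tree size, root at issue time, audit path.
        # A real service would sign the root; that signature is omitted here.
        return {"index": index, "size": len(self.leaves),
                "root": _root(self.leaves), "path": _path(self.leaves, index)}

def verify_receipt(record: bytes, receipt: dict) -> bool:
    # Recipient side: rebuild the root from the record and the path, compare to the receipt.
    h = leaf_hash(record)
    for side, sibling in receipt["path"]:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == receipt["root"]

def demo() -> tuple[bool, bool]:
    # Constructed records: what a publisher's signature entry might summarise.
    records = [b"artifact=app-1.0.msi;publisher=ExamplePublisher;signed=2025-11-28T10:00Z",
               b"artifact=app-1.1.msi;publisher=ExamplePublisher;signed=2025-11-28T11:00Z",
               b"artifact=fw-2.bin;publisher=ExamplePublisher;signed=2025-11-28T12:00Z"]
    log = TransparencyLog()
    receipts = [log.receipt(log.append(r)) for r in records]
    genuine = verify_receipt(records[1], receipts[1])
    forged = verify_receipt(records[1].replace(b"app-1.1", b"app-1.2"), receipts[1])
    return genuine, forged  # expected (True, False)
```

Each receipt binds a record to the root as it stood when the receipt was issued; later appends change the root but do not invalidate earlier receipts, which is what makes the ledger append-only rather than merely tamper-evident.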

The Next Step in the Evolution of Software Signing

Overall, Signing Transparency represents an important step in the evolution of digital signing. It is no longer sufficient just to verify that a file is signed—it must be possible to demonstrate that the signature fits into a broader, transparent, and auditable context. Microsoft is thereby responding to the growing number of attacks on the software supply chain and the need to standardize software trustworthiness across the entire ecosystem.

Sources:

The article Enhancing software supply chain security with Microsoft’s Signing Transparency, available on the Azure blog.