Yes, it's happening again. A regular person needs to ask for help on HN because a major tech company has broken processes and refuses to offer support.

I'm trying to sign up for Trusted Signing Accounts, so I can obtain certificates to sign Windows executables. There's a plethora of reports online about how broken Azure's processes surrounding this are. The business number field won't even accept ABNs (Australian Business Numbers). The work-around is just to enter your ABN as a Tax Identifier and pray to whatever deity you may or may not believe in.

Next, you need to verify your identity. This process is especially broken. Microsoft DO NOT actually verify your identity. What they attempt to do is verify you own a domain. What that has to do with code signing, I'm not sure. However, they go out of their way to make this process nice and easy for fraudulent persons to exploit, but near impossible for regular people to adhere to. Specifically, they DON'T let you verify your domain via TXT records or ACME-style HTTP challenges etc. No. Instead, your options are:

1. Assignment letter from an authorized representative of the organization

2. Domain ownership records, such as Whois

3. Domain purchase invoices or registry confirmation records

4. Website showing name, address, contact information, and domain of the organization

You might be scratching your head as to how any of these verify your ownership of the domain. Well. That's because they don't. But let's just play along for a little.

Here's what I've tried:

1. Done. They didn't accept it.

2. Done. They didn't accept it.

3. Impossible for domains bought via AWS. They don't provide itemised invoices. However, I tried to verify a second domain this way. This was also not accepted.

4. Done. They didn't accept it.

Every time I submitted, typically after hours of waiting, I was met with the canned response:

> Hello, Thank you for reaching out. We are unable to verify your account based on the information you’ve provided and are requesting additional information. To ensure that the information we have on record is verifiable and correct, please take the following steps to appeal your verification status. Please provide the domain registration or domain invoice from registration or renewal that lists the entity/contact name and domain as it is stated on your account. If it is not possible to provide additional documentation, please update your domain information to match the documents already provided. All documents submitted must be issued within the previous 12 months or where the expiration date is a future date that is at least two months away. Thank you, Vetting Operations Support

Now I don't know if the documents I submitted were up to their standards. My Whois records do NOT have domain privacy enabled and show both my name and my business name, so I'm not sure what's wrong there. However, the invoice I submitted for option 3 was generated by Porkbun. I think the only way they'd accept my document is if I created a forgery that perfectly displayed the exact information they're after. Which brings me back to my point about how this process is great for those with nefarious intentions. In my letter for option 1, I even included a link to the letter itself hosted at the root domain i.e. I attempted HTTP-style authentication. Nope. I also included my phone number, both an Australian and US number. They've made zero attempt to contact me via phone.

I'd really appreciate it if someone at Microsoft could:

1. Tell me why my submissions are actually being rejected.

2. Point out to the PM in charge of Trusted Signing Accounts that their processes don't validate anything and are ripe for abuse.

Validation attempt IDs are 4908d985-d2d7-492f-a8a5-4c1c78ee52f8, 59378d4f-3228-459d-88a6-a41f6004d518 and 1629d8b8-9740-4316-9bd3-c4220976e5a8.