From 2cba4420ad45bc1ef486075b2b72ef5f57af3713 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Fri, 14 Jun 2024 11:59:29 +0200
Subject: [PATCH 01/13] Added Sign.SignatureProviders.TrustedSigning.

---
 Directory.Packages.props                      |  4 +-
 sign.sln                                      |  7 ++
 src/Sign.Core/Sign.Core.csproj                |  2 +
 .../RSATrustedSigning.cs                      | 84 ++++++++++++++++
 ...n.SignatureProviders.TrustedSigning.csproj | 22 +++++
 .../TrustedSigningService.cs                  | 99 +++++++++++++++++++
 .../TrustedSigningServiceProvider.cs          | 70 +++++++++++++
 7 files changed, 287 insertions(+), 1 deletion(-)
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs

diff --git a/Directory.Packages.props b/Directory.Packages.props
index 84fa4b7f..865516c9 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -4,6 +4,8 @@
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
   </PropertyGroup>
   <ItemGroup>
+    <PackageVersion Include="Azure.Core" Version="1.38.0" />
+    <PackageVersion Include="Azure.CodeSigning.Sdk" Version="0.1.96" />
     <PackageVersion Include="Azure.Identity" Version="1.11.4" />
     <PackageVersion Include="Azure.Security.KeyVault.Certificates" Version="4.6.0" />
     <PackageVersion Include="AzureSign.Core" Version="4.0.1" />
@@ -31,4 +33,4 @@
     <PackageVersion Include="System.Text.Json" Version="8.0.3" />
     <PackageVersion Include="Microsoft.Dynamics.BusinessCentral.Sip.Main" Version="24.0.15760" />
   </ItemGroup>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/sign.sln b/sign.sln
index a66db519..103635b5 100644
--- a/sign.sln
+++ b/sign.sln
@@ -42,6 +42,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Sign.SignatureProviders.Cer
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Sign.SignatureProviders.CertificateStore.Test", "test\Sign.SignatureProviders.CertificateStore.Test\Sign.SignatureProviders.CertificateStore.Test.csproj", "{3AE48DC2-8422-4E3A-AFBC-12551D50DBCA}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Sign.SignatureProviders.TrustedSigning", "src\Sign.SignatureProviders.TrustedSigning\Sign.SignatureProviders.TrustedSigning.csproj", "{060800AF-42FC-493C-AD99-9C87212BA969}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -84,6 +86,10 @@ Global
 		{3AE48DC2-8422-4E3A-AFBC-12551D50DBCA}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{3AE48DC2-8422-4E3A-AFBC-12551D50DBCA}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{3AE48DC2-8422-4E3A-AFBC-12551D50DBCA}.Release|Any CPU.Build.0 = Release|Any CPU
+		{060800AF-42FC-493C-AD99-9C87212BA969}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{060800AF-42FC-493C-AD99-9C87212BA969}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{060800AF-42FC-493C-AD99-9C87212BA969}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{060800AF-42FC-493C-AD99-9C87212BA969}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -98,6 +104,7 @@ Global
 		{47F03ADD-A646-44C8-92FA-9594CD4506E6} = {780818DD-6B52-47C8-AC54-71448DF822BD}
 		{68104303-9832-4841-89AB-B98712C4E618} = {92C73EE1-4EF3-4721-B6A9-9F458A673CA3}
 		{3AE48DC2-8422-4E3A-AFBC-12551D50DBCA} = {780818DD-6B52-47C8-AC54-71448DF822BD}
+		{060800AF-42FC-493C-AD99-9C87212BA969} = {92C73EE1-4EF3-4721-B6A9-9F458A673CA3}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {7AA1043F-37A2-404F-8EC3-34C747C1CEB7}
diff --git a/src/Sign.Core/Sign.Core.csproj b/src/Sign.Core/Sign.Core.csproj
index adaeba0a..3eee397d 100644
--- a/src/Sign.Core/Sign.Core.csproj
+++ b/src/Sign.Core/Sign.Core.csproj
@@ -29,6 +29,8 @@
     <InternalsVisibleTo Include="Sign.SignatureProviders.CertificateStore.Test" />
     <InternalsVisibleTo Include="Sign.SignatureProviders.KeyVault" />
     <InternalsVisibleTo Include="Sign.SignatureProviders.KeyVault.Test" />
+    <InternalsVisibleTo Include="Sign.SignatureProviders.TrustedSigning" />
+    <InternalsVisibleTo Include="Sign.SignatureProviders.TrustedSigning.Test" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs b/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
new file mode 100644
index 00000000..a1fc7f0d
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
@@ -0,0 +1,84 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Azure;
+using Azure.CodeSigning;
+using Azure.CodeSigning.Models;
+
+namespace Sign.SignatureProviders.TrustedSigning
+{
+    internal sealed class RSATrustedSigning : RSA
+    {
+        private readonly CertificateProfileClient _client;
+        private readonly string _accountName;
+        private readonly string _certificateProfileName;
+        private readonly X509Certificate2 _publicKey;
+
+        public RSATrustedSigning(
+            CertificateProfileClient client,
+            string accountName,
+            string certificateProfileName,
+            X509Certificate2 publicKey)
+        {
+            _client = client;
+            _accountName = accountName;
+            _certificateProfileName = certificateProfileName;
+            _publicKey = publicKey;
+        }
+
+        private RSA PublicKey
+            => _publicKey.GetRSAPublicKey()!;
+
+        public override RSAParameters ExportParameters(bool includePrivateParameters)
+        {
+            if (includePrivateParameters)
+            {
+                throw new NotSupportedException();
+            }
+
+            return PublicKey.ExportParameters(false);
+        }
+
+        public override void ImportParameters(RSAParameters parameters)
+            => throw new NotImplementedException();
+
+        public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
+        {
+            var signatureAlgorithm = GetSignatureAlgorithm(hash, padding);
+            SignRequest request = new(signatureAlgorithm, hash);
+            CertificateProfileSignOperation operation = _client.StartSign(_accountName, _certificateProfileName, request);
+            Response<SignStatus> response = operation.WaitForCompletion();
+            return response.Value.Signature;
+        }
+
+        public override bool VerifyHash(byte[] hash, byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
+            => PublicKey.VerifyHash(hash, signature, hashAlgorithm, padding);
+
+        protected override byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName hashAlgorithm)
+        {
+            using HashAlgorithm hasher = CreateHasher(hashAlgorithm);
+            return hasher.ComputeHash(data, offset, count);
+        }
+
+        private static SignatureAlgorithm GetSignatureAlgorithm(byte[] digest, RSASignaturePadding padding)
+            => digest.Length switch
+            {
+                32 => padding == RSASignaturePadding.Pss ? Azure.CodeSigning.Models.SignatureAlgorithm.PS256 : Azure.CodeSigning.Models.SignatureAlgorithm.RS256,
+                48 => padding == RSASignaturePadding.Pss ? Azure.CodeSigning.Models.SignatureAlgorithm.PS384 : Azure.CodeSigning.Models.SignatureAlgorithm.RS384,
+                64 => padding == RSASignaturePadding.Pss ? Azure.CodeSigning.Models.SignatureAlgorithm.PS512 : Azure.CodeSigning.Models.SignatureAlgorithm.RS512,
+                _ => throw new NotSupportedException(),
+            };
+
+        private static HashAlgorithm CreateHasher(HashAlgorithmName hashAlgorithm)
+            => hashAlgorithm.Name switch
+            {
+                nameof(SHA256) => SHA256.Create(),
+                nameof(SHA384) => SHA384.Create(),
+                nameof(SHA512) => SHA512.Create(),
+                _ => throw new NotSupportedException(),
+            };
+    }
+}
diff --git a/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj b/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
new file mode 100644
index 00000000..b8e2cef0
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <IsShipping>true</IsShipping>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <!-- This can probably be removed here and in Directory.Packages.props once we upgrade to a different Trusted Signing library -->
+    <PackageReference Include="Azure.Core" />
+    <PackageReference Include="Azure.CodeSigning.Sdk" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Sign.Core\Sign.Core.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <InternalsVisibleTo Include="sign" />
+    <InternalsVisibleTo Include="Sign.SignatureProviders.TrustedSigning.Test" />
+  </ItemGroup>
+
+</Project>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
new file mode 100644
index 00000000..7cabeb1c
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
@@ -0,0 +1,99 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using System.Diagnostics;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using Azure;
+using Azure.CodeSigning;
+using Azure.CodeSigning.Models;
+using Azure.Core;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Sign.Core;
+
+namespace Sign.SignatureProviders.TrustedSigning
+{
+    internal sealed class TrustedSigningService : ISignatureAlgorithmProvider, ICertificateProvider, IDisposable
+    {
+        private static readonly SignRequest _emptyRequest = new(SignatureAlgorithm.RS256, new byte[32]);
+
+        private readonly CertificateProfileClient _client;
+        private readonly string _accountName;
+        private readonly string _certificateProfileName;
+        private readonly ILogger<TrustedSigningService> _logger;
+        private readonly SemaphoreSlim _mutex = new(1);
+        private X509Certificate2? _publicKey;
+
+        public TrustedSigningService(
+            IServiceProvider serviceProvider,
+            TokenCredential tokenCredential,
+            Uri endpointUrl,
+            string accountName,
+            string certificateProfileName)
+        {
+            ArgumentNullException.ThrowIfNull(serviceProvider, nameof(serviceProvider));
+            ArgumentNullException.ThrowIfNull(tokenCredential, nameof(tokenCredential));
+            ArgumentNullException.ThrowIfNull(endpointUrl, nameof(endpointUrl));
+            ArgumentException.ThrowIfNullOrEmpty(accountName, nameof(accountName));
+            ArgumentException.ThrowIfNullOrEmpty(certificateProfileName, nameof(certificateProfileName));
+
+            _client = new CertificateProfileClient(tokenCredential, endpointUrl);
+            _accountName = accountName;
+            _certificateProfileName = certificateProfileName;
+
+            _logger = serviceProvider.GetRequiredService<ILogger<TrustedSigningService>>();
+        }
+
+        public void Dispose()
+        {
+            _mutex.Dispose();
+            _publicKey?.Dispose();
+            GC.SuppressFinalize(this);
+        }
+
+        public async Task<X509Certificate2> GetCertificateAsync(CancellationToken cancellationToken)
+        {
+            if (_publicKey is not null)
+            {
+                return new X509Certificate2(_publicKey);
+            }
+
+            await _mutex.WaitAsync();
+            try
+            {
+                if (_publicKey is null)
+                {
+                    Stopwatch stopwatch = Stopwatch.StartNew();
+
+                    _logger.LogTrace(Resources.FetchingCertificate);
+
+                    CertificateProfileSignOperation operation = await _client.StartSignAsync(_accountName, _certificateProfileName, _emptyRequest, cancellationToken: cancellationToken);
+                    Response<SignStatus> response = await operation.WaitForCompletionAsync(cancellationToken);
+
+                    byte[] rawData = Convert.FromBase64String(Encoding.UTF8.GetString(response.Value.SigningCertificate));
+                    X509Certificate2Collection collection = [];
+                    collection.Import(rawData);
+
+                    _publicKey = collection[collection.Count - 1];
+
+                    _logger.LogTrace(Resources.FetchedCertificate, stopwatch.Elapsed.TotalMilliseconds);
+                }
+            }
+            finally
+            {
+                _mutex.Release();
+            }
+
+            return new X509Certificate2(_publicKey);
+        }
+
+        public async Task<RSA> GetRsaAsync(CancellationToken cancellationToken)
+        {
+            X509Certificate2 publicKey = await GetCertificateAsync(cancellationToken);
+            return new RSATrustedSigning(_client, _accountName, _certificateProfileName, publicKey);
+        }
+    }
+}
diff --git a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs
new file mode 100644
index 00000000..dbb01f63
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs
@@ -0,0 +1,70 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using Azure.Core;
+using Sign.Core;
+
+namespace Sign.SignatureProviders.TrustedSigning
+{
+    internal sealed class TrustedSigningServiceProvider : ISignatureProvider
+    {
+        private readonly TokenCredential _tokenCredential;
+        private readonly Uri _endpointUrl;
+        private readonly string _accountName;
+        private readonly string _certificateProfileName;
+        private readonly object _lockObject = new();
+        private TrustedSigningService? _trustedSigningService;
+
+        public TrustedSigningServiceProvider(
+            TokenCredential tokenCredential,
+            Uri endpointUrl,
+            string accountName,
+            string certificateProfileName)
+        {
+            ArgumentNullException.ThrowIfNull(tokenCredential, nameof(tokenCredential));
+            ArgumentNullException.ThrowIfNull(endpointUrl, nameof(endpointUrl));
+            ArgumentException.ThrowIfNullOrEmpty(accountName, nameof(accountName));
+            ArgumentException.ThrowIfNullOrEmpty(certificateProfileName, nameof(certificateProfileName));
+
+            _tokenCredential = tokenCredential;
+            _endpointUrl = endpointUrl;
+            _accountName = accountName;
+            _certificateProfileName = certificateProfileName;
+        }
+
+        public ISignatureAlgorithmProvider GetSignatureAlgorithmProvider(IServiceProvider serviceProvider)
+        {
+            ArgumentNullException.ThrowIfNull(serviceProvider, nameof(serviceProvider));
+
+            return GetService(serviceProvider);
+        }
+
+        public ICertificateProvider GetCertificateProvider(IServiceProvider serviceProvider)
+        {
+            ArgumentNullException.ThrowIfNull(serviceProvider, nameof(serviceProvider));
+
+            return GetService(serviceProvider);
+        }
+
+        private TrustedSigningService GetService(IServiceProvider serviceProvider)
+        {
+            if (_trustedSigningService is not null)
+            {
+                return _trustedSigningService;
+            }
+
+            lock (_lockObject)
+            {
+                if (_trustedSigningService is not null)
+                {
+                    return _trustedSigningService;
+                }
+
+                _trustedSigningService = new TrustedSigningService(serviceProvider, _tokenCredential, _endpointUrl, _accountName, _certificateProfileName);
+            }
+
+            return _trustedSigningService;
+        }
+    }
+}

From 5a5b580c40ce4e73439a8dd26d5dddb07912db76 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Fri, 14 Jun 2024 13:11:09 +0200
Subject: [PATCH 02/13] Added unit tests for
 Sign.SignatureProviders.TrustedSigning.

---
 sign.sln                                      |   7 +
 ...natureProviders.TrustedSigning.Test.csproj |  22 +++
 .../TrustedSigningServiceProviderTests.cs     | 136 ++++++++++++++++++
 .../TrustedSigningServiceTests.cs             |  91 ++++++++++++
 .../Usings.cs                                 |   5 +
 5 files changed, 261 insertions(+)
 create mode 100644 test/Sign.SignatureProviders.TrustedSigning.Test/Sign.SignatureProviders.TrustedSigning.Test.csproj
 create mode 100644 test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceProviderTests.cs
 create mode 100644 test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs
 create mode 100644 test/Sign.SignatureProviders.TrustedSigning.Test/Usings.cs

diff --git a/sign.sln b/sign.sln
index 103635b5..bcd6c440 100644
--- a/sign.sln
+++ b/sign.sln
@@ -44,6 +44,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Sign.SignatureProviders.Cer
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Sign.SignatureProviders.TrustedSigning", "src\Sign.SignatureProviders.TrustedSigning\Sign.SignatureProviders.TrustedSigning.csproj", "{060800AF-42FC-493C-AD99-9C87212BA969}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Sign.SignatureProviders.TrustedSigning.Test", "test\Sign.SignatureProviders.TrustedSigning.Test\Sign.SignatureProviders.TrustedSigning.Test.csproj", "{A81695AF-088A-436A-9A38-4D0B0DB2D826}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -90,6 +92,10 @@ Global
 		{060800AF-42FC-493C-AD99-9C87212BA969}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{060800AF-42FC-493C-AD99-9C87212BA969}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{060800AF-42FC-493C-AD99-9C87212BA969}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A81695AF-088A-436A-9A38-4D0B0DB2D826}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A81695AF-088A-436A-9A38-4D0B0DB2D826}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A81695AF-088A-436A-9A38-4D0B0DB2D826}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A81695AF-088A-436A-9A38-4D0B0DB2D826}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -105,6 +111,7 @@ Global
 		{68104303-9832-4841-89AB-B98712C4E618} = {92C73EE1-4EF3-4721-B6A9-9F458A673CA3}
 		{3AE48DC2-8422-4E3A-AFBC-12551D50DBCA} = {780818DD-6B52-47C8-AC54-71448DF822BD}
 		{060800AF-42FC-493C-AD99-9C87212BA969} = {92C73EE1-4EF3-4721-B6A9-9F458A673CA3}
+		{A81695AF-088A-436A-9A38-4D0B0DB2D826} = {780818DD-6B52-47C8-AC54-71448DF822BD}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {7AA1043F-37A2-404F-8EC3-34C747C1CEB7}
diff --git a/test/Sign.SignatureProviders.TrustedSigning.Test/Sign.SignatureProviders.TrustedSigning.Test.csproj b/test/Sign.SignatureProviders.TrustedSigning.Test/Sign.SignatureProviders.TrustedSigning.Test.csproj
new file mode 100644
index 00000000..9fe902db
--- /dev/null
+++ b/test/Sign.SignatureProviders.TrustedSigning.Test/Sign.SignatureProviders.TrustedSigning.Test.csproj
@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <Import Project="$(RepositoryRootDirectory)\SdkTools.props" />
+
+  <PropertyGroup>
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+    <IsUnitTestProject>true</IsUnitTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="coverlet.collector">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Moq" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Sign.SignatureProviders.TrustedSigning\Sign.SignatureProviders.TrustedSigning.csproj" />
+    <ProjectReference Include="..\Sign.TestInfrastructure\Sign.TestInfrastructure.csproj" />
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceProviderTests.cs b/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceProviderTests.cs
new file mode 100644
index 00000000..5918d019
--- /dev/null
+++ b/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceProviderTests.cs
@@ -0,0 +1,136 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using System.Collections.Concurrent;
+using Azure.Core;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Moq;
+using Sign.Core;
+using Sign.TestInfrastructure;
+
+namespace Sign.SignatureProviders.TrustedSigning.Test
+{
+    public class TrustedSigningServiceProviderTests
+    {
+        private readonly static TokenCredential TokenCredential = Mock.Of<TokenCredential>();
+        private readonly static Uri EndpointUrl = new("https://trustedsigning.test");
+        private const string AccountName = "a";
+        private const string CertificateProfileName = "b";
+        private readonly IServiceProvider serviceProvider;
+
+        public TrustedSigningServiceProviderTests()
+        {
+            ServiceCollection services = new();
+            services.AddSingleton<ILogger<TrustedSigningService>>(new TestLogger<TrustedSigningService>());
+            serviceProvider = services.BuildServiceProvider();
+        }
+
+        [Fact]
+        public void Constructor_WhenTokenCredentialIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningServiceProvider(tokenCredential: null!, EndpointUrl, AccountName, CertificateProfileName));
+
+            Assert.Equal("tokenCredential", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenEndpointUrlIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningServiceProvider(TokenCredential, endpointUrl: null!, AccountName, CertificateProfileName));
+
+            Assert.Equal("endpointUrl", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenAccountNameIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningServiceProvider(TokenCredential, EndpointUrl, accountName: null!, CertificateProfileName));
+
+            Assert.Equal("accountName", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenAccountNameIsEmpty_Throws()
+        {
+            ArgumentException exception = Assert.Throws<ArgumentException>(
+                () => new TrustedSigningServiceProvider(TokenCredential, EndpointUrl, accountName: string.Empty, CertificateProfileName));
+
+            Assert.Equal("accountName", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenCertificateProfileNameIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningServiceProvider(TokenCredential, EndpointUrl, AccountName, certificateProfileName: null!));
+
+            Assert.Equal("certificateProfileName", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenCertificateProfileNameIsEmpty_Throws()
+        {
+            ArgumentException exception = Assert.Throws<ArgumentException>(
+                () => new TrustedSigningServiceProvider(TokenCredential, EndpointUrl, AccountName, certificateProfileName: string.Empty));
+
+            Assert.Equal("certificateProfileName", exception.ParamName);
+        }
+
+        [Fact]
+        public void GetSignatureAlgorithmProvider_WhenServiceProviderIsNull_Throws()
+        {
+            TrustedSigningServiceProvider provider = new(TokenCredential, EndpointUrl, AccountName, CertificateProfileName);
+
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => provider.GetSignatureAlgorithmProvider(serviceProvider: null!));
+
+            Assert.Equal("serviceProvider", exception.ParamName);
+        }
+
+        [Fact]
+        public void GetSignatureAlgorithmProvider_ReturnsSameInstance()
+        {
+            TrustedSigningServiceProvider provider = new(TokenCredential, EndpointUrl, AccountName, CertificateProfileName);
+
+            ConcurrentBag<ISignatureAlgorithmProvider> signatureAlgorithmProviders = [];
+            Parallel.For(0, 2, (_, _) =>
+            {
+                signatureAlgorithmProviders.Add(provider.GetSignatureAlgorithmProvider(serviceProvider));
+            });
+
+            Assert.Equal(2, signatureAlgorithmProviders.Count);
+            Assert.Same(signatureAlgorithmProviders.First(), signatureAlgorithmProviders.Last());
+        }
+
+        [Fact]
+        public void GetCertificateProvider_WhenServiceProviderIsNull_Throws()
+        {
+            TrustedSigningServiceProvider provider = new(TokenCredential, EndpointUrl, AccountName, CertificateProfileName);
+
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => provider.GetSignatureAlgorithmProvider(serviceProvider: null!));
+
+            Assert.Equal("serviceProvider", exception.ParamName);
+        }
+
+        [Fact]
+        public void GetCertificateProvider_ReturnsSameInstance()
+        {
+            TrustedSigningServiceProvider provider = new(TokenCredential, EndpointUrl, AccountName, CertificateProfileName);
+
+            ConcurrentBag<ICertificateProvider> certificateProviders = [];
+            Parallel.For(0, 2, (_, _) =>
+            {
+                certificateProviders.Add(provider.GetCertificateProvider(serviceProvider));
+            });
+
+            Assert.Equal(2, certificateProviders.Count);
+            Assert.Same(certificateProviders.First(), certificateProviders.Last());
+        }
+    }
+}
diff --git a/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs b/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs
new file mode 100644
index 00000000..6015a736
--- /dev/null
+++ b/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs
@@ -0,0 +1,91 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using Azure.Core;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Moq;
+using Sign.TestInfrastructure;
+
+namespace Sign.SignatureProviders.TrustedSigning.Test
+{
+    public class TrustedSigningServiceTests
+    {
+        private readonly static TokenCredential TokenCredential = Mock.Of<TokenCredential>();
+        private readonly static Uri EndpointUrl = new("https://trustedsigning.test");
+        private const string AccountName = "a";
+        private const string CertificateProfileName = "b";
+        private readonly IServiceProvider serviceProvider;
+
+        public TrustedSigningServiceTests()
+        {
+            ServiceCollection services = new();
+            services.AddSingleton<ILogger<TrustedSigningService>>(new TestLogger<TrustedSigningService>());
+            serviceProvider = services.BuildServiceProvider();
+        }
+
+        [Fact]
+        public void Constructor_WhenServiceProviderIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningService(serviceProvider: null!, TokenCredential, EndpointUrl, AccountName, CertificateProfileName));
+
+            Assert.Equal("serviceProvider", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenTokenCredentialIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningService(serviceProvider, tokenCredential: null!, EndpointUrl, AccountName, CertificateProfileName));
+
+            Assert.Equal("tokenCredential", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenEndpointUrlIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningService(serviceProvider, TokenCredential, endpointUrl: null!, AccountName, CertificateProfileName));
+
+            Assert.Equal("endpointUrl", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenAccountNameIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, accountName: null!, CertificateProfileName));
+
+            Assert.Equal("accountName", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenAccountNameIsEmpty_Throws()
+        {
+            ArgumentException exception = Assert.Throws<ArgumentException>(
+                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, accountName: string.Empty, CertificateProfileName));
+
+            Assert.Equal("accountName", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenCertificateProfileNameIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, AccountName, certificateProfileName: null!));
+
+            Assert.Equal("certificateProfileName", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenCertificateProfileNameIsEmpty_Throws()
+        {
+            ArgumentException exception = Assert.Throws<ArgumentException>(
+                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, AccountName, certificateProfileName: string.Empty));
+
+            Assert.Equal("certificateProfileName", exception.ParamName);
+        }
+    }
+}
diff --git a/test/Sign.SignatureProviders.TrustedSigning.Test/Usings.cs b/test/Sign.SignatureProviders.TrustedSigning.Test/Usings.cs
new file mode 100644
index 00000000..bf1085a9
--- /dev/null
+++ b/test/Sign.SignatureProviders.TrustedSigning.Test/Usings.cs
@@ -0,0 +1,5 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+global using Xunit;
\ No newline at end of file

From acab2e202553302ae8467844050dd1b1dcc3e586 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Fri, 14 Jun 2024 14:32:02 +0200
Subject: [PATCH 03/13] Added TrustedSigningCommand.

---
 src/Sign.Cli/Sign.Cli.csproj                  |  12 +-
 src/Sign.Cli/SignCommand.cs                   |  12 +-
 src/Sign.Cli/TrustedSigningCommand.cs         | 100 +++++++++++
 .../TrustedSigningResources.Designer.cs       | 144 ++++++++++++++++
 src/Sign.Cli/TrustedSigningResources.resx     | 148 ++++++++++++++++
 .../xlf/TrustedSigningResources.cs.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.de.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.es.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.fr.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.it.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.ja.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.ko.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.pl.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.pt-BR.xlf     |  52 ++++++
 .../xlf/TrustedSigningResources.ru.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.tr.xlf        |  52 ++++++
 .../xlf/TrustedSigningResources.zh-Hans.xlf   |  52 ++++++
 .../xlf/TrustedSigningResources.zh-Hant.xlf   |  52 ++++++
 .../TrustedSigningCommandTests.cs             | 162 ++++++++++++++++++
 19 files changed, 1250 insertions(+), 4 deletions(-)
 create mode 100644 src/Sign.Cli/TrustedSigningCommand.cs
 create mode 100644 src/Sign.Cli/TrustedSigningResources.Designer.cs
 create mode 100644 src/Sign.Cli/TrustedSigningResources.resx
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
 create mode 100644 src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
 create mode 100644 test/Sign.Cli.Test/TrustedSigningCommandTests.cs

diff --git a/src/Sign.Cli/Sign.Cli.csproj b/src/Sign.Cli/Sign.Cli.csproj
index d5b1a9f1..8c34c446 100644
--- a/src/Sign.Cli/Sign.Cli.csproj
+++ b/src/Sign.Cli/Sign.Cli.csproj
@@ -22,6 +22,7 @@
     <ProjectReference Include="..\Sign.Core\Sign.Core.csproj" />
     <ProjectReference Include="..\Sign.SignatureProviders.CertificateStore\Sign.SignatureProviders.CertificateStore.csproj" />
     <ProjectReference Include="..\Sign.SignatureProviders.KeyVault\Sign.SignatureProviders.KeyVault.csproj" />
+    <ProjectReference Include="..\Sign.SignatureProviders.TrustedSigning\Sign.SignatureProviders.TrustedSigning.csproj" />
   </ItemGroup>
 
   <ItemGroup>
@@ -68,6 +69,11 @@
       <AutoGen>True</AutoGen>
       <DependentUpon>Resources.resx</DependentUpon>
     </Compile>
+    <Compile Update="TrustedSigningResources.Designer.cs">
+      <DesignTime>True</DesignTime>
+      <AutoGen>True</AutoGen>
+      <DependentUpon>TrustedSigningResources.resx</DependentUpon>
+    </Compile>
   </ItemGroup>
 
   <ItemGroup>
@@ -83,5 +89,9 @@
       <Generator>ResXFileCodeGenerator</Generator>
       <LastGenOutput>Resources.Designer.cs</LastGenOutput>
     </EmbeddedResource>
+    <EmbeddedResource Update="TrustedSigningResources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>TrustedSigningResources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
   </ItemGroup>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/src/Sign.Cli/SignCommand.cs b/src/Sign.Cli/SignCommand.cs
index ab7d8706..dc54a0a7 100644
--- a/src/Sign.Cli/SignCommand.cs
+++ b/src/Sign.Cli/SignCommand.cs
@@ -23,11 +23,17 @@ internal SignCommand(IServiceProviderFactory? serviceProviderFactory = null)
 
             codeCommand.AddCommand(azureKeyVaultCommand);
 
-            CertificateStoreCommand certManagerCommand = new(
+            CertificateStoreCommand certificateStoreCommand = new(
                 codeCommand,
                 serviceProviderFactory);
 
-            codeCommand.AddCommand(certManagerCommand);
+            codeCommand.AddCommand(certificateStoreCommand);
+
+            TrustedSigningCommand trustedSigningCommand = new(
+                codeCommand,
+                serviceProviderFactory);
+
+            codeCommand.AddCommand(trustedSigningCommand);
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/Sign.Cli/TrustedSigningCommand.cs b/src/Sign.Cli/TrustedSigningCommand.cs
new file mode 100644
index 00000000..a32cef77
--- /dev/null
+++ b/src/Sign.Cli/TrustedSigningCommand.cs
@@ -0,0 +1,100 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using System.CommandLine;
+using System.CommandLine.Invocation;
+using System.CommandLine.IO;
+using Azure.Core;
+using Azure.Identity;
+using Sign.Core;
+using Sign.SignatureProviders.TrustedSigning;
+
+namespace Sign.Cli
+{
+    internal sealed class TrustedSigningCommand : Command
+    {
+        internal Option<Uri> EndpointOption { get; } = new(["-tse", "--trusted-signing-endpoint"], TrustedSigningResources.EndpointOptionDescription);
+        internal Option<string> AccountOption { get; } = new(["-tsa", "--trusted-signing-account"], TrustedSigningResources.AccountOptionDescription);
+        internal Option<string> CertificateProfileOption { get; } = new(["-tsc", "--trusted-signing-certificate-profile"], TrustedSigningResources.CertificateProfileOptionDescription);
+        internal Option<bool> ManagedIdentityOption { get; } = new(["-tsm", "--trusted-signing-managed-identity"], getDefaultValue: () => false, TrustedSigningResources.ManagedIdentityOptionDescription);
+        internal Option<string?> TenantIdOption { get; } = new(["-tst", "--trusted-signing-tenant-id"], TrustedSigningResources.TenantIdOptionDescription);
+        internal Option<string?> ClientIdOption { get; } = new(["-tsi", "--trusted-signing-client-id"], TrustedSigningResources.ClientIdOptionDescription);
+        internal Option<string?> ClientSecretOption { get; } = new(["-tss", "--trusted-signing-client-secret"], TrustedSigningResources.ClientSecretOptionDescription);
+
+        internal Argument<string?> FileArgument { get; } = new("file(s)", Resources.FilesArgumentDescription);
+
+        internal TrustedSigningCommand(CodeCommand codeCommand, IServiceProviderFactory serviceProviderFactory)
+            : base("trusted-signing", TrustedSigningResources.CommandDescription)
+        {
+            ArgumentNullException.ThrowIfNull(codeCommand, nameof(codeCommand));
+            ArgumentNullException.ThrowIfNull(serviceProviderFactory, nameof(serviceProviderFactory));
+
+            EndpointOption.IsRequired = true;
+            AccountOption.IsRequired = true;
+            CertificateProfileOption.IsRequired = true;
+
+            AddOption(EndpointOption);
+            AddOption(AccountOption);
+            AddOption(CertificateProfileOption);
+            AddOption(ManagedIdentityOption);
+            AddOption(TenantIdOption);
+            AddOption(ClientIdOption);
+            AddOption(ClientSecretOption);
+
+            AddArgument(FileArgument);
+
+            this.SetHandler(async (InvocationContext context) =>
+            {
+                string? fileArgument = context.ParseResult.GetValueForArgument(FileArgument);
+
+                if (string.IsNullOrEmpty(fileArgument))
+                {
+                    context.Console.Error.WriteLine(Resources.MissingFileValue);
+                    context.ExitCode = ExitCode.InvalidOptions;
+                    return;
+                }
+
+                bool useManagedIdentity = context.ParseResult.GetValueForOption(ManagedIdentityOption);
+
+                TokenCredential? credential = null;
+
+                if (useManagedIdentity)
+                {
+                    credential = new DefaultAzureCredential();
+                }
+                else
+                {
+                    string? tenantId = context.ParseResult.GetValueForOption(TenantIdOption);
+                    string? clientId = context.ParseResult.GetValueForOption(ClientIdOption);
+                    string? clientSecret = context.ParseResult.GetValueForOption(ClientSecretOption);
+
+                    if (string.IsNullOrEmpty(tenantId) ||
+                        string.IsNullOrEmpty(clientId) ||
+                        string.IsNullOrEmpty(clientSecret))
+                    {
+                        context.Console.Error.WriteFormattedLine(
+                                    TrustedSigningResources.InvalidClientSecretCredential,
+                                    TenantIdOption,
+                                    ClientIdOption,
+                                    ClientSecretOption);
+                        context.ExitCode = ExitCode.NoInputsFound;
+                        return;
+                    }
+
+                    credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
+                }
+
+                // Some of the options are required and that is why we can safely use
+                // the null-forgiving operator (!) to simplify the code.
+                Uri endpointUrl = context.ParseResult.GetValueForOption(EndpointOption)!;
+                string accountName = context.ParseResult.GetValueForOption(AccountOption)!;
+                string certificateProfileName = context.ParseResult.GetValueForOption(CertificateProfileOption)!;
+
+                TrustedSigningServiceProvider trustedSigningServiceProvider = new(credential, endpointUrl, accountName, certificateProfileName);
+
+                await codeCommand.HandleAsync(context, serviceProviderFactory, trustedSigningServiceProvider, fileArgument);
+            });
+        }
+    }
+}
diff --git a/src/Sign.Cli/TrustedSigningResources.Designer.cs b/src/Sign.Cli/TrustedSigningResources.Designer.cs
new file mode 100644
index 00000000..bb83ef8d
--- /dev/null
+++ b/src/Sign.Cli/TrustedSigningResources.Designer.cs
@@ -0,0 +1,144 @@
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by a tool.
+//     Runtime Version:4.0.30319.42000
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+namespace Sign.Cli {
+    using System;
+    
+    
+    /// <summary>
+    ///   A strongly-typed resource class, for looking up localized strings, etc.
+    /// </summary>
+    // This class was auto-generated by the StronglyTypedResourceBuilder
+    // class via a tool like ResGen or Visual Studio.
+    // To add or remove a member, edit your .ResX file then rerun ResGen
+    // with the /str option, or rebuild your VS project.
+    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "17.0.0.0")]
+    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+    internal class TrustedSigningResources {
+        
+        private static global::System.Resources.ResourceManager resourceMan;
+        
+        private static global::System.Globalization.CultureInfo resourceCulture;
+        
+        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+        internal TrustedSigningResources() {
+        }
+        
+        /// <summary>
+        ///   Returns the cached ResourceManager instance used by this class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Resources.ResourceManager ResourceManager {
+            get {
+                if (object.ReferenceEquals(resourceMan, null)) {
+                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Sign.Cli.TrustedSigningResources", typeof(TrustedSigningResources).Assembly);
+                    resourceMan = temp;
+                }
+                return resourceMan;
+            }
+        }
+        
+        /// <summary>
+        ///   Overrides the current thread's CurrentUICulture property for all
+        ///   resource lookups using this strongly typed resource class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Globalization.CultureInfo Culture {
+            get {
+                return resourceCulture;
+            }
+            set {
+                resourceCulture = value;
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to The Trusted Signing Account name..
+        /// </summary>
+        internal static string AccountOptionDescription {
+            get {
+                return ResourceManager.GetString("AccountOptionDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to The Certificate Profile name..
+        /// </summary>
+        internal static string CertificateProfileOptionDescription {
+            get {
+                return ResourceManager.GetString("CertificateProfileOptionDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Client ID to authenticate to Trusted Signing..
+        /// </summary>
+        internal static string ClientIdOptionDescription {
+            get {
+                return ResourceManager.GetString("ClientIdOptionDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Client secret to authenticate to Trusted Signing..
+        /// </summary>
+        internal static string ClientSecretOptionDescription {
+            get {
+                return ResourceManager.GetString("ClientSecretOptionDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Use Trusted Signing.
+        /// </summary>
+        internal static string CommandDescription {
+            get {
+                return ResourceManager.GetString("CommandDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources..
+        /// </summary>
+        internal static string EndpointOptionDescription {
+            get {
+                return ResourceManager.GetString("EndpointOptionDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to If not using a managed identity, all of these options are required: {0}, {1}, and {2}..
+        /// </summary>
+        internal static string InvalidClientSecretCredential {
+            get {
+                return ResourceManager.GetString("InvalidClientSecretCredential", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Managed identity to authenticate to Trusted Signing..
+        /// </summary>
+        internal static string ManagedIdentityOptionDescription {
+            get {
+                return ResourceManager.GetString("ManagedIdentityOptionDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Tenant ID to authenticate to Trusted Signing..
+        /// </summary>
+        internal static string TenantIdOptionDescription {
+            get {
+                return ResourceManager.GetString("TenantIdOptionDescription", resourceCulture);
+            }
+        }
+    }
+}
diff --git a/src/Sign.Cli/TrustedSigningResources.resx b/src/Sign.Cli/TrustedSigningResources.resx
new file mode 100644
index 00000000..c561010d
--- /dev/null
+++ b/src/Sign.Cli/TrustedSigningResources.resx
@@ -0,0 +1,148 @@
+<?xml version="1.0" encoding="utf-8"?>
+<root>
+  <!-- 
+    Microsoft ResX Schema 
+    
+    Version 2.0
+    
+    The primary goals of this format is to allow a simple XML format 
+    that is mostly human readable. The generation and parsing of the 
+    various data types are done through the TypeConverter classes 
+    associated with the data types.
+    
+    Example:
+    
+    ... ado.net/XML headers & schema ...
+    <resheader name="resmimetype">text/microsoft-resx</resheader>
+    <resheader name="version">2.0</resheader>
+    <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
+    <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
+    <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
+    <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
+    <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
+        <value>[base64 mime encoded serialized .NET Framework object]</value>
+    </data>
+    <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
+        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
+        <comment>This is a comment</comment>
+    </data>
+                
+    There are any number of "resheader" rows that contain simple 
+    name/value pairs.
+    
+    Each data row contains a name, and value. The row also contains a 
+    type or mimetype. Type corresponds to a .NET class that support 
+    text/value conversion through the TypeConverter architecture. 
+    Classes that don't support this are serialized and stored with the 
+    mimetype set.
+    
+    The mimetype is used for serialized objects, and tells the 
+    ResXResourceReader how to depersist the object. This is currently not 
+    extensible. For a given mimetype the value must be set accordingly:
+    
+    Note - application/x-microsoft.net.object.binary.base64 is the format 
+    that the ResXResourceWriter will generate, however the reader can 
+    read any of the formats listed below.
+    
+    mimetype: application/x-microsoft.net.object.binary.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+            : and then encoded with base64 encoding.
+    
+    mimetype: application/x-microsoft.net.object.soap.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+            : and then encoded with base64 encoding.
+
+    mimetype: application/x-microsoft.net.object.bytearray.base64
+    value   : The object must be serialized into a byte array 
+            : using a System.ComponentModel.TypeConverter
+            : and then encoded with base64 encoding.
+    -->
+  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
+  </xsd:schema>
+  <resheader name="resmimetype">
+    <value>text/microsoft-resx</value>
+  </resheader>
+  <resheader name="version">
+    <value>2.0</value>
+  </resheader>
+  <resheader name="reader">
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <resheader name="writer">
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <data name="AccountOptionDescription" xml:space="preserve">
+    <value>The Trusted Signing Account name.</value>
+  </data>
+  <data name="CertificateProfileOptionDescription" xml:space="preserve">
+    <value>The Certificate Profile name.</value>
+  </data>
+  <data name="ClientIdOptionDescription" xml:space="preserve">
+    <value>Client ID to authenticate to Trusted Signing.</value>
+  </data>
+  <data name="ClientSecretOptionDescription" xml:space="preserve">
+    <value>Client secret to authenticate to Trusted Signing.</value>
+  </data>
+  <data name="CommandDescription" xml:space="preserve">
+    <value>Use Trusted Signing</value>
+  </data>
+  <data name="EndpointOptionDescription" xml:space="preserve">
+    <value>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</value>
+  </data>
+  <data name="InvalidClientSecretCredential" xml:space="preserve">
+    <value>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</value>
+    <comment>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</comment>
+  </data>
+  <data name="ManagedIdentityOptionDescription" xml:space="preserve">
+    <value>Managed identity to authenticate to Trusted Signing.</value>
+  </data>
+  <data name="TenantIdOptionDescription" xml:space="preserve">
+    <value>Tenant ID to authenticate to Trusted Signing.</value>
+  </data>
+</root>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
new file mode 100644
index 00000000..60055953
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="cs" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
new file mode 100644
index 00000000..b509a8ee
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="de" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
new file mode 100644
index 00000000..6c3ee824
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="es" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
new file mode 100644
index 00000000..e7ab7de6
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="fr" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
new file mode 100644
index 00000000..9cc34f71
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="it" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
new file mode 100644
index 00000000..b350db7a
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="ja" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
new file mode 100644
index 00000000..6d1e1b17
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="ko" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
new file mode 100644
index 00000000..f70d470f
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="pl" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
new file mode 100644
index 00000000..c8382898
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="pt-BR" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
new file mode 100644
index 00000000..d770d712
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="ru" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
new file mode 100644
index 00000000..08e308eb
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="tr" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
new file mode 100644
index 00000000..9ae6cda8
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="zh-Hans" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
new file mode 100644
index 00000000..4451f442
--- /dev/null
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="zh-Hant" original="../TrustedSigningResources.resx">
+    <body>
+      <trans-unit id="AccountOptionDescription">
+        <source>The Trusted Signing Account name.</source>
+        <target state="new">The Trusted Signing Account name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CertificateProfileOptionDescription">
+        <source>The Certificate Profile name.</source>
+        <target state="new">The Certificate Profile name.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Trusted Signing.</source>
+        <target state="new">Client ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Trusted Signing.</source>
+        <target state="new">Client secret to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="CommandDescription">
+        <source>Use Trusted Signing</source>
+        <target state="new">Use Trusted Signing</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="EndpointOptionDescription">
+        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
+        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Trusted Signing.</source>
+        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Trusted Signing.</source>
+        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/test/Sign.Cli.Test/TrustedSigningCommandTests.cs b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
new file mode 100644
index 00000000..49e4b4ec
--- /dev/null
+++ b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
@@ -0,0 +1,162 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using System.CommandLine;
+using System.CommandLine.Builder;
+using System.CommandLine.Parsing;
+using Moq;
+using Sign.Core;
+
+namespace Sign.Cli.Test
+{
+    public class TrustedSigningCommandTests
+    {
+        private readonly TrustedSigningCommand _command = new(new CodeCommand(), Mock.Of<IServiceProviderFactory>());
+
+        [Fact]
+        public void Constructor_WhenCodeCommandIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningCommand(codeCommand: null!, Mock.Of<IServiceProviderFactory>()));
+
+            Assert.Equal("codeCommand", exception.ParamName);
+        }
+
+        [Fact]
+        public void Constructor_WhenServiceProviderFactoryIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningCommand(new CodeCommand(), serviceProviderFactory: null!));
+
+            Assert.Equal("serviceProviderFactory", exception.ParamName);
+        }
+
+        [Fact]
+        public void EndpointOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _command.EndpointOption.Arity);
+        }
+
+        [Fact]
+        public void EndpointOption_Always_IsRequired()
+        {
+            Assert.True(_command.EndpointOption.IsRequired);
+        }
+
+        [Fact]
+        public void AccountOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _command.AccountOption.Arity);
+        }
+
+        [Fact]
+        public void AccountOption_Always_IsRequired()
+        {
+            Assert.True(_command.AccountOption.IsRequired);
+        }
+
+        [Fact]
+        public void CertificateProfileOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _command.CertificateProfileOption.Arity);
+        }
+
+        [Fact]
+        public void CertificateProfileOption_Always_IsRequired()
+        {
+            Assert.True(_command.CertificateProfileOption.IsRequired);
+        }
+
+        [Fact]
+        public void ManagedIdentityOption_Always_HasArityOfZeroOrOne()
+        {
+            Assert.Equal(ArgumentArity.ZeroOrOne, _command.ManagedIdentityOption.Arity);
+        }
+
+        [Fact]
+        public void ManagedIdentityOption_Always_IsNotRequired()
+        {
+            Assert.False(_command.ManagedIdentityOption.IsRequired);
+        }
+
+        [Fact]
+        public void TenantIdOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _command.TenantIdOption.Arity);
+        }
+
+        [Fact]
+        public void TenantIdOption_Always_IsNotRequired()
+        {
+            Assert.False(_command.TenantIdOption.IsRequired);
+        }
+
+        [Fact]
+        public void ClientIdOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _command.ClientIdOption.Arity);
+        }
+
+        [Fact]
+        public void ClientIdOption_Always_IsNotRequired()
+        {
+            Assert.False(_command.ClientIdOption.IsRequired);
+        }
+
+        [Fact]
+        public void ClientSecretOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _command.ClientSecretOption.Arity);
+        }
+
+        [Fact]
+        public void ClientSecretOption_Always_IsNotRequired()
+        {
+            Assert.False(_command.ClientSecretOption.IsRequired);
+        }
+
+        public class ParserTests
+        {
+            private readonly TrustedSigningCommand _command;
+            private readonly Parser _parser;
+
+            public ParserTests()
+            {
+                _command = new(new CodeCommand(), Mock.Of<IServiceProviderFactory>());
+                _parser = new CommandLineBuilder(_command).Build();
+            }
+
+            [Theory]
+            [InlineData("trusted-signing")]
+            [InlineData("trusted-signing a")]
+            [InlineData("trusted-signing -tse")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d -tss")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d -tss e")]
+            public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string command)
+            {
+                ParseResult result = _parser.Parse(command);
+
+                Assert.NotEmpty(result.Errors);
+            }
+
+            [Theory]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tsm c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d -tss e f")]
+            public void Command_WhenRequiredArgumentsArePresent_HasNoError(string command)
+            {
+                ParseResult result = _parser.Parse(command);
+
+                Assert.Empty(result.Errors);
+            }
+        }
+    }
+}

From 55ebde31d8145c5d42b398ce8872af99103688ed Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sat, 15 Jun 2024 07:57:02 +0200
Subject: [PATCH 04/13] No longer put the CodeCommand in a private field.

---
 src/Sign.Cli/CertificateStoreCommand.cs | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/Sign.Cli/CertificateStoreCommand.cs b/src/Sign.Cli/CertificateStoreCommand.cs
index 64605355..adefdc9f 100644
--- a/src/Sign.Cli/CertificateStoreCommand.cs
+++ b/src/Sign.Cli/CertificateStoreCommand.cs
@@ -15,8 +15,6 @@ namespace Sign.Cli
 {
     internal sealed class CertificateStoreCommand : Command
     {
-        private readonly CodeCommand _codeCommand;
-
         internal Option<string?> CertificateFingerprintOption { get; } = new(["-cfp", "--certificate-fingerprint"], ParseCertificateFingerprint, description: CertificateStoreResources.CertificateFingerprintOptionDescription);
         internal Option<string?> CertificateFileOption { get; } = new(["-cf", "--certificate-file"], CertificateStoreResources.CertificateFileOptionDescription);
         internal Option<string?> CertificatePasswordOption { get; } = new(["-p", "--password"], CertificateStoreResources.CertificatePasswordOptionDescription);
@@ -32,8 +30,6 @@ internal CertificateStoreCommand(CodeCommand codeCommand, IServiceProviderFactor
             ArgumentNullException.ThrowIfNull(codeCommand, nameof(codeCommand));
             ArgumentNullException.ThrowIfNull(serviceProviderFactory, nameof(serviceProviderFactory));
 
-            _codeCommand = codeCommand;
-
             CertificateFingerprintOption.IsRequired = true;
 
             AddOption(CertificateFingerprintOption);
@@ -111,7 +107,7 @@ internal CertificateStoreCommand(CodeCommand codeCommand, IServiceProviderFactor
                     certificatePassword,
                     useMachineKeyContainer);
 
-                await _codeCommand.HandleAsync(context, serviceProviderFactory, certificateStoreServiceProvider, fileArgument);
+                await codeCommand.HandleAsync(context, serviceProviderFactory, certificateStoreServiceProvider, fileArgument);
             });
         }
 

From d1512cb3b9d181655174a7eeea7912c8ce7ba1d2 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sat, 15 Jun 2024 08:03:28 +0200
Subject: [PATCH 05/13] Moved the Azure auth options to a separate class and
 share this between AzureKeyVaultCommand and TrustedSigningCommand.

---
 src/Sign.Cli/AzureAuthOptions.cs              | 57 ++++++++++++++++
 src/Sign.Cli/AzureKeyVaultCommand.cs          | 55 +++-------------
 .../AzureKeyVaultResources.Designer.cs        | 45 -------------
 src/Sign.Cli/AzureKeyVaultResources.resx      | 16 -----
 src/Sign.Cli/Resources.Designer.cs            | 45 +++++++++++++
 src/Sign.Cli/Resources.resx                   | 16 +++++
 src/Sign.Cli/TrustedSigningCommand.cs         | 41 ++----------
 .../TrustedSigningResources.Designer.cs       | 45 -------------
 src/Sign.Cli/TrustedSigningResources.resx     | 16 -----
 .../xlf/AzureKeyVaultResources.cs.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.de.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.es.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.fr.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.it.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.ja.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.ko.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.pl.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.pt-BR.xlf      | 25 -------
 .../xlf/AzureKeyVaultResources.ru.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.tr.xlf         | 25 -------
 .../xlf/AzureKeyVaultResources.zh-Hans.xlf    | 25 -------
 .../xlf/AzureKeyVaultResources.zh-Hant.xlf    | 25 -------
 src/Sign.Cli/xlf/Resources.cs.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.de.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.es.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.fr.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.it.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.ja.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.ko.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.pl.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.pt-BR.xlf          | 25 +++++++
 src/Sign.Cli/xlf/Resources.ru.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.tr.xlf             | 25 +++++++
 src/Sign.Cli/xlf/Resources.zh-Hans.xlf        | 25 +++++++
 src/Sign.Cli/xlf/Resources.zh-Hant.xlf        | 25 +++++++
 .../xlf/TrustedSigningResources.cs.xlf        | 25 -------
 .../xlf/TrustedSigningResources.de.xlf        | 25 -------
 .../xlf/TrustedSigningResources.es.xlf        | 25 -------
 .../xlf/TrustedSigningResources.fr.xlf        | 25 -------
 .../xlf/TrustedSigningResources.it.xlf        | 25 -------
 .../xlf/TrustedSigningResources.ja.xlf        | 25 -------
 .../xlf/TrustedSigningResources.ko.xlf        | 25 -------
 .../xlf/TrustedSigningResources.pl.xlf        | 25 -------
 .../xlf/TrustedSigningResources.pt-BR.xlf     | 25 -------
 .../xlf/TrustedSigningResources.ru.xlf        | 25 -------
 .../xlf/TrustedSigningResources.tr.xlf        | 25 -------
 .../xlf/TrustedSigningResources.zh-Hans.xlf   | 25 -------
 .../xlf/TrustedSigningResources.zh-Hant.xlf   | 25 -------
 test/Sign.Cli.Test/AzureAuthOptionsTests.cs   | 61 +++++++++++++++++
 .../AzureKeyVaultCommandTests.cs              | 66 +++----------------
 .../SignCommandTests.Globbing.cs              |  8 +--
 test/Sign.Cli.Test/SignCommandTests.cs        |  6 +-
 .../TrustedSigningCommandTests.cs             | 64 +++---------------
 53 files changed, 543 insertions(+), 973 deletions(-)
 create mode 100644 src/Sign.Cli/AzureAuthOptions.cs
 create mode 100644 test/Sign.Cli.Test/AzureAuthOptionsTests.cs

diff --git a/src/Sign.Cli/AzureAuthOptions.cs b/src/Sign.Cli/AzureAuthOptions.cs
new file mode 100644
index 00000000..e217a396
--- /dev/null
+++ b/src/Sign.Cli/AzureAuthOptions.cs
@@ -0,0 +1,57 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using System.CommandLine;
+using System.CommandLine.Invocation;
+using Azure.Core;
+using Azure.Identity;
+using Sign.Core;
+
+namespace Sign.Cli
+{
+    internal sealed class AzureAuthOptions
+    {
+        internal Option<bool> ManagedIdentityOption { get; } = new(["-azm", "--azure-managed-identity"], getDefaultValue: () => false, Resources.ManagedIdentityOptionDescription);
+        internal Option<string?> TenantIdOption { get; } = new(["-azt", "--azure-tenant-id"], Resources.TenantIdOptionDescription);
+        internal Option<string?> ClientIdOption { get; } = new(["-azi", "--azure-client-id"], Resources.ClientIdOptionDescription);
+        internal Option<string?> ClientSecretOption { get; } = new(["-azs", "--azure-client-secret"], Resources.ClientSecretOptionDescription);
+
+        internal void AddOptionsToCommand(Command command)
+        {
+            command.AddOption(ManagedIdentityOption);
+            command.AddOption(TenantIdOption);
+            command.AddOption(ClientIdOption);
+            command.AddOption(ClientSecretOption);
+        }
+
+        internal TokenCredential? CreateTokenCredential(InvocationContext context)
+        {
+            bool useManagedIdentity = context.ParseResult.GetValueForOption(ManagedIdentityOption);
+
+            if (useManagedIdentity)
+            {
+                return new DefaultAzureCredential();
+            }
+
+            string? tenantId = context.ParseResult.GetValueForOption(TenantIdOption);
+            string? clientId = context.ParseResult.GetValueForOption(ClientIdOption);
+            string? secret = context.ParseResult.GetValueForOption(ClientSecretOption);
+
+            if (string.IsNullOrEmpty(tenantId) ||
+                string.IsNullOrEmpty(clientId) ||
+                string.IsNullOrEmpty(secret))
+            {
+                context.Console.Error.WriteFormattedLine(
+                    Resources.InvalidClientSecretCredential,
+                    TenantIdOption,
+                    ClientIdOption,
+                    ClientSecretOption);
+                context.ExitCode = ExitCode.NoInputsFound;
+                return null;
+            }
+
+            return new ClientSecretCredential(tenantId, clientId, secret);
+        }
+    }
+}
diff --git a/src/Sign.Cli/AzureKeyVaultCommand.cs b/src/Sign.Cli/AzureKeyVaultCommand.cs
index 046080a6..925ead0b 100644
--- a/src/Sign.Cli/AzureKeyVaultCommand.cs
+++ b/src/Sign.Cli/AzureKeyVaultCommand.cs
@@ -6,7 +6,6 @@
 using System.CommandLine.Invocation;
 using System.CommandLine.IO;
 using Azure.Core;
-using Azure.Identity;
 using Sign.Core;
 using Sign.SignatureProviders.KeyVault;
 
@@ -14,14 +13,9 @@ namespace Sign.Cli
 {
     internal sealed class AzureKeyVaultCommand : Command
     {
-        private readonly CodeCommand _codeCommand;
-
-        internal Option<string> CertificateOption { get; } = new(["-kvc", "--azure-key-vault-certificate"], AzureKeyVaultResources.CertificateOptionDescription);
-        internal Option<string?> ClientIdOption { get; } = new(["-kvi", "--azure-key-vault-client-id"], AzureKeyVaultResources.ClientIdOptionDescription);
-        internal Option<string?> ClientSecretOption { get; } = new(["-kvs", "--azure-key-vault-client-secret"], AzureKeyVaultResources.ClientSecretOptionDescription);
-        internal Option<bool> ManagedIdentityOption { get; } = new(["-kvm", "--azure-key-vault-managed-identity"], getDefaultValue: () => false, AzureKeyVaultResources.ManagedIdentityOptionDescription);
-        internal Option<string?> TenantIdOption { get; } = new(["-kvt", "--azure-key-vault-tenant-id"], AzureKeyVaultResources.TenantIdOptionDescription);
         internal Option<Uri> UrlOption { get; } = new(["-kvu", "--azure-key-vault-url"], AzureKeyVaultResources.UrlOptionDescription);
+        internal Option<string> CertificateOption { get; } = new(["-kvc", "--azure-key-vault-certificate"], AzureKeyVaultResources.CertificateOptionDescription);
+        internal AzureAuthOptions AzureAuthOptions { get; } = new();
 
         internal Argument<string?> FileArgument { get; } = new("file(s)", Resources.FilesArgumentDescription);
 
@@ -31,19 +25,12 @@ internal AzureKeyVaultCommand(CodeCommand codeCommand, IServiceProviderFactory s
             ArgumentNullException.ThrowIfNull(codeCommand, nameof(codeCommand));
             ArgumentNullException.ThrowIfNull(serviceProviderFactory, nameof(serviceProviderFactory));
 
-            _codeCommand = codeCommand;
-
             CertificateOption.IsRequired = true;
             UrlOption.IsRequired = true;
 
-            ManagedIdentityOption.SetDefaultValue(false);
-
             AddOption(UrlOption);
-            AddOption(TenantIdOption);
-            AddOption(ClientIdOption);
-            AddOption(ClientSecretOption);
             AddOption(CertificateOption);
-            AddOption(ManagedIdentityOption);
+            AzureAuthOptions.AddOptionsToCommand(this);
 
             AddArgument(FileArgument);
 
@@ -67,41 +54,19 @@ internal AzureKeyVaultCommand(CodeCommand codeCommand, IServiceProviderFactory s
                     return;
                 }
 
+                TokenCredential? credential = AzureAuthOptions.CreateTokenCredential(context);
+                if (credential is null)
+                {
+                    return;
+                }
+
                 // Some of the options are required and that is why we can safely use
                 // the null-forgiving operator (!) to simplify the code.
                 Uri url = context.ParseResult.GetValueForOption(UrlOption)!;
-                string? tenantId = context.ParseResult.GetValueForOption(TenantIdOption);
-                string? clientId = context.ParseResult.GetValueForOption(ClientIdOption);
-                string? secret = context.ParseResult.GetValueForOption(ClientSecretOption);
                 string certificateId = context.ParseResult.GetValueForOption(CertificateOption)!;
-                bool useManagedIdentity = context.ParseResult.GetValueForOption(ManagedIdentityOption);
-
-                TokenCredential? credential = null;
-
-                if (useManagedIdentity)
-                {
-                    credential = new DefaultAzureCredential();
-                }
-                else
-                {
-                    if (string.IsNullOrEmpty(tenantId) ||
-                        string.IsNullOrEmpty(clientId) ||
-                        string.IsNullOrEmpty(secret))
-                    {
-                        context.Console.Error.WriteFormattedLine(
-                            AzureKeyVaultResources.InvalidClientSecretCredential,
-                            TenantIdOption,
-                            ClientIdOption,
-                            ClientSecretOption);
-                        context.ExitCode = ExitCode.NoInputsFound;
-                        return;
-                    }
-
-                    credential = new ClientSecretCredential(tenantId, clientId, secret);
-                }
 
                 KeyVaultServiceProvider keyVaultServiceProvider = new(credential, url, certificateId);
-                await _codeCommand.HandleAsync(context, serviceProviderFactory, keyVaultServiceProvider, fileArgument);
+                await codeCommand.HandleAsync(context, serviceProviderFactory, keyVaultServiceProvider, fileArgument);
             });
         }
     }
diff --git a/src/Sign.Cli/AzureKeyVaultResources.Designer.cs b/src/Sign.Cli/AzureKeyVaultResources.Designer.cs
index 6717fe00..ae840eba 100644
--- a/src/Sign.Cli/AzureKeyVaultResources.Designer.cs
+++ b/src/Sign.Cli/AzureKeyVaultResources.Designer.cs
@@ -78,24 +78,6 @@ internal static string ClickOnceExtensionNotSupported {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to Client ID to authenticate to Azure Key Vault..
-        /// </summary>
-        internal static string ClientIdOptionDescription {
-            get {
-                return ResourceManager.GetString("ClientIdOptionDescription", resourceCulture);
-            }
-        }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to Client secret to authenticate to Azure Key Vault..
-        /// </summary>
-        internal static string ClientSecretOptionDescription {
-            get {
-                return ResourceManager.GetString("ClientSecretOptionDescription", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to Use Azure Key Vault..
         /// </summary>
@@ -105,33 +87,6 @@ internal static string CommandDescription {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to If not using a managed identity, all of these options are required: {0}, {1}, and {2}..
-        /// </summary>
-        internal static string InvalidClientSecretCredential {
-            get {
-                return ResourceManager.GetString("InvalidClientSecretCredential", resourceCulture);
-            }
-        }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to Managed identity to authenticate to Azure Key Vault..
-        /// </summary>
-        internal static string ManagedIdentityOptionDescription {
-            get {
-                return ResourceManager.GetString("ManagedIdentityOptionDescription", resourceCulture);
-            }
-        }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to Tenant ID to authenticate to Azure Key Vault..
-        /// </summary>
-        internal static string TenantIdOptionDescription {
-            get {
-                return ResourceManager.GetString("TenantIdOptionDescription", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to URL to an Azure Key Vault..
         /// </summary>
diff --git a/src/Sign.Cli/AzureKeyVaultResources.resx b/src/Sign.Cli/AzureKeyVaultResources.resx
index 773e45dc..97762b0d 100644
--- a/src/Sign.Cli/AzureKeyVaultResources.resx
+++ b/src/Sign.Cli/AzureKeyVaultResources.resx
@@ -123,25 +123,9 @@
   <data name="ClickOnceExtensionNotSupported" xml:space="preserve">
     <value>ClickOnce signing via the legacy .clickonce ZIP workaround is no longer supported. See documentation.</value>
   </data>
-  <data name="ClientIdOptionDescription" xml:space="preserve">
-    <value>Client ID to authenticate to Azure Key Vault.</value>
-  </data>
-  <data name="ClientSecretOptionDescription" xml:space="preserve">
-    <value>Client secret to authenticate to Azure Key Vault.</value>
-  </data>
   <data name="CommandDescription" xml:space="preserve">
     <value>Use Azure Key Vault.</value>
   </data>
-  <data name="InvalidClientSecretCredential" xml:space="preserve">
-    <value>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</value>
-    <comment>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</comment>
-  </data>
-  <data name="ManagedIdentityOptionDescription" xml:space="preserve">
-    <value>Managed identity to authenticate to Azure Key Vault.</value>
-  </data>
-  <data name="TenantIdOptionDescription" xml:space="preserve">
-    <value>Tenant ID to authenticate to Azure Key Vault.</value>
-  </data>
   <data name="UrlOptionDescription" xml:space="preserve">
     <value>URL to an Azure Key Vault.</value>
   </data>
diff --git a/src/Sign.Cli/Resources.Designer.cs b/src/Sign.Cli/Resources.Designer.cs
index 08783b2b..c8ec3319 100644
--- a/src/Sign.Cli/Resources.Designer.cs
+++ b/src/Sign.Cli/Resources.Designer.cs
@@ -87,6 +87,24 @@ internal static string CertificateStoreCommandDescription {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Client ID to authenticate to Azure Key Vault..
+        /// </summary>
+        internal static string ClientIdOptionDescription {
+            get {
+                return ResourceManager.GetString("ClientIdOptionDescription", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Client secret to authenticate to Azure Key Vault..
+        /// </summary>
+        internal static string ClientSecretOptionDescription {
+            get {
+                return ResourceManager.GetString("ClientSecretOptionDescription", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Sign binaries and containers..
         /// </summary>
@@ -159,6 +177,15 @@ internal static string InvalidCertificateFingerprintValue {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to If not using a managed identity, all of these options are required: {0}, {1}, and {2}..
+        /// </summary>
+        internal static string InvalidClientSecretCredential {
+            get {
+                return ResourceManager.GetString("InvalidClientSecretCredential", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Invalid value for {0}. The value must be &apos;sha256&apos;, &apos;sha384&apos;, or &apos;sha512&apos;..
         /// </summary>
@@ -195,6 +222,15 @@ internal static string InvalidUrlValue {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Managed identity to authenticate to Azure Key Vault..
+        /// </summary>
+        internal static string ManagedIdentityOptionDescription {
+            get {
+                return ResourceManager.GetString("ManagedIdentityOptionDescription", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Maximum concurrency..
         /// </summary>
@@ -258,6 +294,15 @@ internal static string SomeFilesDoNotExist {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to Tenant ID to authenticate to Azure Key Vault..
+        /// </summary>
+        internal static string TenantIdOptionDescription {
+            get {
+                return ResourceManager.GetString("TenantIdOptionDescription", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512..
         /// </summary>
diff --git a/src/Sign.Cli/Resources.resx b/src/Sign.Cli/Resources.resx
index 631c1d92..584c3ec0 100644
--- a/src/Sign.Cli/Resources.resx
+++ b/src/Sign.Cli/Resources.resx
@@ -126,6 +126,12 @@
   <data name="CertificateStoreCommandDescription" xml:space="preserve">
     <value>Use Windows Certificate Store or a local certificate file.</value>
   </data>
+  <data name="ClientIdOptionDescription" xml:space="preserve">
+    <value>Client ID to authenticate to Azure Key Vault.</value>
+  </data>
+  <data name="ClientSecretOptionDescription" xml:space="preserve">
+    <value>Client secret to authenticate to Azure Key Vault.</value>
+  </data>
   <data name="CodeCommandDescription" xml:space="preserve">
     <value>Sign binaries and containers.</value>
   </data>
@@ -153,6 +159,10 @@
     <value>Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</value>
     <comment>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</comment>
   </data>
+  <data name="InvalidClientSecretCredential" xml:space="preserve">
+    <value>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</value>
+    <comment>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</comment>
+  </data>
   <data name="InvalidDigestValue" xml:space="preserve">
     <value>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</value>
     <comment>{Locked="sha256", "sha384", "sha512"} are cryptographic hash algorithm names and should not be localized.  {NumberedPlaceholder="{0}"} is an option name (e.g.:  --file-digest) and should not be localized.</comment>
@@ -168,6 +178,9 @@
     <value>Invalid value for {0}. The value must be an absolute HTTP or HTTPS URL.</value>
     <comment>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</comment>
   </data>
+  <data name="ManagedIdentityOptionDescription" xml:space="preserve">
+    <value>Managed identity to authenticate to Azure Key Vault.</value>
+  </data>
   <data name="MaxConcurrencyOptionDescription" xml:space="preserve">
     <value>Maximum concurrency.</value>
   </data>
@@ -191,6 +204,9 @@
     <value>Some files do not exist.  Try using a different {0} value or a fully qualified file path.</value>
     <comment>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</comment>
   </data>
+  <data name="TenantIdOptionDescription" xml:space="preserve">
+    <value>Tenant ID to authenticate to Azure Key Vault.</value>
+  </data>
   <data name="TimestampDigestOptionDescription" xml:space="preserve">
     <value>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</value>
     <comment>{Locked="RFC 3161"} is an Internet standard (https://www.rfc-editor.org/info/rfc3161), and {Locked="sha256", "sha384", "sha512"} are cryptographic hash algorithm names should not be localized.</comment>
diff --git a/src/Sign.Cli/TrustedSigningCommand.cs b/src/Sign.Cli/TrustedSigningCommand.cs
index a32cef77..0935551f 100644
--- a/src/Sign.Cli/TrustedSigningCommand.cs
+++ b/src/Sign.Cli/TrustedSigningCommand.cs
@@ -6,7 +6,6 @@
 using System.CommandLine.Invocation;
 using System.CommandLine.IO;
 using Azure.Core;
-using Azure.Identity;
 using Sign.Core;
 using Sign.SignatureProviders.TrustedSigning;
 
@@ -17,10 +16,7 @@ internal sealed class TrustedSigningCommand : Command
         internal Option<Uri> EndpointOption { get; } = new(["-tse", "--trusted-signing-endpoint"], TrustedSigningResources.EndpointOptionDescription);
         internal Option<string> AccountOption { get; } = new(["-tsa", "--trusted-signing-account"], TrustedSigningResources.AccountOptionDescription);
         internal Option<string> CertificateProfileOption { get; } = new(["-tsc", "--trusted-signing-certificate-profile"], TrustedSigningResources.CertificateProfileOptionDescription);
-        internal Option<bool> ManagedIdentityOption { get; } = new(["-tsm", "--trusted-signing-managed-identity"], getDefaultValue: () => false, TrustedSigningResources.ManagedIdentityOptionDescription);
-        internal Option<string?> TenantIdOption { get; } = new(["-tst", "--trusted-signing-tenant-id"], TrustedSigningResources.TenantIdOptionDescription);
-        internal Option<string?> ClientIdOption { get; } = new(["-tsi", "--trusted-signing-client-id"], TrustedSigningResources.ClientIdOptionDescription);
-        internal Option<string?> ClientSecretOption { get; } = new(["-tss", "--trusted-signing-client-secret"], TrustedSigningResources.ClientSecretOptionDescription);
+        internal AzureAuthOptions AzureAuthOptions { get; } = new();
 
         internal Argument<string?> FileArgument { get; } = new("file(s)", Resources.FilesArgumentDescription);
 
@@ -37,10 +33,7 @@ internal TrustedSigningCommand(CodeCommand codeCommand, IServiceProviderFactory
             AddOption(EndpointOption);
             AddOption(AccountOption);
             AddOption(CertificateProfileOption);
-            AddOption(ManagedIdentityOption);
-            AddOption(TenantIdOption);
-            AddOption(ClientIdOption);
-            AddOption(ClientSecretOption);
+            AzureAuthOptions.AddOptionsToCommand(this);
 
             AddArgument(FileArgument);
 
@@ -55,34 +48,10 @@ internal TrustedSigningCommand(CodeCommand codeCommand, IServiceProviderFactory
                     return;
                 }
 
-                bool useManagedIdentity = context.ParseResult.GetValueForOption(ManagedIdentityOption);
-
-                TokenCredential? credential = null;
-
-                if (useManagedIdentity)
-                {
-                    credential = new DefaultAzureCredential();
-                }
-                else
+                TokenCredential? credential = AzureAuthOptions.CreateTokenCredential(context);
+                if (credential is null)
                 {
-                    string? tenantId = context.ParseResult.GetValueForOption(TenantIdOption);
-                    string? clientId = context.ParseResult.GetValueForOption(ClientIdOption);
-                    string? clientSecret = context.ParseResult.GetValueForOption(ClientSecretOption);
-
-                    if (string.IsNullOrEmpty(tenantId) ||
-                        string.IsNullOrEmpty(clientId) ||
-                        string.IsNullOrEmpty(clientSecret))
-                    {
-                        context.Console.Error.WriteFormattedLine(
-                                    TrustedSigningResources.InvalidClientSecretCredential,
-                                    TenantIdOption,
-                                    ClientIdOption,
-                                    ClientSecretOption);
-                        context.ExitCode = ExitCode.NoInputsFound;
-                        return;
-                    }
-
-                    credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
+                    return;
                 }
 
                 // Some of the options are required and that is why we can safely use
diff --git a/src/Sign.Cli/TrustedSigningResources.Designer.cs b/src/Sign.Cli/TrustedSigningResources.Designer.cs
index bb83ef8d..c6fd3d14 100644
--- a/src/Sign.Cli/TrustedSigningResources.Designer.cs
+++ b/src/Sign.Cli/TrustedSigningResources.Designer.cs
@@ -78,24 +78,6 @@ internal static string CertificateProfileOptionDescription {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to Client ID to authenticate to Trusted Signing..
-        /// </summary>
-        internal static string ClientIdOptionDescription {
-            get {
-                return ResourceManager.GetString("ClientIdOptionDescription", resourceCulture);
-            }
-        }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to Client secret to authenticate to Trusted Signing..
-        /// </summary>
-        internal static string ClientSecretOptionDescription {
-            get {
-                return ResourceManager.GetString("ClientSecretOptionDescription", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to Use Trusted Signing.
         /// </summary>
@@ -113,32 +95,5 @@ internal static string EndpointOptionDescription {
                 return ResourceManager.GetString("EndpointOptionDescription", resourceCulture);
             }
         }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to If not using a managed identity, all of these options are required: {0}, {1}, and {2}..
-        /// </summary>
-        internal static string InvalidClientSecretCredential {
-            get {
-                return ResourceManager.GetString("InvalidClientSecretCredential", resourceCulture);
-            }
-        }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to Managed identity to authenticate to Trusted Signing..
-        /// </summary>
-        internal static string ManagedIdentityOptionDescription {
-            get {
-                return ResourceManager.GetString("ManagedIdentityOptionDescription", resourceCulture);
-            }
-        }
-        
-        /// <summary>
-        ///   Looks up a localized string similar to Tenant ID to authenticate to Trusted Signing..
-        /// </summary>
-        internal static string TenantIdOptionDescription {
-            get {
-                return ResourceManager.GetString("TenantIdOptionDescription", resourceCulture);
-            }
-        }
     }
 }
diff --git a/src/Sign.Cli/TrustedSigningResources.resx b/src/Sign.Cli/TrustedSigningResources.resx
index c561010d..5226f388 100644
--- a/src/Sign.Cli/TrustedSigningResources.resx
+++ b/src/Sign.Cli/TrustedSigningResources.resx
@@ -123,26 +123,10 @@
   <data name="CertificateProfileOptionDescription" xml:space="preserve">
     <value>The Certificate Profile name.</value>
   </data>
-  <data name="ClientIdOptionDescription" xml:space="preserve">
-    <value>Client ID to authenticate to Trusted Signing.</value>
-  </data>
-  <data name="ClientSecretOptionDescription" xml:space="preserve">
-    <value>Client secret to authenticate to Trusted Signing.</value>
-  </data>
   <data name="CommandDescription" xml:space="preserve">
     <value>Use Trusted Signing</value>
   </data>
   <data name="EndpointOptionDescription" xml:space="preserve">
     <value>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</value>
   </data>
-  <data name="InvalidClientSecretCredential" xml:space="preserve">
-    <value>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</value>
-    <comment>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</comment>
-  </data>
-  <data name="ManagedIdentityOptionDescription" xml:space="preserve">
-    <value>Managed identity to authenticate to Trusted Signing.</value>
-  </data>
-  <data name="TenantIdOptionDescription" xml:space="preserve">
-    <value>Tenant ID to authenticate to Trusted Signing.</value>
-  </data>
 </root>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.cs.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.cs.xlf
index 49bf8943..0c35af0d 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.cs.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.cs.xlf
@@ -12,36 +12,11 @@
         <target state="translated">Podepisování ClickOnce prostřednictvím starší verze alternativního řešení .clickonce ZIP se už nepodporuje. Projděte si dokumentaci.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID klienta, které se má ověřit pro Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Tajný kód klienta, který se má ověřit pro Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Použijte Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Pokud se nepoužívá spravovaná identita, vyžadují se všechny tyto možnosti: {0}, {1}a {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Spravovaná identita pro ověření pro Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID tenanta, které se má ověřit pro Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Adresa URL Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.de.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.de.xlf
index 17e60980..be16e6c8 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.de.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.de.xlf
@@ -12,36 +12,11 @@
         <target state="translated">Die ClickOnce-Signierung über die Legacy-.clickonce-ZIP-Problemumgehung wird nicht mehr unterstützt. Siehe Dokumentation.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Client-ID für die Authentifizierung bei Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Geheimer Clientschlüssel für die Authentifizierung bei Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Verwenden Sie Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Wenn Sie keine verwaltete Identität verwenden, sind alle diese Optionen erforderlich: {0}, {1} und {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Verwaltete Identität für die Authentifizierung bei Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Mandanten-ID für die Authentifizierung bei Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL zu einem Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.es.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.es.xlf
index e3068538..05cc2178 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.es.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.es.xlf
@@ -12,36 +12,11 @@
         <target state="translated">Ya no se admite la firma ClickOnce a través de la solución zip heredada .clickonce. Consulte la documentación.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Id. de cliente para autenticarse en Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Secreto de cliente para autenticarse en Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Use Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Si no usa una identidad administrada, se requieren todas estas opciones: {0}, {1} y {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Identidad administrada para autenticarse en Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Identificador de inquilino para autenticarse en Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Dirección URL a un Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.fr.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.fr.xlf
index 9500cca3..0944b34e 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.fr.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.fr.xlf
@@ -12,36 +12,11 @@
         <target state="translated">La signature ClickOnce via la solution de contournement zip .clickonce héritée n’est plus prise en charge. Consulter la documentation.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID client à authentifier auprès d’Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Clé secrète client pour s’authentifier auprès d’Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Utilisez Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Si vous n’utilisez pas d’identité managée, toutes ces options sont requises : {0}, {1} et {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Identité managée à authentifier auprès d’Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID client pour s’authentifier auprès d’Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL d’un Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.it.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.it.xlf
index 3751cdc4..41c944c4 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.it.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.it.xlf
@@ -12,36 +12,11 @@
         <target state="translated">La firma ClickOnce tramite la soluzione alternativa legacy .clickonce ZIP non è più supportata. Vedere la documentazione.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID client da autenticare in Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Segreto client da autenticare in Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Usare Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Se non si usa un'identità gestita, saranno necessarie tutte le opzioni seguenti: {0}, {1} e {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Identità gestita da autenticare in Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID tenant da autenticare in Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL a un Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.ja.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.ja.xlf
index 4532f67a..ea8b1e01 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.ja.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.ja.xlf
@@ -12,36 +12,11 @@
         <target state="translated">従来の .clickonce ZIP 回避策による ClickOnce 署名はサポートされなくなりました。ドキュメントを参照してください。</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault に対して認証するクライアント ID。</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault に対して認証するクライアント シークレット。</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Azure Key Vault を使用してください。</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">マネージド ID を使用しない場合は、{0}、{1}、{2} のオプションがすべて必要です。</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault に対して認証するマネージド ID。</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault に対して認証するテナント ID。</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault への URL。</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.ko.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.ko.xlf
index 7aaf4955..bf448e15 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.ko.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.ko.xlf
@@ -12,36 +12,11 @@
         <target state="translated">레거시 .clickonce ZIP 해결 방법을 통한 ClickOnce 서명은 더 이상 지원되지 않습니다. 설명서를 참조하세요.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault에 인증하기 위한 클라이언트 ID입니다.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault에 인증하기 위한 클라이언트 암호입니다.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Azure Key Vault를 사용합니다.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">관리 ID를 사용하고 있지 않은 경우 {0}, {1} 및 {2} 옵션이 모두 필요합니다.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault에 인증하기 위한 관리 ID입니다.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault에 인증하기 위한 테넌트 ID입니다.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault에 대한 URL입니다.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.pl.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.pl.xlf
index f846f13c..ec2a609b 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.pl.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.pl.xlf
@@ -12,36 +12,11 @@
         <target state="translated">Podpisywanie clickOnce za pośrednictwem starszego obejścia .clickonce ZIP nie jest już obsługiwane. Zobacz dokumentację.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Identyfikator klienta do uwierzytelnienia w usłudze Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Klucz tajny klienta do uwierzytelnienia w usłudze Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Użyj usługi Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Jeśli tożsamość zarządzana nie jest używana, wymagane są wszystkie następujące opcje: {0}, {1} i {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Tożsamość zarządzana do uwierzytelnienia w usłudze Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Identyfikator dzierżawy do uwierzytelnienia w usłudze Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Adres URL do usługi Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.pt-BR.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.pt-BR.xlf
index bfac1e07..46c29ed6 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.pt-BR.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.pt-BR.xlf
@@ -12,36 +12,11 @@
         <target state="translated">Não há mais suporte para a assinatura do ClickOnce por meio da solução alternativa .clickonce ZIP herdada. Consulte a documentação.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID do cliente a ser autenticada no Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Segredo do cliente a ser autenticado no Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Use o Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Se não estiver usando uma identidade gerenciada, todas essas opções serão necessárias: {0}, {1} e {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Identidade gerenciada a ser autenticada no Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ID do locatário a ser autenticada no Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL para um Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.ru.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.ru.xlf
index 7fa74c88..e1cc1b47 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.ru.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.ru.xlf
@@ -12,36 +12,11 @@
         <target state="translated">Подписание ClickOnce с помощью устаревшего обходного пути .clickonce ZIP больше не поддерживается. См. документацию.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ИД клиента для проверки подлинности в Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Секрет клиента для проверки подлинности в Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Использование Azure Key Vault.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Если управляемое удостоверение не используется, требуются все следующие параметры: {0}, {1} и {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Управляемое удостоверение для проверки подлинности в Azure Key Vault.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">ИД клиента для проверки подлинности в Azure Key Vault.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL-адрес для Azure Key Vault.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.tr.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.tr.xlf
index f4bf097b..60a93955 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.tr.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.tr.xlf
@@ -12,36 +12,11 @@
         <target state="translated">Eski .clickonce ZIP geçici çözümü aracılığıyla ClickOnce imzalama işlemi artık desteklenmiyor. Belgelere bakın.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault için kimlik doğrulamak amacıyla kullanılan istemci kimliği.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault için kimlik doğrulamak amacıyla kullanılan gizli anahtar.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">Azure Key Vault’u kullanın.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">Bir yönetilen kimlik kullanılmıyorsa bu seçeneklerin tümü gereklidir: {0}, {1} ve {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault için kimlik doğrulamak amacıyla kullanılan yönetilen kimlik.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">Azure Key Vault için kimlik doğrulamak amacıyla kullanılan kiracı kimliği.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault URL’si.</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hans.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hans.xlf
index 05e0b438..d6ec9934 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hans.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hans.xlf
@@ -12,36 +12,11 @@
         <target state="translated">不再支持通过旧版 .clickonce ZIP 解决方法进行 ClickOnce 签名。参阅文档。</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 进行身份验证的客户端 ID。</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 进行身份验证的客户端密码。</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">使用 Azure Key Vault。</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">如果不使用托管标识，则需要以下所有选项: {0}、{1} 和 {2}。</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 进行身份验证的托管标识。</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 进行身份验证的租户 ID。</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">指向 Azure Key Vault 的 URL。</target>
diff --git a/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hant.xlf b/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hant.xlf
index 25b41727..4d51be73 100644
--- a/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hant.xlf
+++ b/src/Sign.Cli/xlf/AzureKeyVaultResources.zh-Hant.xlf
@@ -12,36 +12,11 @@
         <target state="translated">已不再支援透過舊版 .clickonce ZIP 因應措施進行 ClickOnce 簽署。請參閱文件。</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 進行驗證的用戶端識別碼。</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 進行驗證的用戶端密碼。</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Azure Key Vault.</source>
         <target state="translated">使用 Azure Key Vault。</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="translated">如果未使用受控識別，則需要下列所有選項: {0}、{1} 和 {2}。</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 進行驗證的受控識別。</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="translated">要向 Azure Key Vault 進行驗證的租用戶識別碼。</target>
-        <note />
-      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault 的 URL。</target>
diff --git a/src/Sign.Cli/xlf/Resources.cs.xlf b/src/Sign.Cli/xlf/Resources.cs.xlf
index 1bc95143..a99251cf 100644
--- a/src/Sign.Cli/xlf/Resources.cs.xlf
+++ b/src/Sign.Cli/xlf/Resources.cs.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Použijte úložiště certifikátů systému Windows nebo místní soubor certifikátu.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Podepisovat binární soubory a kontejnery.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Neplatná hodnota pro {0}. Hodnota musí být sha256, sha384 nebo sha512.</target>
@@ -77,6 +92,11 @@
         <target state="translated">Neplatná hodnota pro {0}. Hodnota musí být absolutní adresa URL protokolu HTTP nebo HTTPS.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Maximální souběžnost.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Některé soubory neexistují.  Zkuste použít jinou hodnotu {0} nebo plně kvalifikovanou cestu k souboru.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Algoritmus hodnoty hash pro server časového razítka RFC 3161. Povolené hodnoty jsou sha256, sha384 a sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.de.xlf b/src/Sign.Cli/xlf/Resources.de.xlf
index 2d624b57..26495085 100644
--- a/src/Sign.Cli/xlf/Resources.de.xlf
+++ b/src/Sign.Cli/xlf/Resources.de.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Verwenden Sie den Windows-Zertifikatspeicher oder eine lokale Zertifikatdatei.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Signieren Sie Binärdateien und Container.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Ungültiger Wert für {0}. Der Wert muss "sha256", "sha384" oder "sha512" sein.</target>
@@ -77,6 +92,11 @@
         <target state="translated">Ungültiger Wert für {0}. Der Wert muss eine absolute HTTP- oder HTTPS-URL sein.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Maximale Parallelität.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Einige Dateien sind nicht vorhanden.  Versuchen Sie, einen anderen {0}-Wert oder einen vollqualifizierten Dateipfad zu verwenden.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Digest-Algorithmus für den RFC 3161-Zeitstempelserver. Zulässige Werte sind sha256, sha384 und sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.es.xlf b/src/Sign.Cli/xlf/Resources.es.xlf
index 435a67d1..81f81854 100644
--- a/src/Sign.Cli/xlf/Resources.es.xlf
+++ b/src/Sign.Cli/xlf/Resources.es.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Use el Almacén de certificados de Windows o un archivo de certificados local.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Firmar archivos binarios y contenedores.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valor no válido para {0}. El valor debe ser 'sha256', 'sha384' o 'sha512'.</target>
@@ -77,6 +92,11 @@
         <target state="translated">Valor no válido para {0}. El valor debe ser una dirección URL HTTP o HTTPS absoluta.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Simultaneidad máxima.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Algunos archivos no existen.  Pruebe a usar otro valor {0} o una ruta de acceso de archivo completa.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Algoritmo de resumen para el servidor de marca de tiempo RFC 3161. Los valores permitidos son sha256, sha384 y sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.fr.xlf b/src/Sign.Cli/xlf/Resources.fr.xlf
index ca13a794..2adf3653 100644
--- a/src/Sign.Cli/xlf/Resources.fr.xlf
+++ b/src/Sign.Cli/xlf/Resources.fr.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Utilisez le magasin de certificats Windows ou un fichier local du certificat.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Signer les fichiers binaires et les conteneurs.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valeur invalide pour {0}. La valeur doit être 'sha256', 'sha384' ou 'sha512'.</target>
@@ -77,6 +92,11 @@
         <target state="translated">Valeur non valide pour {0}. La valeur doit être une URL HTTP ou HTTPS absolue.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Concurrence maximale.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Certains fichiers n’existent pas. Essayez d’utiliser une autre valeur {0} ou un chemin de fichier complet.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Algorithme de hachage pour le serveur d’horodatage RFC 3161. Les valeurs autorisées sont sha256, sha384 et sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.it.xlf b/src/Sign.Cli/xlf/Resources.it.xlf
index 18594555..7e67bd87 100644
--- a/src/Sign.Cli/xlf/Resources.it.xlf
+++ b/src/Sign.Cli/xlf/Resources.it.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Utilizzare l'archivio certificati di Windows o un file di certificato locale.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Consente di firmare file binari e contenitori.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valore non valido per {0}. Il valore deve essere 'sha256', 'sha384' o 'sha512'.</target>
@@ -77,6 +92,11 @@
         <target state="translated">Valore non valido per {0}. Il valore deve essere un URL HTTP o HTTPS assoluto.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Concorrenza massima.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Alcuni file non esistono.  Provare a usare un valore di {0} diverso o un percorso di file completo.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Algoritmo di digest per il server di timestamp RFC 3161. I valori consentiti sono sha256, sha384 e sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.ja.xlf b/src/Sign.Cli/xlf/Resources.ja.xlf
index 204a8dab..8dc8e043 100644
--- a/src/Sign.Cli/xlf/Resources.ja.xlf
+++ b/src/Sign.Cli/xlf/Resources.ja.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Windows 証明書ストアまたはローカル証明書ファイルを使用します。</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">バイナリとコンテナーに署名します。</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} の値が無効です。値は 'sha256'、'sha384'、または 'sha512' である必要があります。</target>
@@ -77,6 +92,11 @@
         <target state="translated">{0}の値が無効です。値は HTTP または HTTPS の絶対 URL である必要があります。</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">最大コンカレンシー。</target>
@@ -112,6 +132,11 @@
         <target state="translated">一部のファイルが存在しません。別の {0} 値または完全修飾ファイル パスを使用してみてください。</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">RFC 3161 タイムスタンプ サーバーのダイジェスト アルゴリズム。使用できる値は、sha256、sha384、および sha512 です。</target>
diff --git a/src/Sign.Cli/xlf/Resources.ko.xlf b/src/Sign.Cli/xlf/Resources.ko.xlf
index 3be29715..8b6933b4 100644
--- a/src/Sign.Cli/xlf/Resources.ko.xlf
+++ b/src/Sign.Cli/xlf/Resources.ko.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Windows 인증서 저장소 또는 로컬 인증서 파일을 사용합니다.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">이진 파일 및 컨테이너에 서명합니다.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0}에 대한 값이 잘못되었습니다. 값은 'sha256', 'sha384' 또는 'sha512'.여야 합니다.</target>
@@ -77,6 +92,11 @@
         <target state="translated">{0}에 대한 값이 잘못되었습니다. 값은 절대 HTTP 또는 HTTPS URL이어야 합니다.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">최대 동시성입니다.</target>
@@ -112,6 +132,11 @@
         <target state="translated">일부 파일이 존재하지 않습니다.  다른 {0} 값 또는 정규화된 파일 경로를 사용해 보세요.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">RFC 3161 타임스탬프 서버용 다이제스트 알고리즘입니다. 허용되는 값은 sha256, sha384 및 sha512입니다.</target>
diff --git a/src/Sign.Cli/xlf/Resources.pl.xlf b/src/Sign.Cli/xlf/Resources.pl.xlf
index c123396a..747ed164 100644
--- a/src/Sign.Cli/xlf/Resources.pl.xlf
+++ b/src/Sign.Cli/xlf/Resources.pl.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Użyj magazynu certyfikatów systemu Windows lub lokalnego pliku certyfikatów.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Podpisz pliki binarne i kontenery.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Nieprawidłowa wartość dla {0}. Wartością musi być „sha256”, „sha384”, lub „sha512”.</target>
@@ -77,6 +92,11 @@
         <target state="translated">Nieprawidłowa wartość dla {0}. Wartość musi być bezwzględnym adresem URL protokołu HTTP lub HTTPS.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Maksymalna współbieżność.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Niektóre pliki nie istnieją.  Spróbuj użyć innej wartości {0} lub w pełni kwalifikowanej ścieżki pliku.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Algorytm skrótu dla serwera znacznika czasu RFC 3161. Dozwolonymi wartościami są: sha256, sha384 i sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.pt-BR.xlf b/src/Sign.Cli/xlf/Resources.pt-BR.xlf
index c55b5f83..1743b3cf 100644
--- a/src/Sign.Cli/xlf/Resources.pt-BR.xlf
+++ b/src/Sign.Cli/xlf/Resources.pt-BR.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Use o Repositório de Certificados do Windows ou um arquivo de certificado local.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Autenticar contêineres e binários.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valor inválido para {0}. O valor deve ser 'sha256', 'sha384' ou 'sha512'.</target>
@@ -77,6 +92,11 @@
         <target state="translated">Valor inválido para {0}. O valor deve ser uma URL HTTP ou HTTPS absoluta.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Simultaneidade máxima.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Alguns arquivos não existem.  Tente usar um valor diferente de {0} ou um caminho de arquivo totalmente qualificado.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Resumo do algoritmo para o servidor de carimbo de data/hora RFC 3161. Os valores permitidos são sha256, sha384 e sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.ru.xlf b/src/Sign.Cli/xlf/Resources.ru.xlf
index a37483ac..c02a0735 100644
--- a/src/Sign.Cli/xlf/Resources.ru.xlf
+++ b/src/Sign.Cli/xlf/Resources.ru.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Используйте хранилище сертификатов Windows или локальный файл сертификата.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">Подписывание двоичных файлов и контейнеров.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Недопустимое значение для {0}. Необходимо использовать "sha256", "sha384" или "sha512".</target>
@@ -77,6 +92,11 @@
         <target state="translated">Недопустимое значение для {0}. Значение должно быть абсолютным URL-адресом HTTP или HTTPS.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Максимальный параллелизм.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Некоторые файлы не существуют.  Попробуйте использовать другое значение {0} или полный путь к файлу.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">Алгоритм дайджеста для сервера меток времени RFC 3161. Допустимые значения: sha256, sha384 и sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.tr.xlf b/src/Sign.Cli/xlf/Resources.tr.xlf
index 79cbcf74..8c634b67 100644
--- a/src/Sign.Cli/xlf/Resources.tr.xlf
+++ b/src/Sign.Cli/xlf/Resources.tr.xlf
@@ -17,6 +17,16 @@
         <target state="translated">Windows Sertifika Deposu veya yerel bir sertifika dosyası kullanın.</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">İkili dosyaları ve kapsayıcıları imzalayın.</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} için geçersiz değer. Değer 'sha256', 'sha384' veya 'sha512' olmalıdır.</target>
@@ -77,6 +92,11 @@
         <target state="translated">{0} için geçersiz değer. Değer mutlak bir HTTP veya HTTPS URL’si olmalıdır.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">Maksimum eşzamanlılık.</target>
@@ -112,6 +132,11 @@
         <target state="translated">Bazı dosyalar mevcut değil. Farklı bir {0} değeri veya tam bir dosya yolu kullanmayı deneyin.</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">RFC 3161 zaman damgası sunucusu için karma algoritması. İzin verilen değerler şunlardır. sha256, sha384 ve sha512.</target>
diff --git a/src/Sign.Cli/xlf/Resources.zh-Hans.xlf b/src/Sign.Cli/xlf/Resources.zh-Hans.xlf
index cfecc57f..df1a27be 100644
--- a/src/Sign.Cli/xlf/Resources.zh-Hans.xlf
+++ b/src/Sign.Cli/xlf/Resources.zh-Hans.xlf
@@ -17,6 +17,16 @@
         <target state="translated">使用 Windows 证书存储或本地证书文件。</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">对二进制文件和容器进行签名。</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} 的值无效。值必须为 "sha256"、"sha384" 或 "sha512"。</target>
@@ -77,6 +92,11 @@
         <target state="translated">{0} 的值无效。值必须是绝对 HTTP 或 HTTPS URL。</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">最大并发。</target>
@@ -112,6 +132,11 @@
         <target state="translated">某些文件不存在。请尝试使用其他 {0} 值或完全限定的文件路径。</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">RFC 3161 时间戳服务器的摘要算法。允许的值为 sha256、sha384 和 sha512。</target>
diff --git a/src/Sign.Cli/xlf/Resources.zh-Hant.xlf b/src/Sign.Cli/xlf/Resources.zh-Hant.xlf
index d21006c4..774b847b 100644
--- a/src/Sign.Cli/xlf/Resources.zh-Hant.xlf
+++ b/src/Sign.Cli/xlf/Resources.zh-Hant.xlf
@@ -17,6 +17,16 @@
         <target state="translated">使用 Windows 憑證存放區或本機憑證檔案。</target>
         <note />
       </trans-unit>
+      <trans-unit id="ClientIdOptionDescription">
+        <source>Client ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ClientSecretOptionDescription">
+        <source>Client secret to authenticate to Azure Key Vault.</source>
+        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="CodeCommandDescription">
         <source>Sign binaries and containers.</source>
         <target state="translated">簽署二進位檔和容器。</target>
@@ -57,6 +67,11 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
+      <trans-unit id="InvalidClientSecretCredential">
+        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
+        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
+        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
+      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} 的值無效。值必須是 'sha256'、'sha384' 或 'sha512'。</target>
@@ -77,6 +92,11 @@
         <target state="translated">{0} 的值無效。值必須是絕對 HTTP 或 HTTPS URL。</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="ManagedIdentityOptionDescription">
+        <source>Managed identity to authenticate to Azure Key Vault.</source>
+        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
         <source>Maximum concurrency.</source>
         <target state="translated">並行最大值。</target>
@@ -112,6 +132,11 @@
         <target state="translated">某些檔案不存在。請嘗試使用不同的 {0} 值或完整檔案路徑。</target>
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
+      <trans-unit id="TenantIdOptionDescription">
+        <source>Tenant ID to authenticate to Azure Key Vault.</source>
+        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
         <source>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</source>
         <target state="translated">RFC 3161 時間戳記伺服器的摘要演算法。允許的值為 sha256、sha384 和 sha512。</target>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
index 60055953..3a1efdef 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
index b509a8ee..f529142c 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
index 6c3ee824..c10a72e2 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
index e7ab7de6..0baec48c 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
index 9cc34f71..60483744 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
index b350db7a..31145fa7 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
index 6d1e1b17..85317288 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
index f70d470f..dbad6e6e 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
index c8382898..ae5787f6 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
index d770d712..72e96ab9 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
index 08e308eb..6a610f02 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
index 9ae6cda8..9a2520a0 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
index 4451f442..ee7ccd9e 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
@@ -12,16 +12,6 @@
         <target state="new">The Certificate Profile name.</target>
         <note />
       </trans-unit>
-      <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Trusted Signing.</source>
-        <target state="new">Client ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Trusted Signing.</source>
-        <target state="new">Client secret to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
       <trans-unit id="CommandDescription">
         <source>Use Trusted Signing</source>
         <target state="new">Use Trusted Signing</target>
@@ -32,21 +22,6 @@
         <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
         <note />
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
-      <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Trusted Signing.</source>
-        <target state="new">Managed identity to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Trusted Signing.</source>
-        <target state="new">Tenant ID to authenticate to Trusted Signing.</target>
-        <note />
-      </trans-unit>
     </body>
   </file>
 </xliff>
\ No newline at end of file
diff --git a/test/Sign.Cli.Test/AzureAuthOptionsTests.cs b/test/Sign.Cli.Test/AzureAuthOptionsTests.cs
new file mode 100644
index 00000000..97218b10
--- /dev/null
+++ b/test/Sign.Cli.Test/AzureAuthOptionsTests.cs
@@ -0,0 +1,61 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using System.CommandLine;
+
+namespace Sign.Cli.Test
+{
+    public class AzureAuthOptionsTests
+    {
+        private readonly AzureAuthOptions _options = new();
+
+        [Fact]
+        public void ManagedIdentityOption_Always_HasArityOfZeroOrOne()
+        {
+            Assert.Equal(ArgumentArity.ZeroOrOne, _options.ManagedIdentityOption.Arity);
+        }
+
+        [Fact]
+        public void ManagedIdentityOption_Always_IsNotRequired()
+        {
+            Assert.False(_options.ManagedIdentityOption.IsRequired);
+        }
+
+        [Fact]
+        public void TenantIdOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _options.TenantIdOption.Arity);
+        }
+
+        [Fact]
+        public void TenantIdOption_Always_IsNotRequired()
+        {
+            Assert.False(_options.TenantIdOption.IsRequired);
+        }
+
+        [Fact]
+        public void ClientIdOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _options.ClientIdOption.Arity);
+        }
+
+        [Fact]
+        public void ClientIdOption_Always_IsNotRequired()
+        {
+            Assert.False(_options.ClientIdOption.IsRequired);
+        }
+
+        [Fact]
+        public void ClientSecretOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _options.ClientSecretOption.Arity);
+        }
+
+        [Fact]
+        public void ClientSecretOption_Always_IsNotRequired()
+        {
+            Assert.False(_options.ClientSecretOption.IsRequired);
+        }
+    }
+}
diff --git a/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs b/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs
index 8dd507d4..ad9ef79e 100644
--- a/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs
+++ b/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs
@@ -44,54 +44,6 @@ public void CertificateOption_Always_IsRequired()
             Assert.True(_command.CertificateOption.IsRequired);
         }
 
-        [Fact]
-        public void ClientIdOption_Always_HasArityOfExactlyOne()
-        {
-            Assert.Equal(ArgumentArity.ExactlyOne, _command.ClientIdOption.Arity);
-        }
-
-        [Fact]
-        public void ClientIdOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.ClientIdOption.IsRequired);
-        }
-
-        [Fact]
-        public void ClientSecretOption_Always_HasArityOfExactlyOne()
-        {
-            Assert.Equal(ArgumentArity.ExactlyOne, _command.ClientSecretOption.Arity);
-        }
-
-        [Fact]
-        public void ClientSecretOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.ClientSecretOption.IsRequired);
-        }
-
-        [Fact]
-        public void ManagedIdentityOption_Always_HasArityOfZeroOrOne()
-        {
-            Assert.Equal(ArgumentArity.ZeroOrOne, _command.ManagedIdentityOption.Arity);
-        }
-
-        [Fact]
-        public void ManagedIdentityOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.ManagedIdentityOption.IsRequired);
-        }
-
-        [Fact]
-        public void TenantIdOption_Always_HasArityOfExactlyOne()
-        {
-            Assert.Equal(ArgumentArity.ExactlyOne, _command.TenantIdOption.Arity);
-        }
-
-        [Fact]
-        public void TenantIdOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.TenantIdOption.IsRequired);
-        }
-
         [Fact]
         public void UrlOption_Always_HasArityOfExactlyOne()
         {
@@ -123,12 +75,12 @@ public ParserTests()
             [InlineData("azure-key-vault -kvu https://keyvault.test a")]
             [InlineData("azure-key-vault -kvu https://keyvault.test -kvc")]
             [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c -kvs")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c -kvs d")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c -azs")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c -azs d")]
             public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string command)
             {
                 ParseResult result = _parser.Parse(command);
@@ -137,8 +89,8 @@ public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string comm
             }
 
             [Theory]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvm b")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c -kvs d e")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azm b")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c -azs d e")]
             public void Command_WhenRequiredArgumentsArePresent_HasNoError(string command)
             {
                 ParseResult result = _parser.Parse(command);
@@ -147,4 +99,4 @@ public void Command_WhenRequiredArgumentsArePresent_HasNoError(string command)
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/test/Sign.Cli.Test/SignCommandTests.Globbing.cs b/test/Sign.Cli.Test/SignCommandTests.Globbing.cs
index 74c4a65b..c9e4fd61 100644
--- a/test/Sign.Cli.Test/SignCommandTests.Globbing.cs
+++ b/test/Sign.Cli.Test/SignCommandTests.Globbing.cs
@@ -60,7 +60,7 @@ public void Dispose()
             public async Task Command_WhenFileIsGlobPattern_SignsOnlyMatches()
             {
                 string commandText = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -kvm --timestamp-url {TimestampUrl} "
+                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} "
                     + $"-b \"{_temporaryDirectory.Directory.FullName}\" **/*.dll";
 
                 int exitCode = await _parser.InvokeAsync(commandText);
@@ -78,7 +78,7 @@ public async Task Command_WhenFileIsGlobPattern_SignsOnlyMatches()
             public async Task Command_WhenFileIsGlobPatternWithSubdirectory_SignsOnlyMatches()
             {
                 string commandText = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -kvm --timestamp-url {TimestampUrl} "
+                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} "
                     + $"-b \"{_temporaryDirectory.Directory.FullName}\" **/e/*.dll";
 
                 int exitCode = await _parser.InvokeAsync(commandText);
@@ -94,7 +94,7 @@ public async Task Command_WhenFileIsGlobPatternWithSubdirectory_SignsOnlyMatches
             public async Task Command_WhenFileIsGlobPatternWithBracedExpansion_SignsOnlyMatches()
             {
                 string commandText = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                      + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -kvm --timestamp-url {TimestampUrl} "
+                      + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} "
                       + $"-b \"{_temporaryDirectory.Directory.FullName}\" **/*.{{dll,exe}}";
 
                 int exitCode = await _parser.InvokeAsync(commandText);
@@ -181,4 +181,4 @@ private static void EnsureParentDirectoriesExist(DirectoryInfo directory)
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/test/Sign.Cli.Test/SignCommandTests.cs b/test/Sign.Cli.Test/SignCommandTests.cs
index d13467fa..180a1088 100644
--- a/test/Sign.Cli.Test/SignCommandTests.cs
+++ b/test/Sign.Cli.Test/SignCommandTests.cs
@@ -73,7 +73,7 @@ public void Command_WhenArgumentAndOptionsAreMissing_HasError(string command)
         public void Command_WhenRequiredArgumentIsMissing_HasError()
         {
             string command = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -kvm --timestamp-url {TimestampUrl}";
+                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl}";
             ParseResult result = _parser.Parse(command);
 
             Assert.NotEmpty(result.Errors);
@@ -83,7 +83,7 @@ public void Command_WhenRequiredArgumentIsMissing_HasError()
         public void Command_WhenAllOptionsAndArgumentAreValid_HasNoError()
         {
             string command = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -kvm --timestamp-url {TimestampUrl} {File}";
+                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} {File}";
             ParseResult result = _parser.Parse(command);
 
             Assert.Empty(result.Errors);
@@ -96,4 +96,4 @@ public void Command_WhenAllOptionsAndArgumentAreValid_HasNoError()
             Assert.Equal(File, result.GetValueForArgument(_azureKeyVaultCommand.FileArgument));
         }
     }
-}
\ No newline at end of file
+}
diff --git a/test/Sign.Cli.Test/TrustedSigningCommandTests.cs b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
index 49e4b4ec..9060a72a 100644
--- a/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
+++ b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
@@ -68,54 +68,6 @@ public void CertificateProfileOption_Always_IsRequired()
             Assert.True(_command.CertificateProfileOption.IsRequired);
         }
 
-        [Fact]
-        public void ManagedIdentityOption_Always_HasArityOfZeroOrOne()
-        {
-            Assert.Equal(ArgumentArity.ZeroOrOne, _command.ManagedIdentityOption.Arity);
-        }
-
-        [Fact]
-        public void ManagedIdentityOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.ManagedIdentityOption.IsRequired);
-        }
-
-        [Fact]
-        public void TenantIdOption_Always_HasArityOfExactlyOne()
-        {
-            Assert.Equal(ArgumentArity.ExactlyOne, _command.TenantIdOption.Arity);
-        }
-
-        [Fact]
-        public void TenantIdOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.TenantIdOption.IsRequired);
-        }
-
-        [Fact]
-        public void ClientIdOption_Always_HasArityOfExactlyOne()
-        {
-            Assert.Equal(ArgumentArity.ExactlyOne, _command.ClientIdOption.Arity);
-        }
-
-        [Fact]
-        public void ClientIdOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.ClientIdOption.IsRequired);
-        }
-
-        [Fact]
-        public void ClientSecretOption_Always_HasArityOfExactlyOne()
-        {
-            Assert.Equal(ArgumentArity.ExactlyOne, _command.ClientSecretOption.Arity);
-        }
-
-        [Fact]
-        public void ClientSecretOption_Always_IsNotRequired()
-        {
-            Assert.False(_command.ClientSecretOption.IsRequired);
-        }
-
         public class ParserTests
         {
             private readonly TrustedSigningCommand _command;
@@ -135,12 +87,12 @@ public ParserTests()
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa")]
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a")]
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d -tss")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d -tss e")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d -azs")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d -azs e")]
             public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string command)
             {
                 ParseResult result = _parser.Parse(command);
@@ -149,8 +101,8 @@ public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string comm
             }
 
             [Theory]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tsm c")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -tst c -tsi d -tss e f")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azm c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d -azs e f")]
             public void Command_WhenRequiredArgumentsArePresent_HasNoError(string command)
             {
                 ParseResult result = _parser.Parse(command);

From 66669a2389f07fb4a83f5cd522f8fa24e49a24d1 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 18 Jun 2024 20:24:46 +0200
Subject: [PATCH 06/13] Improved translations.

---
 src/Sign.Cli/TrustedSigningResources.Designer.cs     | 4 ++--
 src/Sign.Cli/TrustedSigningResources.resx            | 4 ++--
 src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.de.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.es.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.it.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf   | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf      | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf | 8 ++++----
 src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf | 8 ++++----
 15 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/src/Sign.Cli/TrustedSigningResources.Designer.cs b/src/Sign.Cli/TrustedSigningResources.Designer.cs
index c6fd3d14..cd73ba54 100644
--- a/src/Sign.Cli/TrustedSigningResources.Designer.cs
+++ b/src/Sign.Cli/TrustedSigningResources.Designer.cs
@@ -79,7 +79,7 @@ internal static string CertificateProfileOptionDescription {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to Use Trusted Signing.
+        ///   Looks up a localized string similar to Use Trusted Signing..
         /// </summary>
         internal static string CommandDescription {
             get {
@@ -88,7 +88,7 @@ internal static string CommandDescription {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources..
+        ///   Looks up a localized string similar to The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in..
         /// </summary>
         internal static string EndpointOptionDescription {
             get {
diff --git a/src/Sign.Cli/TrustedSigningResources.resx b/src/Sign.Cli/TrustedSigningResources.resx
index 5226f388..e899487e 100644
--- a/src/Sign.Cli/TrustedSigningResources.resx
+++ b/src/Sign.Cli/TrustedSigningResources.resx
@@ -124,9 +124,9 @@
     <value>The Certificate Profile name.</value>
   </data>
   <data name="CommandDescription" xml:space="preserve">
-    <value>Use Trusted Signing</value>
+    <value>Use Trusted Signing.</value>
   </data>
   <data name="EndpointOptionDescription" xml:space="preserve">
-    <value>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</value>
+    <value>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</value>
   </data>
 </root>
\ No newline at end of file
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
index 3a1efdef..d0a3847e 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.cs.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
index f529142c..4439175b 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.de.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
index c10a72e2..1f919d4f 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.es.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
index 0baec48c..0862ceb8 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.fr.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
index 60483744..3918f419 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.it.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
index 31145fa7..acd4bfb0 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ja.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
index 85317288..7ea9fab3 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ko.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
index dbad6e6e..8c408c4c 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.pl.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
index ae5787f6..a6cfbb08 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.pt-BR.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
index 72e96ab9..624f84c9 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.ru.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
index 6a610f02..82ff9092 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.tr.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
index 9a2520a0..1fc298d2 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hans.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>
diff --git a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
index ee7ccd9e..697c4168 100644
--- a/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
+++ b/src/Sign.Cli/xlf/TrustedSigningResources.zh-Hant.xlf
@@ -13,13 +13,13 @@
         <note />
       </trans-unit>
       <trans-unit id="CommandDescription">
-        <source>Use Trusted Signing</source>
-        <target state="new">Use Trusted Signing</target>
+        <source>Use Trusted Signing.</source>
+        <target state="new">Use Trusted Signing.</target>
         <note />
       </trans-unit>
       <trans-unit id="EndpointOptionDescription">
-        <source>The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</source>
-        <target state="new">The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.</target>
+        <source>The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</source>
+        <target state="new">The Trusted Signing Account endpoint. The value must be a URI that aligns to the region that your Trusted Signing Account and Certificate Profile were created in.</target>
         <note />
       </trans-unit>
     </body>

From bf64312549bf093fac2744284bdb1e6c55f68c44 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 18 Jun 2024 20:29:21 +0200
Subject: [PATCH 07/13] Changes due to review comments.

---
 src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs | 2 +-
 .../TrustedSigningService.cs                                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs b/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
index a1fc7f0d..f59af6fe 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
+++ b/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
@@ -47,7 +47,7 @@ public override void ImportParameters(RSAParameters parameters)
 
         public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
         {
-            var signatureAlgorithm = GetSignatureAlgorithm(hash, padding);
+            SignatureAlgorithm signatureAlgorithm = GetSignatureAlgorithm(hash, padding);
             SignRequest request = new(signatureAlgorithm, hash);
             CertificateProfileSignOperation operation = _client.StartSign(_accountName, _certificateProfileName, request);
             Response<SignStatus> response = operation.WaitForCompletion();
diff --git a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
index 7cabeb1c..8be55573 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
+++ b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
@@ -61,7 +61,7 @@ public async Task<X509Certificate2> GetCertificateAsync(CancellationToken cancel
                 return new X509Certificate2(_publicKey);
             }
 
-            await _mutex.WaitAsync();
+            await _mutex.WaitAsync(cancellationToken);
             try
             {
                 if (_publicKey is null)

From 3ddb6808e0a6fa7a72474965edbe4f34ba8d8d38 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 18 Jun 2024 20:50:26 +0200
Subject: [PATCH 08/13] Use a different short option name for the
 --trusted-signing-certificate-profile option.

---
 src/Sign.Cli/TrustedSigningCommand.cs          |  2 +-
 .../TrustedSigningCommandTests.cs              | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/Sign.Cli/TrustedSigningCommand.cs b/src/Sign.Cli/TrustedSigningCommand.cs
index 0935551f..91b523a4 100644
--- a/src/Sign.Cli/TrustedSigningCommand.cs
+++ b/src/Sign.Cli/TrustedSigningCommand.cs
@@ -15,7 +15,7 @@ internal sealed class TrustedSigningCommand : Command
     {
         internal Option<Uri> EndpointOption { get; } = new(["-tse", "--trusted-signing-endpoint"], TrustedSigningResources.EndpointOptionDescription);
         internal Option<string> AccountOption { get; } = new(["-tsa", "--trusted-signing-account"], TrustedSigningResources.AccountOptionDescription);
-        internal Option<string> CertificateProfileOption { get; } = new(["-tsc", "--trusted-signing-certificate-profile"], TrustedSigningResources.CertificateProfileOptionDescription);
+        internal Option<string> CertificateProfileOption { get; } = new(["-tscp", "--trusted-signing-certificate-profile"], TrustedSigningResources.CertificateProfileOptionDescription);
         internal AzureAuthOptions AzureAuthOptions { get; } = new();
 
         internal Argument<string?> FileArgument { get; } = new("file(s)", Resources.FilesArgumentDescription);
diff --git a/test/Sign.Cli.Test/TrustedSigningCommandTests.cs b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
index 9060a72a..03b07388 100644
--- a/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
+++ b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
@@ -86,13 +86,13 @@ public ParserTests()
             [InlineData("trusted-signing -tse https://trustedsigning.test")]
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa")]
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d -azs")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d -azs e")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d -azs")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d -azs e")]
             public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string command)
             {
                 ParseResult result = _parser.Parse(command);
@@ -101,8 +101,8 @@ public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string comm
             }
 
             [Theory]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azm c")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tsc b -azt c -azi d -azs e f")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azm c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d -azs e f")]
             public void Command_WhenRequiredArgumentsArePresent_HasNoError(string command)
             {
                 ParseResult result = _parser.Parse(command);

From c785523e16ce54ba91d212d6b225852fe773e831 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 18 Jun 2024 21:19:58 +0200
Subject: [PATCH 09/13] Inject the logger in the constructor of the
 TrustedSigningService instead of an IServiceProvider.

---
 .../TrustedSigningService.cs                  | 11 +++--
 .../TrustedSigningServiceProvider.cs          |  5 ++-
 .../TrustedSigningServiceTests.cs             | 41 ++++++++-----------
 3 files changed, 25 insertions(+), 32 deletions(-)

diff --git a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
index 8be55573..419cd7c3 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
+++ b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
@@ -10,7 +10,6 @@
 using Azure.CodeSigning;
 using Azure.CodeSigning.Models;
 using Azure.Core;
-using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Sign.Core;
 
@@ -28,23 +27,23 @@ internal sealed class TrustedSigningService : ISignatureAlgorithmProvider, ICert
         private X509Certificate2? _publicKey;
 
         public TrustedSigningService(
-            IServiceProvider serviceProvider,
             TokenCredential tokenCredential,
             Uri endpointUrl,
             string accountName,
-            string certificateProfileName)
+            string certificateProfileName,
+            ILogger<TrustedSigningService> logger)
         {
-            ArgumentNullException.ThrowIfNull(serviceProvider, nameof(serviceProvider));
             ArgumentNullException.ThrowIfNull(tokenCredential, nameof(tokenCredential));
             ArgumentNullException.ThrowIfNull(endpointUrl, nameof(endpointUrl));
             ArgumentException.ThrowIfNullOrEmpty(accountName, nameof(accountName));
             ArgumentException.ThrowIfNullOrEmpty(certificateProfileName, nameof(certificateProfileName));
+            ArgumentNullException.ThrowIfNull(logger, nameof(logger));
 
-            _client = new CertificateProfileClient(tokenCredential, endpointUrl);
             _accountName = accountName;
             _certificateProfileName = certificateProfileName;
+            _logger = logger;
 
-            _logger = serviceProvider.GetRequiredService<ILogger<TrustedSigningService>>();
+            _client = new CertificateProfileClient(tokenCredential, endpointUrl);
         }
 
         public void Dispose()
diff --git a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs
index dbb01f63..aca0bd90 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs
+++ b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningServiceProvider.cs
@@ -3,6 +3,8 @@
 // See the LICENSE.txt file in the project root for more information.
 
 using Azure.Core;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using Sign.Core;
 
 namespace Sign.SignatureProviders.TrustedSigning
@@ -61,7 +63,8 @@ private TrustedSigningService GetService(IServiceProvider serviceProvider)
                     return _trustedSigningService;
                 }
 
-                _trustedSigningService = new TrustedSigningService(serviceProvider, _tokenCredential, _endpointUrl, _accountName, _certificateProfileName);
+                ILogger<TrustedSigningService> logger = serviceProvider.GetRequiredService<ILogger<TrustedSigningService>>();
+                _trustedSigningService = new TrustedSigningService(_tokenCredential, _endpointUrl, _accountName, _certificateProfileName, logger);
             }
 
             return _trustedSigningService;
diff --git a/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs b/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs
index 6015a736..e78d4215 100644
--- a/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs
+++ b/test/Sign.SignatureProviders.TrustedSigning.Test/TrustedSigningServiceTests.cs
@@ -3,10 +3,8 @@
 // See the LICENSE.txt file in the project root for more information.
 
 using Azure.Core;
-using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Moq;
-using Sign.TestInfrastructure;
 
 namespace Sign.SignatureProviders.TrustedSigning.Test
 {
@@ -16,29 +14,13 @@ public class TrustedSigningServiceTests
         private readonly static Uri EndpointUrl = new("https://trustedsigning.test");
         private const string AccountName = "a";
         private const string CertificateProfileName = "b";
-        private readonly IServiceProvider serviceProvider;
-
-        public TrustedSigningServiceTests()
-        {
-            ServiceCollection services = new();
-            services.AddSingleton<ILogger<TrustedSigningService>>(new TestLogger<TrustedSigningService>());
-            serviceProvider = services.BuildServiceProvider();
-        }
-
-        [Fact]
-        public void Constructor_WhenServiceProviderIsNull_Throws()
-        {
-            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
-                () => new TrustedSigningService(serviceProvider: null!, TokenCredential, EndpointUrl, AccountName, CertificateProfileName));
-
-            Assert.Equal("serviceProvider", exception.ParamName);
-        }
+        private readonly static ILogger<TrustedSigningService> Logger = Mock.Of<ILogger<TrustedSigningService>>();
 
         [Fact]
         public void Constructor_WhenTokenCredentialIsNull_Throws()
         {
             ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
-                () => new TrustedSigningService(serviceProvider, tokenCredential: null!, EndpointUrl, AccountName, CertificateProfileName));
+                () => new TrustedSigningService(tokenCredential: null!, EndpointUrl, AccountName, CertificateProfileName, Logger));
 
             Assert.Equal("tokenCredential", exception.ParamName);
         }
@@ -47,7 +29,7 @@ public void Constructor_WhenTokenCredentialIsNull_Throws()
         public void Constructor_WhenEndpointUrlIsNull_Throws()
         {
             ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
-                () => new TrustedSigningService(serviceProvider, TokenCredential, endpointUrl: null!, AccountName, CertificateProfileName));
+                () => new TrustedSigningService(TokenCredential, endpointUrl: null!, AccountName, CertificateProfileName, Logger));
 
             Assert.Equal("endpointUrl", exception.ParamName);
         }
@@ -56,7 +38,7 @@ public void Constructor_WhenEndpointUrlIsNull_Throws()
         public void Constructor_WhenAccountNameIsNull_Throws()
         {
             ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
-                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, accountName: null!, CertificateProfileName));
+                () => new TrustedSigningService(TokenCredential, EndpointUrl, accountName: null!, CertificateProfileName, Logger));
 
             Assert.Equal("accountName", exception.ParamName);
         }
@@ -65,7 +47,7 @@ public void Constructor_WhenAccountNameIsNull_Throws()
         public void Constructor_WhenAccountNameIsEmpty_Throws()
         {
             ArgumentException exception = Assert.Throws<ArgumentException>(
-                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, accountName: string.Empty, CertificateProfileName));
+                () => new TrustedSigningService(TokenCredential, EndpointUrl, accountName: string.Empty, CertificateProfileName, Logger));
 
             Assert.Equal("accountName", exception.ParamName);
         }
@@ -74,7 +56,7 @@ public void Constructor_WhenAccountNameIsEmpty_Throws()
         public void Constructor_WhenCertificateProfileNameIsNull_Throws()
         {
             ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
-                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, AccountName, certificateProfileName: null!));
+                () => new TrustedSigningService(TokenCredential, EndpointUrl, AccountName, certificateProfileName: null!, Logger));
 
             Assert.Equal("certificateProfileName", exception.ParamName);
         }
@@ -83,9 +65,18 @@ public void Constructor_WhenCertificateProfileNameIsNull_Throws()
         public void Constructor_WhenCertificateProfileNameIsEmpty_Throws()
         {
             ArgumentException exception = Assert.Throws<ArgumentException>(
-                () => new TrustedSigningService(serviceProvider, TokenCredential, EndpointUrl, AccountName, certificateProfileName: string.Empty));
+                () => new TrustedSigningService(TokenCredential, EndpointUrl, AccountName, certificateProfileName: string.Empty, Logger));
 
             Assert.Equal("certificateProfileName", exception.ParamName);
         }
+
+        [Fact]
+        public void Constructor_WhenLoggerIsNull_Throws()
+        {
+            ArgumentNullException exception = Assert.Throws<ArgumentNullException>(
+                () => new TrustedSigningService(TokenCredential, EndpointUrl, AccountName, CertificateProfileName, logger: null!));
+
+            Assert.Equal("logger", exception.ParamName);
+        }
     }
 }

From 3a5db7e4c763d5b6ba46b79f4bbfd9b19ddc56cb Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Tue, 18 Jun 2024 23:24:16 +0200
Subject: [PATCH 10/13] Use certificate instead of public key in the naming and
 dded comment to make it more clear that the certificate chain is in
 root->leaf order.

---
 .../RSATrustedSigning.cs                      |  8 ++++----
 .../TrustedSigningService.cs                  | 19 ++++++++++---------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs b/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
index f59af6fe..d6fdebaa 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
+++ b/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs
@@ -15,22 +15,22 @@ internal sealed class RSATrustedSigning : RSA
         private readonly CertificateProfileClient _client;
         private readonly string _accountName;
         private readonly string _certificateProfileName;
-        private readonly X509Certificate2 _publicKey;
+        private readonly X509Certificate2 _certificate;
 
         public RSATrustedSigning(
             CertificateProfileClient client,
             string accountName,
             string certificateProfileName,
-            X509Certificate2 publicKey)
+            X509Certificate2 certificate)
         {
             _client = client;
             _accountName = accountName;
             _certificateProfileName = certificateProfileName;
-            _publicKey = publicKey;
+            _certificate = certificate;
         }
 
         private RSA PublicKey
-            => _publicKey.GetRSAPublicKey()!;
+            => _certificate.GetRSAPublicKey()!;
 
         public override RSAParameters ExportParameters(bool includePrivateParameters)
         {
diff --git a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
index 419cd7c3..da9761aa 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
+++ b/src/Sign.SignatureProviders.TrustedSigning/TrustedSigningService.cs
@@ -24,7 +24,7 @@ internal sealed class TrustedSigningService : ISignatureAlgorithmProvider, ICert
         private readonly string _certificateProfileName;
         private readonly ILogger<TrustedSigningService> _logger;
         private readonly SemaphoreSlim _mutex = new(1);
-        private X509Certificate2? _publicKey;
+        private X509Certificate2? _certificate;
 
         public TrustedSigningService(
             TokenCredential tokenCredential,
@@ -49,21 +49,21 @@ public TrustedSigningService(
         public void Dispose()
         {
             _mutex.Dispose();
-            _publicKey?.Dispose();
+            _certificate?.Dispose();
             GC.SuppressFinalize(this);
         }
 
         public async Task<X509Certificate2> GetCertificateAsync(CancellationToken cancellationToken)
         {
-            if (_publicKey is not null)
+            if (_certificate is not null)
             {
-                return new X509Certificate2(_publicKey);
+                return new X509Certificate2(_certificate);
             }
 
             await _mutex.WaitAsync(cancellationToken);
             try
             {
-                if (_publicKey is null)
+                if (_certificate is null)
                 {
                     Stopwatch stopwatch = Stopwatch.StartNew();
 
@@ -76,7 +76,8 @@ public async Task<X509Certificate2> GetCertificateAsync(CancellationToken cancel
                     X509Certificate2Collection collection = [];
                     collection.Import(rawData);
 
-                    _publicKey = collection[collection.Count - 1];
+                    // This should contain the certificate chain in root->leaf order.
+                    _certificate = collection[collection.Count - 1];
 
                     _logger.LogTrace(Resources.FetchedCertificate, stopwatch.Elapsed.TotalMilliseconds);
                 }
@@ -86,13 +87,13 @@ public async Task<X509Certificate2> GetCertificateAsync(CancellationToken cancel
                 _mutex.Release();
             }
 
-            return new X509Certificate2(_publicKey);
+            return new X509Certificate2(_certificate);
         }
 
         public async Task<RSA> GetRsaAsync(CancellationToken cancellationToken)
         {
-            X509Certificate2 publicKey = await GetCertificateAsync(cancellationToken);
-            return new RSATrustedSigning(_client, _accountName, _certificateProfileName, publicKey);
+            X509Certificate2 certificate = await GetCertificateAsync(cancellationToken);
+            return new RSATrustedSigning(_client, _accountName, _certificateProfileName, certificate);
         }
     }
 }

From 9e930d036362ddae7f0f0ec9de25c01d8a59ad0d Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Thu, 20 Jun 2024 17:37:16 +0200
Subject: [PATCH 11/13] Create separate resource file for the
 Sign.SignatureProviders.TrustedSigning library.

---
 .../Resources.Designer.cs                     |  81 +++++++++++
 .../Resources.resx                            | 127 ++++++++++++++++++
 ...n.SignatureProviders.TrustedSigning.csproj |  14 ++
 .../xlf/Resources.cs.xlf                      |  17 +++
 .../xlf/Resources.de.xlf                      |  17 +++
 .../xlf/Resources.es.xlf                      |  17 +++
 .../xlf/Resources.fr.xlf                      |  17 +++
 .../xlf/Resources.it.xlf                      |  17 +++
 .../xlf/Resources.ja.xlf                      |  17 +++
 .../xlf/Resources.ko.xlf                      |  17 +++
 .../xlf/Resources.pl.xlf                      |  17 +++
 .../xlf/Resources.pt-BR.xlf                   |  17 +++
 .../xlf/Resources.ru.xlf                      |  17 +++
 .../xlf/Resources.tr.xlf                      |  17 +++
 .../xlf/Resources.zh-Hans.xlf                 |  17 +++
 .../xlf/Resources.zh-Hant.xlf                 |  17 +++
 16 files changed, 443 insertions(+)
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/Resources.Designer.cs
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/Resources.resx
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.cs.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.de.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.es.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.fr.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.it.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ja.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ko.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pl.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pt-BR.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ru.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.tr.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hans.xlf
 create mode 100644 src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hant.xlf

diff --git a/src/Sign.SignatureProviders.TrustedSigning/Resources.Designer.cs b/src/Sign.SignatureProviders.TrustedSigning/Resources.Designer.cs
new file mode 100644
index 00000000..a7210e20
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/Resources.Designer.cs
@@ -0,0 +1,81 @@
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by a tool.
+//     Runtime Version:4.0.30319.42000
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+namespace Sign.SignatureProviders.TrustedSigning {
+    using System;
+    
+    
+    /// <summary>
+    ///   A strongly-typed resource class, for looking up localized strings, etc.
+    /// </summary>
+    // This class was auto-generated by the StronglyTypedResourceBuilder
+    // class via a tool like ResGen or Visual Studio.
+    // To add or remove a member, edit your .ResX file then rerun ResGen
+    // with the /str option, or rebuild your VS project.
+    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "17.0.0.0")]
+    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+    internal class Resources {
+        
+        private static global::System.Resources.ResourceManager resourceMan;
+        
+        private static global::System.Globalization.CultureInfo resourceCulture;
+        
+        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+        internal Resources() {
+        }
+        
+        /// <summary>
+        ///   Returns the cached ResourceManager instance used by this class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Resources.ResourceManager ResourceManager {
+            get {
+                if (object.ReferenceEquals(resourceMan, null)) {
+                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Sign.SignatureProviders.TrustedSigning.Resources", typeof(Resources).Assembly);
+                    resourceMan = temp;
+                }
+                return resourceMan;
+            }
+        }
+        
+        /// <summary>
+        ///   Overrides the current thread's CurrentUICulture property for all
+        ///   resource lookups using this strongly typed resource class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Globalization.CultureInfo Culture {
+            get {
+                return resourceCulture;
+            }
+            set {
+                resourceCulture = value;
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Fetched certificate. [{milliseconds} ms].
+        /// </summary>
+        internal static string FetchedCertificate {
+            get {
+                return ResourceManager.GetString("FetchedCertificate", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to Fetching certificate from Trusted Signing certificate profile..
+        /// </summary>
+        internal static string FetchingCertificate {
+            get {
+                return ResourceManager.GetString("FetchingCertificate", resourceCulture);
+            }
+        }
+    }
+}
diff --git a/src/Sign.SignatureProviders.TrustedSigning/Resources.resx b/src/Sign.SignatureProviders.TrustedSigning/Resources.resx
new file mode 100644
index 00000000..821cb271
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/Resources.resx
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="utf-8"?>
+<root>
+  <!-- 
+    Microsoft ResX Schema 
+    
+    Version 2.0
+    
+    The primary goals of this format is to allow a simple XML format 
+    that is mostly human readable. The generation and parsing of the 
+    various data types are done through the TypeConverter classes 
+    associated with the data types.
+    
+    Example:
+    
+    ... ado.net/XML headers & schema ...
+    <resheader name="resmimetype">text/microsoft-resx</resheader>
+    <resheader name="version">2.0</resheader>
+    <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
+    <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
+    <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
+    <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
+    <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
+        <value>[base64 mime encoded serialized .NET Framework object]</value>
+    </data>
+    <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
+        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
+        <comment>This is a comment</comment>
+    </data>
+                
+    There are any number of "resheader" rows that contain simple 
+    name/value pairs.
+    
+    Each data row contains a name, and value. The row also contains a 
+    type or mimetype. Type corresponds to a .NET class that support 
+    text/value conversion through the TypeConverter architecture. 
+    Classes that don't support this are serialized and stored with the 
+    mimetype set.
+    
+    The mimetype is used for serialized objects, and tells the 
+    ResXResourceReader how to depersist the object. This is currently not 
+    extensible. For a given mimetype the value must be set accordingly:
+    
+    Note - application/x-microsoft.net.object.binary.base64 is the format 
+    that the ResXResourceWriter will generate, however the reader can 
+    read any of the formats listed below.
+    
+    mimetype: application/x-microsoft.net.object.binary.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+            : and then encoded with base64 encoding.
+    
+    mimetype: application/x-microsoft.net.object.soap.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+            : and then encoded with base64 encoding.
+
+    mimetype: application/x-microsoft.net.object.bytearray.base64
+    value   : The object must be serialized into a byte array 
+            : using a System.ComponentModel.TypeConverter
+            : and then encoded with base64 encoding.
+    -->
+  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
+  </xsd:schema>
+  <resheader name="resmimetype">
+    <value>text/microsoft-resx</value>
+  </resheader>
+  <resheader name="version">
+    <value>2.0</value>
+  </resheader>
+  <resheader name="reader">
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <resheader name="writer">
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <data name="FetchedCertificate" xml:space="preserve">
+    <value>Fetched certificate. [{milliseconds} ms]</value>
+    <comment>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</comment>
+  </data>
+  <data name="FetchingCertificate" xml:space="preserve">
+    <value>Fetching certificate from Trusted Signing certificate profile.</value>
+  </data>
+</root>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj b/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
index b8e2cef0..cba0188b 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
+++ b/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
@@ -19,4 +19,18 @@
     <InternalsVisibleTo Include="Sign.SignatureProviders.TrustedSigning.Test" />
   </ItemGroup>
 
+  <ItemGroup>
+    <Compile Update="Resources.Designer.cs">
+      <DesignTime>True</DesignTime>
+      <AutoGen>True</AutoGen>
+      <DependentUpon>Resources.resx</DependentUpon>
+    </Compile>
+  </ItemGroup>
+
+  <ItemGroup>
+    <EmbeddedResource Update="Resources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.cs.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.cs.xlf
new file mode 100644
index 00000000..555039b1
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.cs.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="cs" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.de.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.de.xlf
new file mode 100644
index 00000000..ae313658
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.de.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="de" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.es.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.es.xlf
new file mode 100644
index 00000000..447121e7
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.es.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="es" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.fr.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.fr.xlf
new file mode 100644
index 00000000..c67d7ea0
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.fr.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="fr" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.it.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.it.xlf
new file mode 100644
index 00000000..2025d598
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.it.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="it" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ja.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ja.xlf
new file mode 100644
index 00000000..a0e3a21c
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ja.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="ja" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ko.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ko.xlf
new file mode 100644
index 00000000..5e435f06
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ko.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="ko" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pl.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pl.xlf
new file mode 100644
index 00000000..fcbe4a67
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pl.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="pl" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pt-BR.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pt-BR.xlf
new file mode 100644
index 00000000..ee948091
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.pt-BR.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="pt-BR" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ru.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ru.xlf
new file mode 100644
index 00000000..c751fa2b
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.ru.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="ru" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.tr.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.tr.xlf
new file mode 100644
index 00000000..5663ea3e
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.tr.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="tr" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hans.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hans.xlf
new file mode 100644
index 00000000..02f43e30
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hans.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="zh-Hans" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file
diff --git a/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hant.xlf b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hant.xlf
new file mode 100644
index 00000000..89b64b0d
--- /dev/null
+++ b/src/Sign.SignatureProviders.TrustedSigning/xlf/Resources.zh-Hant.xlf
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
+  <file datatype="xml" source-language="en" target-language="zh-Hant" original="../Resources.resx">
+    <body>
+      <trans-unit id="FetchedCertificate">
+        <source>Fetched certificate. [{milliseconds} ms]</source>
+        <target state="new">Fetched certificate. [{milliseconds} ms]</target>
+        <note>{Placeholder="{milliseconds}"} is a decimal number representing the number of milliseconds elapsed, and "ms" is the unit abbreviation for milliseconds.</note>
+      </trans-unit>
+      <trans-unit id="FetchingCertificate">
+        <source>Fetching certificate from Trusted Signing certificate profile.</source>
+        <target state="new">Fetching certificate from Trusted Signing certificate profile.</target>
+        <note />
+      </trans-unit>
+    </body>
+  </file>
+</xliff>
\ No newline at end of file

From ce905d089b3012fe501c2f194923bcfce45eeb89 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Thu, 20 Jun 2024 17:45:18 +0200
Subject: [PATCH 12/13] Updated comment to make it more clear why the reference
 was added.

---
 .../Sign.SignatureProviders.TrustedSigning.csproj           | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj b/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
index cba0188b..f83b9212 100644
--- a/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
+++ b/src/Sign.SignatureProviders.TrustedSigning/Sign.SignatureProviders.TrustedSigning.csproj
@@ -5,7 +5,11 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <!-- This can probably be removed here and in Directory.Packages.props once we upgrade to a different Trusted Signing library -->
+    <!--
+    NuGet package Azure.CodeSigning.Sdk 0.1.96 depends on NuGet package Azure.Core 1.25.0 or later. However, Azure.CodeSigning.dll
+    (in the Azure.CodeSigning.Sdk package) actually references Azure.Core.dll 1.27.0. When this mismatch is resolved, this explicit
+    package reference can be removed here and in the Directory.Packages.props.
+    -->
     <PackageReference Include="Azure.Core" />
     <PackageReference Include="Azure.CodeSigning.Sdk" />
   </ItemGroup>

From 57ad13aff610291da3f79e526d2c05e40cc09ef5 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Thu, 20 Jun 2024 23:29:22 +0200
Subject: [PATCH 13/13] Renamed the class that contains the options for the
 credentials and default to DefaultAzureCredential instead.

---
 ...thOptions.cs => AzureCredentialOptions.cs} | 34 ++++++++-----------
 src/Sign.Cli/AzureKeyVaultCommand.cs          |  6 ++--
 src/Sign.Cli/Resources.Designer.cs            | 26 +++++++-------
 src/Sign.Cli/Resources.resx                   | 15 ++++----
 src/Sign.Cli/TrustedSigningCommand.cs         |  6 ++--
 src/Sign.Cli/xlf/Resources.cs.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.de.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.es.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.fr.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.it.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.ja.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.ko.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.pl.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.pt-BR.xlf          | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.ru.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.tr.xlf             | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.zh-Hans.xlf        | 26 +++++++-------
 src/Sign.Cli/xlf/Resources.zh-Hant.xlf        | 26 +++++++-------
 ...ests.cs => AzureCredentialOptionsTests.cs} |  4 +--
 .../AzureKeyVaultCommandTests.cs              | 16 ++++-----
 .../SignCommandTests.Globbing.cs              |  6 ++--
 test/Sign.Cli.Test/SignCommandTests.cs        |  4 +--
 .../TrustedSigningCommandTests.cs             | 16 ++++-----
 23 files changed, 232 insertions(+), 239 deletions(-)
 rename src/Sign.Cli/{AzureAuthOptions.cs => AzureCredentialOptions.cs} (51%)
 rename test/Sign.Cli.Test/{AzureAuthOptionsTests.cs => AzureCredentialOptionsTests.cs} (93%)

diff --git a/src/Sign.Cli/AzureAuthOptions.cs b/src/Sign.Cli/AzureCredentialOptions.cs
similarity index 51%
rename from src/Sign.Cli/AzureAuthOptions.cs
rename to src/Sign.Cli/AzureCredentialOptions.cs
index e217a396..c6380457 100644
--- a/src/Sign.Cli/AzureAuthOptions.cs
+++ b/src/Sign.Cli/AzureCredentialOptions.cs
@@ -4,18 +4,18 @@
 
 using System.CommandLine;
 using System.CommandLine.Invocation;
+using System.CommandLine.IO;
 using Azure.Core;
 using Azure.Identity;
-using Sign.Core;
 
 namespace Sign.Cli
 {
-    internal sealed class AzureAuthOptions
+    internal sealed class AzureCredentialOptions
     {
-        internal Option<bool> ManagedIdentityOption { get; } = new(["-azm", "--azure-managed-identity"], getDefaultValue: () => false, Resources.ManagedIdentityOptionDescription);
-        internal Option<string?> TenantIdOption { get; } = new(["-azt", "--azure-tenant-id"], Resources.TenantIdOptionDescription);
-        internal Option<string?> ClientIdOption { get; } = new(["-azi", "--azure-client-id"], Resources.ClientIdOptionDescription);
-        internal Option<string?> ClientSecretOption { get; } = new(["-azs", "--azure-client-secret"], Resources.ClientSecretOptionDescription);
+        internal Option<bool?> ManagedIdentityOption { get; } = new(["-kvm", "--azure-key-vault-managed-identity"], Resources.ManagedIdentityOptionDescription);
+        internal Option<string?> TenantIdOption { get; } = new(["-kvt", "--azure-key-vault-tenant-id"], Resources.TenantIdOptionDescription);
+        internal Option<string?> ClientIdOption { get; } = new(["-kvi", "--azure-key-vault-client-id"], Resources.ClientIdOptionDescription);
+        internal Option<string?> ClientSecretOption { get; } = new(["-kvs", "--azure-key-vault-client-secret"], Resources.ClientSecretOptionDescription);
 
         internal void AddOptionsToCommand(Command command)
         {
@@ -27,31 +27,25 @@ internal void AddOptionsToCommand(Command command)
 
         internal TokenCredential? CreateTokenCredential(InvocationContext context)
         {
-            bool useManagedIdentity = context.ParseResult.GetValueForOption(ManagedIdentityOption);
+            bool? useManagedIdentity = context.ParseResult.GetValueForOption(ManagedIdentityOption);
 
-            if (useManagedIdentity)
+            if (useManagedIdentity is not null)
             {
-                return new DefaultAzureCredential();
+                context.Console.Out.WriteLine(Resources.ManagedIdentityOptionObsolete);
             }
 
             string? tenantId = context.ParseResult.GetValueForOption(TenantIdOption);
             string? clientId = context.ParseResult.GetValueForOption(ClientIdOption);
             string? secret = context.ParseResult.GetValueForOption(ClientSecretOption);
 
-            if (string.IsNullOrEmpty(tenantId) ||
-                string.IsNullOrEmpty(clientId) ||
-                string.IsNullOrEmpty(secret))
+            if (!string.IsNullOrEmpty(tenantId) &&
+                !string.IsNullOrEmpty(clientId) &&
+                !string.IsNullOrEmpty(secret))
             {
-                context.Console.Error.WriteFormattedLine(
-                    Resources.InvalidClientSecretCredential,
-                    TenantIdOption,
-                    ClientIdOption,
-                    ClientSecretOption);
-                context.ExitCode = ExitCode.NoInputsFound;
-                return null;
+                return new ClientSecretCredential(tenantId, clientId, secret);
             }
 
-            return new ClientSecretCredential(tenantId, clientId, secret);
+            return new DefaultAzureCredential();
         }
     }
 }
diff --git a/src/Sign.Cli/AzureKeyVaultCommand.cs b/src/Sign.Cli/AzureKeyVaultCommand.cs
index 925ead0b..ef423635 100644
--- a/src/Sign.Cli/AzureKeyVaultCommand.cs
+++ b/src/Sign.Cli/AzureKeyVaultCommand.cs
@@ -15,7 +15,7 @@ internal sealed class AzureKeyVaultCommand : Command
     {
         internal Option<Uri> UrlOption { get; } = new(["-kvu", "--azure-key-vault-url"], AzureKeyVaultResources.UrlOptionDescription);
         internal Option<string> CertificateOption { get; } = new(["-kvc", "--azure-key-vault-certificate"], AzureKeyVaultResources.CertificateOptionDescription);
-        internal AzureAuthOptions AzureAuthOptions { get; } = new();
+        internal AzureCredentialOptions AzureCredentialOptions { get; } = new();
 
         internal Argument<string?> FileArgument { get; } = new("file(s)", Resources.FilesArgumentDescription);
 
@@ -30,7 +30,7 @@ internal AzureKeyVaultCommand(CodeCommand codeCommand, IServiceProviderFactory s
 
             AddOption(UrlOption);
             AddOption(CertificateOption);
-            AzureAuthOptions.AddOptionsToCommand(this);
+            AzureCredentialOptions.AddOptionsToCommand(this);
 
             AddArgument(FileArgument);
 
@@ -54,7 +54,7 @@ internal AzureKeyVaultCommand(CodeCommand codeCommand, IServiceProviderFactory s
                     return;
                 }
 
-                TokenCredential? credential = AzureAuthOptions.CreateTokenCredential(context);
+                TokenCredential? credential = AzureCredentialOptions.CreateTokenCredential(context);
                 if (credential is null)
                 {
                     return;
diff --git a/src/Sign.Cli/Resources.Designer.cs b/src/Sign.Cli/Resources.Designer.cs
index c8ec3319..f58b91f0 100644
--- a/src/Sign.Cli/Resources.Designer.cs
+++ b/src/Sign.Cli/Resources.Designer.cs
@@ -88,7 +88,7 @@ internal static string CertificateStoreCommandDescription {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to Client ID to authenticate to Azure Key Vault..
+        ///   Looks up a localized string similar to Client ID to authenticate to Azure..
         /// </summary>
         internal static string ClientIdOptionDescription {
             get {
@@ -97,7 +97,7 @@ internal static string ClientIdOptionDescription {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to Client secret to authenticate to Azure Key Vault..
+        ///   Looks up a localized string similar to Client secret to authenticate to Azure..
         /// </summary>
         internal static string ClientSecretOptionDescription {
             get {
@@ -177,15 +177,6 @@ internal static string InvalidCertificateFingerprintValue {
             }
         }
         
-        /// <summary>
-        ///   Looks up a localized string similar to If not using a managed identity, all of these options are required: {0}, {1}, and {2}..
-        /// </summary>
-        internal static string InvalidClientSecretCredential {
-            get {
-                return ResourceManager.GetString("InvalidClientSecretCredential", resourceCulture);
-            }
-        }
-        
         /// <summary>
         ///   Looks up a localized string similar to Invalid value for {0}. The value must be &apos;sha256&apos;, &apos;sha384&apos;, or &apos;sha512&apos;..
         /// </summary>
@@ -223,7 +214,7 @@ internal static string InvalidUrlValue {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to Managed identity to authenticate to Azure Key Vault..
+        ///   Looks up a localized string similar to Managed identity to authenticate to Azure Key. (obsolete).
         /// </summary>
         internal static string ManagedIdentityOptionDescription {
             get {
@@ -231,6 +222,15 @@ internal static string ManagedIdentityOptionDescription {
             }
         }
         
+        /// <summary>
+        ///   Looks up a localized string similar to The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified..
+        /// </summary>
+        internal static string ManagedIdentityOptionObsolete {
+            get {
+                return ResourceManager.GetString("ManagedIdentityOptionObsolete", resourceCulture);
+            }
+        }
+        
         /// <summary>
         ///   Looks up a localized string similar to Maximum concurrency..
         /// </summary>
@@ -295,7 +295,7 @@ internal static string SomeFilesDoNotExist {
         }
         
         /// <summary>
-        ///   Looks up a localized string similar to Tenant ID to authenticate to Azure Key Vault..
+        ///   Looks up a localized string similar to Tenant ID to authenticate to Azure..
         /// </summary>
         internal static string TenantIdOptionDescription {
             get {
diff --git a/src/Sign.Cli/Resources.resx b/src/Sign.Cli/Resources.resx
index 584c3ec0..daf1555d 100644
--- a/src/Sign.Cli/Resources.resx
+++ b/src/Sign.Cli/Resources.resx
@@ -127,10 +127,10 @@
     <value>Use Windows Certificate Store or a local certificate file.</value>
   </data>
   <data name="ClientIdOptionDescription" xml:space="preserve">
-    <value>Client ID to authenticate to Azure Key Vault.</value>
+    <value>Client ID to authenticate to Azure.</value>
   </data>
   <data name="ClientSecretOptionDescription" xml:space="preserve">
-    <value>Client secret to authenticate to Azure Key Vault.</value>
+    <value>Client secret to authenticate to Azure.</value>
   </data>
   <data name="CodeCommandDescription" xml:space="preserve">
     <value>Sign binaries and containers.</value>
@@ -159,10 +159,6 @@
     <value>Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</value>
     <comment>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</comment>
   </data>
-  <data name="InvalidClientSecretCredential" xml:space="preserve">
-    <value>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</value>
-    <comment>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</comment>
-  </data>
   <data name="InvalidDigestValue" xml:space="preserve">
     <value>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</value>
     <comment>{Locked="sha256", "sha384", "sha512"} are cryptographic hash algorithm names and should not be localized.  {NumberedPlaceholder="{0}"} is an option name (e.g.:  --file-digest) and should not be localized.</comment>
@@ -179,7 +175,10 @@
     <comment>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</comment>
   </data>
   <data name="ManagedIdentityOptionDescription" xml:space="preserve">
-    <value>Managed identity to authenticate to Azure Key Vault.</value>
+    <value>Managed identity to authenticate to Azure Key. (obsolete)</value>
+  </data>
+  <data name="ManagedIdentityOptionObsolete" xml:space="preserve">
+    <value>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</value>
   </data>
   <data name="MaxConcurrencyOptionDescription" xml:space="preserve">
     <value>Maximum concurrency.</value>
@@ -205,7 +204,7 @@
     <comment>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</comment>
   </data>
   <data name="TenantIdOptionDescription" xml:space="preserve">
-    <value>Tenant ID to authenticate to Azure Key Vault.</value>
+    <value>Tenant ID to authenticate to Azure.</value>
   </data>
   <data name="TimestampDigestOptionDescription" xml:space="preserve">
     <value>Digest algorithm for the RFC 3161 timestamp server. Allowed values are sha256, sha384, and sha512.</value>
diff --git a/src/Sign.Cli/TrustedSigningCommand.cs b/src/Sign.Cli/TrustedSigningCommand.cs
index 91b523a4..0c2809d8 100644
--- a/src/Sign.Cli/TrustedSigningCommand.cs
+++ b/src/Sign.Cli/TrustedSigningCommand.cs
@@ -16,7 +16,7 @@ internal sealed class TrustedSigningCommand : Command
         internal Option<Uri> EndpointOption { get; } = new(["-tse", "--trusted-signing-endpoint"], TrustedSigningResources.EndpointOptionDescription);
         internal Option<string> AccountOption { get; } = new(["-tsa", "--trusted-signing-account"], TrustedSigningResources.AccountOptionDescription);
         internal Option<string> CertificateProfileOption { get; } = new(["-tscp", "--trusted-signing-certificate-profile"], TrustedSigningResources.CertificateProfileOptionDescription);
-        internal AzureAuthOptions AzureAuthOptions { get; } = new();
+        internal AzureCredentialOptions AzureCredentialOptions { get; } = new();
 
         internal Argument<string?> FileArgument { get; } = new("file(s)", Resources.FilesArgumentDescription);
 
@@ -33,7 +33,7 @@ internal TrustedSigningCommand(CodeCommand codeCommand, IServiceProviderFactory
             AddOption(EndpointOption);
             AddOption(AccountOption);
             AddOption(CertificateProfileOption);
-            AzureAuthOptions.AddOptionsToCommand(this);
+            AzureCredentialOptions.AddOptionsToCommand(this);
 
             AddArgument(FileArgument);
 
@@ -48,7 +48,7 @@ internal TrustedSigningCommand(CodeCommand codeCommand, IServiceProviderFactory
                     return;
                 }
 
-                TokenCredential? credential = AzureAuthOptions.CreateTokenCredential(context);
+                TokenCredential? credential = AzureCredentialOptions.CreateTokenCredential(context);
                 if (credential is null)
                 {
                     return;
diff --git a/src/Sign.Cli/xlf/Resources.cs.xlf b/src/Sign.Cli/xlf/Resources.cs.xlf
index a99251cf..db722b16 100644
--- a/src/Sign.Cli/xlf/Resources.cs.xlf
+++ b/src/Sign.Cli/xlf/Resources.cs.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Neplatná hodnota pro {0}. Hodnota musí být sha256, sha384 nebo sha512.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.de.xlf b/src/Sign.Cli/xlf/Resources.de.xlf
index 26495085..b00461c5 100644
--- a/src/Sign.Cli/xlf/Resources.de.xlf
+++ b/src/Sign.Cli/xlf/Resources.de.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Ungültiger Wert für {0}. Der Wert muss "sha256", "sha384" oder "sha512" sein.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.es.xlf b/src/Sign.Cli/xlf/Resources.es.xlf
index 81f81854..8035034b 100644
--- a/src/Sign.Cli/xlf/Resources.es.xlf
+++ b/src/Sign.Cli/xlf/Resources.es.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valor no válido para {0}. El valor debe ser 'sha256', 'sha384' o 'sha512'.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.fr.xlf b/src/Sign.Cli/xlf/Resources.fr.xlf
index 2adf3653..e23944ea 100644
--- a/src/Sign.Cli/xlf/Resources.fr.xlf
+++ b/src/Sign.Cli/xlf/Resources.fr.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valeur invalide pour {0}. La valeur doit être 'sha256', 'sha384' ou 'sha512'.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.it.xlf b/src/Sign.Cli/xlf/Resources.it.xlf
index 7e67bd87..dc084deb 100644
--- a/src/Sign.Cli/xlf/Resources.it.xlf
+++ b/src/Sign.Cli/xlf/Resources.it.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valore non valido per {0}. Il valore deve essere 'sha256', 'sha384' o 'sha512'.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.ja.xlf b/src/Sign.Cli/xlf/Resources.ja.xlf
index 8dc8e043..575b64b7 100644
--- a/src/Sign.Cli/xlf/Resources.ja.xlf
+++ b/src/Sign.Cli/xlf/Resources.ja.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} の値が無効です。値は 'sha256'、'sha384'、または 'sha512' である必要があります。</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.ko.xlf b/src/Sign.Cli/xlf/Resources.ko.xlf
index 8b6933b4..a0e3d012 100644
--- a/src/Sign.Cli/xlf/Resources.ko.xlf
+++ b/src/Sign.Cli/xlf/Resources.ko.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0}에 대한 값이 잘못되었습니다. 값은 'sha256', 'sha384' 또는 'sha512'.여야 합니다.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.pl.xlf b/src/Sign.Cli/xlf/Resources.pl.xlf
index 747ed164..f172e0a4 100644
--- a/src/Sign.Cli/xlf/Resources.pl.xlf
+++ b/src/Sign.Cli/xlf/Resources.pl.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Nieprawidłowa wartość dla {0}. Wartością musi być „sha256”, „sha384”, lub „sha512”.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.pt-BR.xlf b/src/Sign.Cli/xlf/Resources.pt-BR.xlf
index 1743b3cf..2d8996d8 100644
--- a/src/Sign.Cli/xlf/Resources.pt-BR.xlf
+++ b/src/Sign.Cli/xlf/Resources.pt-BR.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Valor inválido para {0}. O valor deve ser 'sha256', 'sha384' ou 'sha512'.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.ru.xlf b/src/Sign.Cli/xlf/Resources.ru.xlf
index c02a0735..aa52487a 100644
--- a/src/Sign.Cli/xlf/Resources.ru.xlf
+++ b/src/Sign.Cli/xlf/Resources.ru.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">Недопустимое значение для {0}. Необходимо использовать "sha256", "sha384" или "sha512".</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.tr.xlf b/src/Sign.Cli/xlf/Resources.tr.xlf
index 8c634b67..2016ae4b 100644
--- a/src/Sign.Cli/xlf/Resources.tr.xlf
+++ b/src/Sign.Cli/xlf/Resources.tr.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} için geçersiz değer. Değer 'sha256', 'sha384' veya 'sha512' olmalıdır.</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.zh-Hans.xlf b/src/Sign.Cli/xlf/Resources.zh-Hans.xlf
index df1a27be..3a62e4f7 100644
--- a/src/Sign.Cli/xlf/Resources.zh-Hans.xlf
+++ b/src/Sign.Cli/xlf/Resources.zh-Hans.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} 的值无效。值必须为 "sha256"、"sha384" 或 "sha512"。</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/src/Sign.Cli/xlf/Resources.zh-Hant.xlf b/src/Sign.Cli/xlf/Resources.zh-Hant.xlf
index 774b847b..a6145466 100644
--- a/src/Sign.Cli/xlf/Resources.zh-Hant.xlf
+++ b/src/Sign.Cli/xlf/Resources.zh-Hant.xlf
@@ -18,13 +18,13 @@
         <note />
       </trans-unit>
       <trans-unit id="ClientIdOptionDescription">
-        <source>Client ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Client ID to authenticate to Azure Key Vault.</target>
+        <source>Client ID to authenticate to Azure.</source>
+        <target state="new">Client ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="ClientSecretOptionDescription">
-        <source>Client secret to authenticate to Azure Key Vault.</source>
-        <target state="new">Client secret to authenticate to Azure Key Vault.</target>
+        <source>Client secret to authenticate to Azure.</source>
+        <target state="new">Client secret to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="CodeCommandDescription">
@@ -67,11 +67,6 @@
         <target state="new">Invalid value for {0}. The value must be a SHA-256, SHA-384, or SHA-512 certificate fingerprint (in hexadecimal).</target>
         <note>{NumberedPlaceholder="{0}"} is the option name (e.g.:  --certificate-fingerprint).  {Locked="SHA-256", "SHA-384", "SHA-512"} are cryptographic hash algorithms.</note>
       </trans-unit>
-      <trans-unit id="InvalidClientSecretCredential">
-        <source>If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</source>
-        <target state="new">If not using a managed identity, all of these options are required: {0}, {1}, and {2}.</target>
-        <note>{NumberedPlaceholder="{0}", "{1}", "{2}"} are option names and should not be localized.</note>
-      </trans-unit>
       <trans-unit id="InvalidDigestValue">
         <source>Invalid value for {0}. The value must be 'sha256', 'sha384', or 'sha512'.</source>
         <target state="translated">{0} 的值無效。值必須是 'sha256'、'sha384' 或 'sha512'。</target>
@@ -93,8 +88,13 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --timestamp-url) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="ManagedIdentityOptionDescription">
-        <source>Managed identity to authenticate to Azure Key Vault.</source>
-        <target state="new">Managed identity to authenticate to Azure Key Vault.</target>
+        <source>Managed identity to authenticate to Azure Key. (obsolete)</source>
+        <target state="new">Managed identity to authenticate to Azure Key. (obsolete)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="ManagedIdentityOptionObsolete">
+        <source>The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</source>
+        <target state="new">The -kvm and --azure-key-vault-managed-identity options are obsolete and should no longer be specified.</target>
         <note />
       </trans-unit>
       <trans-unit id="MaxConcurrencyOptionDescription">
@@ -133,8 +133,8 @@
         <note>{NumberedPlaceholder="{0}"} is an option name (e.g.:  --base-directory) and should not be localized.</note>
       </trans-unit>
       <trans-unit id="TenantIdOptionDescription">
-        <source>Tenant ID to authenticate to Azure Key Vault.</source>
-        <target state="new">Tenant ID to authenticate to Azure Key Vault.</target>
+        <source>Tenant ID to authenticate to Azure.</source>
+        <target state="new">Tenant ID to authenticate to Azure.</target>
         <note />
       </trans-unit>
       <trans-unit id="TimestampDigestOptionDescription">
diff --git a/test/Sign.Cli.Test/AzureAuthOptionsTests.cs b/test/Sign.Cli.Test/AzureCredentialOptionsTests.cs
similarity index 93%
rename from test/Sign.Cli.Test/AzureAuthOptionsTests.cs
rename to test/Sign.Cli.Test/AzureCredentialOptionsTests.cs
index 97218b10..c267d2e7 100644
--- a/test/Sign.Cli.Test/AzureAuthOptionsTests.cs
+++ b/test/Sign.Cli.Test/AzureCredentialOptionsTests.cs
@@ -6,9 +6,9 @@
 
 namespace Sign.Cli.Test
 {
-    public class AzureAuthOptionsTests
+    public class AzureCredentialOptionsTests
     {
-        private readonly AzureAuthOptions _options = new();
+        private readonly AzureCredentialOptions _options = new();
 
         [Fact]
         public void ManagedIdentityOption_Always_HasArityOfZeroOrOne()
diff --git a/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs b/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs
index ad9ef79e..eb3190e4 100644
--- a/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs
+++ b/test/Sign.Cli.Test/AzureKeyVaultCommandTests.cs
@@ -75,12 +75,12 @@ public ParserTests()
             [InlineData("azure-key-vault -kvu https://keyvault.test a")]
             [InlineData("azure-key-vault -kvu https://keyvault.test -kvc")]
             [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c -azs")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c -azs d")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c -kvs")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c -kvs d")]
             public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string command)
             {
                 ParseResult result = _parser.Parse(command);
@@ -89,8 +89,8 @@ public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string comm
             }
 
             [Theory]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azm b")]
-            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -azt b -azi c -azs d e")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a b")]
+            [InlineData("azure-key-vault -kvu https://keyvault.test -kvc a -kvt b -kvi c -kvs d e")]
             public void Command_WhenRequiredArgumentsArePresent_HasNoError(string command)
             {
                 ParseResult result = _parser.Parse(command);
diff --git a/test/Sign.Cli.Test/SignCommandTests.Globbing.cs b/test/Sign.Cli.Test/SignCommandTests.Globbing.cs
index c9e4fd61..248d8de9 100644
--- a/test/Sign.Cli.Test/SignCommandTests.Globbing.cs
+++ b/test/Sign.Cli.Test/SignCommandTests.Globbing.cs
@@ -60,7 +60,7 @@ public void Dispose()
             public async Task Command_WhenFileIsGlobPattern_SignsOnlyMatches()
             {
                 string commandText = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} "
+                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} --timestamp-url {TimestampUrl} "
                     + $"-b \"{_temporaryDirectory.Directory.FullName}\" **/*.dll";
 
                 int exitCode = await _parser.InvokeAsync(commandText);
@@ -78,7 +78,7 @@ public async Task Command_WhenFileIsGlobPattern_SignsOnlyMatches()
             public async Task Command_WhenFileIsGlobPatternWithSubdirectory_SignsOnlyMatches()
             {
                 string commandText = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} "
+                    + $"-kvu {KeyVaultUrl} -kvc {CertificateName} --timestamp-url {TimestampUrl} "
                     + $"-b \"{_temporaryDirectory.Directory.FullName}\" **/e/*.dll";
 
                 int exitCode = await _parser.InvokeAsync(commandText);
@@ -94,7 +94,7 @@ public async Task Command_WhenFileIsGlobPatternWithSubdirectory_SignsOnlyMatches
             public async Task Command_WhenFileIsGlobPatternWithBracedExpansion_SignsOnlyMatches()
             {
                 string commandText = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                      + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} "
+                      + $"-kvu {KeyVaultUrl} -kvc {CertificateName} --timestamp-url {TimestampUrl} "
                       + $"-b \"{_temporaryDirectory.Directory.FullName}\" **/*.{{dll,exe}}";
 
                 int exitCode = await _parser.InvokeAsync(commandText);
diff --git a/test/Sign.Cli.Test/SignCommandTests.cs b/test/Sign.Cli.Test/SignCommandTests.cs
index 180a1088..88808b7c 100644
--- a/test/Sign.Cli.Test/SignCommandTests.cs
+++ b/test/Sign.Cli.Test/SignCommandTests.cs
@@ -73,7 +73,7 @@ public void Command_WhenArgumentAndOptionsAreMissing_HasError(string command)
         public void Command_WhenRequiredArgumentIsMissing_HasError()
         {
             string command = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl}";
+                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} --timestamp-url {TimestampUrl}";
             ParseResult result = _parser.Parse(command);
 
             Assert.NotEmpty(result.Errors);
@@ -83,7 +83,7 @@ public void Command_WhenRequiredArgumentIsMissing_HasError()
         public void Command_WhenAllOptionsAndArgumentAreValid_HasNoError()
         {
             string command = $"code azure-key-vault --description {Description} --description-url {DescriptionUrl} "
-                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} -azm --timestamp-url {TimestampUrl} {File}";
+                + $"-kvu {KeyVaultUrl} -kvc {CertificateName} --timestamp-url {TimestampUrl} {File}";
             ParseResult result = _parser.Parse(command);
 
             Assert.Empty(result.Errors);
diff --git a/test/Sign.Cli.Test/TrustedSigningCommandTests.cs b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
index 03b07388..26928217 100644
--- a/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
+++ b/test/Sign.Cli.Test/TrustedSigningCommandTests.cs
@@ -87,12 +87,12 @@ public ParserTests()
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa")]
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a")]
             [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d -azs")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d -azs e")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -kvt")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -kvt c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -kvt c -kvi")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -kvt c -kvi d")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -kvt c -kvi d -kvs")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -kvt c -kvi d -kvs e")]
             public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string command)
             {
                 ParseResult result = _parser.Parse(command);
@@ -101,8 +101,8 @@ public void Command_WhenRequiredArgumentOrOptionsAreMissing_HasError(string comm
             }
 
             [Theory]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azm c")]
-            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -azt c -azi d -azs e f")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b c")]
+            [InlineData("trusted-signing -tse https://trustedsigning.test -tsa a -tscp b -kvt c -kvi d -kvs e f")]
             public void Command_WhenRequiredArgumentsArePresent_HasNoError(string command)
             {
                 ParseResult result = _parser.Parse(command);