Retry on `Azure.RequestFailedException`?

[bgrainger]

Problem
One of our CI/CD builds failed recently because SignTool failed. (Private build, can't link to it.)

The ultimate cause appears to be a service error with Azure Trusted Signing. We "fixed" the problem by re-running the build; when it tried again, it succeeded.

Describe the solution you'd like
Is it reasonable for sign to retry a few times for transient Azure Trusted Signing issues (i.e., not 401, etc.)?

Describe alternatives you've considered
Could check the return value from sign (if there is a value that specifically indicates this problem) and call it again in our build script.

Additional context

fail: Sign.Core.IDataFormatSigner[0]
        Service request failed.
        Status: 500 (Internal Server Error)
        
        Content:
        {"errorDetail":{"code":"InternalError","message":"An internal error has occurred.","target":null}}
        
        Headers:
        Date: Wed, 05 Nov 2025 16:47:24 GMT
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: no-cache,no-store
        Pragma: no-cache
        api-supported-versions: REDACTED
        x-azure-ref: REDACTED
        X-Cache: REDACTED
        Content-Type: application/json
        Expires: -1
        
        Azure.RequestFailedException: Service request failed.
        Status: 500 (Internal Server Error)
        
        Content:
        {"errorDetail":{"code":"InternalError","message":"An internal error has occurred.","target":null}}
        
        Headers:
        Date: Wed, 05 Nov 2025 16:47:24 GMT
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: no-cache,no-store
        Pragma: no-cache
        api-supported-versions: REDACTED
        x-azure-ref: REDACTED
        X-Cache: REDACTED
        Content-Type: application/json
        Expires: -1
        
           at Azure.CodeSigning.CertificateProfileRestClient.Sign(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
           at Azure.CodeSigning.CertificateProfileClient.StartSign(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
           at Sign.SignatureProviders.TrustedSigning.RSATrustedSigning.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding) in /_/src/Sign.SignatureProviders.TrustedSigning/RSATrustedSigning.cs:line 63
           at AzureSign.Core.AuthenticodeKeyVaultSigner.SignCallback(IntPtr pCertContext, IntPtr pvExtra, UInt32 algId, Byte[] pDigestToSign, UInt32 dwDigestToSign, CRYPTOAPI_BLOB& blob)
           at AzureSign.Core.Interop.mssign32.SignerSignEx3(SignerSignEx3Flags dwFlags, SIGNER_SUBJECT_INFO* pSubjectInfo, SIGNER_CERT* pSignerCert, SIGNER_SIGNATURE_INFO* pSignatureInfo, IntPtr pProviderInfo, SignerSignTimeStampFlags dwTimestampFlags, Byte* pszTimestampAlgorithmOid, Char* pwszHttpTimeStamp, IntPtr psRequest, Void* pSipData, IntPtr* ppSignerContext, IntPtr pCryptoPolicy, SIGN_INFO* pSignInfo, IntPtr pReserved)
           at AzureSign.Core.AuthenticodeKeyVaultSigner.SignFile(ReadOnlySpan`1 path, ReadOnlySpan`1 description, ReadOnlySpan`1 descriptionUrl, Nullable`1 pageHashing, ILogger logger)
           at Sign.Core.AzureSignToolSigner.RunSignTool(AuthenticodeKeyVaultSigner signer, FileInfo file, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/AzureSignToolSigner.cs:line 177
  fail: Sign.Core.IDataFormatSigner[0]
        Service request failed.
        Status: 500 (Internal Server Error)

[dtivel]

@bgrainger, yes, I think it's reasonable for Sign CLI to retry here for retriable errors.