top | item 46182861

(no title)

TobbenTM | 2 months ago

You certainly don't need a hardware token, you can store it in any FIPS 140 Level 2+ stores. This includes stuff like Azure KeyVault and AWS KMS.

Azure Trusted Signing is 100% the best choice, but if for whatever reason you cannot use it, you can still use your own cloud store and hook in the signing tools. I wrote an article on using AWS KMS earlier this year: https://moonbase.sh/articles/signing-windows-binaries-using-...

TLDR: Doing this yourself requires a ~400-500$/year EV cert and miniscule cloud costs

discuss

jonathanlydall|2 months ago

Can confirm this, we use Azure KeyVault and are able to have Azure Pipelines use it to sign our release builds.

We’re (for the moment) a South African entity, so can’t use Azure Trusted Signing, but DigiCert has no issue with us using Azure KeyVault for our EV code signing certificate.

I had ours renewed just this week as it happens. Cost something like USD 840 before tax, don’t have a choice though and in the grand scheme of things it’s not a huge expense for a company.