Code signing using cloud based private key storage?

We’re currently building and signing our .exe and .msi files in GitHub, but now need to renew our code signing certificate under the new-fangled rules.
Does anyone have experience (good or bad) with DigiCert’s KeyLocker cloud-based solution, which avoids using a hardware USB token?

FYI in case others may be interested, we’re now investigating Azure Trusted Signing instead.

For those who already have tokens, we have a server product coming in a few weeks that will make code signing with tokens trivial: no more password prompts. We have tested with SafeNet and YubiKey tokens so far, but it should work with others that have a PKCS#11 DLL (most do).

If you are interested in beta testing, PM me (we’re working on the installer at the moment).

We use Azure Key Vault to store our signing cert, and we use AzureSignTool to do the actual signing.

Maybe we should switch to using Trusted Signing.
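A GitHub Actions job that implements the Key Vault plus AzureSignTool approach this post describes, added here as an example (it is not the poster's own workflow). The vault URL, certificate name, artifact path and secret names are assumed placeholders; the job authenticates with a GitHub OIDC federated credential so no long-lived client secret has to be stored in GitHub.

```yaml
# Added example: sign a Windows build artifact with a certificate held in Azure Key Vault.
# The private key never leaves Key Vault; the workflow only gets sign permission on it.
name: sign-release
on:
  workflow_dispatch:

permissions:
  id-token: write   # required for the OIDC token that azure/login exchanges
  contents: read

jobs:
  sign:
    runs-on: windows-latest   # AzureSignTool produces Authenticode signatures on Windows
    steps:
      - uses: actions/checkout@v4

      # App registration with a federated credential for this repo. Grant it only the
      # "Key Vault Crypto User" and "Key Vault Certificate User" roles on the vault, so it can
      # sign with the key and read the public certificate but cannot export the key.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}          # assumed secret names
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Install AzureSignTool
        run: dotnet tool install --global AzureSignTool

      - name: Sign installer
        shell: pwsh
        run: |
          # Short-lived access token scoped to Key Vault, passed instead of a client secret.
          $token = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv
          if (-not $token) { throw "Could not obtain a Key Vault access token" }
          # Vault URL, certificate name and artifact path below are assumed placeholders.
          AzureSignTool sign `
            --azure-key-vault-url https://example-signing-kv.vault.azure.net `
            --azure-key-vault-accesstoken $token `
            --azure-key-vault-certificate code-signing-cert `
            --timestamp-rfc3161 http://timestamp.digicert.com `
            --timestamp-digest sha256 `
            --file-digest sha256 `
            --verbose `
            .\dist\MyApp-Setup.msi

      - name: Verify signature
        shell: pwsh
        run: |
          # Fail the job unless Windows reports a valid, chain-trusted Authenticode signature.
          $sig = Get-AuthenticodeSignature .\dist\MyApp-Setup.msi
          if ($sig.Status -ne 'Valid') { throw "Signature check failed: $($sig.Status)" }
```

The timestamp step matters for cloud-held certificates just as for tokens: a countersigned timestamp keeps the signature valid after the certificate expires, and the final verification step catches a build that silently produced an unsigned or untrusted artifact.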

Our experience: We submitted requirements for Azure Trusted Signing verification yesterday morning.
We received a “Validation Pass” status this morning.
Our devops integrated Trusted Signing into our GitHub workflow this afternoon.
Initial testing indicates everything is working.
The quick verification may have been helped by having a significant Azure presence already.