On Friday, 4 November 2022 at 13:01:09 UTC, Iain Buclaw wrote:
What does in a hardware token mean for us? Is it required to have it to hand every time we have to sign a beta, rc, final release binary? Does it bound us to a specific OS because of locked-in proprietary tools?

Unfortunately I don't know.

In what way would it hamper the ability to sign built binaries on a virtual machine, in a remote server, behind a read-only console UI?

Probably in a big way.

Previously, I would just commit the .pfx/.p12; this will soon be impossible (granted, committing the cert lowers security). This won't be possible, perhaps already isn't.

The Certum "cloud" solution needs a desktop app AND a phone app (Android/iPhone), and is unsuitable for CI.

All this just for Windows code signing.

My prediction is that in a few years Microsoft will stop this nightmare and do like Apple and you will just cloud-sign stuff with a microsoft.com account. This will be a lot better.


---- THAT SAID ----

Now, code-signing certificates do not provide automatic warning removal. Every Windows program has an Authenticode score; having an EV just gets you a high score from the get-go, but you still have reputation. So the only thing you buy is freedom from the warning pop-up, and the user gets some safety. An OV gets no initial reputation, and the word on the street is that when you change cert every 3 years you must regain that reputation.

One could perhaps use a self-signed certificate that would allow reusing that Authenticode reputation, I'm not sure.

