Upcoming changes to windows codesigning

[directionless]

Recently, the standards for certificate storage on code signing certs changed. Basically, it needs to be in hardware. There are cloud based things, but we have to figure out how to use them. I did some research before, but I expect the world is smoother now.

https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html has some info

[RebeccaMahany]

We'll want to close this issue before April 2024.

Cloud KMSes we could consider:

• GCP's Cloud KMS / Cloud HSM: https://cloud.google.com/kms/docs/hsm
• SSL eSigner: https://www.ssl.com/esigner/
• Digicert ONE / Digicert KeyLocker: https://www.digicert.com/digicert-one, https://knowledge.digicert.com/solution/digicert-keylocker.html
• AWS KMS: https://aws.amazon.com/kms/
• Azure Key Vault: https://azure.microsoft.com/en-us/products/key-vault/
• HashiCorp Vault: https://www.vaultproject.io/

Spent a bit looking into Cloud HSM today -- if we want to use Cloud HSM, which fulfills the requirements for storage, it looks like we'd probably need to use jsign instead of signtool. (It might be possible to re-create something like this in our packaging tool, but probably a bit of a pain.) jsign, incidentally, works with all the KMSes listed above.

[directionless]

I know I have some browser tabs about this... 😆

• I think the best one is https://github.com/nextgens/authenticode-sign-action which you found.
• https://www.ssl.com/guide/supported-cloud-hsms-document-signing-ev-code-signing/ has some more info about ssl.com's handling. Interesting to see the pricing
• https://stackoverflow.com/questions/57627916/microsoft-authenticode-code-signing-ev-google-cloud-hsm references osslsigncode (an open source tool I've used before, though jsign) might be easier

I suspect we should land in Google HMS (since that's where everything we do is) and probably try osslsigncode and jsign

I also have this note that https://blog.trailofbits.com/2020/05/27/verifying-windows-binaries-without-windows/ might have a good verification

[directionless]

I think this shipped.