Upcoming changes to windows codesigning #1283
Comments
We'll want to close this issue before April 2024. Cloud KMSes we could consider:
Spent a bit looking into Cloud HSM today -- if we want to use Cloud HSM, which fulfills the requirements for storage, it looks like we'd probably need to use jsign instead of signtool. (It might be possible to re-create something like this in our packaging tool, but probably a bit of a pain.) jsign, incidentally, works with all the KMSes listed above.
I know I have some browser tabs about this... 😆
I suspect we should land in Google HMS (since that's where everything we do is) and probably try I also have this note that https://blog.trailofbits.com/2020/05/27/verifying-windows-binaries-without-windows/ might have a good verification
I think this shipped.
Recently, the standards for certificate storage on code signing certs changed. Basically, it needs to be in hardware. There are cloud-based things, but we have to figure out how to use them. I did some research before, but I expect the world is smoother now.
https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html has some info