HSM code signing certs, rant, & recommend where to buy?

  • 17-05-2023 9:53am, rat_race (OP)


    Hi -- given:

    | On June 1, 2023, Microsoft will require that all code signing certificates be generated and stored on a Hardware Security Module (HSM) or a cloud-based HSM

    ...all the sellers of code signing certs are now bumping their prices x3 or x4 and physically shipping out USB hardware. Seems like we're going back in time.

    This is going to add significant pain to automation and CI/CD, and make it a lot more expensive if using a "Key Management Service". E.g., anyone using Github Action Runners or AWS for builds will now have to re-think their process. I'm surprised there isn't more noise online about this.

    Anyway -- my question is -- can anyone recommend a place to purchase a code-signing HSM (or equivalent cloud service; for same cost)?

    The marketplace seems like a bit of a quagmire with wildly differing prices, lots of re-selling, poor documentation (particularly on the tools/APIs to actually interface with any given HSM, etc.), American sites as opposed to European, etc.

    Note that code-signing for me is a nice-to-have, I don't want to spend a fortune on it given I make mostly free-software, just for fun.

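An added example, not from the original post, of what the "cloud-based HSM" route looks like in a pipeline. It assumes the CA has issued the code-signing certificate onto an HSM-backed key in Azure Key Vault (Premium tier) and that the CA accepts that as the required hardware module; the vault URL, certificate name, environment variable names and the `.\dist` folder are placeholders. It uses AzureSignTool, a .NET global tool that hashes the file on the build agent and has Key Vault sign the hash, so the private key never touches the runner:

```powershell
# Added example (not from the thread): signing Windows build artifacts in CI
# with a code-signing key held in a cloud HSM (Azure Key Vault, HSM-backed key)
# via AzureSignTool. Vault, certificate and variable names are placeholders.
# Whether your CA will issue onto Key Vault is something to confirm before buying.

$ErrorActionPreference = 'Stop'

# Secrets come from the CI provider's secret store (e.g. GitHub Actions
# `secrets.*` mapped to environment variables in the workflow); nothing is
# hard-coded here. The service principal only needs the Key Vault "sign"
# permission on the certificate's key, not "get" on the key material.
$required = 'SIGN_KV_URL', 'SIGN_KV_CERT', 'SIGN_AZ_TENANT_ID', 'SIGN_AZ_CLIENT_ID', 'SIGN_AZ_CLIENT_SECRET'
foreach ($name in $required) {
    if (-not (Get-Item -Path "Env:$name" -ErrorAction SilentlyContinue)) { throw "missing environment variable $name" }
}
$vaultUrl     = $env:SIGN_KV_URL          # e.g. https://example-sign.vault.azure.net (placeholder)
$certName     = $env:SIGN_KV_CERT         # name of the code-signing certificate in the vault
$tenantId     = $env:SIGN_AZ_TENANT_ID
$clientId     = $env:SIGN_AZ_CLIENT_ID
$clientSecret = $env:SIGN_AZ_CLIENT_SECRET
$tsaUrl       = 'http://timestamp.digicert.com'   # any RFC 3161 timestamp authority will do

# Install the signing tool on the build agent.
dotnet tool install --global AzureSignTool

function Sign-Artifact {
    param([Parameter(Mandatory)][string]$Path)
    # --file-digest: hash algorithm for the Authenticode signature.
    # --timestamp-rfc3161 / --timestamp-digest: countersignature from a TSA, so the
    # signature stays valid after the (now short-lived, HSM-bound) certificate expires.
    azuresigntool sign `
        --azure-key-vault-url $vaultUrl `
        --azure-key-vault-tenant-id $tenantId `
        --azure-key-vault-client-id $clientId `
        --azure-key-vault-client-secret $clientSecret `
        --azure-key-vault-certificate $certName `
        --file-digest sha256 `
        --timestamp-rfc3161 $tsaUrl `
        --timestamp-digest sha256 `
        --verbose `
        $Path
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $Path" }
}

function Assert-Signed {
    param([Parameter(Mandatory)][string]$Path)
    # Fail the build if the result does not chain to a trusted root on the agent
    # or if the timestamp countersignature is missing.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "$Path : $($sig.Status) - $($sig.StatusMessage)" }
    if (-not $sig.TimeStamperCertificate) { throw "$Path : signature is not timestamped" }
    Write-Host "OK  $Path  signer=$($sig.SignerCertificate.Subject)"
}

# Sign everything the build produced that Windows will check a signature on.
Get-ChildItem -Path .\dist -Include *.exe, *.dll, *.msi -Recurse | ForEach-Object {
    Sign-Artifact -Path $_.FullName
    Assert-Signed -Path $_.FullName
}
```

The same pattern works with a USB token on a self-hosted runner using `signtool sign /sha1 <thumbprint> /fd SHA256 /tr <tsa> /td SHA256`, but the token's CSP will prompt for its PIN, which is exactly the automation problem the post complains about; a cloud HSM with a pipeline-held credential (or, on Azure-hosted runners, a managed identity via `--azure-key-vault-managed-identity`) is the way to get a non-interactive build. Whatever the key store, keep the "sign" permission on a dedicated identity and log its use: anyone who can invoke that signing operation can produce binaries your users will trust.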


Comments

  • AnnaShipman1986


    Hey,

    Indeed, the CA/B Forum has beefed up security for issuing code signing certificates by mandating HSM tokens for all of them.

    I used to get code signing certs from a CA, but now that costs are high due to the token-based process, I discovered an affordable and authorised code signing vendor, SignMyCode.com, offering the same Sectigo-based code signing certificates and also others from CAs like Comodo, DigiCert and Certera at relatively affordable pricing starting at just $169.99/year, which is quite reasonable compared to the CAs', plus a good customer support team to assist with the new process for getting my code signing cert.



  • rock22


    I have little understanding of this signing process. I do a small amount of C# development, just for my own use. Recently I tried to run a program I had published last year and it failed to open. I know I signed it with some sort of temporary key, without really understanding what I was doing.

    Do the changes you refer to now mean that creating programs for my own use using Visual Studio and C# is no longer possible? Or is there a way around this, if the program is not sold or published?



  • rat_race


    No, you should be able to run non-signed or self-signed EXEs, no problem -- with just a warning confirmation from Windows, etc. Perhaps you have a stricter policy setup, or something. But all in all, the problem you're seeing should be unrelated to this.

    What's changing is that certs issued by trusted CAs now require that certs are on these HSMs. That's all, Windows isn't changing. The whole purpose of signing code with a CA-issued cert is that Windows doesn't present such an alarming "unverified publisher" warning, instead it asks the user if they trust the verified publisher, etc.

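An added example, not from either poster, showing the three states rat_race describes (unsigned, self-signed but untrusted, trusted) as Windows itself reports them, using only the built-in PKI and Authenticode cmdlets. The executable path and the certificate subject are placeholders; it assumes a Windows 10 or later machine with the PKI module (`New-SelfSignedCertificate`) available:

```powershell
# Added example (not from the thread): signing your own build with a self-signed
# code-signing certificate and checking what Windows thinks of it at each step.
# The exe path and CN are placeholders. Import-Certificate into CurrentUser\Root
# pops a confirmation dialog; this is deliberate, you are adding a trust anchor.

$ErrorActionPreference = 'Stop'
$exe = 'C:\dev\MyTool\bin\Release\MyTool.exe'   # assumed path to your own build

function Describe-Signature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status values you will commonly see:
    #   NotSigned     no Authenticode signature at all ("Unknown publisher" warning)
    #   UnknownError  signed, but the chain ends in a root Windows does not trust;
    #                 this is what a self-signed cert looks like before you import it
    #   Valid         signed and chains to a trusted root (CA-issued, or self-signed
    #                 after you have trusted it on this machine)
    [pscustomobject]@{
        File    = Split-Path -Path $Path -Leaf
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        Message = $sig.StatusMessage
    }
}

# 1. Before: a freshly built exe is unsigned (expect NotSigned).
Describe-Signature -Path $exe

# 2. Create a self-signed code-signing certificate in the user's personal store.
#    The key stays in the Windows software key store; nothing here needs an HSM
#    because no CA is involved.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=My Hobby Tools (self-signed)' `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Sign the binary. The RFC 3161 timestamp keeps the signature verifiable after
#    the certificate itself expires, which is one thing that can make a binary
#    that "worked last year" start tripping signature checks.
Set-AuthenticodeSignature -FilePath $exe -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 4. Signed, but the issuer is not trusted yet (expect UnknownError).
Describe-Signature -Path $exe

# 5. Trust it on THIS machine only. Trusted Root makes the chain validate;
#    Trusted Publishers stops the "do you trust this publisher" prompt.
#    Do not hand a self-signed root to other people's machines: for anything
#    you distribute publicly you need a CA-issued certificate, which is the
#    part the HSM requirement now applies to.
$cerPath = Join-Path -Path $env:TEMP -ChildPath 'hobby-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# 6. After: Valid.
Describe-Signature -Path $exe
```

Note that none of this touches whether the program runs: an unsigned or untrusted binary still launches after the warning, so a program that does nothing at all when double-clicked is, as rat_race says, almost certainly failing for some other reason. Also, `Status` is about the chain only; SmartScreen reputation is a separate check that a locally trusted self-signed certificate does nothing for.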


  • rock22


    Thanks rat_race.

    Not sure what the problem is. The program worked fine a year ago. Now nothing happens when I click on it. I need to investigate further.

    Thanks for answering.



  • rat_race


    No probs. Run it from a command prompt and see if there's some output to give a clue. Absolutely nothing happening is unlikely to be caused by a cert/codesigning issue.



  • rat_race


    This message is spam (and the author of that message owns that site). Anyone reading here, please avoid the site.



  • techguy


    Sorry to hijack your post with this question OP - but I guess the answer might help you out.

    How can Microsoft actually tell if the signed object originated from an actual HSM and wasn't just signed using some tooling on a computer? Is there some metadata they will look at, for example the make/model of the HSM in the root certs?

    OP, what kind of stuff are you looking to sign? Marketplace apps or what? I highly doubt you need to sign locally developed apps like that if you just want to run them on your local machine or environment etc.



  • rat_race


    Hi. Just reading this now.

    It's not that Microsoft "can tell" as such, it's more the new regulation that has come into place, whereby the CAs won't give out new certs for Windows code-signing on anything but HSMs, going forward. So anyone with an existing cert who needs to renew, or those requiring one for the first time like myself, will need to go the HSM route.

    Yeah, if it was just for myself locally it wouldn't be an issue as I could simply add self-signed certs as trusted — or put up with the nag/warning screen for anything un-signed. But it's not that, I am signing Windows binaries for public distribution (website download) — not from any app store, and I don't want the red-flag warnings for users (as it's very off-putting / cheap).

    FYI, I have done all of this and it's working fine — though, costly.


