
HSM code signing certs, rant, & recommend where to buy?

  • 17-05-2023 10:53am
    #1
    Registered Users Posts: 983 ✭✭✭


    Hi -- given:

    | On June 1, 2023, Microsoft will require that all code signing certificates be generated and stored on a Hardware Security Module (HSM) or a cloud-based HSM

    ...all the sellers of code signing certs are now bumping their prices x3 or x4 and physically shipping out USB hardware. Seems like we're going back in time.

    This is going to significantly add pain to automation, CI/CD, and make it a lot more expensive if using a "Key Management Service". E.g., anyone using GitHub Action Runners or AWS for builds will now have to re-think their process. I'm surprised there isn't more noise online about this.

    Anyway -- my question is -- can anyone recommend a place to purchase a code-signing HSM (or equivalent cloud service; for same cost)?

    The marketplace seems like a bit of a quagmire with wildly differing prices, lots of re-selling, poor documentation (particularly on the tools/APIs to actually interface with any given HSM, etc.), American sites as opposed to European, etc.

    Note that code-signing for me is a nice-to-have, I don't want to spend a fortune on it given I make mostly free-software, just for fun.



Comments

  • Registered Users Posts: 1 AnnaShipman1986


    Hey,

    Indeed, the CA/B Forum has beefed up security for issuing code signing by mandating HSM tokens for issuing all code signing certificates.

    I used to get code signing certs from a CA earlier, but now, since costs are high due to the token-based process, I discovered an affordable and authorised code signing vendor, SignMyCode.com, offering the same Sectigo-based code signing certificates and also others from CAs like Comodo, DigiCert and Certera at relatively affordable pricing starting at just $169.99/year, which is quite reasonable compared to the CA's, plus a good customer support team to assist with the new process for getting my code signing cert.



  • Registered Users Posts: 1,547 ✭✭✭rock22


    I have little understanding of this signing process. I do a small amount of C# development, just for my own use. Recently I tried to run a program I had published last year and it failed to open. I know I signed it with some sort of temporary key, without really understanding what I was doing.

    Do the changes you refer to now mean that creating programs for own use using Visual Studio and C# is no longer possible? Or is there a way around this, if the program is not sold or published?



  • Registered Users Posts: 983 ✭✭✭rat_race


    No, you should be able to run non-signed or self-signed EXEs, no problem -- with just a warning confirmation from Windows, etc. Perhaps you have a stricter policy setup, or something. But all in all, the problem you're seeing should be unrelated to this.

    What's changing is that certs issued by trusted CAs now require that certs are on these HSMs. That's all, Windows isn't changing. The whole purpose of signing code with a CA-issued cert is that Windows doesn't present such an alarming "unverified publisher" warning, instead it asks the user if they trust the verified publisher, etc.



  • Registered Users Posts: 1,547 ✭✭✭rock22


    Thanks rat_race.

    Not sure what the problem is. The program worked fine a year ago. Now nothing happens when I click on it. I need to investigate further.

    Thanks for answering



  • Registered Users Posts: 983 ✭✭✭rat_race


    No probs. Run it from a command prompt and see if there's some output to give a clue. Absolutely nothing happening is unlikely to be caused by a cert/codesigning issue.


