> We are working on making the functionality available for organizations that were incorporated less than 3 years ago. We don't have an ETA yet to share.
So now you can pay $120/yr for the privilege of being a Windows developer (and no other actual service), just like on (or actually somewhat more than for) iOS?
I just went through this process. It's a racket. It's really poorly documented. I rolled my own. It's a lot of work. It almost inspired me to make a product, but it's not a business I want to be in, especially if Microsoft does eventually relax their 3 year old business requirement for their Trusted Signing product.
My formula was:
Github actions, Sectigo usb key, physical windows machine in the office that runs a self-hosted action runner that does the signing step.
1. Get an EV certificate from a trusted CA [1]. That will run $400-800.
2. Use managed Trusted Signing from Azure. [2] Identity validation takes ~a week. Signing can be done via web or CLI. This does require a tax history of 3+ years. [3]
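As an added illustration (not code from any commenter) of the "signing step" that the self-hosted Windows runner in the formula above would execute: it checks the artifact and the certificate before calling signtool, signs with an RFC 3161 timestamp, and verifies the result so the job fails loudly on a bad signature. It assumes signtool.exe from the Windows SDK is on PATH, the EV certificate (private key on the USB token/HSM) is visible in the current user's certificate store, and the thumbprint and timestamp URL are placeholders you replace with your CA's values.

```powershell
# Added example, not from the thread. Assumptions: signtool.exe on PATH, the EV cert
# with token/HSM-backed key is in Cert:\CurrentUser\My, and $Thumbprint / $TimestampUrl
# are placeholders for your own certificate and your CA's RFC 3161 timestamp service.
param(
    [Parameter(Mandatory)] [string] $Artifact,                  # e.g. .\dist\app.exe
    [Parameter(Mandatory)] [string] $Thumbprint,                # SHA-1 thumbprint of the signing cert
    [string] $TimestampUrl = 'http://timestamp.example.invalid' # placeholder: use your CA's RFC 3161 URL
)
$ErrorActionPreference = 'Stop'

# Refuse to sign anything other than the expected artifact types; a runner that
# signs whatever lands in its workspace is a supply-chain risk.
if ((Get-Item $Artifact).Extension -notin '.exe', '.dll', '.msi') {
    throw "Refusing to sign unexpected artifact type: $Artifact"
}

# Confirm the certificate is present and not expired before invoking signtool.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Signing certificate $Thumbprint not found in Cert:\CurrentUser\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)" }

# Sign with a SHA-256 file digest and an RFC 3161 timestamp, so the signature
# stays valid after the certificate itself expires. A USB token will prompt for
# its PIN at this point unless the HSM or its policy removes that requirement.
& signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) and record the chain in the job log.
& signtool.exe verify /pa /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Second, independent check from PowerShell: status must be Valid, not just "signed".
$sig = Get-AuthenticodeSignature $Artifact
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status), not Valid" }
"Signed $Artifact as $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it as a step on the self-hosted runner after the build artifact is downloaded; any failure throws, so the workflow job fails rather than publishing an unsigned or mis-signed binary.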
Using a YubiKey does require that you provide your PIN every time you want to do a signature, which limits how much you can automate things. A YubiHSM would remove that requirement, and might be able to work with a self-hosted GitHub Actions Runner, but it's more expensive, and you'd want confirmation from your CA (Sectigo, for example) that a YubiHSM is OK.
> Using a YubiKey does require that you provide your PIN every time you want to do a signature, which limits how much you can automate things.
AutoHotkey is your friend!
When I set up our code signing machine at AltspaceVR ten years ago, I wrote a simple little AutoHotkey script that watched for the signtool PIN popup and typed in the PIN. It was maybe 15-20 lines of code.
Haven't used them, but for open source, SignPath might be interesting; they do require transparent builds, but do support GitHub Actions: https://about.signpath.io/product/open-source
Some other signing service that works in the cloud and has support for GitHub Actions would be DigiCert's KeyLocker (note: every signed binary is counted and by default the subscription only contains 1000 signings): https://www.digicert.com/signing/code-signing-certificates#c...
Based on comments here, Azure Trusted Signing with a personal certificate and their GitHub action worked.
This blog post below is great. It works through the process, including the truly weird/awful UX choices Azure makes. I archived it on wayback in case it ever disappears.
I ultimately concluded the automation was too much work and I didn't want to figure it out. I bought the Sectigo cert (they will sell code signing certs to individuals) with the USB dongle and installed their crappy software (SafeNet Authentication Client), and I manually sign builds from GitHub Actions on my workstation with "signtool."
Azure looked promising, but their trusted signing service won't issue a cert unless your corp is 3 years old. Doesn't look like you can bring your own keys here.
I guess that allows you to get your own cert (example: from DigiKey) for your own HSM (example: YubiKey) and then upload it.
That's what we researched before we abandoned the approach and kept code-signing by manually downloading the build, signing on a specific machine where only one architect had access. What could ever go wrong?
Originally OV allowed file-based certificates (pkcs12) and EV required an HSM. But since June 2023, file-based certificates are no longer allowed[1]; you need to certify that your CSR comes from an HSM (just paperwork, nothing technical) as part of the issuance request.
SmartScreen, AV warnings, etc. use a reputation-based system. No amount of money makes you truly immune from warnings, but paying for EV does give you a higher default reputation. Since there is no longer any file-vs-HSM distinction between EV and OV, it is simply a cost for more default reputation. Any business will pay it easily.
(My prediction is that OV/EV will consolidate to a single offering, in the same way that EV for web SSL has been phased out.)
Azure Trusted Signing is an all-in-one service that creates keys, purchases the certificate, and hosts the HSM for you. It's still OK to do all these things separately e.g. purchase the cert from Globalsign and use Azure Key Vault as the HSM (you have to pay for the 5 USD/mo service for the larger key size, instead of the cheap one).
I’m distributing unsigned binaries not because I care about the $200 for a cert, but I don’t want to spend hours figuring out a signing flow.