TobbenTM a day ago:

You certainly don't need a hardware token; you can store it in any FIPS 140 Level 2+ store. This includes stuff like Azure KeyVault and AWS KMS. Azure Trusted Signing is 100% the best choice, but if for whatever reason you cannot use it, you can still use your own cloud store and hook in the signing tools. I wrote an article on using AWS KMS earlier this year: https://moonbase.sh/articles/signing-windows-binaries-using-... TLDR: Doing this yourself requires a ~$400-500/year EV cert and minuscule cloud costs.
jonathanlydall a day ago (reply to parent):

Can confirm this: we use Azure KeyVault and are able to have Azure Pipelines use it to sign our release builds. We’re (for the moment) a South African entity, so we can’t use Azure Trusted Signing, but DigiCert has no issue with us using Azure KeyVault for our EV code signing certificate. I had ours renewed just this week as it happens. It cost something like USD 840 before tax; we don’t have a choice though, and in the grand scheme of things it’s not a huge expense for a company.