Code-signing in 2025...
Posted by IceMichaelStorm@reddit | ExperiencedDevs | View on Reddit | 15 comments
The question is simple, but I have not yet found a satisfying answer. So I would love to hear how you solve it...
Code signing companies have decided in some kind of forum that you cannot export code signing certificates into pkcs#12 files anymore. This means, if you want to codesign an executable under Windows, you now NEED a dongle. Previously, this was only true for EV code signigng certificates, but now it's apparently also the case with non-EV code signing certificates.
Needless to say this is a nightmare. We aim to have all our CI/CD pipelines within the cloud, either at AWS, GKS, Azure, or maybe even barebone but hosted in a data center and not physically at our site.
Now we even have a Windows machine (as we seem to be forced to?) but these stupid dongles need their own UI where you need to put the password in. Autohotkey can help but it does not play well with gitlab or github runners that usually use non-interactive sessions. So you need to have an interactive session which works but is less convenient, too...
So... how do you deal in your enterprise with this burden? I have many ideas but ALL, sorry, suck...
beth_maloney@reddit
Pretty sure you can store the certificate in Azure keyvault instead. Standard tier should work. Haven't tried myself as we're no longer signing binaries.
IceMichaelStorm@reddit (OP)
that’s the change they made, you cannot export it anymore
beth_maloney@reddit
You can't export it anymore but you can create it in the keyvault. Azure keyvault meets the requirements (it also supports ev certificates).
SlotDesigner@reddit
I went through this about a year ago and managed to automate no touch signing with a windows batch file. I don't recall the details now, but looking at my notes I use a DigiCert token and Microsoft signtool.exe. This link was critical to getting it going
https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken/
Also useful
https://stackoverflow.com/questions/76595490/avoiding-repeated-password-prompt-when-signing-with-ev-code-signing-certificate
IceMichaelStorm@reddit (OP)
Yeah but see, they export the cert. That is exactly what they decided: you cannot do this anymore
SlotDesigner@reddit
I’m currently signing with this, I did several times today. I used to store the certificates on my PC, then they introduced this change and I needed a hardware token. This time I don’t think it’s exporting the cert, but I can’t remember how the details of it works as it was a year ago I set it up.
That’s always been the problem with code signing over the years. I document the process, but by the time I need to buy new certificates something has changed and it’s difficult to get it going again.
IceMichaelStorm@reddit (OP)
yeah I think your current certs work but I found noone offering no-dongle solutions anymore. And export they said is disabled… so yeah, seems like they changed their mind to print more money
Redundancy_@reddit
They don't require a dongle specifically, but FIPS 140-2, which prevents export of the original private certificate.
You can achieve this in a few ways:
You can use a coffee signing service like Microsoft Trusted Signing Service, which covers the whole thing.
You can use a HSM device, which can be a small physical dongle.
You can use a cloud service like Azure Key Vault.
You can use network HSMs from various vendors. You can use network HSMs and integrate with a secrets manager like Hashicorp vault (using the transit secrets engine).
bloodcheesi@reddit
Had the same problem a couple of weeks ago, we switched to Microsoft/Azure Trusted Signing
https://learn.microsoft.com/en-us/azure/trusted-signing/overview
Works really nice for CI.
zacker150@reddit
AWS has a solution for you
DeadlyVapour@reddit
I honestly don't understand what the question is.
What do you mean by some external company discussing something on an unrelated forum, causes you do change your architecture?
Secondly. Why does code signing require windows? Did I fall into a different timeline where only a single HSM vendor exist?
Thirdly. Have you considered separating out the code signing from the CI/CD aspect? Using a code signing server? That way you only need a few HSMs rather than one per build server.
roodammy44@reddit
I switched to signing as a service with Digicert Keylocker. It costs a fortune and I had to reduce signing to the absolute minimum, but it works well with CI.
BorderKeeper@reddit
We used a dongle and then switched to signpath for CI/CD reasons and didn’t have issues since. We sign an MSI we produce and all underlying libraries and executables it contains.
Drivers still need a manual workflow but that’s always been like that with Microsoft.
IceMichaelStorm@reddit (OP)
So sorry for asking back here, but does this mean you still need to have a dongle or does signpath provide their own wrapper around that somehow?
BorderKeeper@reddit
I don’t know if my team lead sent them the dongle or not, but I think she still has it I asked her on slack so I can let you know when I know. We don’t use it anymore in any case though everyone in our team can sign now using signpath API or directly through their website.