Code signing using a virtual HSM... can't use Azure
Posted by Icy-Education3432@reddit | ExperiencedDevs | 7 comments
I'm an indie developer... I'd rather not use a USB HSM dongle for code signing.
I work in Asia, so I don't qualify for the Azure code signing scheme which requires you to be an American/Canadian company with 3 years of tax records.
Has anyone ever tried using Google Virtual HSM for code signing?
I'm really trying to avoid the dongle because I know I'll lose it...
OhBeeOneKenOhBee@reddit
Azure Key Vault can be used from basically anywhere; you're thinking of Azure Trusted Signing, which is a different product.
You can order a certificate from Comodo or GlobalSign and store that in AKV, then use that to sign.
mark_nine@reddit
I use Azure Key Vault Code Signing from SignMyCode. I'm also based in Asia.
glorious_purpose1@reddit
Agree. As far as I know, Azure Key Vault does not have any geo-restrictions.
Thabo_Mbete@reddit
What exactly do you want to get from it? As I remember, code signing is to prevent HSM from loading unknown binaries.
Icy-Education3432@reddit (OP)
It looks more professional to have a publisher name rather than "unknown".
Also, it would be nice to get rid of SmartScreen.
Thabo_Mbete@reddit
Are you sure you need an HSM for any of that? I might be wrong, but I think you need your binaries signed by some publisher for that. Like Microsoft or whatever.
TheNormalnij@reddit
AFAIK, you don't need the HSM itself. You need Azure Key Vault Premium to be able to sign your code remotely.
Source: I f'd up ordering an HSM and lost 700€ and two weeks.