{"id":40972,"date":"2023-10-30T14:23:04","date_gmt":"2023-10-30T18:23:04","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=40972"},"modified":"2023-10-30T14:23:04","modified_gmt":"2023-10-30T18:23:04","slug":"code-signing-woes","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2023\/10\/30\/code-signing-woes\/","title":{"rendered":"Code Signing Woes"},"content":{"rendered":"<p><a href=\"https:\/\/github.com\/ImageMagick\/ImageMagick\/discussions\/6826\">Dirk Lemstra<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=38055816\">Hacker News<\/a>, <a href=\"https:\/\/twitter.com\/MagickNET\/status\/1718310413773717688\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/github.com\/ImageMagick\/ImageMagick\/discussions\/6826\"><p>Today [ImageMagick&rsquo;s Windows] code signing certificate will expire. For many years <a href=\"https:\/\/www.leaderssl.nl\/\">LeaderSSL<\/a> sponsored us with a code signing certificate but they are no longer able to do so. Since June of 2023 the CA\/B Forum requires that OV code signing private keys be stored on a FIPS 140-2 Level 2 or Common Criteria Level EAL4+ certified device. This means we are no longer able to export our code signing certificate with its private key and use this in GitHub Actions. We would now either need to have our own GitHub agent and hardware token or use a cloud solution (e.g. <a href=\"https:\/\/docs.digicert.com\/en\/software-trust-manager\/ci-cd-integrations\/plugins\/github-custom-action-for-keypair-signing.html\">digicert<\/a>). Our preference would be to use a cloud solution that integrates with GitHub. Digicert seems to be our only option now but a certificate there would cost <a href=\"https:\/\/order.digicert.com\/step1\/code_signing\">$629<\/a> (tax excluded) for a single year.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/awakecoding\/status\/1718323915804553649\">Marc-Andr&eacute; Moreau<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/awakecoding\/status\/1718323915804553649\"><p>Windows code signing has one big problem: it&rsquo;s too expensive &#x1FAF0; and difficult to deal with for most open source projects, where it&rsquo;s often coming out of someone&rsquo;s personal money, not from a business that can well afford it<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/gerardo_gr\/status\/1718957587863904645\">Gerardo Grignoli<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/gerardo_gr\/status\/1718957587863904645\">\n<p>TIL that Code Signing policies had changed for the worse. Signing is now more expensive, requires a physical device and no longer can be an automated step on build agents such as GitHub Actions. &#x1F635;&#x200D;&#x1F4AB;<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/awakecoding\/status\/1718958366729347262\">Marc-Andr&eacute; Moreau<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/awakecoding\/status\/1718958366729347262\">\n<p>Code signing now requires the private key to be stored in an HSM, but you can use Azure Key Vault for that, after which you can switch to AzureSignTool or one of the many alternatives that can call Azure Key Vault during the signing operations.<\/p>\n<\/blockquote>\n\n<p>It sounds like code signing on Windows is even worse than on the Mac. We &ldquo;only&rdquo; have to pay $99\/year, but then some percentage of our customers are scared away by spurious &ldquo;&lsquo;App&rsquo; is damaged and can&rsquo;t be opened. You should move it to the Trash.&rdquo; errors.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/12\/14\/damaged-apps-that-cant-be-opened\/\">&ldquo;Damaged&rdquo; Apps That Can&rsquo;t Be Opened<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Dirk Lemstra (via Hacker News, tweet): Today [ImageMagick&rsquo;s Windows] code signing certificate will expire. For many years LeaderSSL sponsored us with a code signing certificate but they are no longer able to do so. Since June of 2023 the CA\/B Forum requires that OV code signing private keys be stored on a FIPS 140-2 Level [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2023-10-30T18:23:07Z","apple_news_api_id":"d1482876-b1d1-45ce-a145-18325eee364c","apple_news_api_modified_at":"2023-10-30T18:23:07Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/A0UgodrHRRc6hRRgyXu42TA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[101,466,465,2487,2488,30,2385,856,991,71,219,2099],"class_list":["post-40972","post","type-post","status-publish","format-standard","hentry","category-technology","tag-business","tag-codesigning","tag-gatekeeper","tag-github-actions","tag-imagemagick","tag-mac","tag-macos-14-sonoma","tag-microsoft-azure","tag-open-source-software","tag-programming","tag-windows","tag-windows-11"],"apple_news_notices":[],"_links":{"self":[{"href":
"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/40972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=40972"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/40972\/revisions"}],"predecessor-version":[{"id":40973,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/40972\/revisions\/40973"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=40972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=40972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=40972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
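The post quotes two halves of one workaround: Lemstra wants a cloud signing service that plugs into GitHub because the private key may no longer be exported from a hardware-protected store, and Moreau points at Azure Key Vault plus AzureSignTool as one way to do that. The workflow below is an added example of wiring those together; it is not from the blog post, from ImageMagick, or from either commenter. The vault name (example-codesign-kv), certificate name (example-codesign-cert), the three AZURE_* repository secrets, an Entra ID app registration with a federated credential for this repository's OIDC token, and a build step that leaves dist\app.exe in place are all assumptions. Whether a particular CA will issue the certificate against a key generated in a Key Vault HSM-backed key, and accept that as meeting the CA/B Forum storage requirement Lemstra cites, is a question for that CA; this only covers the signing step once the certificate is in the vault.

```yaml
# Added example (not from the original post or from ImageMagick): GitHub
# Actions job that Authenticode-signs a Windows build with AzureSignTool
# against an HSM-backed certificate held in Azure Key Vault. Only the file
# digest is sent to Key Vault; the private key never leaves the HSM and no
# exported PFX is stored as a repository secret.
#
# Assumptions (placeholders, not real resources): vault "example-codesign-kv",
# certificate "example-codesign-cert", secrets AZURE_CLIENT_ID /
# AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID for an app registration with a
# federated credential for this repo, and a build step producing dist\app.exe.
name: sign-windows-release

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # allows the job to request a GitHub OIDC token for Azure

jobs:
  sign:
    runs-on: windows-latest
    env:
      KEY_VAULT_URL: https://example-codesign-kv.vault.azure.net
      KEY_VAULT_CERT: example-codesign-cert
    steps:
      - uses: actions/checkout@v4

      # ... build step that produces dist\app.exe goes here ...

      # Federated (OIDC) login: no client secret and no key material in
      # repository secrets. Grant the app registration only the signing
      # permission on this vault (Key Vault Crypto User is enough).
      - uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Install AzureSignTool
        run: dotnet tool install --global AzureSignTool

      # The short-lived Key Vault access token from the OIDC login replaces
      # the --azure-key-vault-client-secret option, so nothing long-lived
      # ever reaches the runner.
      - name: Sign with Key Vault (digest goes to the HSM, key stays there)
        shell: pwsh
        run: |
          $token = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv
          AzureSignTool sign `
            --azure-key-vault-url $env:KEY_VAULT_URL `
            --azure-key-vault-certificate $env:KEY_VAULT_CERT `
            --azure-key-vault-accesstoken $token `
            --file-digest sha256 `
            --timestamp-rfc3161 http://timestamp.digicert.com `
            --timestamp-digest sha256 `
            --verbose `
            dist\app.exe
          if ($LASTEXITCODE -ne 0) { throw "signing failed" }

      # Verify chain and timestamp before publishing. Without the RFC 3161
      # timestamp above, the signature stops validating once the one-year
      # certificate expires, which is exactly the event the post is about.
      - name: Verify signature
        shell: pwsh
        run: |
          $signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" | Select-Object -Last 1
          & $signtool verify /pa /v dist\app.exe
          if ($LASTEXITCODE -ne 0) { throw "verification failed" }
```

Two design points worth keeping if you adapt this. First, the runner never holds the key or even a durable credential: the OIDC token is exchanged for a Key Vault access token that lives minutes and is authorized only to call the vault's sign operation, which is a much smaller blast radius than the exported PFX plus password that projects used to put in CI secrets. Second, the timestamp is not optional: it is what lets binaries signed today keep validating after the certificate lapses, so a project that signs once a year under a sponsored certificate should treat a failed timestamp as a failed signing run.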