EV Code Signing 2023 - How to sign assemblies on a virtual server?


I am trying to better understand the new EV Code Signing certificate requirements set by the CA/B Forum as of June 1st 2023. https://www.sectigo.com/knowledge-base/detail/Changes-to-Sectigo-Code-Signing-Offerings/kA03l000000BoIs

As I understand it, the key will be shipped on a USB key, allowing me to use it on my physical computer.

In our case, we sign all assemblies we create as part of our CI pipelines using virtualized (Windows) build servers in our datacenter. Any assembly generated by the server is signed with a certificate. I am managing the CI pipelines for our group of 100 developers, running hundreds of builds per day, totaling at least (many) thousands of signing activities per day, spread over 20 build servers.

I can understand that changes were needed to secure this type of certificate, but with the current implementation I wonder if I'm using it right.

I think that leaves me with these initial questions:

  1. What is the recommended way these days to sign Windows desktop applications? Should we sign all assemblies, or only the exes?
  2. How are we expected to run code signing on our virtualized build servers? I read about a netHSM device; is this the solution?
  3. Assuming the netHSM is the solution, does anyone have experience with this? Is it slower than the current PFX-based code signing certificates?

I hope someone can share their experiences. Just to emphasize, I am interested in the "digital signature" part of signing, not strong name signing.
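An added example, not part of the question and not any CA's or tool vendor's code, of the shape such a CI signing step takes once the private key lives in hardware: signtool picks the certificate out of the Windows certificate store by thumbprint (the USB token or network HSM is reached through its vendor's CSP/KSP, so the key never touches the build server's disk), and a post-build check refuses to ship any artifact that is unsigned or lacks a timestamp. The thumbprint, timestamp URL and signtool path are placeholders.

```powershell
# Added example, not from the question or any vendor. Signs every artifact
# in a CI output folder with a certificate whose private key sits in a
# hardware-backed store (USB token or network HSM exposed via a CSP/KSP),
# then fails the build if anything is unsigned or not timestamped.
# Placeholders (assumptions): $Thumbprint, $TsaUrl, $SignTool, $OutDir.
param(
    [string]$OutDir     = ".\artifacts",
    [string]$Thumbprint = "0000000000000000000000000000000000000000",  # placeholder
    [string]$TsaUrl     = "http://timestamp.example.invalid",          # placeholder
    [string]$SignTool   = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"
)

# Everything the pipeline ships, not only the entry-point exe: a loaded DLL
# is executed code just like the exe that loads it.
$targets = @(Get-ChildItem -Path $OutDir -Recurse -File -Include *.exe,*.dll,*.msi |
             Select-Object -ExpandProperty FullName)
if ($targets.Count -eq 0) { throw "No signable artifacts under $OutDir" }

# One signtool call for many files keeps the number of token/HSM sessions
# down. /sha1 selects the cert from the store by thumbprint, which works the
# same whether the key is PFX-, token- or HSM-backed. /fd and /td pin the
# file and timestamp digests to SHA-256; /tr names an RFC 3161 TSA so the
# signatures remain valid after the certificate itself expires.
& $SignTool sign /sha1 $Thumbprint /fd SHA256 /tr $TsaUrl /td SHA256 $targets
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Post-condition check, independent of signtool: every artifact must carry
# a chain-valid Authenticode signature and a countersigned timestamp.
$bad = foreach ($f in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid' -or -not $sig.TimeStamperCertificate) {
        [pscustomobject]@{ File = $f; Status = $sig.Status }
    }
}
if ($bad) {
    Write-Error ("Unsigned or untimestamped artifacts:`n" + ($bad | Out-String))
    exit 1
}
Write-Host "Signed and timestamped $($targets.Count) artifact(s)."
```

Run it as the last step of the build on an agent that can reach the token or HSM; the verification loop is what catches a silently skipped file when one of thousands of daily signings fails.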
