Code Signing Best Practices Pre & Post HSM (Hardware Security Module)

  • Published: 3 Oct 2024

Comments • 6

  • @bdeem20
    @bdeem20 4 months ago

    Thanks for this video, David - great primer; we're investigating code signing now and just learned of the changes related to HSM requirements as of June 2023. Sincerely appreciate the knowledge shared here. Stay safe!

  • @espressotonic
    @espressotonic 8 months ago +1

    These HSM changes are great for large companies that have unlimited resources they can dedicate to it. Which small companies or open source developers have the time and energy to implement these complicated processes?

    • @DX7Dev
      @DX7Dev 7 months ago

      In the simplest case, you get a USB device with your certificate purchase, and you plug it into the computer that needs to do signing and configure the vendor software that provides access to the certificates. If it's a cloud-hosted machine, you can set up a VPN connection to a network where the physical machine is located, and script your signing process to sign on the remote machine. There's a little more to it than that, but code signing is still pretty easy to do. You don't necessarily need your own HSM.

    • @GaneshkumarM-ks8my
      @GaneshkumarM-ks8my 7 months ago

      @DX7Dev Thanks David, but how can we actually store and retrieve the purchased code signing certificate in the AWS HSM? I'm only able to see options for signing a file by using a key pair that we generated in the HSM itself.

  • @espressotonic
    @espressotonic 8 months ago +1

    Security best practices are always a struggle between the ideal and the practical. This is one instance where the ideal has won and using code signing is becoming less and less practical.

  • @BRODZELi
    @BRODZELi 2 months ago

    Thank you for sharing this valuable information!
    I have a question: I'm a beginner developer with no experience in code signing (I haven't purchased any certificates yet). I'm currently developing software using Tauri, which will run on both Windows and macOS. As a single developer not working with a team or a company, which certificate authority do you recommend for purchasing a certificate for my app? Any recommendations would be greatly appreciated.