
I haven't tried it but have been looking into the same problem. This is probably the best bet (does require an Azure account though): https://github.com/Azure/trusted-signing-action


Azure looked promising, but their trusted signing service won't issue a cert unless your corp is 3 years old. Doesn't look like you can bring your own keys here.


Microsoft Learn:

Import HSM-protected keys to Key Vault (BYOK) https://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-p...

I guess that allows you to get your own cert (example: from DigiKey) for your own HSM (example: YubiKey) and then upload it.

That's what we researched before we abandoned the approach and kept code-signing by manually downloading the build, signing on a specific machine where only one architect had access. What could ever go wrong?


> unless your corp is 3 years old

...and you need to have a corporation?

I thought corporations were pseudo-humans. Turns out it may be the other way around.



