This impacts all binaries that were signed with a code signing certificate.

I was not aware of this company but that might be an option.

+1, I have had a very positive experience using SignPath for my OSS projects. I've been using them for over two years now, and they have consistently been fantastic to work with (always responsive when I have questions).

Note that you will need to use AppVeyor for building the signed binaries/installers due to the way they implement origin verification, but this is fairly easy to get going if you're already familiar with Github Actions. I believe the installer also needs to be .MSI format.

Stefan from SignPath here. Thanks Brandon! <3

Some restrictions apply to free certificates issued to "SignPath Foundation":

• We absolutely require transparent, verifiable builds for those, and currently this means AppVeyor. However, our GitHub actions connector will be available very soon.
• While there are some advantages for standard formats like MSI, MSIX, AppX etc, we can also handle other installers.

However, since ImageMagick has a registered LLC, we could get a certificate in your name with no restrictions. We can sponsor it for the first year, then you can either implement our verifiable process (on GHA) and get a free cert, or find another sponsor for the cert (<< $600) and keep using SignPath for free.

If that sounds good, just contact support@signpath.io.

I wonder if this could be used to sign drivers as well...

You would need a registered organization that can get both an EV certificate and be vetted by Microsoft for driver attestation signing.

SignPath cannot directly provide this. If your OSS project doesn't have an organization such as Image Magick's LLC or some foundation, you'll have to find a sponsor who trusts you with their name.

Sometimes project members or users have their own company or can convince their employer to step in.

The problem is that the certificate sponsor will be associates with any security breach in your drivers, or even be considered liable, so they often hesitate. SignPath can help by providing the platform that will allow your sponsor to control use of their certificate through effective OSS- friendly security policies.

That would still require us to do a lot of extra work ourselves and that is why we are looking for a cloud based solution.

Thanks for the information. That sounds like a cheaper option. And yesterday someone also pointed this tool out to me: https://github.com/dotnet/sign that uses AzureSignTools.

I moved from that to Azure Code Signing. Let me reach out to Microsoft and that team for you. Standby.

Thanks but I also just send out an email to AzureCodeSigningTAP myself to ask what would be possible.

This is what I do (GlobalSign + Azure Key Vault) — I wrote up an article on it https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/

here is the guide I was using: https://seankilleen.com/2020/05/how-to-use-azuresigntool-to-sign-files-with-azure-devops-using-a-certificate-in-azure-keyvault/
to install AzureSignTools in github actions:

      - if: matrix.platform == 'windows-latest'
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '6.0.x'
      - if: matrix.platform == 'windows-latest'
        name: install AzureSignTools
        run: dotnet tool install --global azuresigntool

and then to sign:

azuresigntool sign -kvu ${process.env.AKV_URL} -kvi ${process.env.AKV_CLIENT_ID} -kvs ${process.env.AKV_CLIENT_SECRET} -kvt ${process.env.AKV_TENANT_ID} -kvc ${process.env.AKV_CERT_NAME} -tr ${tsServer} -ifl ${signFileListPath}

(process.env is JS access to env vars)

The cost of a certificate certificate has still quadrupled in price but at least I now know options that are cheaper than digicert.

So mine certificate expired in Jan 2024. And now I have the same issue! The certs must be issued on a device and cannot be moved to Azure Key Vault. This is bummer.

Thanks for your reply. I have already sent an e-mail to AzureCodeSigningTAP at microsoft.com this morning (local time) that will also probably go to ianjmcm but thanks for reaching out to me here.

Hey @Jaxelr
Could you please invite me to Azure Code Signing too?

hi @Jaxelr , our main OSS project https://github.com/NetOfficeFw is not stuck because our certificate expired on Jan 2024 and we cannot get a new one into Azure Key Vault. I already contacted the AzureCodeSigningTAP in Dec 2023 but was told I have to wait for public release.

Can we get access to Azure Code Signing for the NetOfficeFw project? We must release new bugfixes and the missing certificate does not allows us to publish nuget packages - they must be signed because the previous packages were signed.

We have not thought about and we are now exploring the options that were offered here.