cabforum / code-signing

Repository for the CA/Browser Forum Code Signing Certificate Chartered Working Group
https://cabforum.org/code-signing-working-group/

All code signing certificates now stored on USB tokens #37

Open jozefizso opened 7 months ago

jozefizso commented 7 months ago

Are you aware that the requirement to deliver code signing certificates only on FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent tokens prohibits open source developers from signing their software?

The prices for cloud-based HSMs are prohibitive, and having certificates on a single local USB key makes it impossible to build a transparent build pipeline for software releases.

We were able to transparently build software in GitHub Actions and code sign the releases.

This is no longer possible, as we must employ a person who will download the release, sign it locally, and upload the release.

blowfishfugu commented 5 months ago

It's not uncommon to build in the cloud or on-premise using a VM build agent. Both types of hardware are not physically accessible (and have no token interface). In a distributed DevOps environment it's also not uncommon that the person holding the USB key is on holiday or ill, or on the other side of the globe. This and certainly some other use cases prove the token-based concept impractical; in the end people won't sign at all and will ship untrusted software.

Speaking as an employee of a company having multiple libraries and executables in their build chain (let's assume 200 per product), signing each manually would be insane and a waste of time. Nobody will compensate for the forced changes in the CI/CD cycle. GitHub Actions as well as Azure DevOps provide storage of secrets and well-documented best practices for doing so (i.e. https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices).

Therefore I'd love to vote up this issue; the tokens-only requirement impacts open source as well as every signed project on the planet. Maybe cabforum was aware of it or not, but please reconsider and rethink the standard.