Open alexrp opened 2 years ago
We would likely use SignService to host the code signing in Azure (Azure App Service + Azure Key Vault Managed HSM).
GlobalSign seems like a good place to get an EV code signing certificate.
Spent some time experimenting with SignService and I've mostly figured out how to use it. Just need to wait for #14 in order to actually buy the certificate.
Seems like we can now avoid having to host SignService: https://github.com/dotnet/sign
Need to figure out if we can actually obtain an EV certificate given our legal status under Open Collective Europe.
Talked to Open Collective Europe; the answer is no. We would have to go for an OV certificate, which comes with some downsides. Need to think more on whether this is even worth it. :thinking:
This would allow us to sign our NuGet packages: https://docs.microsoft.com/en-us/nuget/create-packages/sign-a-package
Code signing certificates have to be renewed yearly and are somewhat costly depending on the provider.