azure-devops, automation, code-signing-certificate

How to automate code signing with new rules after June 1 2023


We are using an old DV code signing certificate from Comodo for fully automated signing of the desktop .exe, .dll, and .msi files automatically in our Azure DevOps pipeline (we store the certificate in the Azure DevOps Library), but our certificate is going to expire soon.

Since June 1, 2023, there have been new requirements for code signing certificates; for example, they can be provisioned only to a Hardware Security Module (HSM), so we could not just renew and upload to the Library again. Has anyone solved the renewal of the code signing certificate since June 1? What is the best option to achieve fully automated builds?

I tried to renew the certificate at Comodo, but only a HW token option is available. I was investigating Microsoft Azure Key Vault, but I am not sure which of the options we might need; some of the services are quite expensive (for example, the HSM Pools for 3 USD / hour), and I am not sure what is needed.


Solution

  • You can use a Microsoft Azure Key Vault. You do not need to use the HSM Pools and can just use the standard Key Vault, but it does need to be on the Premium SKU. From what I can tell, the pricing is currently the same for Premium anyway.

    It does take some setup to get all of the appropriate access in place to use the certificate, but then you will use AzureSignTool instead of SignTool to access the certificate and sign your exe, dll, etc. It does not support as many file extensions as the old SignTool but seems to do most Windows executables.

    This guide is pretty useful for getting all of the correct access policies in place.
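As an added illustration of the AzureSignTool approach described in this answer (example code, not from the original post or the AzureSignTool project), here is a PowerShell step for an Azure DevOps pipeline that signs the build outputs against a Key Vault certificate and then fails the build if any file lacks a valid signature. It assumes the vault URL, service principal credentials and certificate name are supplied as pipeline variables (the placeholder names KV_URL, KV_CLIENT_ID, KV_TENANT_ID, KV_CLIENT_SECRET and KV_CERT_NAME are assumptions, mapped from the Library variable group), and uses AzureSignTool's long option names.

```powershell
# Added example: Azure DevOps PowerShell step signing .exe/.dll/.msi via Key Vault.
# Placeholder variable names; map them from the Library variable group in the task's env: block.
$ErrorActionPreference = 'Stop'

$required = 'KV_URL', 'KV_CLIENT_ID', 'KV_TENANT_ID', 'KV_CLIENT_SECRET', 'KV_CERT_NAME'
foreach ($name in $required) {
    if (-not [Environment]::GetEnvironmentVariable($name)) { throw "Missing pipeline variable $name" }
}

$vaultUrl  = $env:KV_URL            # e.g. https://<your-vault>.vault.azure.net
$clientId  = $env:KV_CLIENT_ID      # service principal granted get/sign on the certificate's key
$tenantId  = $env:KV_TENANT_ID
$secret    = $env:KV_CLIENT_SECRET  # marked secret in the Library; never written to the log
$certName  = $env:KV_CERT_NAME      # name of the code signing certificate inside the vault
$artifacts = $env:BUILD_BINARIESDIRECTORY

# AzureSignTool is a .NET global tool; 'update' installs it if it is not present yet.
dotnet tool update --global AzureSignTool

# Collect only the artifact types this build actually produces.
$files = Get-ChildItem -Path $artifacts -Recurse -Include *.exe, *.dll, *.msi |
    Select-Object -ExpandProperty FullName
if (-not $files) { throw "No files to sign under $artifacts" }

# SHA-256 digests plus an RFC 3161 timestamp, so signatures remain valid after the
# certificate itself expires. The private key never leaves the Key Vault HSM.
& azuresigntool sign `
    --azure-key-vault-url $vaultUrl `
    --azure-key-vault-client-id $clientId `
    --azure-key-vault-tenant-id $tenantId `
    --azure-key-vault-client-secret $secret `
    --azure-key-vault-certificate $certName `
    --timestamp-rfc3161 http://timestamp.digicert.com `
    --timestamp-digest sha256 `
    --file-digest sha256 `
    --verbose `
    @files
if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed with exit code $LASTEXITCODE" }

# Independent check: every file must carry a signature that chains to a trusted root.
foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${file}: $($sig.Status)" }
}
```

Run it on a Windows agent after the build step; the service principal needs only the Key Vault permissions required to read the certificate and sign with its key, not access to the whole vault.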