rustypwneddownloader VS AzureSignTool

Just throwing in that the dollar value isn't the only cost. I've been using an automated release workflow tomanage signing, eg

https://github.com/technion/rustypwneddownloader/blob/main/....

This worfklow isn't usable with these new rules, and I'm having a hard time with the assertion that moving builds to my desktop to use a hardware signing key and uploading them in a non automated, non transparent fashion is an improvement on security.

I just grabbed my (very basic app)[https://github.com/technion/rustypwneddownloader] and ran a cargo vet init. Out of the box there were 145 dependencies found (ouch.. that already feels like a bad trajectory).

I've written and released a Rust port of the pwnedpasswordsdownloader: https://github.com/technion/rustypwneddownloader

I never had much luck with ClickOnce, so I was using Squirrel.Windows. I've recently switched to the Clowd.Squirrel fork, since I needed support for AzureSignTool in the build process.

[2] https://github.com/vcsjones/AzureSignTool

The token requirement is a pain. We settled on using Azure Key Vault and AzureSignTool [1]. It costs $5 a month for a HSM key and you can sign things from anywhere.

It's not a protection racket...

[1] https://github.com/vcsjones/AzureSignTool

You can use any certificate authority to generate the security certificate, get a hardware security module (HSM). Then upload your new code signing certificate to Azure Key Vault and use the excellent Azure Sign Tool to pull the certificate from Azure Key Vault into your Azure Pipelines.