rustypwneddownloader VS PowerShell-OpenAuthenticode

Just throwing in that the dollar value isn't the only cost. I've been using an automated release workflow tomanage signing, eg

https://github.com/technion/rustypwneddownloader/blob/main/....

This worfklow isn't usable with these new rules, and I'm having a hard time with the assertion that moving builds to my desktop to use a hardware signing key and uploading them in a non automated, non transparent fashion is an improvement on security.

I just grabbed my (very basic app)[https://github.com/technion/rustypwneddownloader] and ran a cargo vet init. Out of the box there were 145 dependencies found (ouch.. that already feels like a bad trajectory).

I've written and released a Rust port of the pwnedpasswordsdownloader: https://github.com/technion/rustypwneddownloader

I’ve found the easiest option available here is through using Azure KeyVault to store the keys. I use a custom module to sign my PowerShell scripts and dlls [1] for this because I can integrate it with OIDC to sign the code using the keys stored in the Azure HSM. While the builtin pwsh Set-Authenticode cmdlet can’t do this currently there are other options that rely on Window’s authenticode APIs like AzureSignTool [2] that I highly recommend.

While I’m unsure if Azure is suitable for actual companies I think the risk is ok for what I need it for and the API quality as well as OIDC support make it quite nice to use with GHA.

[1] https://github.com/jborean93/PowerShell-OpenAuthenticode