SimonMatthews
Posts: 3
Joined: Wed Dec 13, 2023 12:15 am

Status of Code Signing

We are currently signing our code with a certificate obtained last year, before the new requirements for use of an HSM came in. So I want to understand the current state.

We have an automated build pipeline, so entering a PIN for each build is simply impractical. Entering a PIN after each reboot is acceptable, although if we could avoid this, it would be preferable.

I am looking at getting a certificate on a YubiKey, and would need to install some software to support this, although we have not yet bought the certificate, so if alternative HSM hardware works better, then we can select that instead of the YubiKey.

Is there a current document for setting up the signing? It looks like things have been changing quite rapidly in this field, so old documents may not be relevant. I have upgraded to AI 21.2.2, which is currently the latest version.
Catalin
Posts: 6608
Joined: Wed Jun 13, 2018 7:49 am

Re: Status of Code Signing

Hello Simon and welcome to our forums,

This is something that we have on our TODO list of investigations.

Unfortunately, we were not able to find much so far. We've purchased a YubiKey and tried many things, including their PIN policy (they have a PIN policy which you can set and then the PIN should be asked for just once).

We will continue investigating this and as soon as I have more information, I will let you know.

Thank you for your further patience on this!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team