We are currently signing our code with a certificate obtained last year, before the new requirements for use of an HSM came in. So I want to understand the current state.
We have an automated build pipeline, so entering a PIN for each build is simply impractical. Entering a PIN after each reboot is acceptable, although if we could avoid this, it would be preferable.
I am looking at getting a certificate on a YubiKey, and would need to install some software to support this, although we have not yet bought the certificate, so if alternative HSM hardware works better, then we can select that instead of the YubiKey.
Is there a current document for setting up the signing? It looks like things have been changing quite rapidly in this field, so old documents may not be relevant. I have upgraded to AI 21.2.2, which is currently the latest version.