Window code signing certificate source recommendations

[Paul Dupuis]

On 10/10/2023 8:53 AM, matthias rebbe via use-livecode wrote:
> Hello Paul,
>
> unfortunately this is the "new" standard. Since 1st June 2023 private keys has to be stored on a Token.
> https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/
>
> There is no way anymore to export a certificate for example to .pfx.
> And much more of a pain, it is not possible anymore to code sign Windows app under macOS or at least i was not able to so so far.
>
> I have a "cloud" certificate from Certum which i purchased from SSL Point (https://www.sslpoint.com <https://www.sslpoint.com/>)
>
> With this type of certificate the private key is not stored on a USB token. This "cloud" certifcate  works similar to a usb token. I also have to install some software. This software allow me to login to the "cloud" and after successful login i can use that certificate
> with Microsoft's signtool and JARsigner.
> https://www.files.certum.eu/documents/manual_en/Code-Signing-signing-the-code-using-tools-like-Singtool-and-Jarsigner_v2.3.pdf
>
> So to automate your signing, you just have to keep a Windows PC running and make sure that you are logged in to the "Cloud". As long as the software is logged in you have access to the certificate.
> I don't know if this is also the case with the USB Token. Could not test it, because i do not have a usb token. ;)
>
>
> Regards,
> Matthias

First, thank you for the very informative reply (with links!)

Second, this "new" standard STINKS!

The cloud cert sound interesting, but we recently renewed out macOS cert 
and now we've just renewed our Windows cert, so, short of trying to get 
money back from Comodo and switching to the "cloud", I guess I am stuck 
with the "new" crappy standard.

I do not see how large software companies that automate build, signing, 
and even QA testing can accept this change. But they must of the 
suppliers of certs would not go this route for loss of income.