Making this more generally supported

[andyfisher100]

Hi @vcsjones ,

I realise that you are a member of staff at GitHub but what are the options of this becoming something supported by Microsoft or GitHub themselves or would you want to keep this as a project that you maintain?

My question comes because I wanted to use this within the company I work for to resolve the CA/BROWSER FORUM updates relating to code singing certificates requiring their private keys to be stored in a hardware crypto module of some kind https://www.entrust.com/blog/2022/09/ca-browser-forum-updates-requirements-for-code-signing-certificate-private-keys/

When proposing this as a solution, a concern was raised that our companies process to release software would be dependant on an open source package seemingly maintained by a single user

What are you thoughts or do you have any reassurances regarding this tools further development?

Thanks in advance

[vcsjones]

I realise that you are a member of staff at GitHub but what are the options of this becoming something supported by Microsoft or GitHub themselves or would you want to keep this as a project that you maintain?

Yep. This project started before I was a (technically) a Microsoft employee.

I have not had any conversation with Microsoft about handing this over to them.

When proposing this as a solution, a concern was raised that our companies process to release software would be dependant on an open source package seemingly maintained by a single user

That's a valid concern! I do want to make a point though: this project is very simple (well, by my standards), and it is that way intentionally. This project doesn't actually do any signing, formatting, or embedding of signatures itself. It really just uses an API in Windows called SignerSignEx3 and brings that together with Azure Key Vault with the Azure SDK. There are many other OSS projects out there that try to do signing "from scratch" but in my experience are 90% done, occasionally has bugs, etc. That is an anti-goal of AzureSignTool: this project is intended to use the real Windows signing APIs.

The maintenance effort here for me fairly low - the lions share of any bugs, fixes, security, etc. are all on the Windows side or the Azure SDK.

Now, there is also the matter of "technical support" which I do my best to help out here. Sometimes signing doesn't work for a myriad of reasons that are unrelated from AzureSignTool (the most common of which is trouble communicating with a timestamping service). I'm not able to commit to any particular SLA of helping troubleshoot problems.

[andyfisher100]

Appreciate the reply

I really enjoy the design of this and it just using the windows signing APIs as you mentioned. I may go back with what you mentioned to my manager and see what the options are again

Thanks

[adamdost-0]

@vcsjones recommend reaching out to Scott Hall in MS around your tool and whether there's a chance to collaborate.