I was afraid of the HSM at first but for an open source developer (rather than a big company) I found it wasn't a big deal. I can't sign in GitHub Actions and I have a USB stick that lights up when I sign releases, but it hasn't been a blocker. I got mine from Sectigo Store. This isn't hypothetical, I really did it, I've got the HSM, it works. It wasn't difficult. It just cost some money and a little bit of time. "Nigh impossible" is a tremendous exaggeration. I'll concede "annoying and expensive" perhaps. If you've got the money, you can get the HSM. You don't have to re-buy the HSM when you renew your certificate.
The Microsoft Store account was painful to set up, I'll note. My developer account had also been cancelled by Microsoft for unknown reasons, and I ultimately had to set up a brand new one. New email, new name. My new account has my middle initial because I couldn't clash with the existing, closed account. My first and last name alone are banished forever from the store.
The "same thing", as you concede, isn't the same thing. Quantity has a quality of its own: one happens all the time and we're reading an article about it happening right now. In the comments there's another prominent maintainer who it happened to, and it happened to me personally! That's three right here! The other happens so infrequently that people in this same HN thread are complaining that it isn't happening enough. Can you find an example that's like Veracrypt and WireGuard? In practice, it seems they rarely do this, even when they should. You can actually view the list under "Manage computer certificates" > "Untrusted Certificates." On my computer the entire list is 20 certificates.
I'm standing by my suggestion, 100%. These aren't equivalent risks at all.
Thanks for sharing your experience. I have been code signing releases for over a decade as an indie publisher myself, until I found myself effectively iced out by the HSM requirement, the increased cost, and the shortened cert lifetimes, which, as someone with certain executive order dysfunctions, I already had a hard time being on top of with the old (multi-year) lifetimes.
I just migrated to MS artifact signing and, thank the lord, had an actually easier time getting verified than I did with the Sectigo and Comodo in the past. I’m sure I’m not representative of anyone else’s experience but having already had a developer account (with a different email and without an Azure account!) that I had already been using for the Microsoft Store might have helped, as well as the fact that I had a well-established business history (I’ve heard businesses younger than 3 years can’t get verified??), but reading all the comments here makes me very uneasy about the future.
It’s good to know the HSM route isn’t a complete non-starter. The main reason I panned it is that when I started looking into this I found that a number of companies that had previously offered the HSM route had done a bait and switch and were now keeping custody unless you were big enterprise (meaning willing to put up with 10k/yr fees). I did find a few that would allow OSS devs to sign their work, but read horror stories on Reddit and elsewhere about their freezing the account and issuing no refunds if you ask them to issue the cert in the name of your LLC or corporation instead of with your personal name (which I expressly did not want). Also, they actually were more expensive than Azure artifact signing even after the HSM cost was taken out.
I believe you. I also found that many CAs will not deal with a solo developer; that's real. But Sectigo continues to offer HSMs to solo developers. The link I used is [1], you buy the HSM along with your first certificate and they ship it to you. $300/year for the cert, $90 one-time for the HSM. That's not cheap but I think for specific developers looking for an escape from the store, it's a good price for freedom. The HSM is a USB stick with an LED on the back. The software is called "SafeNet Authentication Client" and it sets up the certificate access in your Windows Certificate Store so that signtool can use it. Prompts for the password every time (annoying).
[1] https://comodosslstore.com/code-signing/comodo-individual-co...
The sectigo HSM is just a USB stick they actually mail you, so it's not onerous.