Signed Windows Installer

[dlemstra]

Today our code signing certificate will expire. For many years LeaderSSL sponsored us with a code singing certificate but they are no longer able to do so. Since June of 2023 the CA/B Forum requires that OV code signing private keys be stored on a FIPS 140-2 Level 2 or Common Criteria Level EAL4+ certified device. This means we are no longer able to export our code signing certificate with its private key and use this in GitHub actions. We would now either need to have our own GitHub agent and hardware token or use a cloud solution (e.g. digicert). Our preference would be to use a cloud solution that integrates with GitHub. Digicert seems to be our only option now but a certificate there would cost $629 (tax excluded) for a single year. If your organization requires a signed installer then please consider sponsoring us with a code signing certificate. Please reach out to @dlemstra for questions or in case of a sponsorship.

[urban-warrior]

@dlemstra says "Thanks for all the options that were offered. We decided to use Azure Code Signing and this means we are now able to sign our binaries again. You can read here how easy it was to set this up here: https://github.com/dlemstra/github-stories/tree/main/2023/ImageMagick%20now%20uses%20Azure%20Code%20Signing."