SignTool - secure Workflow?

we are new at code signing, so im interested in your experiences how to use the sign tool without exposing the certificate to everyone in the company.

Can everyone in your company do code signing? Do you give the certificate to every person in your company?

We want do some automatic workfl开发者_运维百科ow, like the developers drop theire files into a directory and every file get be signed.

Thanks for your advice.

My company has a VBScript wrapper that automates the signing and validation process. The VBScript, signtool.exe, capicom.dll and a PFX (containing the certificate chain and private key) all sit on a password protected network share.

Whenever someone needs to sign a binary, they can simply drag and drop the file onto the VBScript; and it handles the rest. Although, since our build process has become almost completely automated, it has fallen into disuse.

On the down side, it is a VBScript. So the password to the private key is visible, but that was the reason for password protecting the share.

Addendum

You could do something similar where it would sign any files within a folder/share and configure Windows Scheduled Tasks to execute the script every few minutes. After signing, it would need to move the files to a different folder, but that is easy enough. This would allow you to restrict access to the script, certificate, private key and the folder where files are signed.