Feature: Advanced Signing Support (Cloud HSM / PKCS#11)

## Objective
Support enterprise-grade code signing using hardware tokens or Cloud HSMs (Azure Key Vault, AWS KMS) instead of local PFX files.

## Rationale
Local file-based certificates are becoming insecure/deprecated. Automation requires headless signing via cloud providers.

## Strategy
- **Abstraction**: Update `tools/sign-dev.sh` (rename to `sign-provider.sh`) to act as a dispatcher.
- **Providers**:
  - `local`: Existing behavior (PFX file).
  - `azure`: Uses `az sign` or `jsign` with Azure Key Vault credentials.
  - `pkcs11`: Uses `osslsigncode` with hardware token drivers.
- **Config**: Driven by env vars (`WBAB_SIGN_PROVIDER`, `WBAB_AZURE_CLIENT_ID`, etc.).

## Acceptance Criteria
- Signing script supports at least one Cloud HSM provider (Azure preferred).
- Local signing remains the default for development.
- Secrets are securely injected via environment variables, never stored.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature: Advanced Signing Support (Cloud HSM / PKCS#11) #6

Objective

Rationale

Strategy

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Feature: Advanced Signing Support (Cloud HSM / PKCS#11) #6

Description

Objective

Rationale

Strategy

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions