docs: document Microsoft Azure Trusted Signing as fallback to SignPath #156
Description
Purpose
Document Microsoft Azure Trusted Signing as a backup option if the SignPath Foundation application is rejected or doesn't work out.
Background
If SignPath (#152) isn't viable, Azure Trusted Signing provides an alternative path to Windows code signing with immediate SmartScreen reputation.
Azure Trusted Signing Details
| Aspect | Details |
|---|---|
| Cost | $9.99/month (~$120/year) |
| SmartScreen | Immediate reputation (no warning buildup) |
| HSM | Cloud-based, no hardware token needed |
| Integration | GitHub Actions support available |
| Availability | USA, Canada, EU, UK only |
Advantages Over Traditional Certificates
- No hardware security module (HSM) shipping/management
- Simpler than traditional OV/EV certificate workflows
- Microsoft-backed identity validation through Entra
When to Consider
- SignPath application rejected
- SignPath integration proves too complex
- Need faster turnaround than SignPath approval process
Documentation to Add
If this becomes relevant, add to installation docs:
## Windows Code Signing
Windows builds are signed using Microsoft Azure Trusted Signing, which provides
immediate SmartScreen reputation. You should not see security warnings when
installing Kindling.References
- Azure Trusted Signing
- GitHub Action for Azure Trusted Signing
- Note: Since June 2023, all Windows code signing requires HSM storage—Azure handles this automatically
This is a backlog item. Only implement if SignPath (#152) doesn't work out.