To ensure secure and reliable signing practices in your automated build environments, consider the following best practices.

- Avoid storing PFX files directly on build agents; use AWS CloudHSM or KMS for secure key management.
- Use timestamping for long-term signature validity.
- Implement role-based access control via IAM.
- Consider signing in isolated environments (e.g., CodeBuild or EC2 with least privilege).

The table below outlines common problems, their causes, and recommended solutions.

| Issue | Possible Cause | Suggested Action | 
|---|---|---|
| "No certificate found" | Incorrect PFX path or missing permissions | Check certificate path and access rights | 
| "Provider cannot be found" | Middleware not installed or misconfigured | Ensure KSP or CNG bridge to AWS is correctly set up | 
| "Signature invalid after 3 days" | Missing timestamp | Add /tr and /td flags to the command | 
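
The following PowerShell build step is an added example, not part of the original page. It signs with a certificate selected from the certificate store by thumbprint (no PFX on disk), applies the `/tr` and `/td` flags from the table, and fails the build if the resulting signature has no timestamp. The parameter names, thumbprint and timestamp URL are placeholders you supply, and `signtool.exe` is assumed to be on `PATH`.

```powershell
# Added example: sign a build artifact and refuse to ship it without a timestamp.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    # Placeholders: thumbprint of your signing certificate and the URL of your
    # RFC 3161 timestamp authority. Neither value comes from the original page.
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $TimestampUrl,
    # Set when the certificate is in the machine store rather than the user store.
    [switch] $MachineStore
)

$ErrorActionPreference = 'Stop'

# Assumption: signtool.exe (Windows SDK) is on PATH on the build agent.
$signtool = (Get-Command signtool.exe).Source
$Thumbprint = $Thumbprint -replace '\s', ''

# /sha1 picks the certificate from the store by thumbprint, so no PFX is read
# from disk and the private key stays behind the installed key storage provider.
# /tr requests an RFC 3161 timestamp; /td sets the timestamp digest algorithm.
$signArgs = @('sign', '/fd', 'SHA256', '/sha1', $Thumbprint,
              '/tr', $TimestampUrl, '/td', 'SHA256')
if ($MachineStore) { $signArgs += '/sm' }
$signArgs += $FilePath

& $signtool @signArgs
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Independent check of the result, using the built-in Authenticode cmdlet.
$sig = Get-AuthenticodeSignature -FilePath $FilePath

if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
    throw "Signed with unexpected certificate $($sig.SignerCertificate.Thumbprint)"
}
# Without a timestamp the signature stops validating once the signing
# certificate expires, which is the "Signature invalid after 3 days" row above.
if ($null -eq $sig.TimeStamperCertificate) {
    throw "Signature on $FilePath has no timestamp; check the /tr and /td flags"
}

Write-Output "Signed and timestamped: $FilePath"
```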


