Hey, is there any chance you could do a writeup on how you did things? Due to the lack of information you mention, I think it might be useful for a lot of people here, including me.
I'm probably not gonna get to a full post anytime soon, but I'll summarize here. This is from memory, so I may have some things wrong.
1. DigiCert CS certificate. You can validate your organization before paying anything, but it felt like we ended up in a low-priority queue because of that. After not hearing back for 2-3 weeks, I emailed support, then got validated in a day or two.
2. Azure KeyVault: "Premium" pricing model, since you need RSA 3072-bit or RSA 4096-bit HSM-backed keys. Generate a CSR here. There are a couple of annoying steps such as getting the access control set up right, but nothing too complicated.
3. Once you have a validated org and paid for the CS certificate, you can upload the CSR to DigiCert, and download the certificate.
4. "Merge" the certificate on Azure KeyVault.
5. Create an "application" on Azure which gives you API credentials. You need to copy a whole bunch of IDs:
# key vault:
azure-key-vault-url
azure-key-vault-certificate
# client application:
azure-key-vault-tenant-id
azure-key-vault-client-id
azure-key-vault-client-secret
You use the above with AzureSignTool to do the signing, e.g. from your CI system.
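The signing step of the procedure above, written out as a CI wrapper script. This is an added example, not code from the commenter; the environment variable names, the `DRY_RUN` switch and the default DigiCert timestamp server are my own assumptions, while the `--azure-key-vault-*` option names are AzureSignTool's real long options matching the five identifiers listed above.

```shell
#!/bin/sh
# Added example: drive AzureSignTool from a CI job using the Key Vault and
# client-application identifiers collected in step 5. Portable sh, so it runs
# under dash as well as bash.
set -eu

# Fail early with a clear message if any of the five identifiers is missing,
# instead of letting azuresigntool fail half-way through a release job.
require_vars() {
  for name in AZURE_KEY_VAULT_URL AZURE_KEY_VAULT_CERTIFICATE \
              AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "sign_file: $name is not set" >&2
      return 1
    fi
  done
}

# Sign one file. With DRY_RUN=1 the argument list is printed one per line
# instead of being executed, so the mapping from identifiers to flags can be
# checked without a vault or a certificate.
sign_file() {
  file="$1"
  require_vars || return 1
  set -- sign \
    --azure-key-vault-url "$AZURE_KEY_VAULT_URL" \
    --azure-key-vault-certificate "$AZURE_KEY_VAULT_CERTIFICATE" \
    --azure-key-vault-tenant-id "$AZURE_TENANT_ID" \
    --azure-key-vault-client-id "$AZURE_CLIENT_ID" \
    --azure-key-vault-client-secret "$AZURE_CLIENT_SECRET" \
    --timestamp-rfc3161 "${TIMESTAMP_URL:-http://timestamp.digicert.com}" \
    --timestamp-digest sha256 \
    --file-digest sha256 \
    --verbose \
    "$file"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    azuresigntool "$@"
  fi
}

# Usage from a CI step (identifiers come from the job's secret store):
#   DRY_RUN=1 sh sign.sh build/app.exe   # inspect the argument list
#   sh sign.sh build/app.exe             # actually sign
if [ "${1:-}" != "" ] && [ "$(basename "$0")" = "sign.sh" ]; then
  sign_file "$1"
fi
```

The private key never leaves the HSM-backed vault: AzureSignTool computes the file digest locally and asks Key Vault to sign it, which is why the client application only needs sign permission on the key, not export. Since the client secret is passed on the command line, keep it in the CI system's masked-secret store and avoid `set -x` in the job.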
It's not the way the OP did it, but there's a blog post here on how to ship apps using cloud signing with the Conveyor tool. The title talks about Electron, but it should work for any kind of app (not tested with .NET).
So now that this powerful user is gone and the software is still out of convention, we are stuck with an unfriendly behavior in an extremely popular piece of software because of... inertia, and this makes a cool story?
Well, from your feedback, the law seems to have had the required effect, combining suppression of disguised employment, assigning the right responsibility to the parties involved, and avoiding dilution of said responsibility.