I'm trying to figure out how best to set up Authenticode signing at my workplace. The security implications are stressing me out.
My initial thought is that the person who controls the key should install it to the build server and secure it so that only the build account can access it.
This seems reasonably secure, but it actually isn't. Yes, you can't steal the cert at this point, but if you can create a build you can get the build account to sign any binary.
Can anyone who is familiar with the process give me some pointers?