
Code signing with HashiCorp Vault and GitHub Actions

What's this blog post about?

This blog post discusses using HashiCorp Vault as a trusted Certificate Authority (CA) to issue short-lived code signing certificates to a GitHub Actions workflow that signs PowerShell scripts with Microsoft Authenticode. The solution uses a two-tier public key infrastructure (PKI): OpenSSL operates the root CA, and Vault operates the code signing issuing CA. The process involves generating an Elliptic Curve P-521 key pair, issuing a self-signed root certificate, provisioning resources in Vault with a HashiCorp Terraform module, and having the root CA issue a certificate for Vault's code signing CA. The sample GitHub workflow provided can be used to test this code signing pipeline concept. This approach offers benefits such as automating PKI management, reducing manual verification steps, and securing internal software distribution.

Company
HashiCorp

Date published
May 13, 2024

Author(s)
Guilherme Pamplona Santos

Word count
803

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.