Code Signing Certificates in 2026: Hardware Tokens, HSMs, and Modern Developer Workflows
Introduction: Code Signing Certificates in the Hardware-Only Era
By 2026, PFX-based code signing will no longer be part of serious production environments. The transition that started in 2023 is now complete, and hardware-backed cryptography has become the standard for all public code signing certificates. Developer systems and shared build servers do not store the private keys anymore. They are created and kept inside hardware tokens, on-prem HSMs, or managed cloud HSM services that enforce strict access boundaries by default.
The shift was not just a theory, but rather a reaction to frequent key theft incidents that demonstrated the weakness of file-based secrets in real-world software supply chains.
For developers considering various options today, it is essential to know how the certificate authorities are functioning under these limitations. Companies like Sectigo and Comodo have restructured their code signing products and made hardware custody mandatory, thus bringing security controls in line with modern delivery pipelines and doing away with legacy convenience models.
Code Signing Certificates 101: The 2026 Reality
The cryptography that underlies code signing certificates has not changed at all. The whole operation consists of the hashing of the build artifact, the signing of the hash with the private key, and lastly, the operating system using the public certificate of the trusted authority to verify the signature. The only thing that has changed is the security boundary around the private key.
It is mandatory now that the private keys are generated and stored only in hardware modules that are FIPS 140-2 Level 2+ or equivalent Common Criteria EAL4+ certified, which are usually the modules with the highest level of security. The usage of PFX files that are exportable for signing purposes has been prohibited because of the documented misuses and compromises that have taken place over the years.
Hardware Key Storage: What Devs Use in 2026
Private key storage is no longer a design choice. It is an architectural decision that directly affects release velocity, security posture, and developer sanity. After three years of enforced hardware custody, teams have settled into three dominant models, each suited to different operating realities.
Hardware Key Storage Options in 2026
| Option | Best For | 2026 Examples |
|---|---|---|
| USB Hardware Token | Small teams, simple setups | Sectigo / Comodo eToken, DigiCert SafeNet, Yubico |
| On-Prem HSM | Medium+ orgs, high signing volume | Thales Luna, Utimaco, Yubico HSM |
| Cloud HSM / Signing Service | Distributed teams, CI/CD pipelines | Google Cloud HSM, Microsoft Azure Dedicated HSM, Amazon Web Services CloudHSM, Sectigo Certificate Lifecycle Manager |
USB Hardware Tokens
USB tokens are still the choice for small teams and controlled areas. They are the simplest to issue, cost less, and comply with the hardware enforcement rules.
Pros
Easy to deploy
Physical custody is very clear
Cost is lower at the beginning
Cons
Only limited concurrent signing
Physical handling
Not suitable for Continuous Integration (CI)
On-Prem HSMs
On-premise HSMs (Hardware Security Modules) are the option for large-scale signing by organizations, all the while controlling the process strictly within their internal circuitry.
Pros
Excellent coming and going rate
Positively strong about compliance requirements
Complete control internally
Cons
Expensive
Maintenance of infrastructure
Global scaling takes longer
Cloud HSM and Signing Services
Cloud HSM has garnered a 300% increase in adoption since 2023, which is mainly attributed to remote workers and automated pipelines.
Pros
Designed for CI/CD
Available all over the world
Customizable access control
Cons
Service costs are continuous
Provider's availability is the main problem doorway
In the real-world scenario, most present-day teams opt for cloud-based signing in accordance with its top three advantages: speed, scale, and operational sanity, while they reserve tokens or on-prem HSMs for those security requirements that are specialized.
Sectigo vs. Comodo vs. Others: 2026 Developer Guide
Sectigo Code Signing Certificate
A Sectigo code signing certificate is the result of years of changing the original Comodo ecosystem through continuous development and enhancement. Sectigo has built its reputation by having the best combination of trust, cost control, and practical developer support.
Speaking from a workflow angle, developers appreciate:
Heavy and reliable hardware tokens
Windows and Windows driver signing are already well superimposed
Validation timelines predictable
Standard validation generally takes 1-3 business days
EV code signing certificates usually take 3-5 business days for completion
Besides, Sectigo has put a lot of effort into the documentation and tools that greatly match modern continuous integration environments; thereby, it becomes less difficult for teams to incorporate signing in automatic release pipelines without too much peer customization.
Comodo Code Signing Certificate
The Comodo code signing certificate is still relevant in 2026, especially for companies that have to support legacy Windows applications or depend on older platforms. Its compatibility across the board and long-standing trust foundations make it a safe choice for developers working on historical software stacks.
The areas where Comodo is likely to attract:
Support for legacy Windows applications
Tools that are familiar to established build systems
Reliable, conventional signing procedures
What Developers Really Compare in 2026
A major trend that has developed among all certification authorities is that the professional teams, when it comes to certificates, rely on essentially the same set of real factors:
The reliability of hardware tokens and their replacement policies
Speed of issuance, particularly in the case of EV renewals
CI/CD integration instructions that require no additional work to function properly
Response times of support during validation or production incidents
EV vs. Standard Code Signing: Hardware-Backed Reality
The debate around EV versus standard code signing is no longer about whether hardware is required. That question was settled years ago. Since 2023, all publicly trusted code signing certificates operate under hardware-backed key storage. The real difference today lies in validation depth, reputation signals, and how quickly trust is established in the real world.
Standard (OV) vs EV Code Signing Certificates in 2026
| Aspect | Standard (OV) | EV Code Signing Certificates |
|---|---|---|
| Validation | Organization-level verification | Legal and operational verification |
| SmartScreen Reputation | Builds gradually over time | Stronger initial trust signals |
| Hardware Required | Hardware token or HSM | Hardware token or HSM (premium options) |
| Typical Cost (2026) | $200–$400 per year | $400–$800 per year |
What This Means in Practice
The main point of differentiation for EV is identity assurance and reputation behavior. This is crucial for new publishers, commercial software vendors, and teams that frequently release updates and thus rely on predictable installation behavior.
Standard OV certificates still provide a sturdy choice for internal applications, smaller s's, or software with an already installed base. On the other side, EV is the choice when reputation, visibility, and trust signals must work immediately, not over time.
Production Signing Workflows That Scale
Signing in a production environment is primarily about established patterns that can withstand the pressure of actual release, rather than tools. After years of the hardware-only approach, the security, throughput, and sanity of operations have led to three workflows as the point of balance.
Pattern 1: Token on a Dedicated Signing Host (Small Teams)
Small-sized teams with well-controlled release cycles usually keep signing on a single, very secure machine. The hardware token is always connected to that host, access is very limited, and signing is done only when needed, so releases get queued.
A typical GitHub Actions workflow in 2026 looks like this:
- name: Sign with Sectigo token
run: signtool sign /ksm /t http://timestamp.sectigo.com app.exe
Why teams choose this
Lowest operational complexity
Clear physical custody of the hardware token
Very suitable for low-frequency releases
Trade-offs
Limited concurrency
Manual coordination of the signing host
Not good as the release velocity increases
Pattern 2: HSM via PKCS#11 (Medium Teams)
The signing process moves into the centralized HSM infrastructure when the teams grow. The signing operations are abstracted by the PKCS#11 interface so that the hardware need not be known at all, and thus multiple signing requests from different build systems can be made without revealing the private key.
A usual flow on Windows is as follows:
signtool sign /sm /n "Sectigo Code Signing" /fd sha256 /tr http://timestamp.digicert.com app.exe
The following are the reasons why teams accept this method:
Throughput is higher in comparison to token-based models
Access control and logging are centralized
Environments that require heavy regulation are a good match for this method
On the other hand, there are the following disadvantages:
Infrastructural costs are higher
Security teams have to be involved
It takes longer to scale globally
Pattern 3: Cloud HSM API (Scale)
The physical limitations vanish entirely at scale. Cloud HSM and signing APIs let distributed teams sign from anywhere, and the access is managed through policy-based controls and short-lived credentials. The high-volume CI/CD pipelines have adopted this model as the leading one.
curl -X POST "https://signing.sectigo.com/api/v2/sign" \
-H "Authorization: Bearer \$HSM_TOKEN" \
--data-binary @app.exe
The following are the reasons why teams accept this method:
It is made for automation
Available worldwide
Logging and access are very detailed
On the other hand, there are the following disadvantages:
The cost of service is continuously
Dependence on the provider's uptime
CI/CD Integration: Tried-and-True Patterns
The integration of code signing certificates into the CI/CD pipelines has been considered as a standard practice through the hard lessons learned from the 2023 hardware mandate which was just a step towards the future automated, but now the question is not whether they can be automated but instead how reliable they are under heavy load, in different regions, and at peak times of release.
GitHub Actions
The most common pattern for teams using GitHub Actions is a self-hosted runner. Smaller setups attach a hardware token directly to the runner, while more mature teams connect the runner to a cloud HSM or signing service.
What will work for you in 2026:
Grounded runners with limited access
Temporary credentials for cloud HSM calls
Clear distinction between build and signing steps
GitLab
GitLab has become a very good choice for companies that want to keep strict control over their infrastructures. Numerous squads adopt PKCS#11 to link either HSMs located in their own premises or in the cloud, whereas some connect HSMs in the cloud to their worldwide operations.
Common benefits:
Built-in support for secure runners
Seamless integration with HSM- backed workflows
Consistent performance at medium to large scale
Jenkins and Azure DevOps
In the case of large organizations, Jenkins and Azure DevOps are still the leading solutions. Both tools have well-developed HSM plugins and enterprise signing workflows that have been in place for a long time.
2026 Gotchas That Are Now Solved
It has taken several years of development, but one can say that the issues that plagued the beginning are now almost completely eradicated:
Dedicated runners help to circumvent USB passthrough reliability problems
HSM load balancing guarantees uniform signing throughput
Dual-region cloud HSM failover secures release pipelines against regional outages
SmartScreen Reputation: What Works in 2026
Windows SmartScreen has undergone a grand mutation from just simple publisher checks to a much more sophisticated position in the overall reputation scoring of Windows 11 and Windows 12. This scoring is no longer based on a single certificate flag but rather on a composite signal formed from various layers that go through the whole certificate chain, as well as file-level reputation, download velocity, and post-install behavioral analysis before deciding whether to show the warning or not.
At a high level, SmartScreen evaluates:
Trustworthiness of the certificate chain
The file has been seen and installed safely before
Execution behavior after installation
Signing identity is consistent across releases
Developer Security Checklist: Hardware-Only Best Practices
It is the process failure that will be most prevalent around code signing besides the technical issues. Teams are aware that the use of hardware is paramount. The difference between strong and weak organizations is how well they apply that fact to their people, systems, and response plans.
Physical Security
Keys with hardware backing still require physical diligence. When not in use, USB tokens must be locked away in extremely safe and secure places. The on-premises HSMs should be placed in server rooms that are not only locked but also have limited access and entry logs that are monitored.
Access Control
Signing authority should always be restricted to only a specified degree. Mature teams assign a special signer role that is given only the least permissions necessary for starting and performing a signing operation. Access to that role is ensured by using multi-factor authentication and, in a lot of instances, approval workflows for high-risk releases.
Always Timestamp
Timestamping is mandatory, and it is a pact that the signing of binaries will still be trusted even after the expiration of a certificate. By the year 2026, a typical practice is to enforce timestamping at the pipeline level, whereby it cannot be omitted accidentally.
Example:
/tr http://timestamp.sectigo.com /td sha256
Audit Everything
There should be a log of every signing event. This should include the person who initiated the process, the artifact that was signed, and the time it was done. The logs are very important for compliance reviews and incident investigations. If there is no way to trace a signature, then there is no way to defend it.
Incident Response
The use of hardware minimizes risks but does not eliminate them. Teams are always ready for such an event. If a token or an HSM credential is thought to be exposed, the response will be: revoke the certificate, immediately reissue it, and inform the customers affected within 24 hours. Here, the trust that is gained through quickness is more than through perfection.
Migration Complete: PFX → Hardware Signing
The signing migration that was based on PFX is practically over. The majority of production teams have moved completely to the new hardware signing method more than two years ago, or even more. This was due to platform enforcement and frequent security incidents related to exportable keys. Hardware signing is not a "new model" anymore; it is simply the way reliable software is delivered.
Late Adopter Migration Checklist
1. Audit the usage of PFX files that remain
To start with, identify any old legacy building jobs, internal tools, or forgotten scripts that have been kept referring to PFX files. Generally, these cases are very few, and most of the time, they are associated with older automation that has not been completely turned off yet.
2. Choose hardware and perform the whole testing
The selection of the right hardware token model, physical HSM, or virtual HSM must be done first, and then the total signing procedure must be carried out. This includes the operations of key generation, access management, time stamping, and confirmation on the platforms concerned.
3. Revise CI/CD pipelines
Eliminate the file-based signing procedures and introduce the hardware-backed patterns that are proportionate to your team size and release frequency. Run tests on parallel builds, failure scenarios, and recovery routes before the production system is permitted for use.
4. Document new signing SOPs
Finally, review the internal documentation. Having signing procedures, rules on access, and steps for incident response is a must for the developers' onboarding and for the consistency to be maintained over time.
At this point, migration is no longer a matter of technology but rather a task of doing the final clean up of operational operations in a world that is completely the hardware-only type.
Top comments (0)