Tags: google-cloud-platform, code-signing, hsm

Microsoft Authenticode Code Signing (EV) + Google Cloud HSM?


Our company uses an EV code-signing certificate on an eToken USB dongle, but we are currently planning to move our build and signing procedures to a virtual server in the cloud. Everything is fine except one thing: the code-signing process. GlobalSign allows certificates to be stored either on a USB dongle or on an HSM. I think an HSM will do the job; can somebody advise on best practice for a cloud HSM? I found that Google Cloud offers Google Cloud HSM, but how do I connect signtool.exe with this service?


Solution

  • If you don't mind using another signing tool, Jsign supports Google Cloud HSM out of the box (no PKCS#11 module is required):

    jsign --storetype GOOGLECLOUD --storepass <api-access-token> \
          --keystore projects/first-rain-123/locations/global/keyRings/mykeyring \
          --alias test --certfile full-chain.pem application.exe


    (disclaimer: I'm the main author of this open source project)

    The difficult part is to get GlobalSign to issue a certificate for the private key stored in Google Cloud HSM (this typically involves an audit process to certify the key was properly generated by an HSM, or providing an attestation certificate).
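A small build-server wrapper around the Jsign invocation from the answer, added here as an example that is not part of the original answer or of the Jsign project. It assumes `gcloud` and `osslsigncode` are installed on the signing host, that the logged-in identity may use the HSM key for signing, and that the `env:` prefix of Jsign's `--storepass` option is available; `TSA_URL` is a placeholder you set to your CA's timestamp server. The token is fetched fresh for each run and handed to Jsign through the environment, so the credential never appears in `ps` output or shell history, and the signed file is verified before the script returns success.

```shell
#!/bin/sh
# Added example: sign a Windows binary with an EV key held in Google Cloud HSM
# via Jsign, then verify the result. Not from the original answer or Jsign.
set -eu

# Build the Cloud KMS key ring resource name that Jsign expects in --keystore.
# Arguments: project location keyring. Empty or slash-containing parts are
# rejected so a typo cannot silently point --keystore at another resource.
kms_keyring_path() {
    for part in "$1" "$2" "$3"; do
        case "$part" in
            ""|*/*) echo "kms_keyring_path: invalid component '$part'" >&2; return 1 ;;
        esac
    done
    printf 'projects/%s/locations/%s/keyRings/%s\n' "$1" "$2" "$3"
}

# Short-lived OAuth token for the identity gcloud is logged in as (assumes the
# gcloud CLI is installed and that identity may use the key for signing).
fetch_access_token() {
    gcloud auth print-access-token
}

# Arguments: project location keyring keyname chain.pem target.exe
sign_with_gcloud_hsm() {
    project=$1; location=$2; keyring=$3; keyname=$4; chain=$5; target=$6
    keystore=$(kms_keyring_path "$project" "$location" "$keyring")

    # Export the token and let Jsign read it with env:NAME instead of passing
    # it as a literal argument, so it stays out of process listings and history.
    GCLOUD_TOKEN=$(fetch_access_token); export GCLOUD_TOKEN

    # TSA_URL is a placeholder for your CA's RFC 3161 timestamp server; when it
    # is unset the --tsaurl flag is simply omitted.
    jsign --storetype GOOGLECLOUD --storepass env:GCLOUD_TOKEN \
          --keystore "$keystore" --alias "$keyname" --certfile "$chain" \
          ${TSA_URL:+--tsaurl "$TSA_URL"} "$target"
    unset GCLOUD_TOKEN

    # Independent check with osslsigncode (assumed installed): exits non-zero
    # if the Authenticode signature or its certificate chain does not verify.
    osslsigncode verify -in "$target"
}

# Usage: sh sign.sh sign first-rain-123 global mykeyring test full-chain.pem application.exe
case "${1:-}" in
    sign) shift; sign_with_gcloud_hsm "$@" ;;
esac
```

Keep the key in the HSM key ring named by the answer and give the build identity only the permission to sign with it, not to export, rotate or destroy it; the short-lived token then limits what a compromised build job could do to producing signatures, which Cloud KMS audit logs will record.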