Is it possible to soften impact of recent changes to code signing process?

Code signing industry recently adopted CAB forum recommendations wrt code signing. Now private keys can only stored on hardware (USB key) provided (or managed) by CA.

I see following downsides to this:

• most will choose option of storing keys with CA -- this means CA will be holding your private keys and control every application of your certificate.
  • it will know hash sum of every file you've signed and the moment when you signed it
  • it will give your keys to government(s)
  • it can refuse to sign (e.g. for political reasons)
  • "all keys in one basket" problem
  • your build process needs working internet connection
  • your build process has to rely on CAs infrastructure to work correctly
  • CA can force you to upgrade at it's whim
  • ... most of this applies to those choosing hardware option (you get a black box controlled by CA)
• we use DigiCert and are forced to update build server OS because their platform (logic that forwards hash sums to CA server for signing) supports Windows 10 minimum
  • ... and they will likely force us to upgrade in future
  • upgrading OS brings a lot of headaches -- broken builds due to newer minor VS version, library incompatibilities, 3rd party packages that fail to build, OS-specific quirks, etc
    • being under constant threat of being forced to upgrade makes this worse

Is there a way to avoid some of this pain?

Options I see:

1. don't use code signing -- tempting, but not really an option in our case
2. find another CA -- apparently all CAs adopted(ing) these recommendations. Let me know if it isn't true, please
3. create a dedicated server in our environment and use it just for signing (incorporate it into the build process). I would love to hear a recommendation on how to facilitate this. There bound to be utilities for that....

Assuming your private key is held by the DigiCert ONE service, you can replace signtool with Jsign to sign your binaries (disclaimer: I'm the author). Jsign is cross platform and sends directly the hash of your file to the DigiCert API, so you aren't tied to the DigiCert client tools requirements.

The syntax looks like this:

jsign --storetype DIGICERTONE --alias test \
      --storepass "<api-key>|/path/to/Certificate_pkcs12.p12|<password>" application.exe