Emmanuel Bourg

Results 158 comments of Emmanuel Bourg

Technically the access token is not a password, but if your security policies prohibit using it as a command line argument it's possible to read the token from an environment...

If I understand well, adding extra certificates is useful in a cross signing scenario, when the same key is used by several certificates with different trust paths, right?

@MrAlex94 Does that mean that when you renew your certificate, you reuse the same private key and update the certificate chain used by the build script, but you do not...

@MrAlex so you basically have two certificate chains, one EV, and the other non-EV, both sharing the same private key hosted by Azure Key Vault? I'd be curious to know...

@MrAlex94 Thank you for the clarification. osslsigncode supports the `-addUnauthenticatedBlob` parameter to inject bytes into the signature that can be altered without invalidating it. That's a simpler alternative than fiddling...

> The only difference when using the /ac flag with signtool is that the dummy cert doesn’t appear in the digital signature list on the file properties (I’m not sure...

@mikehearn Thank you for the example!

Thank you for reporting this issue

> Is this an oversight / bug, or expected behaviour

Jsign assumes the reserved area is either empty or contains a 20 bytes...

> The question is, how does signtool handle such a file? It looks like signtool replaces the empty reserved area with the CABSignature structure and appends the PKCS#7 signature at...

I don't have an ETA, sorry. I've discovered another problem related to the per folder reserved area (using the `ReservePerFolderSize` directive):

* if the file has a per cabinet and...