A brief history of code signing at Mozilla

Over the past ~20 years, Mozilla has evolved its code signing process for Firefox, starting with detached GPG signatures and progressing to Authenticode signing. With improvements like automation, parallelized signing, and Autograph, signing becomes faster and more secure. Surprisingly, Windows builds were signed on Linux using mono’s signcode version. Notarization with rcodesign allowed for cloud operations and reduced reliance on macOS hardware. Tools like osslsigncode, winsign, apple-codesign, mardor, signingscript, and iscript play crucial roles in the signing process. Autograph, Mozilla’s modern code signing service, brings performance and security enhancements, allowing for private key material to be kept in HSMs.

https://hearsum.ca/posts/history-of-code-signing-at-mozilla/