You certainly don't need a hardware token, you can store it in any FIPS 140 Level 2+ stores. This includes stuff like Azure KeyVault and AWS KMS.
Azure Trusted Signing is 100% the best choice, but if for whatever reason you cannot use it, you can still use your own cloud store and hook in the signing tools. I wrote an article on using AWS KMS earlier this year: https://moonbase.sh/articles/signing-windows-binaries-using-...
TLDR: Doing this yourself requires a ~$400-500/year EV cert and minuscule cloud costs
Can confirm this, we use Azure KeyVault and are able to have Azure Pipelines use it to sign our release builds.
We’re (for the moment) a South African entity, so can’t use Azure Trusted Signing, but DigiCert has no issue with us using Azure KeyVault for our EV code signing certificate.
I had ours renewed just this week as it happens. Cost something like USD 840 before tax, don’t have a choice though and in the grand scheme of things it’s not a huge expense for a company.
Moonbase AS | https://moonbase.sh | Remote (Europe) | Part-time / co-founder | Lead Commercial Growth
Moonbase is building the ultimate e-commerce platform for indie software developers. We're already trusted by innovative indie studios and growing fast—with zero marketing. Now, we need YOU to take us to the next level.
This is your chance to shape and lead the commercial side of a high-potential startup from the ground up. We're talking strategy, marketing, sales, partnerships — the whole package.
We're a bootstrapped startup, building a lifestyle company, and are looking at bringing on a third founder to help us cover what we don't do well today. So if this appeals to you, get in touch with me at tobias@moonbase.sh or read more here: https://thehub.io/jobs/67a512995a0d1e7c9ade895f
Datadog is a monstrosity, they do so many things, most of which you don't know or don't care about, so which ones do you need?
We ended up going for HyperDX, just because I really favour fast log searches and simple alerts straight to Slack, but many of these ClickHouse-powered observability suites like SigNoz, BetterStack, etc. will do the job. Just depends how much you want to pay.
Also, I hope you're on OTEL already, since it makes changing providers the easiest task ever.
I think the main attack vector they are trying to protect against is XSS attacks. If a malicious actor manages to inject client-side code, there’s nothing preventing them from exfiltrating tokens and gaining persistent user access. This is because there is no Secure Enclave in browsers to store tokens in.
The BFF pattern can solve this by using HttpOnly cookies, keeping all session tokens on the server.
For high security scenarios like banks and health it makes sense, but there are so many more attack vectors that it’s not gonna cover it all.
With an XSS exploit it is game over, you control the browser.
Adding more complexity and opening up the possibility of CSRF exploits with BFF does not look like a good trade off to me.
Fully managed so I can spend my time on actually building features. In my case, AWS is my go-to cloud, and even with a couple of thousand users, Lambda for compute, DynamoDB for database and SNS+SQS for eventing is costing me less than 5€ per month. Yes, there are risks with serverless if you get DDoSed or whatever, but it’s a risk I’m fine with, and can mitigate with gateways in front if necessary. And Lambdas are not locking me in to AWS since I’m running “full” ASP.NET apps in them, so hosting them on actual compute platforms is an easy switch.
Very similar tech stack here, with all the same motivations. Biggest differences are I'm using RDS for the database and have a slightly different approach for serverless compute. I started out with Lambda, but the cold start times were bugging me so I moved production hosting to App Runner, which is the next best thing (eliminates cold start without breaking the wallet). Kept staging environment on Lambda. Also using the "fat lambda" approach with ASP.NET apps, so no lock-in here. Spending about $35/mo total - RDS is the biggest contributor, then App Runner and other small things.
I also have an SSR app for the homepage which required some dynamic functionality. Basic Node app hosted in a Cloudflare worker essentially for free, hitting the App Runner hosted API for data.
It was serverless from the start, although there isn't a whole lot of serverless-unique code in it, apart from some event handler bootstrapping to handle SQS-triggered Lambdas. Everything else is just standard .NET that would look the same no matter where it's hosted. Huge fan of separating infrastructure concerns from the rest of the app to not lock yourself in so much.
Location: Amsterdam, Netherlands
Remote: Prefer on-site, but open to remote
Willing to relocate: No
Technologies: C#/.NET, JS/TS, Vue.js, React.js, AWS, Terraform, +++
Résumé/CV: On request
LinkedIn: https://linkedin.com/in/tobbentm
Github: https://github.com/TobbenTM
Email: m@dsen.tv
---
Generalist engineer, with solid experience building stable systems, doing actual fullstack work from infra to frontend. Sharing a lot of knowledge as I go, making sure to upskill the team around me. Open to new opportunities in the near future.
Purely speculative, but I suspect quite a number of VR players have gotten used to the floating movements.
Some VR games are just vastly better using floating movements, especially FPS games. Look at Pavlov VR for example, it's honestly the best movement I've ever used in VR, but it requires the player to overcome the motion sickness introduced by the floating movement.
And if players are getting used to it, I'm guessing new games have an easier time utilizing that?