undefined | Better HN

0 pointsorphea6mo ago0 comments

How is a client cert not another glorified static password? It would have been stolen from repo secrets the same way.

0 comments

You don't store them in repos on disk, but in a HSM so they can't be stolen, and then you protect signing access to them based on service/process information.

j / k navigate · click thread line to collapse

0 pointsorphea6mo ago0 comments

How is a client cert not another glorified static password? It would have been stolen from repo secrets the same way.

0 comments

pabs36mo ago

You don't store them in repos on disk, but in a HSM so they can't be stolen, and then you protect signing access to them based on service/process information.

j / k navigate · click thread line to collapse