Is it a good practice to install an Authenticode authentication certificate directly on an assembly server to create a signed assembly? I am looking for some resources on the network that suggest or support that this practice is legal if you have taken appropriate steps to protect the assembly server and the process by which the assembly is created and deployed.

All the “best practice” recommendations that I can find about code signing methods are top notch in terms of the proposed process. A Microsoft reference document contains up to six servers for the simple act of signing a single assembly. http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/best_practices.doc

Some background:

My company creates rich business simple business applications for its employees and direct customers. We do not create commercial software. My build server is physically and network protected using my companies, strict security policies and procedures. Only very specific people in the organization are even able to start building in my environment.

Our current process requires me to break the assembly / deployment process into many stages using a lot of manual process. We use physical devices to store Authenticode certificates that require a PIN to be entered by the user. We must shuffle assemblies / manifests that require code signing on designated PCs for code signing, which also need to be physically protected.

It is less safe for me to transfer a physical token / device and leave all these manual steps in place. Nothing stops a person with physical access to a token / device from signing everything they want. At least with an automated, registered, controlled build server environment, you know what was signed and by whom.