CA/Browser Forum Changes Are Making Code Signing Expensive
The CA/Browser Forum has tightened code signing requirements since 2023. Each change makes cloud HSM providers richer and developers poorer.
Timeline
- June 2023 — All keys must be on hardware. Software key generation banned.
- 2024 — Minimum RSA key size: 3072 bits
- 2025 — Stricter key protection verification
- 2026 — Expected: shorter validity (3 years to 1 year), increasing renewal costs
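The one item in the timeline that a developer can verify on their own machine is the RSA minimum, since the key size is visible in the certificate itself. The Go program below is an added example written for this page (it is not OneSigner's code or the original post's) that parses a DER-encoded X.509 certificate and reports whether its RSA modulus meets the 3072-bit floor; it generates throwaway self-signed certificates of 2048 and 3072 bits as stand-ins for a CA-issued code signing certificate so it runs offline. The 3072-bit threshold is taken from the timeline above; the hardware-residency requirement cannot be checked from a certificate and is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the minimum RSA modulus size the timeline above cites
// for code signing certificates.
const MinRSABits = 3072

// KeyCheck summarises whether a certificate's public key meets the minimum.
type KeyCheck struct {
	Algorithm string
	Bits      int
	OK        bool
	Reason    string
}

// CheckCodeSigningKey inspects the public key in a DER-encoded X.509
// certificate and compares an RSA modulus against MinRSABits.
func CheckCodeSigningKey(der []byte) (KeyCheck, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return KeyCheck{}, err
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		bits := pub.N.BitLen()
		if bits < MinRSABits {
			return KeyCheck{"RSA", bits, false,
				fmt.Sprintf("RSA key is %d bits; minimum is %d", bits, MinRSABits)}, nil
		}
		return KeyCheck{"RSA", bits, true, "RSA key meets the minimum"}, nil
	case *ecdsa.PublicKey:
		// ECDSA keys are not subject to the RSA floor; report the curve size so
		// the operator can judge it against whatever policy applies to EC keys.
		return KeyCheck{"ECDSA", pub.Curve.Params().BitSize, true,
			"ECDSA key; RSA minimum does not apply"}, nil
	default:
		return KeyCheck{"unknown", 0, false, "unsupported public key type"}, nil
	}
}

// selfSignedRSA builds a constructed, self-signed certificate with an RSA key
// of the given size. It stands in for a real CA-issued certificate so the
// check can run without network access; the subject name is made up.
func selfSignedRSA(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-publisher (constructed)"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Run the check over one key below the minimum and one at it.
	for _, bits := range []int{2048, MinRSABits} {
		der, err := selfSignedRSA(bits)
		if err != nil {
			panic(err)
		}
		res, err := CheckCodeSigningKey(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s %d-bit: ok=%v (%s)\n", res.Algorithm, res.Bits, res.OK, res.Reason)
	}
}
```

To check a certificate you actually hold, read its DER bytes (or decode the PEM block with `encoding/pem`) and pass them to `CheckCodeSigningKey`; the check only inspects the public key, so it works on the certificate alone and never needs access to the private key on the token or HSM.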
Who Benefits?
Certificate Authorities. Every requirement creates new revenue: managed signing services, cloud HSM fees, compliance monitoring subscriptions, more frequent renewals.
What Hasn't Changed
The requirement is hardware key storage, not cloud key storage. A $50 USB token meets the same security requirements as a $500/month cloud HSM. Tokens like SafeNet and YubiKey have been certified for decades.
Real Cost Comparison
Small company, 3 products:
- Cloud HSM: $400/year cert + $240/year service + per-sign fees = $700+/year ongoing
- OneSigner: $400/year cert + $80 token + $99 OneSigner = $579 year 1, $400/year after
By year 3, cloud costs $2,100+ more.
Future-Proofing
When the next requirement drops, cloud providers adjust pricing upward. Your USB token keeps working exactly as before — the hardware security requirement is already met.
