@seph are you the one managing the macOS code signing key? Have you been forced to store the key on a security token yet? I think I can renew the windows one and just use one of my yubikeys laying around, but now I'm concerned how this will impact the release process... As I don't think you can export the priv keys off of the token once they're on there?

the Apple certs don’t have the same HSM requirement. They’re just apple certs, which we toss into a github secret

Ah right. I forgot about that, seems much easier on Apple 😕