Trust.ID Talk: The Digital Certificate and Identity Security Podcast
Not Caring About Code Signing is a Billion Dollar Mistake ft. Stefan Wenig
July 2, 2026
In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Stefan Wenig, CEO and CTO at SignPath, to discuss why code signing must be treated as a complete business process, not simply a matter of managing keys and certificates. Together, they explore how changing baseline requirements are reshaping code signing, why organizations need greater visibility into their certificate landscapes and how centralized infrastructure can bring development, operations and security teams into alignment.
In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Stefan Wenig, CEO and CTO at SignPath, to discuss why code signing must be treated as a complete business process, not simply a matter of managing keys and certificates.
They explore how changing baseline requirements are reshaping code signing, why organizations need greater visibility into their certificate landscapes, and how centralized infrastructure can bring development, operations, and security teams into alignment.

What You’ll Learn:
Stefan Wenig is the CEO and CTO of SignPath. He specializes in code signing, secure software development, certificate management and the infrastructure organizations need to protect their software supply chains. Through his work, Stefan helps organizations bring greater visibility, flexibility and centralized control to signing processes that often span development, security and operations teams. 

If you enjoyed this episode, make sure to subscribe, rate, and review on Apple Podcasts, Spotify, and YouTube Podcasts, instructions on how to do this are here.

Episode Resources:


Key Takeaways:

Code signing cannot be reduced to isolated key management or certificate management decisions. It sits inside a much larger system involving secure software development, DevOps, operations and multiple teams with different responsibilities. Security depends on those smaller practices working together rather than being handled independently.

Changes to FIPS requirements have strengthened expectations around how code signing keys are stored. Dedicated, certified devices make it harder for private keys to be copied or stolen. Certificate validity periods have also shortened, increasing the operational pressure on organizations that still manage certificates manually.

Nobody knows exactly when quantum computers will be capable of breaking today’s cryptographic algorithms. That uncertainty does not remove the need to prepare. Organizations need signing infrastructure that can switch algorithms quickly and support the move toward quantum-safe standards as platforms adopt them.

Certificate procurement, key issuance, and signing access should flow through a centralized process. Without it, development teams may create direct arrangements with operations teams or purchase certificates from providers without the security team knowing. Centralized infrastructure creates a clear source of truth and makes access easier to audit.


Quotes:


Trust.ID Talk: The Digital Certificate and Identity Security Podcast is handcrafted by our friends over at: fame.so