We have a desktop Electron app which needs to be signed before we ship it. Most of this codebase is written by developers on Upwork. Doing the work to sign the app means putting our private key in their hands. To give the key to a developer we hardly know make no sense from a security point of view.<p>That's not even the end of it. To do signing in our CI/CD process, we have to put the private key in there, which makes it available to anybody we ever hire in the future.<p>How can security work like this be outsourced? Is there some trick, like keeping the real private key on the CI/CD server?<p>(Background #1: we're a small company funded on revenues, and we mind spending very carefully. Background #2: the CI/CD server is on Gitlab).