Thank you @Nas_T, I’ve checked DigiCert’s offering, but so far I haven’t found a plan that fits our scenario at a cost comparable to traditional file-based code signing certificates (PFX), which were only a few hundred euros per year. The cloud signing options seem significantly more expensive, especially when considering frequent builds.
Regarding the AWS KMS + jsign approach, @tresf, thank you for sharing that experience; it could be very valuable. Our pipelines run on Azure DevOps, so we probably won’t adopt AWS directly, but if you have any lessons learned that would apply even outside AWS, I would really appreciate it.