In January 2025 we forgot the HSM modules running in AWS and as a result incurred 1.6k USD in unexpected fees for CloudHSM, and 2.2k USD in February.
Going forward we should put things in place to prevent this. Currently this is all reliant on going through the HSM procedure properly and not skipping the last step:
1. Run the command:
create-hsms.sh
Wait for the tokens to be created (this will take several minutes).
2. If it's the first time you are doing signing, ensure that /home/ubuntu/.hsmcredentials contains the username and password to access the code signing key in the format HSM_PASSWORD="USERNAME:PASSWORD"
You can now sign exe binaries using:
sign-windows-exe.sh [unsigned.exe] [signed.exe]
3. Once you are done be sure to terminate all the running HSMs using:
delete-hsms.sh
We should evaluate having:
- Monitoring that checks the HSM tokens are not running for more than some amount of time and if so sends us a notification
- Automatically terminate the HSM tokens (running delete-hsms.sh) after some amount of inactivity
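
A sketch of the monitoring check proposed above, added here as an example and not part of the project's scripts. It assumes the HSMs are CloudHSM v2 and that the input is the JSON printed by `aws cloudhsmv2 describe-clusters`; because that output is assumed to carry no per-HSM creation time, the check records when it first saw each HSM. The threshold, function names and sample IDs are hypothetical.

```python
import json
import time

MAX_AGE_SECONDS = 4 * 3600  # assumed threshold; the issue does not specify one
RUNNING_STATES = {"CREATE_IN_PROGRESS", "ACTIVE", "DEGRADED"}  # treated as still running (assumption)

def running_hsms(describe_json):
    """Return the IDs of HSMs that still exist in describe-clusters output."""
    doc = json.loads(describe_json)
    return {
        hsm["HsmId"]
        for cluster in doc.get("Clusters", [])
        for hsm in cluster.get("Hsms", [])
        if hsm.get("State") in RUNNING_STATES
    }

def check(describe_json, first_seen, now=None, max_age=MAX_AGE_SECONDS):
    """Return (new_state, overdue_ids); state maps HsmId -> first-seen epoch seconds."""
    now = time.time() if now is None else now
    live = running_hsms(describe_json)
    # Keep timestamps only for HSMs that are still running, so a deleted
    # HSM is forgotten and a newly created one starts with a fresh clock.
    state = {hsm_id: first_seen.get(hsm_id, now) for hsm_id in live}
    overdue = sorted(h for h, seen in state.items() if now - seen > max_age)
    return state, overdue

# Constructed sample input (not real output from the project's account).
SAMPLE = json.dumps({"Clusters": [{"ClusterId": "cluster-example", "Hsms": [
    {"HsmId": "hsm-aaaa1111", "State": "ACTIVE"},
    {"HsmId": "hsm-bbbb2222", "State": "DEGRADED"},
    {"HsmId": "hsm-cccc3333", "State": "DELETED"},
]}]})

if __name__ == "__main__":
    state, overdue = check(SAMPLE, {}, now=0)
    state, overdue = check(SAMPLE, state, now=5 * 3600)
    for hsm_id in overdue:
        print(f"HSM {hsm_id} has been running for more than {MAX_AGE_SECONDS}s")
```

Run on a schedule with the state dictionary persisted between runs; a non-empty overdue list is the point at which to send the notification or run delete-hsms.sh.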