If the French Government has a goal of digital sovereignty and defending against entities like the NSA taking their data, then this is what it takes to meet that threat model.
A state actor could certainly compromise a Microsoft binary signing key with or without the cooperation of Microsoft.
Whoever controls the key that signs the binaries that touch your data, controls your data.
Using reproducible builds of open/audited software and firmware is a great start to make third-party exfiltration of data more expensive. Next would be removing known backdoors like Intel ME until a migration can be made to open/audited hardware as well.
The path France is on is an expensive one to be sure, but if they stop at only ceasing use of offshore cloud services they are kidding themselves.