> The bigger issue in my mind is: YTF is this process automated?

Probably because they do not want anyone to have direct access to the machine with the private signing key. With an automated process, they can enforce that all signatures pass through a well-defined process, with built-in audit trails in case anything goes wrong, and that nothing is signed with that key outside of that process.
Of course, that is the theory. As shown by the number of glitches this time, it seems that the process is not that well-defined in practice.