Yubico Forum

Re: Yubikey NEO Windows code signing problem

2015-07-29T15:57:54+01:00

Glad to hear that you got it working.

A.

Statistics: Posted by Alessio — Wed Jul 29, 2015 3:57 pm

Re: Yubikey NEO Windows code signing problem

2015-07-29T15:41:43+01:00

Took me a while to get back to this, but I just did and I think the set-chuid did the trick. Unfortunately not entirely sure, since there has been too much fiddling in between, but at least it works now. Thanks!

Statistics: Posted by syzzer — Wed Jul 29, 2015 3:41 pm

Re: Yubikey NEO Windows code signing problem

2015-06-17T09:52:47+01:00

Yes I can confirm that slot 9c is the correct one.

Double check that your certificate has the right enhanced key usage field. You need one with OID 1.3.6.1.5.5.7.3.3 in order to enable a key for code signing (admittedly you pass the EKU filter tho).
As I can see you're using your own test certificate, so make sure to include that when you generate it.

I don't know how you're doing the generation, but I can tell you that it's possible to do it and set the required OID with openssl creating your own CA.

Also make sure that the card has a CHUID set.

I hope this helps out.

A.

Statistics: Posted by Alessio — Wed Jun 17, 2015 9:52 am

Yubikey NEO Windows code signing problem

2015-06-16T17:26:40+01:00

I'm looking into doing Windows code signing, using signtool.exe, with the private key stored on my Yubikey NEO. However, I'm running into problems. Hopefully someone can give me a pointer in the right direction.

I created a self-signed test keypair in slot 9c ('Digital Signature'), which is nicely listed by signtool when searching for keys:

Code:

signtool.exe sign /n test /v /debug tobesigned.txt

The following certificates were considered:
    Issued to: testkey
    Issued by: testkey
    Expires:   Fri Jan 24 18:13:27 2025
    SHA1 hash: 014D6DCFDF7DCD735CC3F1D1267F4F429D08F1D6

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.

But the Windows pop-up I get immediately after that tells me

Quote:

A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate.

(Also see the attached screenshot.)

After which I can only hit cancel, which in turn results in signtool failing:

Code:

After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

I also tried using a keypair in slot 9a, but that is not even found by signtool, so I guess 9c is the right PIV slot.

Has anyone succeeded in using a NEO in combination with signtool? Can you tell me what I'm doing wrong here?

Statistics: Posted by syzzer — Tue Jun 16, 2015 5:26 pm