Yubico Forum ...visit our web-store at 2017-06-17T02:32:32+01:00 https://forum.yubico.com/feed.php?f=35&t=2650 2017-06-17T02:32:32+01:00 2017-06-17T02:32:32+01:00 https://forum.yubico.com/viewtopic.php?t=2650&p=9624#p9624 <![CDATA[Re: YubiKey4 and signtool]]> ChrisHalos wrote:

This is unavoidable with signtool and smart cards, as far as I'm aware. I haven't had any feedback on this yet, but you may want to look at this tool - https://www.mgtek.com/smartcard (arguably less secure as the current method as it's storing the PIN somewhere in plaintext, but it would certainly be more convenient, and would still be requiring smart card presence).


I don't mind be asked for the PIN. My issue is about signtool not generating a valid signature, and it seems to be related to the fact that even if I import the whole certificate chain into the yubikey, only the most specific one is stored/used?

Statistics: Posted by laurent — Sat Jun 17, 2017 2:32 am

]]> 2017-06-16T21:09:37+01:00 2017-06-16T21:09:37+01:00 https://forum.yubico.com/viewtopic.php?t=2650&p=9623#p9623 <![CDATA[Re: YubiKey4 and signtool]]> https://www.mgtek.com/smartcard (arguably less secure as the current method as it's storing the PIN somewhere in plaintext, but it would certainly be more convenient, and would still be requiring smart card presence).

Statistics: Posted by ChrisHalos — Fri Jun 16, 2017 9:09 pm

]]> 2017-06-16T02:37:12+01:00 2017-06-16T02:37:12+01:00 https://forum.yubico.com/viewtopic.php?t=2650&p=9620#p9620 <![CDATA[Re: YubiKey4 and signtool]]>
I tried jsign (https://github.com/ebourg/jsign) and had the exact same result when only using the yubikey. If I provide the full cert chain to the software, then the signature added to the file is valid.

Statistics: Posted by laurent — Fri Jun 16, 2017 2:37 am

]]> 2017-06-15T05:09:59+01:00 2017-06-15T05:09:59+01:00 https://forum.yubico.com/viewtopic.php?t=2650&p=9615#p9615 <![CDATA[Re: YubiKey4 and signtool]]>
When using the signtool were you prompted for the PIN to unlock the smart card for signing or did it finish the signing operation without a PIN prompt? if you were not prompted for a PIN unlock the most likely cause is windows is not detecting the certificate as valid for code signing, where / how did you generate the certificate for code signing?

Best Regards,
Matthew
Yubico Support

Statistics: Posted by mattlegitt — Thu Jun 15, 2017 5:09 am

]]> 2017-06-14T19:02:48+01:00 2017-06-14T19:02:48+01:00 https://forum.yubico.com/viewtopic.php?t=2650&p=9614#p9614 <![CDATA[YubiKey4 and signtool]]>
I'm trying to use YubiKey4 to sign Windows Executable with the Windows 10 Kit signtool utility.

I followed instructions at https://www.yubico.com/support/knowledg ... bikey-neo/ to load the certificate and private key into the yubikey, and signtool successfully signs the file, but when checking the digital signature, Windows shows that the certificate is missing a digital signature (Message is "No Signature present in the subject").

Did anybody successfully manage to sign an executable on Windows? It seems that the yubikey doesn't save the whole certificate chain, and I wonder if this is the reason why the signature is missing.

Statistics: Posted by laurent — Wed Jun 14, 2017 7:02 pm

]]>