I'm looking into doing Windows code signing, using signtool.exe, with the private key stored on my Yubikey NEO. However, I'm running into problems. Hopefully someone can give me a pointer in the right direction.
I created a self-signed test keypair in slot 9c ('Digital Signature'), which is nicely listed by signtool when searching for keys:
Code:
signtool.exe sign /n test /v /debug tobesigned.txt
The following certificates were considered:
Issued to: testkey
Issued by: testkey
Expires: Fri Jan 24 18:13:27 2025
SHA1 hash: 014D6DCFDF7DCD735CC3F1D1267F4F429D08F1D6
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.
The following certificates were considered:
Issued to: testkey
Issued by: testkey
Expires: Fri Jan 24 18:13:27 2025
SHA1 hash: 014D6DCFDF7DCD735CC3F1D1267F4F429D08F1D6
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.
But the Windows pop-up I get immediately after that tells me
Quote:
A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate.
(Also see the attached screenshot.)
After which I can only hit cancel, which in turn results in signtool failing:
Code:
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
SignTool Error: No certificates were found that met all the given criteria.
I also tried using a keypair in slot 9a, but that is not even found by signtool, so I guess 9c is the right PIV slot.
Has anyone succeeded in using a NEO in combination with signtool? Can you tell me what I'm doing wrong here?
| Attachments: |
File comment: PIV card error signtool-yubikey-error.png [ 11.9 KiB | Viewed 3015 times ] |