Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:14 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
 Post subject: YubiKey4 and signtool
PostPosted: Wed Jun 14, 2017 7:02 pm 
Offline

Joined: Wed Jun 14, 2017 6:53 pm
Posts: 3
Hi,

I'm trying to use YubiKey4 to sign Windows Executable with the Windows 10 Kit signtool utility.

I followed instructions at https://www.yubico.com/support/knowledg ... bikey-neo/ to load the certificate and private key into the yubikey, and signtool successfully signs the file, but when checking the digital signature, Windows shows that the certificate is missing a digital signature (Message is "No Signature present in the subject").

Did anybody successfully manage to sign an executable on Windows? It seems that the yubikey doesn't save the whole certificate chain, and I wonder if this is the reason why the signature is missing.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jun 15, 2017 5:09 am 
Offline
Yubico Moderator
Yubico Moderator

Joined: Tue Jan 05, 2016 5:03 pm
Posts: 27
Hello laurent,

When using the signtool were you prompted for the PIN to unlock the smart card for signing or did it finish the signing operation without a PIN prompt? if you were not prompted for a PIN unlock the most likely cause is windows is not detecting the certificate as valid for code signing, where / how did you generate the certificate for code signing?

Best Regards,
Matthew
Yubico Support


Top
 Profile  
Reply with quote  
PostPosted: Fri Jun 16, 2017 2:37 am 
Offline

Joined: Wed Jun 14, 2017 6:53 pm
Posts: 3
The certificate was provided by the Certificate authority based on the CSR I provided. The pin code was asked during signing and signtool shows that my private key is picked up.

I tried jsign (https://github.com/ebourg/jsign) and had the exact same result when only using the yubikey. If I provide the full cert chain to the software, then the signature added to the file is valid.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jun 16, 2017 9:09 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
This is unavoidable with signtool and smart cards, as far as I'm aware. I haven't had any feedback on this yet, but you may want to look at this tool - https://www.mgtek.com/smartcard (arguably less secure as the current method as it's storing the PIN somewhere in plaintext, but it would certainly be more convenient, and would still be requiring smart card presence).


Top
 Profile  
Reply with quote  
PostPosted: Sat Jun 17, 2017 2:32 am 
Offline

Joined: Wed Jun 14, 2017 6:53 pm
Posts: 3
ChrisHalos wrote:
This is unavoidable with signtool and smart cards, as far as I'm aware. I haven't had any feedback on this yet, but you may want to look at this tool - https://www.mgtek.com/smartcard (arguably less secure as the current method as it's storing the PIN somewhere in plaintext, but it would certainly be more convenient, and would still be requiring smart card presence).


I don't mind be asked for the PIN. My issue is about signtool not generating a valid signature, and it seems to be related to the fact that even if I import the whole certificate chain into the yubikey, only the most specific one is stored/used?


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group