Yubico Forum https://forum.yubico.com/ |
|
YubiKey4 and signtool https://forum.yubico.com/viewtopic.php?f=35&t=2650 |
Page 1 of 1 |
Author: | laurent [ Wed Jun 14, 2017 7:02 pm ] |
Post subject: | YubiKey4 and signtool |
Hi, I'm trying to use YubiKey4 to sign Windows Executable with the Windows 10 Kit signtool utility. I followed instructions at https://www.yubico.com/support/knowledg ... bikey-neo/ to load the certificate and private key into the yubikey, and signtool successfully signs the file, but when checking the digital signature, Windows shows that the certificate is missing a digital signature (Message is "No Signature present in the subject"). Did anybody successfully manage to sign an executable on Windows? It seems that the yubikey doesn't save the whole certificate chain, and I wonder if this is the reason why the signature is missing. |
Author: | mattlegitt [ Thu Jun 15, 2017 5:09 am ] |
Post subject: | Re: YubiKey4 and signtool |
Hello laurent, When using the signtool were you prompted for the PIN to unlock the smart card for signing or did it finish the signing operation without a PIN prompt? if you were not prompted for a PIN unlock the most likely cause is windows is not detecting the certificate as valid for code signing, where / how did you generate the certificate for code signing? Best Regards, Matthew Yubico Support |
Author: | laurent [ Fri Jun 16, 2017 2:37 am ] |
Post subject: | Re: YubiKey4 and signtool |
The certificate was provided by the Certificate authority based on the CSR I provided. The pin code was asked during signing and signtool shows that my private key is picked up. I tried jsign (https://github.com/ebourg/jsign) and had the exact same result when only using the yubikey. If I provide the full cert chain to the software, then the signature added to the file is valid. |
Author: | ChrisHalos [ Fri Jun 16, 2017 9:09 pm ] |
Post subject: | Re: YubiKey4 and signtool |
This is unavoidable with signtool and smart cards, as far as I'm aware. I haven't had any feedback on this yet, but you may want to look at this tool - https://www.mgtek.com/smartcard (arguably less secure as the current method as it's storing the PIN somewhere in plaintext, but it would certainly be more convenient, and would still be requiring smart card presence). |
Author: | laurent [ Sat Jun 17, 2017 2:32 am ] |
Post subject: | Re: YubiKey4 and signtool |
ChrisHalos wrote: This is unavoidable with signtool and smart cards, as far as I'm aware. I haven't had any feedback on this yet, but you may want to look at this tool - https://www.mgtek.com/smartcard (arguably less secure as the current method as it's storing the PIN somewhere in plaintext, but it would certainly be more convenient, and would still be requiring smart card presence). I don't mind be asked for the PIN. My issue is about signtool not generating a valid signature, and it seems to be related to the fact that even if I import the whole certificate chain into the yubikey, only the most specific one is stored/used? |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |