Code signing usb tokens

Hi All

Does anyone here have a code signing certificate issued on a usb token?

If so can you post or pm where you got it and the token brand/client software used? I’m researching a blog post on code signing with usb tokens (will be standard after 15 nov this year) - but only have experience with 1 particular token (from digicert, uses gemalto safenet). I’d like to hear about other token types in use.

I’m using a Sectigo OV certificate, which I purchased through

Requires Microsoft’s signtool.exe to do the signing.
On my computer, it’s located here: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64

Signtool uses the Safenet client, which came with the certificate.

It was a real pain getting certified by Sectigo – took around 3 months.


1 Like

Correction: that should read “EV certificate”

Thanks, seems like this is the most common usb key. If you open the safenet client tools, under the advanced view click on the token (under the tokens node) - have a look at the product name and the supported key size. Mine is

SafeNet eToken 5110
Supported key size : 2048 bits

New keys have to be 3072 bits or larger - so I will have to get a new token. I’m wondering what the new token kinds are?

I’m hoping I can use a yubikey (which I ordered last week) - although it seems not all vendors support it, most will only issue on tokens they sell/provide (how convenient for them). Going round in circles with this stuff at the moment.

Found some useful info here website is a nightmare - they provide tons of info but 99% of it is pushing you towards their cloud service (eSigner) - so finding info on actually signing things with their certificates using the yubikey is proving difficult.

Mine is:

SafeNet eToken 5110 CC (940)
Supported key size : 4096 bits

The Safenet client software is from Thales.


1 Like

Well another day of going down the google rabbit hole on EV certificate automation - what I have found today is that there is no way to automate EV code signing when using the Yubikey tokens - other than with autohotkey if someone is logged in. They configure the key so that it requires the pin for every file it signs - ugh. seem to be the only CA using yubikeys - and also one of the cheaper CA’s (although they still charge USD$199 for the yubikey when you can buy them elsewhere for USD$100).

With the Thales software, you can configure it to remember the password after you have entered it once (until the next reboot).


Unfortunately the yuibikey client uses a driver which uses the windows smart card system, and they configure the cards to prompt each time. Finding it really hard to get and good info on other usb tokens, but this is an eye opener

Using autohotkey is not an option when running your builds on a CI server (which typically runs as a windows service).

We use one. I can’t remember who we got it through (maybe Positive SSL) but it is issued by Comodo (now Sectigo).

Token seems to be a SafeNet e Token 5110, we run the Safenet client on the build server, and use the signtool via the command line to automate the signing process (specifying the password via the private key container – what a hack!).

Supported Keysize is 2048.

This all seems to have been made too hard and poorly documented – makes you think conspiracy.


1 Like