Code signing usb tokens

Hi All

Does anyone here have a code signing certificate issued on a usb token?

If so can you post or pm where you got it and the token brand/client software used? I’m researching a blog post on code signing with usb tokens (will be standard after 15 nov this year) - but only have experience with 1 particular token (from digicert, uses gemalto safenet). I’d like to hear about other token types in use.

I’m using a Sectigo OV certificate, which I purchased through https://www.ksoftware.net/

Requires Microsoft’s signtool.exe to do the signing.
On my computer, it’s located here: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64

Signtool uses the Safenet client, which came with the certificate.

It was a real pain getting certified by Sectigo – took around 3 months.

Cheers,
Lex


Correction: that should read “EV certificate”

Thanks, seems like this is the most common usb key. If you open the safenet client tools, under the advanced view click on the token (under the tokens node) - have a look at the product name and the supported key size. Mine is

SafeNet eToken 5110
Supported key size : 2048 bits

New keys have to be 3072 bits or larger - so I will have to get a new token. I’m wondering what the new token kinds are?

I’m hoping I can use a yubikey (which I ordered last week) - although it seems not all vendors support it, most will only issue on tokens they sell/provide (how convenient for them). Going round in circles with this stuff at the moment.

Found some useful info here

SSL.com website is a nightmare - they provide tons of info but 99% of it is pushing you towards their cloud service (eSigner) - so finding info on actually signing things with their certificates using the yubikey is proving difficult.
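The key-size question above (a token reporting "Supported key size : 2048 bits" when new certificates must use 3072-bit or larger keys) can be checked from the certificate side as well. The following is an added example, not code from this thread or from any token vendor: it walks the current user's certificate store, which is where the SafeNet client publishes the token's certificates, and reports the RSA key size of every code-signing certificate against the 3072-bit floor mentioned in the thread. The minimum and the store path are assumptions you may need to adjust.

```powershell
# Added example (not from the thread): report RSA key sizes of code-signing
# certificates in the current user's store and flag any below 3072 bits.
$minBits = 3072   # floor mentioned in the thread for newly issued keys

function Get-CodeSigningKeySizes {
    param([int] $MinimumBits = $minBits)

    # -CodeSigningCert is a dynamic parameter of the Cert: provider; it keeps
    # only certificates carrying the Code Signing enhanced key usage.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | ForEach-Object {
        # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }

        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey     # $true when the token is plugged in and its CSP is loaded
            RsaKeyBits    = $bits
            MeetsMinimum  = ($null -ne $bits -and $bits -ge $MinimumBits)
        }
    }
}

Get-CodeSigningKeySizes | Format-Table -AutoSize
```

Run this in the same user session that has the SafeNet client loaded; a certificate that shows up with HasPrivateKey false usually means the token is not visible to that session (the thread's later posts describe the session and login constraints).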

Mine is:

SafeNet eToken 5110 CC (940)
Supported key size : 4096 bits

The Safenet client software is from Thales.

Lex


Well another day of going down the google rabbit hole on EV certificate automation - what I have found today is that there is no way to automate EV code signing when using the Yubikey tokens - other than with autohotkey if someone is logged in. They configure the key so that it requires the pin for every file it signs - ugh. SSL.com seem to be the only CA using yubikeys - and also one of the cheaper CA’s (although they still charge USD$199 for the yubikey when you can buy them elsewhere for USD$100).

With the Thales software, you can configure it to remember the password after you have entered it once (until the next reboot).

Lex

Unfortunately the yubikey client uses a driver which uses the windows smart card system, and they configure the cards to prompt each time. Finding it really hard to get any good info on other usb tokens, but this is an eye opener

Using autohotkey is not an option when running your builds on a CI server (which typically runs as a windows service).

We use one. I can’t remember who we got it through (maybe Positive SSL) but it is issued by Comodo (now Sectigo).

Token seems to be a SafeNet eToken 5110, we run the Safenet client on the build server, and use the signtool via the command line to automate the signing process (specifying the password via the private key container – what a hack!).

Supported Keysize is 2048.

This all seems to have been made too hard and poorly documented – makes you think conspiracy.


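Lex's earlier post (signtool.exe from the Windows Kits path, using the SafeNet client) and the post above (passing the password through the private key container so a CI service can sign unattended) describe the same workflow. The script below is an added example, not code from this thread, from Thales or from Microsoft: it signs and then verifies a list of build outputs from a Windows service account using signtool's /csp and /k options. It assumes the SafeNet Authentication Client is installed, that its CSP is named "eToken Base Cryptographic Provider", that the public certificate has been exported to a .cer file, and that the CI system injects the token PIN through an environment variable named TOKEN_PIN; the signtool path and the timestamp URL are placeholders to replace with your own.

```powershell
<#
  Added example (not from the thread or any vendor): unattended Authenticode
  signing from a CI job with a SafeNet eToken, using signtool's /csp and /k
  options so no PIN dialog is shown.
  Assumptions: SafeNet Authentication Client installed; CSP name as below; the
  public certificate exported to a .cer (no private key); PIN supplied by the
  CI system in $env:TOKEN_PIN and marked secret there.
#>
param(
    [Parameter(Mandatory)] [string[]] $Files,
    [Parameter(Mandatory)] [string]   $Container,  # key container name; list them with: certutil -csp "<csp name>" -key
    [Parameter(Mandatory)] [string]   $CertFile,   # exported public certificate (.cer)
    [string] $SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe',
    [string] $Csp          = 'eToken Base Cryptographic Provider',
    [string] $TimestampUrl = 'http://timestamp.example.invalid/rfc3161'   # placeholder: your CA's RFC 3161 server
)

$pin = $env:TOKEN_PIN
if (-not $pin) {
    # Fail fast rather than let signtool block on a PIN prompt nobody can answer.
    throw 'TOKEN_PIN is not set; refusing to fall back to an interactive prompt.'
}
if (-not (Test-Path $SignTool)) { throw "signtool not found at $SignTool" }

# The SafeNet CSP accepts "[{{PIN}}]=ContainerName" in place of a bare container
# name; this is the "hack" referred to in the thread. Keep the command line out of
# build logs, since the PIN is part of it.
$keySpec = "[{{$pin}}]=$Container"

foreach ($file in $Files) {
    # /f  public cert that identifies which key on the token to use
    # /fd SHA256 digest for the file, /tr + /td RFC 3161 timestamp with SHA-256
    & $SignTool sign /f $CertFile /csp $Csp /k $keySpec /fd SHA256 /tr $TimestampUrl /td SHA256 $file
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file (exit code $LASTEXITCODE)" }

    # /pa verifies against the default Authenticode policy; /v prints chain and timestamp details.
    & $SignTool verify /pa /v $file
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $file (exit code $LASTEXITCODE)" }
}
```

Run it as the build service account, e.g. `.\Sign-Build.ps1 -Files .\out\app.exe,.\out\setup.msi -Container <name from certutil> -CertFile .\codesign.cer`. The verify step is there so the job fails when the timestamp server is unreachable or the chain does not build, rather than shipping a file whose signature will be rejected once the certificate expires.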

Heading back down the rabbit hole on code signing again, our certificate expires in a few months so getting the ball rolling.

Finding it very difficult to determine which usb tokens some CA’s are providing with the certificates. If anyone has purchased recently, can you post from which site and token kind you got?

Also, do not recommend this site - they have substantially ripped off my blog post from Oct 2022 with no attribution at all - I was actually browsing their site looking to buy when I came across the blog post and immediately recognised my work - at least one image was directly taken from my post (byte for byte identical). :face_with_raised_eyebrow:

Wow, that’s not a good thing. You can write to Google about copyright infringement. I don’t know where exactly that is done, but I read somewhere that it can be done.

I looked into that - they make it really difficult and not worth pursuing.

Sectigo and any Sectigo resellers supply YubiKeys
Digicert support Safenet

No reply from the other CA’s I have contacted so far.

FYI - Safenet good (can automate), YubiKey bad (password prompts cannot be avoided).

Not sure about why there is any real advantage to automate at that point, given all the shenanigans required to simply prove who you and your company are, I guess you must have something different to us to do once you get the key.

Management have always gone for 1 year extensions, this is the first year we have been able to convince them to go for 3 due to all the time wasting involved.

Also going for the ‘EV’ this time, talk about money for jam, what a racket.

First step, after payment, at the sslstore this year gave a compile error on the certificate generation ‘step’, after ‘supports’ useless ‘try agains’ they escalated to development who fixed the bug ‘immediately’. Strange.


The problem is our build servers are in a data center in Sydney, we are in Canberra, and the builds are run from a CI server running as a service, so no one is there to keep typing in the password every time we want to sign a file (a lot, we sign quite a few files each build).

Yeah I’m just going for OV, EV is stupid expensive and a bit onerous sorting out validation etc, especially since I work from home and no longer have an office.

I’m really over code signing in general, like you say, it’s a racket, extortion really. Half tempted to just use a self signed certificate and make the public key available on the website, import that to avoid certificate warnings.

Hi All,
I watched this forum thread with interest as I was going through the same pain as everyone else. I was trying to get the Certificate to be issued using our trading name of Desktop EDA. They were very reluctant to do this and we eventually agreed on Desktop EDA (). Not ideal but better than just the trust name.

We eventually got approval and were then told it has to be delivered on a usb via UPS. Another 2 week delay.

We just received the USB today - in the mean time we have been setting up a NUC to be our license server and Build PC. I was planning to hide the NUC away somewhere and never have to physically touch it. We learned today that one cannot run the Safenet application that reads the USB unless you log in as a physically present user. (that was the only way it would see the USB).

Has anyone managed to use the safenet remotely?

regards

Brian

I did a while back

but my cert/token has expired - need to order a new one now as it’s no longer compatible (key sizes have changed) and our pfx cert expires soon.

You don’t have to physically login if you follow the steps I outlined for the Single Login part. Note that you cannot use remote desktop (rdp) to login - but you can use vnc as it doesn’t detect vnc.

Alternatively, install Continua CI on your build machine and run your FinalBuilder builds from it (see “Continuous Integration with FinalBuilder builds”).

Where did you get your cert from and was it an OV or EV cert?

I need to order asap but cannot make up my mind on whether I need an EV or just stick with OV and save some $

We used Sectigo