NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Urgent- How can I sign with YubiKey?

Fri Jul 28, 2023 6:59 am

Following major changes in the industry, I now have a YubiKey that contains the digital signature so I can sign. Now I am trying to sign my application, but I can't find a way to do it with Advanced Installer.

I need help.

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Mon Jul 31, 2023 9:28 am

Hello,

Have you tried following the steps from the following article?

How to use the USB eToken for Extended Validation Code Signing in Advanced Installer

I have read a bit about YubiKey and at a first glance, it looks similar.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

ankur
Posts: 5
Joined: Wed Aug 16, 2023 1:04 pm

Re: Urgent- How can I sign with YubiKey?

Wed Aug 16, 2023 3:01 pm

Hi,

I have a similar problem. Can you please tell me whether HSM key token usage is supported in Advanced Installer version 17.3? When I try to follow the suggested documented steps, I don't see any options under the "Use file from disk" radio button.

Thanks in advance!

Ankur

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Thu Aug 17, 2023 10:07 am

Hello Ankur,

If I remember correctly, this support has been added in version 18.6 of Advanced Installer.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

Fri Aug 18, 2023 11:08 am

Can you explain how to sign with a DigiCert YubiKey 5 NFC FIPS? I can't get it to sign the installer or configure it. It is generated by an HSM.

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Tue Aug 22, 2023 3:28 pm

Hello,

Have you tried the article I've previously mentioned?

I'm asking this because I'm not really familiar with "Yubikey 5 NFC FIPS" and so far the customers facing a similar scenario managed to get it working using that.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

Tue Aug 29, 2023 11:08 am

Hello,

I'm very sorry, but I can't use the certificate in the way mentioned. The only options it gives me to export my certificate are .crt or .pem.

It is very annoying to have to enter the PIN more than 300 times to sign file by file...

You have to find some solution.

As an alternative, I have had to create a program together with a BAT file (which includes the signtool command and the fingerprint of the signature) to be able to sign the files independently, where it asks me for the PIN only once.

I'm sorry, I can't sign with advanced installer and have to enter the PIN more than 300 times for each thing I have to sign (and it is necessary that it be signed.)

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Thu Aug 31, 2023 1:30 pm

Hello,

First of all, I apologize for this inconvenience.

If possible, could you please try reading the following forum thread and let me know if that helps?

Re: Signing with Smart Card - Too Many Password Prompts

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

Thu Aug 31, 2023 1:38 pm

No.

I repeat, no. As I'm telling you, I can't export my certificate in any of those formats, nor can I do what it says in the thread.

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Mon Sep 04, 2023 11:07 am

Hello,

I am sorry to hear this didn't help! I somehow got carried away and forgot about the .crt/.pem requirement. Please accept my apologies for that.

Regarding the .crt or .pem options for your export, I can only think of this workaround exposed by one of our customers:

Re: [solved] EV singning with CI Server

The workaround uses a .CER certificate, which as per my research is almost the same thing as .CRT, and the conversion should be pretty easy to achieve.

Also, tomorrow I will have a meeting with our dev team to further discuss this. I will let you know if I discover anything useful regarding this topic.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

Mon Sep 04, 2023 11:32 am

Hello, as I have indicated, I do not use SafeNet, I use YubiKey. Link -> https://www.yubico.com/la-yubikey/serie ... s/?lang=es

As I mentioned, YubiKey works differently than SafeNet; in terms of security, YubiKey is better. SafeNet is distributed in the US, while in Europe it is more accessible and quicker to get a YubiKey.

I was talking to YubiKey support to unlink the PIN, something they did not advise me on but they sent me some help links. Maybe this can help your development team.

https://docs.yubico.com/hardware/yubike ... ed%20later

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Mon Sep 04, 2023 1:27 pm

Thank you for your followup on this!

"As I mentioned, YubiKey works differently than SafeNet, in terms of security yubikey is better. SafeNet is distributed in the US while in Europe it is more accessible and quicker to get YubiKey."

I definitely did not know this, interesting information.

And sure, I will forward your feedback to our dev team tomorrow when we'll have the meeting.

Thank you once again for your help so far! :)

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

Mon Sep 04, 2023 3:21 pm

What I can tell you is that speaking with the YubiKey technicians, the only way to delete the PIN is by deleting the certificate and importing it again, something that they completely advise me against.

Personally, I have been able to develop a program that signs all the files in the folders and subfolders of a directory, both libraries and executables, by entering only the PIN once. Maybe this can give development engineers an idea. There may be other alternatives but for me this and making patches lightly with another mechanism that I use is more than efficient.

Waiting for new Advanced Installer updates.
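
The batch-signing approach described in the post above, as an added example that is not NovaES's program and not part of the original thread: it collects executables and libraries recursively and passes them to `signtool` in batches rather than one invocation per file. Assumptions: `signtool.exe` is on PATH, the token's certificate is visible in the `CurrentUser\My` store, the thumbprint and timestamp URL are placeholders, and how often the PIN is requested still depends on the slot's PIN policy and the token middleware.

```powershell
# Added example (hypothetical script). Replace both placeholders before running.
param(
    [Parameter(Mandatory)] [string] $Root,
    [string] $Thumbprint   = '<CERT-SHA1-THUMBPRINT>',   # placeholder
    [string] $TimestampUrl = '<RFC3161-TIMESTAMP-URL>',  # placeholder
    [int]    $BatchSize    = 50                          # keeps the command line short
)
$ErrorActionPreference = 'Stop'

# Fail early if the token is unplugged or the thumbprint is wrong.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }

# Executables and libraries under $Root, skipping files that already verify.
$targets = @(
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.msi |
        Where-Object { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid' } |
        Select-Object -ExpandProperty FullName
)

# signtool accepts several files per invocation, so each batch is one call.
for ($i = 0; $i -lt $targets.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $targets.Count) - 1
    $batch = $targets[$i..$last]
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $batch
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE) on batch starting at index $i"
    }
}

# Re-check every file so a partially signed tree is not shipped unnoticed.
$bad = @($targets | Where-Object { (Get-AuthenticodeSignature -LiteralPath $_).Status -ne 'Valid' })
if ($bad.Count -gt 0) { throw "Not validly signed after run:`n$($bad -join "`n")" }
"Signed and verified $($targets.Count) file(s)."
```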

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Tue Sep 05, 2023 8:00 am

Hello,

Thank you once again for your feedback here and for sharing the solution you found with us.

So far, from what I can understand, the issue resides in the certificate itself and how YubiKey works.

However, I will discuss this with our dev team and whether there's something we can do on our end or not. I will let you know afterwards.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Thu Sep 07, 2023 9:56 am

Hello,

As promised, I'm following up on this.

After discussing this with our dev team, I have found out that YubiKey actually has a PIN Policy:

https://docs.yubico.com/hardware/yubike ... pin-policy

"To specify how often the PIN needs to be entered for access to the credential in a given slot, set a PIN policy for that slot. This policy must be set upon key generation or import; it cannot be changed later."

This is in the article you have previously provided, but somehow I overlooked that PIN part on my end.

Have you tried setting that PIN policy? I'm definitely no expert in this, but it looks like exactly what we need here.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
