looks like cloud-based signing is ‘the easy way’, but we wanted to avoid it for multiple reasons, including security and costs. few of the offers:<\/p>\n\n\n\n
- \n
- https:\/\/store.entrust.com\/default\/ov-ev-code-signing-as-a-se…<\/a><\/li>\n\n\n\n
- https:\/\/www.digicert.com\/content\/dam\/digicert\/pdfs\/datasheet…<\/a><\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
purchases<\/h2>\n\n\n\n
- \n
- i’ve bought Organization Validation Code signing certificate from ssl.com<\/a>. website is sketchy, i even got errors in the process but their support was responsive and i got vetted [ i have proven that i am acting on behalf of the company for which i’ve ordered the cert ] within few days:\n
- \n
- i had to provide registration papers, <\/li>\n\n\n\n
- i also gave DUNS number to speed things up,<\/li>\n\n\n\n
- they made automated call to number visible in D&B records, i had to re-type the number provided over the phone to their website,<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- separately – i’ve bought Yubikey 5 Nano FIPS – to be sure that i’m generating the private key and it’s not known to anyone else.<\/li>\n<\/ul>\n\n\n\n
finalizing the cert issuance<\/h2>\n\n\n\n
- \n
- based on https:\/\/www.ssl.com\/how-to\/key-generation-and-attestation-with-yubikey<\/a>\/ i’ve generated private key on the newly bought Yubikey 5 Nano FIPS:\n
- \n
- in the process i’ve set my own PIN, PUK and Management key for Yubikey via Yubikey Manager,<\/li>\n\n\n\n
- in Yubikey Manager i’ve generated code signing certificate in slot 9a, with ECC P384 private key, then – following instruction above – i’ve created attestation file [ proving that private key was created on Yubikey device ] and intermediate certificate,<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- I’ve provided both of above to ssl.com and waited for them to issue the certificate,<\/li>\n\n\n\n
- once i got the certificate – i’ve imported it together with intermediate and root cert of ssl.com to yubikey [ based on https:\/\/www.ssl.com\/how-to\/install-sslcom-root-and-intermediate-certificates-on-yubikey\/<\/a> ],<\/li>\n\n\n\n
- i’ve installed yubikey’s smartcard minidriver<\/a> and rebooted my pc,<\/li>\n\n\n\n
- after that the new certificate showed up in certmgr.msc > personal > certificates – good!<\/li>\n<\/ul>\n\n\n\n
testing if the certificate works<\/h2>\n\n\n\n
- \n
- i’ve installed signtool from https:\/\/developer.microsoft.com\/en-us\/windows\/downloads\/windows-sdk\/<\/a><\/li>\n\n\n\n
- i was able to successful sign an exe with signtool.exe sign \/sha1 2ad5caaad3caf23baa33a2ad7a6eaaf18255a7c7 \/fd sha256 \/td sha256 \/tr <\/em><\/em>http:\/\/timestamp.digicert.com<\/em><\/a> “Clear Settings Wizard.exe”<\/em><\/em> where the long hex string is a thumbprint of my new certificate, it can be found in certmgr.msc > personal > certificates. <\/li>\n<\/ul>\n\n\n\n
setting up VM with Windows Server<\/h2>\n\n\n\n
qemu-img create -f qcow2 vda.qcow2 32G\nvirt-install --connect qemu:\/\/\/system --arch=x86_64 -n w2 -r 6144 --vcpus=4 --cdrom ..\/win2022\/SERVER_EVAL_x64FRE_en-us.iso --disk path=vda.qcow2 --disk path=..\/win2022\/virtio-win.iso,device=cdrom --graphics vnc,listen=127.0.0.1,port=5907 --noautoconsole --os-type windows --os-variant=win2k16 --network=bridge:br0,model=virtio --accelerate --noapic\n\n# windows iso taken from https:\/\/www.microsoft.com\/en-us\/evalcenter\/download-windows-server-2022\n# virtio-win drivers taken from the latest build at https:\/\/fedorapeople.org\/groups\/virt\/virtio-win\/direct-downloads\/archive-virtio\/<\/code><\/pre>\n\n\n\ni’ve continued the setup via VNC available on loopback of my linux box, on port 5907<\/p>\n\n\n\n
once system was installed – i’ve:<\/p>\n\n\n\n
- \n
- installed virtio drivers from the ISO file – by running virtio-win-gt-x64.msifrom it<\/li>\n\n\n\n
- run windows updates and rebooted the Windows Server VM few times<\/li>\n\n\n\n
- enabled RDP access<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
passing USB device from physical server to Windows VM<\/h2>\n\n\n\n
i’m working with assumption that only one yubikey will be plugged into physical server – so it’s enough find out identifier of the USB token that i want to pass to Windows VM:<\/p>\n\n\n\n
lsusb -v|less\n# i'm searching for Yubico\nBus 001 Device 002: ID 1050:0404 Yubico.com Yubikey 4\/5 CCID\nDevice Descriptor:\n bLength 18\n bDescriptorType 1\n bcdUSB 2.00\n bDeviceClass 0\n bDeviceSubClass 0\n bDeviceProtocol 0\n bMaxPacketSize0 64\n idVendor 0x1050 Yubico.com\n idProduct 0x0404 Yubikey 4\/5 CCID\n bcdDevice 5.43\n iManufacturer 1 Yubico\n iProduct 2 YubiKey CCID\n iSerial 0<\/code><\/pre>\n\n\n\nthat’s the key part: idVendor=0x1050<\/strong>, idProduct=0x0404<\/strong>. i’ve put them to the \/etc\/libvirt\/qemu\/w2.xml – definition of my VM, in <devices> section<\/p>\n\n\n\n
<hostdev mode='subsystem' type='usb' managed='yes'>\n <source>\n <vendor id='0x1050<\/strong>'\/>\n <product id='0x0404<\/strong>'\/>\n <\/source>\n <address type='usb' bus='0' port='2'\/>\n<\/hostdev><\/code><\/pre>\n\n\n\nthen virsh define \/etc\/libvirt\/qemu\/w2.xml<\/em> and virsh start w2<\/em>.<\/p>\n\n\n\n
from now on – use VNC and not RDP to connect to the Windows VM. Why? Because RDP, intentionally, makes it impossible<\/a> to access smartcard\/security devices that are attached to Windows machine to which you’re connecting. <\/p>\n\n\n\n
in the device manager of Windows i can see the smartcard device, with a warning – that’s a good sign:<\/p>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2023\/12\/image.png\")
<\/figure>\n\n\n\nif you have more than one identical yubikey plugged into the physical server and want to pass just one of them – it’s possible to pass whatever is attached to a specific port<\/a>. <\/p>\n\n\n\n
making Yubikey actually work on the Windows VM<\/h2>\n\n\n\n
- \n
- install Yubikey’s minidriver for windows 64 bit <\/a> <\/li>\n\n\n\n
- install Yubikey Manager<\/a><\/li>\n\n\n\n
- reboot the Windows VM<\/li>\n\n\n\n
- at this stage – yubikey manager will not see the key and will tell insert your yubikey<\/em><\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2023\/12\/image-1-1024x574.png\")
<\/figure>\n\n\n\n- \n
- now the key part – based on this thread<\/a> – in the Device Manager<\/em> – double blick on the Microsoft Usbccid Smartcard Reader (UMDF2) <\/em>go to Driver<\/em> > Update Driver, Browser my computer for drivers<\/em> Let me pick from a list of available drivers on my computer<\/em> and select Micrososft Usbccid Smartcard Reader<\/em> (WUDF)<\/em><\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2023\/12\/image-2-1024x719.png\")
<\/figure>\n\n\n\nYubikey token should immediately show up in the Yubikey Manager<\/em>:<\/p>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2023\/12\/image-3-1024x532.png\")
<\/figure>\n\n\n\nsigning a binary in the Windows VM<\/h2>\n\n\n\n
install signtool from https:\/\/developer.microsoft.com\/en-us\/windows\/downloads\/windows-sdk\/<\/a> – it’s enough to select Windows SDK Signing Tools for Desktop Apps<\/em><\/p>\n\n\n\n
run certmgr.msc <\/em>, find your certificate, double click on it, go to Details<\/em> and scroll down to the Thumbprint<\/em> – it’s the hash we’ll use to identify cert that should be used in the signing process<\/p>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2023\/12\/image-4.png\")
<\/figure>\n\n\n\nadd c:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22621.0\\x64 <\/em>to path to make signtool easily accessible from command line, providing – as the long hex – thumbprint of your cert:<\/p>\n\n\n\n
signtool.exe sign \/sha1 2ad5caaad3caf23baa33a2ad7a6eaaf18255a7c7 \/fd sha256 \/td sha256 \/tr <\/em><\/em>http:\/\/timestamp.digicert.com<\/em><\/a> “Clear Settings Wizard.exe”<\/em><\/em><\/p>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2023\/12\/image-5.png\")
<\/figure>\n\n\n\nif all went fine – signature on the exe should be replaced with yours<\/p>\n\n\n\n
![\"\"](\"https:\/\/kudzia.eu\/b\/wp-content\/uploads\/2023\/12\/image-6-1024x415.png\")
<\/figure>\n\n\n\nagain – above will not work if you RDP – yubikey manager will tell Insert your YubiKey, <\/em>signtool will ask to select a smartcard device, and tell “No certificates were found that met all the given criteria”.<\/p>\n\n\n\n
signing without need to manually enter the PIN each time <\/h2>\n\n\n\n
I’ve found few options for unattended \/ fully automated signing, without prompt for pin, with Yubikey:<\/p>\n\n\n\n
- \n
- scsigntool – https:\/\/www.mgtek.com\/smartcard – free, but closed source and fairly obscure. seems to work fine, but i’d prefer to have more transparency<\/li>\n\n\n\n
- https:\/\/ebourg.github.io\/jsign\/<\/a> – which requires Java and seems to work fine; you’ll need to install Yubico-piv-tools<\/a> and add C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin <\/em>to PATH<\/em>.<\/li>\n\n\n\n
- osslsigncode<\/a> might support it, i did not try. details: 1<\/a>, 2<\/a>.<\/li>\n<\/ul>\n\n\n\n
java -jar jsign-5.0.jar -tsaurl http:\/\/timestamp.sectigo.com --storetype YUBIKEY --storepass MYPIN --replace yubico-piv-tool-2.3.1-win64.msi\nERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...\nAdding Authenticode signature to yubico-piv-tool-2.3.1-win64.msi<\/code><\/pre>\n\n\n\ni’m sure it’s possible to specify which cert to use, but i don’t know how to do it. anyway – this seems to work.<\/p>\n\n\n\n
<\/p>\n\n\n\n
reminder: access to local smartcard is not possible via RDP, i was getting this error when trying to use jsign via RDP instead of VNC:<\/p>\n\n\n\n
jsign: Failed to load the keystore\njava.security.KeyStoreException: keystore type 'YUBIKEY' is not supported with security provider SunPKCS11-yubikey\n at net.jsign.KeyStoreType.getKeystore(KeyStoreType.java:474)\n at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:283)\n at net.jsign.SignerHelper.build(SignerHelper.java:256)\n at net.jsign.SignerHelper.sign(SignerHelper.java:388)\n at net.jsign.JsignCLI.execute(JsignCLI.java:132)\n at net.jsign.JsignCLI.main(JsignCLI.java:40)\nCaused by: java.security.KeyStoreException: PKCS11 not found\n at java.base\/java.security.KeyStore.getInstance(KeyStore.java:967)\n at net.jsign.KeyStoreType.getKeystore(KeyStoreType.java:469)\n ... 5 more\nCaused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-yubikey\n at java.base\/sun.security.jca.GetInstance.getService(GetInstance.java:101)\n at java.base\/sun.security.jca.GetInstance.getInstance(GetInstance.java:218)\n at java.base\/java.security.Security.getImpl(Security.java:684)\n at java.base\/java.security.KeyStore.getInstance(KeyStore.java:964)\n ... 6 more\nTry `java -jar jsign.jar --help' for more information.\n<\/code><\/pre>\n\n\n\nlooks like there’s a way around it, but requires binary patching: 1<\/a>, 2<\/a>, 3<\/a>.<\/p>\n\n\n\n
Extended Validation code signing certificates<\/h2>\n\n\n\n
few weeks after buying OV Code Signing cert from ssl.com and testing if all works fine i’ve bought proper EV certs to be used in the next 3 years – one from ssl.com another from sectigo via ssl2buy.com. vetting process was very similar for both OV and EV certs – it was based on call to number found in company registration papers. installation and use of EV certs was identical to OV. in case of sectigo besides getting the requested cert, i’ve received two intermediary certs and root cert. i’ve installed them via:<\/p>\n\n\n\n
cd C:\\Program Files\\Yubico\\YubiKey Manager\r\nykman.exe piv certificates import 82 C:\\sectigo\\out\\root.crt -m managementkey\r\nykman.exe piv certificates import 83 C:\\sectigo\\out\\int1.crt -m managementkey\r\nykman.exe piv certificates import 84 C:\\sectigo\\out\\int2.crt -m managementkey\r\n\r\n<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
starting from June 2023 code signing certificates for MS Windows cannot be delivered as a file anymore. files are easy to steal. now certs must reside on security modules which don’t allow private key extraction, at least not for mere mortals. we’re using such a cert to sign exe and msi files on a build […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3567","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=3567"}],"version-history":[{"count":9,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3567\/revisions"}],"predecessor-version":[{"id":3595,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3567\/revisions\/3595"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=3567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=3567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=3567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- osslsigncode<\/a> might support it, i did not try. details: 1<\/a>, 2<\/a>.<\/li>\n<\/ul>\n\n\n\n
- install Yubikey Manager<\/a><\/li>\n\n\n\n
- install Yubikey’s minidriver for windows 64 bit <\/a> <\/li>\n\n\n\n
- i was able to successful sign an exe with signtool.exe sign \/sha1 2ad5caaad3caf23baa33a2ad7a6eaaf18255a7c7 \/fd sha256 \/td sha256 \/tr <\/em><\/em>http:\/\/timestamp.digicert.com<\/em><\/a> “Clear Settings Wizard.exe”<\/em><\/em> where the long hex string is a thumbprint of my new certificate, it can be found in certmgr.msc > personal > certificates. <\/li>\n<\/ul>\n\n\n\n
- i’ve installed yubikey’s smartcard minidriver<\/a> and rebooted my pc,<\/li>\n\n\n\n
- based on https:\/\/www.ssl.com\/how-to\/key-generation-and-attestation-with-yubikey<\/a>\/ i’ve generated private key on the newly bought Yubikey 5 Nano FIPS:\n
- https:\/\/www.digicert.com\/content\/dam\/digicert\/pdfs\/datasheet…<\/a><\/li>\n<\/ul>\n\n\n\n