Urgent- How can I sign with YubiKey?

[Catalin]

Hello,

It is quite strange that they offer the possibility to do so, but advise against it - I am wondering why that is.

Anyway, I am glad to hear you got this working!

And thank you very much for sharing your solution with us and for sharing your valuable feedback! I have forwarded this to our dev team and we will see if something can be done in the future to avoid this.

Best regards,
Catalin

[xObay]

I'm also using a Code Signing Certificate from Sectigo with Yubikey and can't tell how the problem was solved going through this thread.

Can you please help sharing how did you get Advanced Installer to sign using Yubikey on Windows?

[NovaES]

As a recommendation, try to create a SCRIP or a BAT so that it signs your program files and only asks you once for the password.

Otherwise, do the following.

You must always select the certificate and have the YubiKey connected before opening the installer, since it will not recognize the certificate and will cause problems.

When it has this process, indicate everything you want to sign (if you have already signed your files, just tell it to sign the installer and the executions at the administrator level)

Then it will ask you for the certificate password as many times as the installer needs to sign (this is a big problem and there is no solution yet)

So if you only want to sign with the installer and you have 100 files to sign, it will ask you 100 times for the password plus the executable and other requests it will need, a total of 122 easily...

They still haven't found a solution for the installer, I did a self-signed one myself and in 5 seconds I had everything signed just by entering the password once.

I wish you luck and a lot of patience.

[Catalin]

Hello,

@xObay, please see the response from @NovaES above.

@NovaES, thank you once again for contributing to our forums! This is a big help for us and we appreciate it greatly.

Best regards,
Catalin

[xObay]

I found this https://github.com/joseangelmt/AutoInsertPin

I compiled it and tested it and it works. Not the best solution but if you want something to feed in the PIN number whenever the window pops up, this will do the trick.

[NovaES]

I found this https://github.com/joseangelmt/AutoInsertPin

I compiled it and tested it and it works. Not the best solution but if you want something to feed in the PIN number whenever the window pops up, this will do the trick.

It seems like a good idea, although for security reasons... I don't know what to say, you have to be very careful.

If they see a viable option to insert this installer, it will be good but I doubt it. This is more about the configuration by YubiKey and the security standard they want to establish.

More than anything, many programmers will leave the key in, if there is malware on that computer and it picks up the "PIN" it will be able to sign through that PC.

There is nothing certain in this world... and all security is little.

[xObay]

Agreed. Yet we still need to find a solution that can be fully automated to use it in our pipeline.

[NovaES]

I'm trying to use the tool but the console closes, it doesn't work.

[xObay]

You need to provide the PIN as an argument. If you don't, it will exit without giving any messages.

If you are on PowerShell, the command will look something like this.

Code: Select all

.\AutoInsertPin.exe 12345678

Assuming you CDed into the folder where the file was compiled.

[xObay]

You can do the same thing this tool is doing by building it yourself using something like https://www.autoitscript.com/site/ as well.

AutoIt allows you to create a script that can feed in some input to a window when certain conditions are met.

[NovaES]

You need to provide the PIN as an argument. If you don't, it will exit without giving any messages.

If you are on PowerShell, the command will look something like this.

Code: Select all

.\AutoInsertPin.exe 12345678

Assuming you CDed into the folder where the file was compiled.

I just tried and tested it. The password can be seen since it is "stored in RAM". You can look for an alternative so that every time it runs, it uses some type of encryption or even create a "temporary" file with good encryption and then provide a solution.

There may be more methods, it is a matter of trying and testing.

[Catalin]

Thank you for your followup on this and for sharing such invaluable feedback with us.

I am sure this will be of help for further users facing a similar scenario.

Best regards,
Catalin

[Z Automotive]

Hello,

Just bumping this thread in hopes of finding a solution that addresses the need to enter a PIN hundreds of times when signing. Ideally, this would be natively supported in Advanced Installer, especially since hardware token-based code signing is becoming increasingly common.

For those unfamiliar with how we're currently signing with Advanced Installer and a YubiKey: we’re using the custom option shown below.

With the YubiKey plugged in before launching Advanced Installer (or by referencing the certificate’s SHA1 hash from the Windows Certificate Store):



We’re then hit with repeated PIN prompts during the signing process:



This behavior makes large-scale signing incredibly tedious. We'd appreciate any insight or updates on native support for smart card-based signing in future releases.

I'm on 22.7 and my maintenance plan expired today! I will renew it for this feature though! Ha!

Thanks,

Z Automotive

[NovaES]

Hello,

I had to design a program that enters the password in the dialog box. What I do is run my application, and every time it detects the window, it enters the password and automatically clicks Continue. This way, I was able to "automate" it, interacting with the Windows window and entering the data automatically.

[NovaES]

Hello,

I had to design a program that enters the password in the dialog box. What I do is run my application, and every time it detects the window, it enters the password and automatically clicks Continue. This way, I was able to "automate" it, interacting with the Windows window and entering the data automatically.

Hello,

Just bumping this thread in hopes of finding a solution that addresses the need to enter a PIN hundreds of times when signing. Ideally, this would be natively supported in Advanced Installer, especially since hardware token-based code signing is becoming increasingly common.

For those unfamiliar with how we're currently signing with Advanced Installer and a YubiKey: we’re using the custom option shown below.

With the YubiKey plugged in before launching Advanced Installer (or by referencing the certificate’s SHA1 hash from the Windows Certificate Store):



We’re then hit with repeated PIN prompts during the signing process:



This behavior makes large-scale signing incredibly tedious. We'd appreciate any insight or updates on native support for smart card-based signing in future releases.

I'm on 22.7 and my maintenance plan expired today! I will renew it for this feature though! Ha!

Thanks,

Z Automotive