NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

Hello, sorry for my delay in responding.

YubiKey advises against eliminating the PIN policy. To prevent it from asking multiple times, you would have to delete the certificate and import it again. But for this, you would have to readmit it again and wait more than 2 business days for approval.

This also wastes a lot of time, but as I said, YubiKey advises against it.

In an external updater package that I have, with a bat file I sign an entire folder at once and it only asks me for the PIN once, this is something that I have developed on my own to avoid having to enter the PIN several times.

Maybe Advanced Installer should do the following:

Enter a new configuration specific to signing with YubiKey keys. If the user has selected this, when the installer construction is launched, create a BAT file where it contains all the files that must be signed, this way it would only ask for the PIN once and not every time it has to sign.

It may be a solution.
Catalin
Posts: 6608
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Hello,

It is quite strange that they offer the possibility to do so, but advise against it - I am wondering why that is.

Anyway, I am glad to hear you got this working!

And thank you very much for sharing your solution with us and for sharing your valuable feedback! I have forwarded this to our dev team and we will see if something can be done in the future to avoid this.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
xObay
Posts: 27
Joined: Sat Jan 06, 2024 4:56 pm

Re: Urgent- How can I sign with YubiKey?

I'm also using a Code Signing Certificate from Sectigo with YubiKey and can't tell how the problem was solved going through this thread.

Can you please help by sharing how you got Advanced Installer to sign using YubiKey on Windows?
NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

As a recommendation, try to create a script or a BAT file so that it signs your program files and only asks you once for the password.

Otherwise, do the following.

You must always select the certificate and have the YubiKey connected before opening the installer, since it will not recognize the certificate and will cause problems.

When it has this process, indicate everything you want to sign (if you have already signed your files, just tell it to sign the installer and the executions at the administrator level)

Then it will ask you for the certificate password as many times as the installer needs to sign (this is a big problem and there is no solution yet)

So if you only want to sign with the installer and you have 100 files to sign, it will ask you 100 times for the password plus the executable and other requests it will need, a total of 122 easily...

They still haven't found a solution for the installer, I did a self-signed one myself and in 5 seconds I had everything signed just by entering the password once.

I wish you luck and a lot of patience.
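
The approach recommended in the posts above (sign the whole folder from one script so the PIN is requested once), as an added example that is not NovaES's script or Advanced Installer's code. It assumes `signtool.exe` from the Windows SDK is on PATH and that the PIN prompt is tied to the signing process, as the posts describe; the parameter names are hypothetical.

```powershell
# Added example (not from the thread): sign a whole folder in ONE signtool call.
param(
    [Parameter(Mandatory)] [string] $Folder,        # build output to sign
    [Parameter(Mandatory)] [string] $Thumbprint,    # SHA-1 thumbprint of the cert on the YubiKey
    [Parameter(Mandatory)] [string] $TimestampUrl,  # your CA's RFC 3161 timestamp server
    [string] $SignTool = 'signtool.exe'             # assumption: Windows SDK signtool is on PATH
)
$ErrorActionPreference = 'Stop'

# The certificate only appears in the store while the token is plugged in.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found. Is the YubiKey connected?" }

# Collect signable files, skipping those that already carry a valid signature.
$files = @(Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.msi' } |
    Where-Object { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid' } |
    ForEach-Object { $_.FullName })
if ($files.Count -eq 0) { Write-Host 'Nothing to sign.'; return }

# One process = one command line; refuse rather than silently split into several
# signtool runs, because each extra run would prompt for the PIN again.
if (($files -join ' ').Length -gt 30000) { throw 'Too many files for a single command line.' }

$signArgs = @('sign', '/fd', 'SHA256', '/sha1', $Thumbprint,
              '/tr', $TimestampUrl, '/td', 'SHA256') + $files
& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify every file: valid signature made with the expected certificate.
$bad = @($files | Where-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_
    $sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $Thumbprint
})
if ($bad.Count -gt 0) { throw "Signature check failed for: $($bad -join ', ')" }
Write-Host "Signed and verified $($files.Count) file(s)."
```

The PIN is typed into the token's own prompt and never appears on the command line or in the script.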
Catalin
Posts: 6608
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Hello,

@xObay, please see the response from @NovaES above.

@NovaES, thank you once again for contributing to our forums! This is a big help for us and we appreciate it greatly. :)

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
xObay
Posts: 27
Joined: Sat Jan 06, 2024 4:56 pm

Re: Urgent- How can I sign with YubiKey?

I found this https://github.com/joseangelmt/AutoInsertPin

I compiled it and tested it and it works. Not the best solution but if you want something to feed in the PIN number whenever the window pops up, this will do the trick.
NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

xObay wrote: Wed Jan 17, 2024 8:13 pm
I found this https://github.com/joseangelmt/AutoInsertPin

I compiled it and tested it and it works. Not the best solution but if you want something to feed in the PIN number whenever the window pops up, this will do the trick.

It seems like a good idea, although for security reasons... I don't know what to say, you have to be very careful.

If they see a viable option to insert this installer, it will be good but I doubt it. This is more about the configuration by YubiKey and the security standard they want to establish.

More than anything, many programmers will leave the key in, if there is malware on that computer and it picks up the "PIN" it will be able to sign through that PC.

There is nothing certain in this world... and all security is little.
xObay
Posts: 27
Joined: Sat Jan 06, 2024 4:56 pm

Re: Urgent- How can I sign with YubiKey?

Agreed. Yet we still need to find a solution that can be fully automated to use it in our pipeline.
NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

I'm trying to use the tool but the console closes, it doesn't work.
xObay
Posts: 27
Joined: Sat Jan 06, 2024 4:56 pm

Re: Urgent- How can I sign with YubiKey?

You need to provide the PIN as an argument. If you don't, it will exit without giving any messages.

If you are on PowerShell, the command will look something like this.

Code:

.\AutoInsertPin.exe 12345678

Assuming you CDed into the folder where the file was compiled.
xObay
Posts: 27
Joined: Sat Jan 06, 2024 4:56 pm

Re: Urgent- How can I sign with YubiKey?

You can do the same thing this tool is doing by building it yourself using something like https://www.autoitscript.com/site/ as well.

AutoIt allows you to create a script that can feed in some input to a window when certain conditions are met.
NovaES
Posts: 143
Joined: Tue Feb 24, 2015 5:20 pm

Re: Urgent- How can I sign with YubiKey?

xObay wrote: Wed Jan 17, 2024 8:34 pm
You need to provide the PIN as an argument. If you don't, it will exit without giving any messages.

If you are on PowerShell, the command will look something like this.

Code:

.\AutoInsertPin.exe 12345678

Assuming you CDed into the folder where the file was compiled.

I just tried and tested it. The password can be seen since it is "stored in RAM". You can look for an alternative so that every time it runs, it uses some type of encryption or even create a "temporary" file with good encryption and then provide a solution.

There may be more methods, it is a matter of trying and testing.
Catalin
Posts: 6608
Joined: Wed Jun 13, 2018 7:49 am

Re: Urgent- How can I sign with YubiKey?

Thank you for your follow-up on this and for sharing such invaluable feedback with us.

I am sure this will be of help for further users facing a similar scenario.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team