Code signing from Token

  • Ted Sullivan
    replied
    Clive - Thanks very much for trying those things out. I can imagine how having both drivers installed at the same time would be problematic, as they have the same task. In any case though, it looks like things are working as they should and hardware code signing is functioning. We just wanted to get this right here in Setup Factory first, before adding it to the other products. Again, thanks for your help and feedback!



  • tbs(apc)
    replied
    Hi Ted,

    Sorry I didn't get a chance to raise a support ticket. However, I have today installed the new version 9.6.0.1 and I can confirm, when the "Show Signing Window" is checked, the Code Signing dialog pops up as expected.

    We've also found that if you use the Thales Minidriver rather than the "SAC", it works fine without this option checked.
    As a footnote, I did uninstall the SAC, keeping my client settings, and tried the Minidriver, and this worked as you described except it prompts every time for the PIN/Password.

    I left the Minidriver installed and reinstalled the SAC. With the SAC's "Enable single logon" checked, the Code Signing dialog popped up once and SUF worked without the "Show Signing Window" checked.

    I thought I was going to have the best of both worlds but unfortunately after a reboot the system complained about a missing etoken.dll. Repairing the SAC fixed the issue, I suspect overwriting the mini-driver, but then SUF's "Show Signing Window" needed to be checked.

    Anyway, the good news is you have provided us a solution, depending on whether we use the SAC, the Minidriver, or a batch file to avoid the PIN/Password completely.

    Many thanks to yourself and Ulrich for your assistance.

    Clive



  • tbs(apc)
    replied
    Hi Ulrich,

    Could you please confirm that this works around the issue. It is almost certain, but I would like to be 100% sure. Please download the batch file attached here.
    Apologies for my late response. However, please find attached the output.txt file you requested. This works as you would expect.

    Clive
    Attached Files



  • Ted Sullivan
    replied
    We have released an update today to Setup Factory v9.6.0.1 that adds a "Show Signing Window" checkbox to the Code Signing dialog. Use this option for hardware token drivers that require a visible signtool.exe window in order to show their PIN/Password. We've confirmed that this works with the Thales SafeNet Authentication Client software. We've also found that if you use the Thales Minidriver rather than the "SAC", it works fine without this option checked - just like with a YubiKey etc.



  • Ulrich
    replied
    Hello Clive,

    Could you please confirm that this works around the issue. It is almost certain, but I would like to be 100% sure. Please download the batch file attached here.

    Once you have the batch file, please edit the path to your signtool.exe in line 59, so it points to the location on your system. Then, change the path of the signtool.exe in the settings, so it uses the batch file instead, like this:



    Everything else can be kept as it is, e.g. certificate subject name, and/or thumbprint, etc. Then, attempt to build and see if this works as expected, meaning that you are prompted for the token PIN/password at each access to the device.

    A debug file, named "output.txt" will be created in the temporary folder, which may assist in debugging an error, should something not work as expected.

    This should perform the exact command as when signtool is getting invoked in the IDE, just without redirecting the output to the log window, which may be the reason why the prompt is not being shown. Please let me know if there are any issues.

    Ulrich
    Attached Files



  • tbs(apc)
    replied
    All the actions below are after I rebooted my generation / build machine. This is a Windows 10 Pro 22H2.

    Can you please try it using the IDE and let us know if that makes a difference for you?
    Unfortunately, this made no difference.



    try disabling that single logon option in your driver if it doesn't show the PIN window
    Before I made these changes I exited SUF, changed the above flags, reloaded the project and selected the build option.

    It failed in the same place as shown above.

    I then signed a program from the command line. The SafeNet Authentication Client (SAC) password dialogue displayed, I entered the password and the program was signed. This was to see whether, once the SAC had been run, it would allow SUF to work.

    I once more reloaded my project in SUF, selected the build option, and it failed in the same place.

    NB: Re-enabling these flags, signing a program from the command line, reloading my project in SUF and rebuilding it worked, i.e. no password dialogue was displayed.

    Finally, what command line are you using to call your unattended build?
    "C:\Program Files (x86)\Setup Factory 9\SUFDesign.exe" /BUILD "C:\Apps\Setup Factory 9\Projects\6.3\Triumph 6.3 Upgrade.suf" "/CONST:g:\Upgrade6.3\build.ini" "/LOG:g:\Upgrade6.3\build.log"

    If it is being called by a system service, Windows can not show the PIN dialog
    No. A batch file manually called from a command line prompt.

    … the PIN is a real pita, but it’s where we’ve ended up in the name of “security”…)
    Thanks for the link. And this 'rant' pretty much confirms my experience so far working with new code signing certs and USB tokens.

    "CA's (and their resellers) have some of the worst websites I have ever had the displeasure of reading. Pages and pages of useless or contradictory information with links promising more information that take you around in circles. Grrrrr."

    I am not sure why SAC is being so obstinate with SUF. However, next year we will look elsewhere. In the meantime I do have one of two solutions: after each reboot, signing something manually to force the password dialogue to be used once, or reverting to using a batch file, which as you have already mentioned overrides the hardware security.




  • Ted Sullivan
    replied
    It looks like the SafeNet Authentication Client won't display the password dialog when called from within SUF. NB: We build our installers via the command line and not from within the SUF Project Studio / Editor. Not sure if that would make a difference?
    That's odd... We're using a YubiKey 5 FIPS as our HSM with the YubiKey SmartCard Minidriver installed. I've run dozens of tests this morning and the "Windows Security" smart card popup shows up in both IDE and Command Line runs during the signing (twice per build) requesting the PIN/Password. Can you please try it using the IDE and let us know if that makes a difference for you? Then you can see any errors or messages as they happen.

    From doing some Google searches on the sign tool error you received (and what you mentioned a few posts above where you enabled "SafeNet Authentication client, Enable single login and Enable single logon for PKCS#11," in order to try and avoid entering the PIN/password when the certificate is accessed), I've seen several people say that this may not work for command line builds as their driver service interferes with the user interaction. You should try and get this running as straightforward as possible before trying to avoid the PIN prompt (frankly that’s exactly opposite to what the point of the hardware token security is going for, and certainly requiring some fancy footwork of their driver to override the hardware security… the PIN is a real pita, but it’s where we’ve ended up in the name of “security”…)

    Perhaps create a small dummy project just to test the signing and try it in the IDE - try disabling that single logon option in your driver if it doesn't show the PIN window.

    Finally, what command line are you using to call your unattended build? Are you running that from some sort of CI continuous integration tool or ? If it is being called by a system service, Windows can not show the PIN dialog (https://xrstf.de/2018/03/safenet-tok...ing-gitlab-ci/).

    Otherwise, I've tried pretty much every permutation of redirecting STDOUT, piping to a file etc., and still the YubiKey PIN dialog shows up... Perhaps it is going behind a window, but that's odd too.



  • tbs(apc)
    replied
    Hi Ulrich,

    I have now done as requested. There is still a problem but more information is now provided.

    Packed 1 file.

    Code signing setup runtime
    > Signing with SHA-256...
    > Signing command: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /sha1 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /fd sha256 /tr "http://timestamp.sectigo.com" /td sha256 /d "Triumph 6.3 upgrade from 6.2" /du "http://www.triumph.com.au" "C:\Apps\tmp\builds\_ir_sf_build_13\ir_tmp_rtm .tmp "
    Done Adding Additional Store

    Error information: "Error: SignerSign() failed." (-2147023673/0x800704c7)

    SignTool Error: An unexpected internal error has occurred.

    Error 4304: Execute program error executing code signing tool - 0 (1)
    I then decided to cut-n-paste the Signing Command into a batch file and substitute the file for signing; I got the image below. After entering the password the file is successfully signed.


    I then rebuilt the project once more and the files are now successfully being signed.

    Packed 1 file.

    Code signing setup runtime
    > Signing with SHA-256...
    > Signing command: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /sha1 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /fd sha256 /tr "http://timestamp.sectigo.com" /td sha256 /d "Triumph 6.3 upgrade from 6.2" /du "http://www.triumph.com.au" "C:\Apps\tmp\builds\_ir_sf_build_13\ir_tmp_rtm .tmp "
    Done Adding Additional Store

    Successfully signed: C:\Apps\tmp\builds\_ir_sf_build_13\ir_tmp_rtm.tmp
    It looks like the SafeNet Authentication Client won't display the password dialog when called from within SUF. NB: We build our installers via the command line and not from within the SUF Project Studio / Editor. Not sure if that would make a difference?

    [Screenshot attached: 2023-08-23_12-34-57.png]

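The SignerSign() failure in Clive's log carries 0x800704c7, which is HRESULT_FROM_WIN32(1223), ERROR_CANCELLED, consistent with the token's PIN prompt being cancelled or never shown. Whichever workaround ends up in the build, the output should be checked afterwards for what the signing command asked for: the expected certificate, a valid signature and an RFC 3161 timestamp. The following PowerShell script is an added example, not part of the thread or of Setup Factory; the path, the thumbprint and the signtool location are placeholders.

```powershell
# Added example (not from the thread or from Setup Factory): verify that a build
# output carries the signature the SUF signing command requested.
# Placeholders: set $Path, $ExpectedThumbprint and $SignTool for your system.
param(
    [string]$Path = 'C:\Apps\tmp\builds\setup.exe',                           # placeholder
    [string]$ExpectedThumbprint = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',   # placeholder: the /sha1 value used when signing
    [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe'
)

$problems = @()
$sig = Get-AuthenticodeSignature -FilePath $Path

if ($sig.Status -ne 'Valid') {
    $problems += "status '$($sig.Status)': $($sig.StatusMessage)"
}
if (-not $sig.SignerCertificate) {
    $problems += 'no signer certificate (file is unsigned)'
} elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    # A different thumbprint means a different key signed the file, e.g. a leftover
    # software certificate instead of the token-held one.
    $problems += "signed by $($sig.SignerCertificate.Thumbprint), expected $ExpectedThumbprint"
}
if (-not $sig.TimeStamperCertificate) {
    # Without the /tr countersignature the signature stops validating once the cert expires.
    $problems += 'no timestamp countersignature'
}

# Get-AuthenticodeSignature reports a single signature; let signtool check every
# signature in the file and its timestamp chain (/pa = default Authenticode policy).
& $SignTool verify /pa /all /v $Path | Out-Null
if ($LASTEXITCODE -ne 0) {
    $problems += "signtool verify /pa /all returned exit code $LASTEXITCODE"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $Path signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
} else {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it as the last step of the unattended build; a non-zero exit stops a build that produced an unsigned or wrongly signed installer from being shipped.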


  • Ulrich
    replied
    I am sorry for that. Could you please re-download and try building this project again? We updated the installer on the server and this should be resolved.

    Ulrich



  • tbs(apc)
    replied
    Hi Ulrich,

    I have installed SUF 9.6 and changed my code signing as suggested and shown below.

    The thumbprint is a copy-n-paste from the certmgr and I have tried it with and without the subject name but the build process fails with the following message:

    Packed 1 file.

    Code signing setup runtime
    Error 4301: Code signing certificate not defined.


    Build failed - 1 Error(s), 2 Warning(s)
    Clive

    [Screenshot attached: 2023-08-22_11-43-10.png]



  • tbs(apc)
    replied
    Hi Ulrich,

    Maybe it's our setup or how Sectigo does things but I am having to enter a password not a PIN.

    However, if I set the following setting in the SafeNet Authentication client, Enable single login and Enable single logon for PKCS#11, then it'll prompt once until the machine is rebooted.

    The solution described in this post avoids this altogether.

    Out of interest what happens to projects that still have SHA1 signing filled out when they are updated in SUF 9.6?

    [Screenshot attached: 2023-08-22_10-17-32.png]

    Clive



  • Ulrich
    replied
    We released Setup Factory 9.6 today, and if you have active maintenance, you can retrieve it from the Customer Portal.

    The code signing setting dialog was changed, support for SHA-1 was dropped, and it should be overall much easier to use a certificate on a token. Basically, we understand that every HSM token should have a driver, which will make the certificate(s) available in the cert store (certmgr.exe). A cert in the store can be selected via subject name, and/or thumbprint. During the signing process, the driver will prompt for the device PIN, but no password should be required during the process.

    [Screenshot attached: SCRN-2023-08-21-01.png]

    Ulrich

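Ulrich's description relies on the token driver publishing the certificate into the user's store so that SUF 9.6 can select it by subject name or thumbprint. The PowerShell snippet below is an added example, not from the thread or from Setup Factory: it lists the code-signing certificates in that store and, for each, which key provider backs the private key, so you can confirm the cert SUF will pick is the token-held one (a smart card KSP or the vendor CSP rather than a software key) and copy its thumbprint without a certmgr round-trip. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread or from Setup Factory): list code-signing
# certificates in the current user's store with the provider holding each key.
# -CodeSigningCert keeps only certs with the Code Signing EKU.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert

foreach ($cert in $certs) {
    $provider = '(no private key visible)'
    $hardware = $null
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: a minidriver token shows up under the Microsoft Smart Card KSP.
                $provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP: vendor clients such as the SafeNet/eToken CSP land here.
                $provider = $rsa.CspKeyContainerInfo.ProviderName
                $hardware = $rsa.CspKeyContainerInfo.HardwareDevice
            }
        } catch {
            # Opening the key can fail when the token is unplugged or its driver is
            # missing, and some drivers raise their PIN prompt at this point.
            $provider = "key not accessible: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint      # paste this into the SUF 9.6 Code Signing dialog
        NotAfter   = $cert.NotAfter
        Provider   = $provider
        Hardware   = $hardware             # populated for CSP keys only
    }
}
```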


  • tbs(apc)
    replied
    This is my take on the code signing batch file helper. I also avoid having to enter our token's password every time something needs to be signed.

    [Screenshot attached: 2023-08-21_10-48-17.png]


    NB: For some reason when the batch file runs from within SUF it wouldn't get the password from the registry or expand variables if they were passed. Not exactly sure why, but in the end I kept with the installer's 'Certificate Password' argument, which solved my problem.

    Code:
    @echo off
    setlocal enableDelayedExpansion
    
    rem . Retrieve the Code Signing password from the registry.
    rem . The value name contains spaces, so instead of a fixed token number the
    rem . whole matching line is kept and everything up to the REG_SZ marker cut off.
    rem . (Passwords containing ! or % will not survive delayed expansion.)
    rem . Note: anything running as this user can read this value; it exists only to
    rem . bypass the token's per-use PIN prompt.
    set "RR=HKCU"
    set "RK=Software\Company Name Pty Ltd"
    set "RV=Code Signing Password"
    set "CS-PWD="
    
    for /f "tokens=*" %%a in ('reg.exe query "%RR%\%RK%" /v "%RV%" 2^>nul ^| findstr /i /c:"REG_SZ"') do (
        set "CS-LINE=%%a"
        set "CS-PWD=!CS-LINE:*REG_SZ=!"
    )
    rem . Trim the whitespace reg.exe prints between the type and the data
    for /f "tokens=*" %%a in ("!CS-PWD!") do set "CS-PWD=%%a"
    
    
    rem . Cryptographic Service Provider (flag and name)
    set CS-CSP=%1 %2
    shift
    shift
    
    rem . Private Key Container (flag, then arguments 2 and 3 joined with "=")
    set CS-KC=%1 %2=%3
    shift
    shift
    shift
    
    rem . Certificate (flag and file)
    set CS-CERT=%1 %2
    shift
    shift
    
    rem . Optional password (/p value); when present it overrides the registry value
    set CS-ALGO=%1
    if not "%CS-ALGO%"=="/p" goto file_digest
    set CS-PWD=%2
    shift
    shift
    
    rem . File Digest Algorithm
    :file_digest
    set CS-ALGO=%1 %2
    shift
    shift
    
    rem . Timestamp URL & Digest Algorithm
    set CS-TIMESTAMP=%1 %2 %3 %4
    shift
    shift
    shift
    shift
    
    rem . Description
    set CS-DESC=%1 %2
    shift
    shift
    
    rem . URL for more information
    set CS-URL=%1 %2
    shift
    shift
    
    rem . File For Signing
    set CS-FILE=%1
    shift
    
    
    rem . Substitute the password for the PASSWORD placeholder in the key container string
    call set CS-KC=%%CS-KC:PASSWORD=%CS-PWD%%%
    
    
    rem . Uncomment to inspect the assembled arguments (CS-KC then contains the password)
    rem echo %CS-CSP%
    rem echo %CS-KC%
    rem echo %CS-CERT%
    rem echo %CS-ALGO%
    rem echo %CS-TIMESTAMP%
    rem echo %CS-DESC%
    rem echo %CS-URL%
    rem echo %CS-FILE%
    
    signtool.exe sign %CS-CSP% %CS-KC% %CS-CERT% %CS-ALGO% %CS-TIMESTAMP% %CS-DESC% %CS-URL% %CS-FILE%



  • tbs(apc)
    replied
    Hi Ulrich,

    Hopefully sooner than later. We've just received our 'token' and it's been a PITA from the start.

    This was a good read for anyone interested.

    Kind regards



  • Ulrich
    replied
    Hopefully we have a cleaner approach in the near future. This is still undergoing tests.

    [Screenshot attached: SCRN-2023-08-03-06.png]

    Ulrich

