Issues signing MSI file using YubiKey Manager with .crt certificate (not with a .PFX)

Question

I have been trying to sign my MSI file using YubiKey Manager with a .crt cert (not a PFX due to recent CAB and Sectigo's rules) but couldn't find a good way to make it work.

I have followed these recommended articles(1, 2) but ended up getting this generic error when trying to sign with SignTool as recommended.

SignTool Error: No certificates were found that met all the given criteria.

I am using this following SignTool command to sign my MSI.

.\signtool.exe sign -s "My" -sha1 "<thumbprint>" /td sha256 /fd sha256 -tr http://timestamp.sectigo.com .\myfile.msi

I am pretty sure that the certificate is present in the Personal cert store but in .crt format. My hunch is that the SignTool is expecting a .PFX which unfortunately cannot be provided in this context as the Private Key will be in the YubiKey Token and Sectigo won't allow us to convert the .crt to .pfx.

I've come across numerous solutions addressing the generic SignTool error, but unfortunately, none of them have proven effective in resolving my specific issue.

I appreciate any assistance or insights into resolving this issue.

Answer 1

You need to download Yubikey Drivers such as "Yubico PIV Tool", "YubiKey Manager" and "YubiKey Smart Card Minidriver" from https://www.yubico.com/support/download/smart-card-drivers-tools. After that they need to begin the signing process from the start.