Wazime

Reputation: 1698

Signing an exe with Yubikey error: Error: SignerSign() failed

I have bought an EV signing certificate from ssl.com.
I have a Yubikey 5 NFC, so I tried to load the signature into my Yubikey with all the attestation and stuff.

https://www.ssl.com/how-to/key-generation-and-attestation-with-yubikey/

Everything seems good, certmgr shows the certificate.

But when trying to sign an EXE, I am getting the following error:

"Error: SignerSign() failed." (-2146435068/0x80100004)

To solve it, I tried to install the Yubikey smart card minidriver, and then I started to get the following error:

"Error: SignerSign() failed." (-2146435071/0x80100001)

And sometimes I started getting the UI error as seen in this detailed Stack Overflow question:

"The smartcard cannot perform the requested operation"

Things I have done to try to solve this problem:

  1. Recreating the attestation and reinstalling the signature on the Yubikey.
  2. Resetting the Yubikey PIV and restoring everything to default, then repeating step #1.
  3. Installing/uninstalling the Yubikey smart card minidriver, and trying to use the Yubikey both with and without the minidriver.
  4. Trying to attest/install the signature from the command line, YubiKey Manager, and the ssl.com manager.
  5. Trying all of the steps above on both Windows 11 and Windows 10.

List of dead ends

Upvotes: 2

Views: 1003

Answers (1)

Wazime

Reputation: 1698

Here is the cause of this problem:

ssl.com gives you eSigner, and exposes its HSM key as a .der file.

So, if you do the attestation and download the .der file without emailing them, waiting for them to reply that they have replaced the certificate .der, and making sure to download the correct file, you will end up downloading the HSM or old .der file.

Steps to fix the problem:

  1. Install the Yubikey minidriver.
  2. Do the attestation and ask ssl.com support to create a new certificate.
  3. Wait until the new certificate is issued, because even though their UI lets you download a certificate, it is the old HSM one.
  4. Upon receiving the certificate, import it into your Yubikey, and then:
    a. Eject the Yubikey.
    b. Open cmd and type certmgr.msc.
    c. Navigate to Personal > Certificates.
    d. Make sure to delete the code signing certificate if it appears there (it should be on your Yubikey, so no harm done).
    e. Insert your Yubikey again.

Now the signing should work without all these errors.

Upvotes: 2
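As an added example, not part of the original question or answer, the following PowerShell script automates the check and clean-up that the answer describes: it lists every code-signing certificate in CurrentUser\My together with the provider that actually holds its private key, flags copies that are not backed by the smart-card KSP (a leftover from importing the old HSM .der will show up that way), optionally removes them, and then signs and verifies the executable with signtool using the certificate thumbprint. It assumes the YubiKey minidriver is installed so the key is reachable through the "Microsoft Smart Card Key Storage Provider", that signtool.exe from the Windows SDK is on PATH, that you know the thumbprint of the certificate ssl.com issued for the YubiKey-attested key, and that http://ts.ssl.com is the RFC 3161 timestamp server you want to use; the parameter names and the helper functions are the example's own.

```powershell
# Added example, not from the original post. Assumptions: YubiKey minidriver
# installed, signtool.exe on PATH, $Thumbprint is the cert issued for the
# YubiKey-attested key, $TimestampUrl is an RFC 3161 TSA.
param(
    [Parameter(Mandatory)] [string] $ExePath,
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $TimestampUrl = 'http://ts.ssl.com',   # assumed TSA URL
    [switch] $RemoveStale                           # delete non-smart-card copies
)

$smartCardKsp = 'Microsoft Smart Card Key Storage Provider'

# Report which provider holds a certificate's private key. A key that lives on
# the YubiKey (via the minidriver) reports the smart-card KSP; a copy left in
# the store by an earlier import has no private key or a software provider.
function Get-KeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert.HasPrivateKey) { return '(no private key)' }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            return $key.Key.Provider.Provider            # CNG KSP name
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.ProviderName # legacy CSP name
        }
        return '(unknown key type)'
    } catch {
        return "(unreadable: $($_.Exception.Message))"
    }
}

# Inventory of code-signing certificates in the user's Personal store.
function Get-CodeSigningInventory {
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Provider   = Get-KeyProvider $_
        }
    }
}

# Sign with the key on the YubiKey and verify the result. /sha1 selects the
# certificate by thumbprint, /fd and /td pin the digest algorithms, /tr asks
# for an RFC 3161 timestamp. Windows prompts for the PIV PIN during signing.
function Invoke-YubiKeySign {
    param([string] $Path, [string] $Thumb, [string] $Tsa)
    & signtool.exe sign /sha1 $Thumb /fd SHA256 /tr $Tsa /td SHA256 /v $Path
    if ($LASTEXITCODE -ne 0) {
        # The codes in the question are winscard status codes: 0x80100001 is
        # SCARD_F_INTERNAL_ERROR and 0x80100004 is SCARD_E_INVALID_PARAMETER.
        throw "signtool sign failed with exit code $LASTEXITCODE"
    }
    & signtool.exe verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
    Get-AuthenticodeSignature -FilePath $Path
}

$inventory = Get-CodeSigningInventory
$inventory | Format-Table -AutoSize

# Anything with the same subject as the target that is not on the smart card
# is a stale copy (e.g. the old HSM-backed certificate) and will confuse signtool.
$target = $inventory | Where-Object Thumbprint -eq $Thumbprint
if (-not $target) {
    throw "Certificate $Thumbprint is not in CurrentUser\My; insert the YubiKey so the minidriver propagates it."
}
$stale = $inventory | Where-Object { $_.Subject -eq $target.Subject -and $_.Provider -ne $smartCardKsp }
if ($stale) {
    if ($RemoveStale) {
        foreach ($s in $stale) {
            Remove-Item "Cert:\CurrentUser\My\$($s.Thumbprint)"
            Write-Host "Removed $($s.Thumbprint) ($($s.Provider))"
        }
        throw "Stale entries removed. Eject and reinsert the YubiKey, then rerun without -RemoveStale."
    }
    Write-Warning "Stale entries present (rerun with -RemoveStale): $($stale.Thumbprint -join ', ')"
}
if ($target.Provider -ne $smartCardKsp) {
    throw "Certificate $Thumbprint is backed by '$($target.Provider)', not the smart-card KSP; signtool will not reach the YubiKey key."
}

Invoke-YubiKeySign -Path $ExePath -Thumb $Thumbprint -Tsa $TimestampUrl
```

Run it once without -RemoveStale to see the inventory and the provider behind each certificate; a code-signing certificate whose Provider column is anything other than the smart-card KSP is the store copy the answer tells you to delete. Pass -RemoveStale to delete those copies, reinsert the YubiKey so the minidriver re-propagates the card's certificate, and run again to sign.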
