New to Windows Code-Signing with a Yubikey

After having twice gone through the root-canal that is Sectigo, I just had a much more positive experience getting my new Windows certificate through I ponied up for the Yubikey, instead of subscribing to the cloud signing. I also purchased a five-year term. I’ll be 70 then, and might by then have better things to do. :slight_smile:

In the past I used either KSign or ExeWrapper to sign the app folders. Each would sign the .exe files and the individual DLLs. There is no such batch action in’s SSL manager. Each file must be individually signed. At least the Yubikey’s PIN need only be entered once per session.

I seem to have no problem if I just sign the .exe files (multiple .exes in projects that have workers), then sign the Innosetup installer. However, if I also sign the top-level DLLs, I get inconsistent functionality. If I sign the plugins in the Libs folder (again, multiple Libs folder where I have workers) things just completely break, In particular, MBS acts like it it is just missing.

The plugins are a mix of Einhugur and MBS, and should already have their vendor signatures. Can I just leave them like that? Would that also apply to the top-level DLLs? Note that I’m not using DesktopHTMLViewer on Windows, so I don’t have all that Chrome stuff.

On my own systems, everything seems fine with just the .exes and the installer signed.


I have been running the same setup for years, and I only sign the exe’s and the installer.
Never had an issue.

You can also get inno setup to codesign the uninstaller using
Then you codesign the file it builds.

We sign our DLLs for the plugins to make sure they load, even if you have some more restricted Windows version or a virus scanner checking.

You should of sign the DLLs coming with your application.
Not sure why you have trouble there.

I note that Inno setup doesnt re-sign the DLLs by default. It recognises that they have a signature and leaves them alone.

In the light of day, that trouble has gone away. I should have been more specific. The issue was that a job was not performed which was supposed to be handed off to a worker. That was after I had signed the worker .exe DLLs. However, since the job involved a CURL operation, there could have been a transient network issue which was just a coincidence.

So yes, all is well when I sign the DLLs that come with the .exe(s). What I still don’t understand is why the plugin DLLs, particularly MBS, failed to load after I signed those (as both ExeWrapper and KSign appeared to do.) But since signing all of those is quite tedious with the app, it is just as well to know that I don’t have to. :slight_smile:

I never made an ExeWrapper for Windows because when I pack on Windows I use InnoSetup and its ability to codesign as it packs everything into the installer. If you are building an installer I would recommend taking this approach. Graham hinted at it above.

The only thing I’ve got handy for you is the Beacon installer from @Thom_McGrath. I haven’t gotten a YubiKey myself yet (that’s a task for November), so I can’t explain the ins and outs of how this all fits together with a token.

Beacon Setup.iss on Github

I got Yubikey… oh boy it’s an experience. I did go through and it works, but I need to enter my pin every single time a file needs to be signed. And there are a bunch. It’s really annoying. There is another signing tool that can interface with the yubikey another way, but I’ve yet to try to integrate it into my workflow.

Using their SSL Manager, I have found that I only need to enter the PIN once, as long as I keep the signing dialog window open between files.

I do use InnoSetup, but I always just used KSign to sign the installers (after signing the build folders with ExeWrapper on my Mac.) It was not clear to me whether InnoSetup signed all the packed contents, or just the installer itself. More to learn. :slight_smile:

What is “their SSL Manager?” That’s not their eSigner is it?

It handles everything and can be configured to do things like only sign unsigned files (signonce flag). I expect to have more insight as to how it interacts with a YubiKey when I get my own.

I will add that I have seen exactly what Thom describes with the PIN / Password being required for each file with a client project. In their case we are able to copy the password to the clipboard and just paste it in to the dialog that opens.

1 Like Manager is the name of the desktop app that they offer. This is not the eSigner. I downloaded that from them, along with the Yubikey mini driver. And yes, it only requires the PIN a single time during a session.

Interesting. Is there any way to integrate it into workflows? Without a command line component, it’s kind of useless in that regard.

Well, as I look into this, hopefully it only needs the PIN once. :slight_smile:

Ugh, not looking forward to this when I have to renew my SSL signing certificate.


  • can this be done on a VM? (I do all my Windows signing on an Intel mac running an Intel windows VM running under parallels or fusion)
  • can this be done on a Windows ARM VM? (Thinking about the future, when I upgrade from my Intel mac to a M-series CPU)

I run a bat file on pre and post build in inno setup, I actually copy my pin to the clipboard and bulk code sign all the files at once. So for each build i only have to paste the key in twice.

Yubikey and the updating of certificates is the process i would not wish on my worst enemy. Every two or three years i have to do this and i spend days trying to figure it all out. Once it is up and running, runs great.

I myself am doing this on a Fusion (Intel) Windows 11 guest, from a Sonoma host. While I have an M1 laptop, I am only doing this on my Intel desktop, so I can’t speak for that.

1 Like

The good news: With encouragement here, I have figured out signing through InnoSetup, signing the .exe and all DLLs along the way. I get a signed uninstaller in the bargain. It works with the Yubikey.

The bad news: I have to enter the PIN on each pass. This is where the clipboard is one’s friend.

For the command line, the documentation only references signtool.exe. “Batch” capability is only mentioned regarding eSigner.

This is the sample of the bat file i use in Inno Script

@Echo off
echo|set /p=YUBIKEYCODE|clip
echo "=== Copied PWD to Clipboard ==="
echo === Pre Signing Apps ===
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd sha256 /n "CERTIFICATE NAME" /tr /td sha256 "..\..\Builds - AppName\Windows\AppName\AppName.exe" "..\32bit\AppName Helpers\AppNameOLEHelper\AppNameOLEHelper.exe" "..\32bit\AppName Helpers\AppNameImageLoaderAppNameImageLoader.exe" ADD MORE HERE

Only asks for key once, and you just Control + V to paste.
I think path is relative to where inno script iss file is