Thanks, that’s what I figured.
My plan is to spend some time with GitHub - mtrojnar/osslsigncode: OpenSSL based Authenticode signing for PE/MSI/Java CAB files, which should allow signing to be automated enough to only need to enter the pin once, if it’s needed at all. But this is just based on a cursory review and Stack Overflow responses.
2 Likes
I just received my Yubikey and about to go through the whole process! Sounds like fun. My last KSoft key expired last year!!
1 Like
@Thom_McGrath If you go down this road with osslsigncode, please keep us updated on how things go.
1 Like
According to the current description, the osslsigncode tool requires a certificate in a file. yubikeys do not (yet) seem to be supported, which makes it unusable for new certificates. New certificates are only available in the form of yubikeys or in the cloud tools, which cost an insane amount of money.
In a chat with ssl.com, I was also able to find out that you can buy a certificate there and link it to your own yubikeys. This saves about 200€ per yubikey. And it allows several developers to sign and you have a backup in case the yubikey used should break. Documentation is also available there.
However, you will probably not be able to avoid entering the pin/password.
@Jerry_Fritschle : what did you enter in the innosetup script to make it work?
I will sign my app in a few weeks, so every piece of information is welcome. I will document my experiences here as well.
My understanding is that osslsigncode can use PKCS#11, which the Yubikey also supports. I’m writing off the top of my head, so I might have the exact terminology wrong.
Ok, so here’s my progress. There are two roadblocks so far.
I’ve downloaded osslsigncode and the available pkcs11.dll from GitHub. I’ve put pkcs11.dll right next to osslsigncode.exe. I have yubico-piv-tool installed and I have exported my certificate from Yubikey Manager. All of this is based on instructions found at signtool - Automate Extended Validation (EV) code signing with Yubico Yubikey - Stack Overflow
For a trial run, I have tried the command
& "C:\Users\8e8d1\Documents\osslsigncode\bin\osslsigncode.exe" sign -pkcs11module "C:\Program Files\Yubico\Yubico PIV Tool\lib\libykcs11.lib" -pkcsengine "C:\Users\8e8d1\Documents\osslsigncode\bin\pkcs11.dll" -pass redacted -ts "http://timestamp.sectigo.com" -key "pkcs11:id=%01" -certs "C:\Users\8d8d1\Documents\The ZAZ Studios ossl.crt" -n "Beacon" -i "https://usebeacon.app" -in "C:\Users\8e8d1\Documents\Beacon\Project\Builds - Beacon\Windows 64 bit\Beacon\Beacon.exe" -out "C:\Users\8e8d1\Documents\Beacon_Signed.exe"
No matter what I try, the command tells me “Overwriting an existing file is not supported.” I’ve tried a relative path too, but no matter what, it thinks the output file already exists. It does not.
That brings me to the next roadblock. Inno Setup requires that the file be signed in-place. As in the very thing that osslsigncode refuses to do. There’s no mechanism in Inno Setup - at least that I’m aware of - that allows it to grab a different signed version. So I’ve opened a ticket with osslsigncode at Signing with Inno Setup · Issue #392 · mtrojnar/osslsigncode · GitHub to hopefully get an option added to allow signing in-place.
If anybody can figure out why osslsigncode thinks the output file already exists though, I’d love to hear it.
Edit: Success! Well, aside from the Inno Setup part. Turns out my command was wrong in a few ways. I should have noticed before posting. Here is a working command.
osslsigncode sign -pkcs11module "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" -pkcs11engine "C:\Users\8e8d1\Documents\osslsigncode\bin\pkcs11.dll" -pass redacted -ts "http://timestamp.sectigo.com" -key "pkcs11:id=%01" -certs "C:\Users\8e8d1\Documents\The ZAZ Studios ossl.crt" -n "Beacon" -i "https://usebeacon.app" -in "C:\Users\8e8d1\Documents\Beacon\Project\Builds - Beacon\Windows 64 bit\Beacon\Beacon.exe" -out "C:\Users\8e8d1\Documents\Beacon_Signed.exe" -nolegacy
I did add both C:\Program Files\Yubico\Yubico PIV Tool\bin and C:\Users\8e8d1\Documents\osslsigncode\bin to my PATH env, which may or may not have helped. So anyway, if we can get an option to override the file… we’re golden.
2 Likes
Great progress and thanks for the update Thom!
The solution is a batch file. Point Inno Setup to this as the signing command. Call it like
innosign.bat path pin name url
For example:
C:\Users\8e8d1\Documents\innosign.bat "C:\Users\8e8d1\Documents\Beacon\Project\Builds - Beacon\Windows 64 bit\Beacon\Beacon.exe" redacted Beacon "https://usebeacon.app"
It will move the original file, sign the moved file into the location of the original, and delete the moved file. Tweak how you like, since your paths won’t match mine. I’m still trying to decide how I want to organize.
@echo off
rem innosign.bat: sign a PE in place with osslsigncode by moving the original
rem aside, signing it back into its own path, then removing the unsigned copy.
rem Usage: innosign.bat path pin name url
rem Note: the PIN arrives as a plain argument, so it is visible to anything
rem that can read this process's command line or the build log.
set source_path=%~1
set pass=%~2
set name=%~3
set url=%~4
rem Split the input path into drive, directory, base name and extension.
for %%i in ("%source_path%") do (
    set file_drive=%%~di
    set file_name=%%~ni
    set file_ext=%%~xi
    set file_path=%%~pi
)
set renamed_file=%file_name%-original%file_ext%
set renamed_path=%file_drive%%file_path%%renamed_file%
rem Move the unsigned file aside; osslsigncode refuses to overwrite its input.
ren "%source_path%" "%renamed_file%" || (
    echo Failed to rename file
    exit /b 1
)
rem The doubled percent sign in the key id protects it from cmd's variable expansion.
osslsigncode sign -pkcs11module "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" -pkcs11engine "C:\Users\8e8d1\Documents\osslsigncode\bin\pkcs11.dll" -pass "%pass%" -ts "http://timestamp.sectigo.com" -key "pkcs11:id=%%01" -certs "C:\Users\8e8d1\Documents\The ZAZ Studios ossl.crt" -n "%name%" -i "%url%" -in "%renamed_path%" -out "%source_path%" -nolegacy || (
    rem Signing failed: drop any partial output, then put the original back
    rem under its full name (ren wants a file name, extension included).
    if exist "%source_path%" del "%source_path%"
    ren "%renamed_path%" "%file_name%%file_ext%"
    echo Failed to sign file
    exit /b 1
)
rem The signed file now sits at the original path; remove the unsigned copy.
del "%renamed_path%"
So in Inno Setup’s “Configure Sign Tools” I have:
C:\Users\8e8d1\Documents\innosign.bat $f redacted $p
And my SignTool command looks like
SignTool=Yubi $qBeacon$q $qhttps://usebeacon.app$q
I just did a full run of my build process, and my app and installers are signed perfectly, and I never had to enter my PIN once.
3 Likes
Woohoo and great job Thom! You’ve quite possibly saved folks a ton of money in cloud signing fees and a whole ton of hassle removed and build baby sitting for the rest of us. 
Coming back to chip in my experience with setting this process up for an EV certificate, also an SSL.com customer. The business validation process was quite long, even though all of my details were correct and in place at DUNS. I had to constantly email them to get updates, and it seemed that was the only time they moved. Eventually, though, everything got sorted.
Thom’s work was of great help. I didn’t have to modify my PATH. I left the PIV tool in the installed location and copied the specified files to the osslsigncode folder. That seems to have worked.
I also found that with the -name parameter, the UAC dialog was showing the full-path to my copy from the build automation instead of the name, so I removed it from Thom’s script.
In the end, everything works great! I went for an EV certificate this time because of some of the EV benefits, but also I wanted to see what the process was like for myself. It wasn’t the worst with all my business details already correct, but it wasn’t a fast process. Start your renewals 4 weeks early.
@Thom Any plans to write a more permanent walk-through in a blog post or gist? I’d be happy to contribute my recent experience.
1 Like
Jesus Christ on a bike.
A: Well done Thom on the guide.
B: WTAF???
@Thom_McGrath Today I’m finding that my signed executables are presenting “Unknown Publisher” UAC warnings, even though the Properties > Digital Signatures tab is correctly showing my signature.
Signtool verify function approves of the file.
Verifying: C:\Users\tim\Desktop\LifeboatSetup_211.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): AB889DFAFFA84BAD10F55C06D963F9410A467B07E96EDEA8DBBA2786BF493C04
Signing Certificate Chain:
Issued to: SSL.com EV Root Certification Authority RSA R2
Issued by: SSL.com EV Root Certification Authority RSA R2
Expires: Fri May 30 13:14:37 2042
SHA1 hash: 743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A
Issued to: SSL.com EV Code Signing Intermediate CA RSA R3
Issued by: SSL.com EV Root Certification Authority RSA R2
Expires: Wed Mar 22 12:44:23 2034
SHA1 hash: D2953DBA95086FEB5805BEFC41283CA64C397DF5
Issued to: Timothy Parnell
Issued by: SSL.com EV Code Signing Intermediate CA RSA R3
Expires: Sat Nov 06 15:36:07 2027
SHA1 hash: 487244BD6DB12D5E26920EBDCC9EF04BDCF8882B
The signature is timestamped: Fri Dec 27 11:18:29 2024
Timestamp Verified by:
Issued to: SSL.com Root Certification Authority RSA
Issued by: SSL.com Root Certification Authority RSA
Expires: Tue Feb 12 12:39:39 2041
SHA1 hash: B7AB3308D1EA4477BA1480125A6FBDA936490CBB
Issued to: SSL.com Timestamping Issuing RSA CA R1
Issued by: SSL.com Root Certification Authority RSA
Expires: Sun Nov 12 13:50:05 2034
SHA1 hash: 84DC2F563A1AAA690C468F3B56EF2D63AEC7CA39
Issued to: SSL.com Timestamping Unit 2024 E1
Issued by: SSL.com Timestamping Issuing RSA CA R1
Expires: Thu Feb 16 11:18:18 2034
SHA1 hash: F57441AB25FCCD323D52BD3A4B9E50403E47D3B9
Successfully verified: C:\Users\tim\Desktop\LifeboatSetup_211.exe
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
I have been finding so little information I don’t know what to do next. I have made a reddit post in a desperate attempt for help. I have found a grand total of 1 other person having this issue and to boot - they were having it with a Microsoft signed executable.
Does anyone know who I get in touch with to figure this out? Microsoft has set up a LOT of walls to prevent you from getting customer service. SSL.com customer support staff tends to be a little bit on the “doesn’t know what their product is” side. Neither are an experience I want to deal with…
I’ve noticed it too. That probably explains why I’m not building reputation for this one.
Edit: Yeah my old signature was doing it correctly.
I’m going to get this figured out. It’s not the certificate. Signing with signtool produces the desired output. Only thing different I notice about the signatures so far is “digest encryption algorithm” is “ECC” with signtool instead of “sha256ECDSA” with osslsigncode. I’m not yet sure that it matters, but it’s the only clue I have so far.
2 Likes
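A way to check Thom’s clue on your own binaries, added here as an example that is not code from the thread, osslsigncode or SSL.com: the script below reads a PE’s Certificate Table, walks the PKCS#7 SignedData with a minimal DER parser and returns the signer’s digestEncryptionAlgorithm OID, so a signtool-signed and an osslsigncode-signed copy of the same file can be compared field by field. It returns None for an unsigned file, which also serves as a post-sign sanity check for the in-place batch wrapper earlier in the thread. The OID-to-name table holds well-known identifiers (the two ECC entries are the usual ones behind “ECC” and “sha256ECDSA” style labels); the sample SignedData and PE skeleton at the end are constructed for the self-check and are not valid signatures. Standard library only.

```python
"""Report the digestEncryptionAlgorithm OID of a PE file's Authenticode signer.
Added example (not from the forum thread, osslsigncode or SSL.com). The fixture
builders at the bottom produce constructed, non-valid signatures for self-tests."""
import struct

OID_NAMES = {  # well-known algorithm identifiers seen in Authenticode signatures
    "1.2.840.10045.2.1": "ecPublicKey",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def der_read(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """List (tag, value_start, value_end) for every TLV inside a constructed value."""
    out, pos = [], start
    while pos < end:
        out.append(der_read(buf, pos))
        pos = out[-1][2]
    return out

def decode_oid(raw):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def signer_signature_oid(pkcs7):
    """ContentInfo -> [0] SignedData -> signerInfos (last field) -> first SignerInfo,
    then the AlgorithmIdentifier that follows digestAlgorithm and optional [0] attrs."""
    _, ci_start, ci_end = der_read(pkcs7, 0)
    content = der_children(pkcs7, ci_start, ci_end)[1]        # [0] EXPLICIT SignedData
    _, sd_start, sd_end = der_read(pkcs7, content[1])
    signer_set = der_children(pkcs7, sd_start, sd_end)[-1]    # SET OF SignerInfo
    _, si_start, si_end = der_read(pkcs7, signer_set[1])      # first SignerInfo
    fields = der_children(pkcs7, si_start, si_end)
    idx = 4 if fields[3][0] == 0xA0 else 3                     # skip authenticatedAttributes
    _, o_start, o_end = der_read(pkcs7, fields[idx][1])        # AlgorithmIdentifier.algorithm
    return decode_oid(pkcs7[o_start:o_end])

def extract_authenticode_blob(pe):
    """Return the PKCS#7 bytes referenced by the security data directory, or None."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]               # 0x20B = PE32+, 0x10B = PE32
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + (144 if magic == 0x20B else 128))
    if cert_size == 0:
        return None                                            # unsigned file
    length, _rev, ctype = struct.unpack_from("<IHH", pe, cert_off)  # WIN_CERTIFICATE header
    if ctype != 0x0002:                                        # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type %#x" % ctype)
    return pe[cert_off + 8:cert_off + length]

def describe_pe_signer(pe):
    """(oid, name) for a signed PE, None for an unsigned one."""
    blob = extract_authenticode_blob(pe)
    if blob is None:
        return None
    oid = signer_signature_oid(blob)
    return oid, OID_NAMES.get(oid, "unknown")

# --- constructed fixtures for the self-check (not real signatures) ---------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def build_sample_signed_data(sig_oid):
    """Minimal SignedData whose single SignerInfo uses sig_oid as digestEncryptionAlgorithm."""
    alg, sha256 = (lambda o: der(0x30, encode_oid(o))), "2.16.840.1.101.3.4.2.1"
    signer_info = der(0x30, der(0x02, b"\x01")                           # version
                      + der(0x30, der(0x30, b"") + der(0x02, b"\x01"))   # issuerAndSerialNumber
                      + alg(sha256) + der(0xA0, b"")                     # digestAlgorithm, [0] attrs
                      + alg(sig_oid) + der(0x04, b"\x00" * 8))           # sig alg, encryptedDigest
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, alg(sha256))
                      + der(0x30, encode_oid("1.3.6.1.4.1.311.2.1.4"))   # SpcIndirectDataContent
                      + der(0x31, signer_info))
    return der(0x30, encode_oid("1.2.840.113549.1.7.2") + der(0xA0, signed_data))

def build_sample_pe(blob=None):
    """Headers-only PE32+ skeleton; with a blob, the security directory points at it."""
    pe_off, hdr = 0x40, bytearray(0x40 + 4 + 20 + 240)
    hdr[:2], hdr[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    struct.pack_into("<H", hdr, pe_off + 24, 0x20B)                     # PE32+ magic
    if blob is None:
        return bytes(hdr)                                                # unsigned: directory zero
    struct.pack_into("<II", hdr, pe_off + 24 + 144, len(hdr), 8 + len(blob))
    return bytes(hdr) + struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
```

To compare two builds, call `describe_pe_signer(open(path, "rb").read())` on the signtool-signed and the osslsigncode-signed copy and diff the two OIDs; the parser only reads the first SignerInfo, so a file carrying a nested second signature is reported by its primary signature only.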
I have to take a break before writing up full findings, but I think I’ve just about figured it out.
Step 1: Ditch my entire tutorial.
Step 2: Download SmartCard Tools
Step 3: Use it like scsigntool.exe /pin <your pin> sign <the sign tool parameters you're used to>
The pin parameter must appear before the sign command and signtool parameters. The tool must exist in the same path as signtool.exe. Seems like it does some shared memory shenanigans to provide the pin when necessary, but I don’t care as long as it works.
4 Likes
I would add to the list that you will need the YubiKey Smart Card Minidriver (as instructed by SSL.com) since this goes through signtool.exe. I had skipped the driver previously with osslsigncode system. Without the minidriver, signtool.exe can’t find the certificate 
The updated system is working. Thank you so much for your work.
3 Likes
Thanks for that! I was just updating my tutorial and didn’t realize that part of it.
1 Like