Nitrokey HSM need to enter pin on EACH signing

Hi,

as far as I remember, in the beginning it was not necessary to enter the smartcard PIN on EACH signing with the HSM2 - only after a while of not using it.

But currently I have to enter the PIN on each single signing.
Is there a solution to lock the smartcard after some minutes of inactivity instead of immediately?

Windows 10, Nitrokey HSM2, OpenSC 0.19

Best regards,
Markus

I don’t know what is causing this, but it sounds like an OpenSC issue.

Can you check whether the same behaviour can be observed when using the native PKCS#11 module from the sc-hsm-embedded project?

Hi,

Using Java (PKCS#11) with OpenSC, it looks like it also unlocks every time, but as there it is possible to put the PIN into a command-line parameter, it is less of a problem.

I’ll try the application you mentioned.

There is also a native JCE Provider for the SmartCard-HSM that offers a better Java integration and does not require JNI code.

The source is in the CDN and the latest version is available in our IVY repository.

In theory you could configure PIN caching and the time to hold the PIN in opensc.conf. Whether that works in practice needs to be tested.

use_pin_caching = bool;
# Use PIN caching (Default: true)?

pin_cache_counter = num;
# How many times to use a PIN from cache before re-authenticating it (Default: `10`)?

pin_cache_ignore_user_consent = bool;
# Older PKCS#11 applications not supporting `CKA_ALWAYS_AUTHENTICATE` may need to set this to get signatures to work with some cards (Default: `false`).

Oh, and you should update to the newest OpenSC software (20.x).

Please make sure to use the latest OpenSC as well, as there were some security issues with earlier versions:

Hi,

I now installed on my local computer OpenSC 0.21 and could still reproduce it.

Even with this opensc.conf

app default {
	framework pkcs15 {
		# use_file_caching = true;
		use_pin_caching = true;
		pin_cache_counter = 10;
		pin_cache_ignore_user_consent = true;
	}
}

I tried pin_cache_ignore_user_consent with both true and false, but I always get the Windows prompt for the PIN.

I’m trying with this command on Windows:

signtool.exe sign /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 /n "<certificatename>" test.exe

Further suggestions?

Looking at the debug logs, I see that the PKCS15 framework is reading this configuration, but it also looks like the pcsc reader is ignoring it (and in addition e.g. enables a PIN pad that is not available).

No further suggestions from my side, as I gave up using it due to banana software. I want to use it and not grow it. I was able to prevent the PIN question with the NK Pro using the macOS keychain and an scevent on macOS. But not with the HSM on a FreeBSD system.

@sc-hsm
And is there a better integration for Windows binary (exe, dll) signing, too?

Yes, so you are running multiple signtool.exe commands one after another?

Yes, exactly. One after another.

From the alternative ideas: perhaps it would work better for you on Linux (e.g. through a VM). Have you tried osslsigncode?

Example call on Linux:

$ osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /usr/lib/libpkcs11-proxy.so -key "pkcs11:object=win-sign-test1" -certs outcert.spc -n Nitrokey -in app.exe -out app-signed.exe

In this example call the PIN can be provided to the tool automatically via the -readpass switch, from the environment variable PKCS11_PIN, but I do not see the details of how yet:

osslsigncode sign … -readpass <(sh -c 'echo -n ${PKCS11_PIN}')

More at:

I am not sure how this would work… the library is initialized every time a new application is started, you’d need to use something that signs multiple images at once in a loop.

Every time the EXE is started the library is loaded again and has no idea that a few minutes earlier another application was using the smartcard.
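The two points above (the PIN handed to osslsigncode through -readpass, and the fact that every new process loads the PKCS#11 module afresh and so cannot benefit from another process's login) can be combined in one small batch script. The following is an added example, not code from this thread, from Nitrokey or from the osslsigncode project. It assumes the engine path, module path, key URI and certificate file from the example call earlier in the thread, and that osslsigncode accepts `-readpass <file>`; the `OSSLSIGNCODE` override exists only so the script can be dry-run with a stub. The PIN is taken from `PKCS11_PIN`, written to a mode-0600 temporary file and deleted afterwards, so it never appears on a command line where `ps` would show it to other local users (the drawback of the "PIN as command-line parameter" approach mentioned earlier):

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sign several PE files with osslsigncode
# in one shell loop. Each osslsigncode process still loads the PKCS#11 module
# from scratch, so the PIN must be presented on every call; -readpass lets
# that happen without an interactive prompt and without the PIN on argv.
set -eu

# All of these are assumptions taken from the example call in the thread.
OSSLSIGNCODE="${OSSLSIGNCODE:-osslsigncode}"   # overridable for dry runs
PKCS11_ENGINE="${PKCS11_ENGINE:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/libpkcs11-proxy.so}"
KEY_URI="${KEY_URI:-pkcs11:object=win-sign-test1}"
CERTS="${CERTS:-outcert.spc}"

# sign_all OUTDIR FILE...  -> writes OUTDIR/<name>-signed.exe for each FILE.
# Returns non-zero (and stops) on the first signing failure.
sign_all() {
  outdir="$1"; shift
  rc=0
  mkdir -p "$outdir"
  # mktemp creates the file with mode 0600, so only this user can read the PIN.
  pinfile="$(mktemp)"
  printf '%s' "${PKCS11_PIN:?PKCS11_PIN is not set}" > "$pinfile"
  for f in "$@"; do
    base="$(basename "$f" .exe)"
    if ! "$OSSLSIGNCODE" sign \
        -pkcs11engine "$PKCS11_ENGINE" -pkcs11module "$PKCS11_MODULE" \
        -key "$KEY_URI" -certs "$CERTS" -n Nitrokey \
        -readpass "$pinfile" \
        -in "$f" -out "$outdir/$base-signed.exe"; then
      echo "signing failed for $f" >&2
      rc=1
      break
    fi
  done
  rm -f "$pinfile"   # never leave the PIN on disk, even after a failure
  return "$rc"
}

# Usage: PKCS11_PIN=... ./sign_all.sh OUTDIR a.exe b.exe ...
if [ "$#" -gt 0 ]; then
  sign_all "$@"
fi
```

The loop does not remove the per-process module load the previous post describes; it only removes the interactive prompt. Locking the PIN file to 0600 and deleting it on every exit path is what makes this acceptable on a shared build host, where a `-pass` style argument would be readable in the process list for the duration of each signing.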

Hi,

thanks for your idea. Did not try that yet, as our build infrastructure is currently all on windows.
But I did not know that signing Windows applications on Linux is possible.

I am not sure how this would work… the library is initialized every time a new application is started, you’d need to use something that signs multiple images at once in a loop.

But that is what the PIN caching feature in the settings should be for, and it does not work currently.

My current mechanism is that I transfer the files to the sign server file by file and sign them file by file. Changing that to transfer all files first, then sign all of them, then send all of them back could improve this, too. But it would be a bigger change.

So simply fixing that PIN caching would be easier (for me)… as it is a bug in OpenSC in my opinion.

Just for information, but it’s possible to build it for Windows according to the following:
