I am trying to use the Nitrokey HSM to sign an .exe using signtool.
The initialization and key generation work fine. I installed the sc-hsm-middleware to get the minidriver necessary for the operation.
I generated:
- A root certificate on ID 01
- A signing certificate on ID 02
The pkcs15-tool -D command shows them as intended.
I want to use signtool to sign an executable:
signtool sign /n "SigningCert" /csp "Microsoft Base Smart Card Crypto Provider" /kc "15e353a3-b80b-07c0-4e70-aa07aaff8e05" /fd SHA256 /v calc.exe
The following certificate was selected:
Issued to: SigningCert
Issued by: RootAuthenticode
Expires: Wed Dec 26 16:24:31 2018
SHA1 hash: 7991ABE78760FEE9102D8F1F480707215B743CD5
The certificate is correctly chosen, but then Windows Security, while detecting the Nitrokey, fails with:
The smart card cannot perform the requested operation or the operation requires a different smart card
It seems that either the Nitrokey does not support this operation (which I don't think is the case), or that I am missing a step.
Does anyone know what I could be missing?
Alternatively, is there an alternative to signtool (Mono / line-by-line openssl)?
Thanks a lot