As of June 2023, all code-signing certificates will be issued on a pre-configured, secure USB device that meets FIPS compliance. This means that code-signing certificates can no longer be simply downloaded from a certificate vendor or reseller and simply installed locally on a build machine like they have been since the beginning.
Once the verification process for a company has been successful, the USB device will be physically shipped via courier to the company for use.
The USB dongle will contain the certificate (which can be exported) as well as the private key, however the private key cannot be exported from the USB dongle, meaning that the USB dongle will always need to be plugged in, and accessible for any code-signing to take place.
This presents a special challenge for virtual machines running under Microsoft Hyper-V.
USB Passthrough for HyperV
So how do you use a USB devices on a HyperV virtual machine when there are no physical USB ports on a virtual machine!?
The answer is to use the USB ports on the HyperV Server and then use “USB passthrough” so that the client machine can see it.
Ordinarily, this is achieved by enabling “Enhanced Session Mode” on both the HyperV server and Vitual Machine, and then configuring your remote desktop connection to share, or “passthrough” drives, USB devices and other connected things.
Then, when connecting to the HyperV client machine via Remove Desktop Connection, you would use the Local Resources tab on the connection dialog, check the relevant devices/ports/drives etc that you want the virtual pc to “see”, and connect.
It seems like this should work…but it doesn’t.
Despite these settings, your virtual pc will still not be able to see the USB dongle.
HyperV seems unable to work with the USB dongle regardless of whatever configuration settings are made.
There are 2 parts to the solution:
- The connection method to the virtual PC and
- The USB pass-though process
The connection method – don’t use Microsoft RDP and instead use VNC
Connections to the virtual machine cannot be made using Microsoft Remote Desktop Connection (RDP) sessions. Similarly, you cannot use “vmconnect”, or connect via the HyperV server itself using HyperV. All of these Microsoft-based methods of connection will block access to the USB dongle, despite any configuration settings you may use.
The solution is to use another remote connection method.
TightVNC (https://www.tightvnc.com) can be used to connect to the HyperV client and it will not block access to the USB dongle. Install TightVNC on both the virtual client (in server mode), and use the client mode for client-based remote access.
TightVNC will need to be used whenever any remote access is required where you need to see, use or configure the USB dongle.
USB passthrough can be achieved by using 3rd party software to do what HyperV cannot.
https://www.virtualhere.com is a company that provides a software solution for this at a reasonable price that just works, and there is a trial mode that will allow a proof-of-concept.
Download and install VirtualHere on the HyperV server, as well as the HyperV client.
Install VirtualHere Server on the HyperV host machine and run it.
Install VirtualHere Client on the HyperV client machine and run it. It will display a list of all the USB devices that are plugged into the HyperV server machine.
Right-click on the eToken 5510+ FIPS, and select “Use this device”.
You should now be able to see the USB key from the Windows System Tray
Installing the USB dongle drivers and software
Once the USB dongle is showing up in the HyperV client, you can now download and install the drivers and software that is used to manage the USB dongle.
Once you have the Drivers installed, you must install the Windows DigiCert Hardware Certificate Installer.
DigiCert has this guide you can follow ( start at steps 6-7 ):
Configure the USB dongle for unattended access
Once the USB dongle has been configured and contains the code-signing certificate, use the SafeNet Authentication client software to configure it so that it doesn’t require password prompting each time you sign a file.
Use the Client Settings > Advanced tab
- Check the “Enabled single logon” checkbox and “Enable single logon for PKCS#11” checkbox.
- Select “Never” in the “Automatic logoff after token inactivity (in minutes)” drop-down box.
Export the Certificate to the local machine
Export the code-signing certificate to the local machine for use.
Open the SafeNet Authentication Client and click on the certificate. Use the “Export” option from the toolbar to export the certificate to a .cer file.
Save it to disk somewhere. This file will be used during the code-signing process.
Copy certificate details for use with Microsoft SignTool.exe
In order to sign a file with the code-signing certificate, you will need to extract some information from the certificate. These values will be used as parameters in your signing process.
Copy the name of the Cryptographic Provider. It should be: eToken Base Cryptographic Provider
Copy the Container name. It will in the format p11#xxxxxxxxxxxxxxxxx
Signing a file
Use the Microsoft SignTool to digitally sign a file. Use the parameters from your code-signing certificate to build a command line for the sign tool.
Example command line
signtool.exe sign /v /d ContentDescriptionGoesHere /du DescriptionURLGoesHere /fd sha256 /tr http://timestamp.digicert.com /td sha256 /f "C:\Certificate Location\CodeSigning Cert.cer" /p TopSecretPasswordGoesHere /csp "eToken Base Cryptographic Provider" /kc ContainerNameGoesHere "c:\Files\FileToSign.dll"
Refer to the Microsoft SignTool documentation here: