USB Token EV Codesigning fails under Windows 11 / VSTO


What I want to achieve?

Code sign my VSTO Outlook Plugin using Visual Studio 2022. I follow these instructions: https://learn.microsoft.com/en-us/visualstudio/vsto/how-to-sign-office-solutions?view=vs-2022

Environment

  • Windows 11 (German), Visual Studio 2022 17.6.0
  • USB Hardware Token (Sectigo eToken 5110, Card Type IDPrime)
  • SafeNet Authentication Client 10.8 R8

What is the problem?

Choosing the Sectigo Certificate for signing my code fails:

[screenshots]

The German text says something like this:

The requested operation cannot be performed with the smart card or another smart card is required for the operation

What I already tried

I successfully installed SafeNet Authentication Client. I successfully changed the password. Furthermore, I can successfully run certutil -scinfo (it pops up the SafeNet Client and asks for the password, which I can enter so that certutil shows success).

The certificate is available under my Windows user certificates:

[screenshot]

What actually seems to work is to use code signing from the command line as described by Sectigo (https://www.sectigo.com/knowledge-base/detail/Code-Signing-with-an-OV-or-an-EV-Code-Signing-Certificate/kA03l000000c4TX):

signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /a "C:\Users\heckner\source\repos\xxx\build\setup.exe"

[screenshot]

During the signing process the popup saying that the smart card is not working comes up twice, but after that a password prompt from the SafeNet Client pops up, and after entering the password it seems to work.

When I check the signature on the signed exe it seems ok:

[screenshot]

The problem is that I still receive the message from Microsoft during installation of this setup like:

[screenshot]

What could help?

  1. Perhaps someone can show me what to do manually to sign a VSTO Outlook plugin. Setup.exe does not seem to be the solution.
  2. https://developercommunity.visualstudio.com/t/Visual-studio-doesnt-detect-digicert-co/10135932?entry=problem
1 answer

HHeckner

I want to answer my own question as I just found out about the real problem.

First of all, it is important to understand that there were already several certificates installed on my laptop.

To avoid any problems: first start the SafeNet client and plug the USB token into your laptop!

That was the reason that I received this popup when clicking on "Select certificate from store":

[screenshot]

The reason is that (for no real reason?) Visual Studio iterates through the code-signing certificates stored in my local keystore. As an old certificate was selected first, Visual Studio was not able to find the new one from Sectigo.

What is needed next: click on "Cancel" on each popup dialog like this one:

[screenshot]

... until you arrive at this dialog.

[screenshot]

Now click on "Options" (or additional options) to open the certificate selection dialog:

[screenshot]

Now, for the first time, you are able to select the right certificate from the store, and everything works like a charm.

Boy, I spent hours and hours trying to delay signing and using mage.exe. This also worked, but it is a very manual process!
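Both the question's signtool command (which uses /a and lets signtool pick a certificate automatically) and the answer's root cause (Visual Studio walking through several code-signing certificates in the user store and stopping at an old one first) come down to the same thing: when more than one code-signing certificate is installed, the store order decides which key signs the build. The following PowerShell script is an added example, not code from the question, the answer, Sectigo or Microsoft. It lists the code-signing certificates in Cert:\CurrentUser\My, picks the currently valid one from the expected issuer, signs the file with the thumbprint pinned via /sha1 instead of /a, and then verifies that the resulting signature really chains to that certificate. The file path, the issuer substring and the assumption that signtool.exe is on PATH are placeholders; it covers signing a setup.exe as in the question, not the ClickOnce manifest signing that Visual Studio or mage.exe performs for the VSTO project itself.

```powershell
# Added example (not from the question or answer): pin the token-backed
# code-signing certificate by thumbprint instead of letting "signtool /a"
# or the Visual Studio store iteration pick the first certificate it finds.

$FileToSign   = 'C:\path\to\setup.exe'   # placeholder, replace with the real artifact
$IssuerFilter = 'Sectigo'                # issuer substring to look for (assumption)

# 1. Enumerate every code-signing certificate in CurrentUser\My. This is the
#    set that "signtool /a" and Visual Studio choose from; more than one entry
#    is exactly the situation the answer describes.
$codeSigningCerts = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert

$codeSigningCerts |
    Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# 2. Select the certificate from the expected issuer that is valid right now.
#    A certificate whose private key lives on the token typically still shows
#    HasPrivateKey = $true (the key container points at the smart-card
#    provider), so issuer and validity period are used to tell them apart.
$now = Get-Date
$tokenCert = $codeSigningCerts |
    Where-Object { $_.Issuer -like "*$IssuerFilter*" -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $tokenCert) {
    throw "No valid code-signing certificate from '$IssuerFilter' found in Cert:\CurrentUser\My. Is the token plugged in and the SafeNet client running?"
}

Write-Host "Using certificate $($tokenCert.Thumbprint) ($($tokenCert.Subject))"

# 3. Sign with the thumbprint pinned via /sha1. The timestamp and digest
#    options are the same as in the question's command; /v prints the
#    certificate chain signtool actually used.
& signtool.exe sign /sha1 $tokenCert.Thumbprint /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /v $FileToSign
if ($LASTEXITCODE -ne 0) {
    throw "signtool failed with exit code $LASTEXITCODE"
}

# 4. Verify that the signature on the file was made with the certificate we
#    chose, not with whichever one happened to come first in the store.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $tokenCert.Thumbprint) {
    throw "File was signed with $($sig.SignerCertificate.Thumbprint), expected $($tokenCert.Thumbprint)"
}
Write-Host "Signed and verified with $($sig.SignerCertificate.Subject)"
```

Run it from a Developer PowerShell (so signtool.exe resolves) with the token inserted and the SafeNet client started, as the answer recommends; the SafeNet password prompt still appears during step 3. The table printed in step 1 is also the quickest way to see which old certificates are still in the store and could be removed or exported out of the way so that Visual Studio's own selection dialog finds the right one first.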