How to Keep Your Digital Signature Credentials Safe with YubiKey?

Code Signing Credential with YubiKey

In our previous post, we have explained what us YubiKey? How to use it for code signing?

Now let us discuss the importance of securely storing credentials and introduce the concept of using a dedicated removable device. We will specifically focus on the YubiKey from Yubico.

Here are a few key points:

Point 1:

Storing credentials on disk, even on a removable USB flash drive that is only plugged in when signing binaries (executables), is considered a bad idea. This approach is vulnerable to security risks, as the credentials can be accessed or compromised if the device or disk is lost, stolen, or compromised.

Point 2:

Storing credentials in the Windows certificate store as an alternative is also not considered a robust security solution. The text implies that more than relying solely on the built-in security measures provided by Windows is required. Using a metaphor suggests it’s as effective as throwing a chair with Steve Ballmer (former CEO of Microsoft) sitting on it. In other words, it could be more secure.

Point 3:

Instead, the text suggests using a dedicated removable device explicitly designed to protect sensitive credentials. It introduces the concept of FIPS 201 Personal Identity Verification (PIV) devices, which comply with a U.S. government standard for secure credentials.

Point 4:

The YubiKey from Yubico is highlighted as an example of a convenient and relatively affordable PIV device. The author mentions that they will focus on explaining the usage of YubiKeys specifically, although the general process may also apply to other FIPS 201 PIV devices.

Now we know the importance of securely storing credentials and using dedicated PIV devices like the YubiKey as a secure solution for protecting sensitive information. It discourages relying solely on disk storage or the Windows certificate store for storing such credentials.

Storing your Code Signing Credential into a YubiKey

This section provides instructions on how to store your code signing credential into a YubiKey, a hardware security device.

Here’s a breakdown of the steps:

Step 1: Open PIV Manager (pivman.exe) is the software used to manage YubiKey’s Personal Identity Verification (PIV) functionality.

YubiKey PIV Manager Insert your YubiKey

Step 2: Plug in your YubiKey. If it’s your first time using it, you’ll be asked to set a PIN (Personal Identification Number) for the device.

YubiKey PIN Generation

Step 3: On the PIN setup screen, keep the “Use PIN as key” option checked under “Management Key“. This option relates to how the PIN is used to authenticate and unlock the YubiKey.

Step 4: For code signing on Windows, you can overlook the recommendation for cross-platform compatibility regarding the PIN. Windows doesn’t have issues using a PIN that includes extended alphanumeric characters. The PIN is already short enough at eight characters.

Note: It’s important to note that the YubiKey, like a credit card, allows only three attempts to enter the correct PIN before locking itself—such a security measure to protect the data stored on the device. If the YubiKey gets locked, it can be reset, but the credentials stored on it will be lost.

Step 5: After setting the PIN, you should see a screen where you have to click the “Certificates” tab in the PIV Manager.

YubiKey PIV Manager Certificates Tab

Step 6: Select the “Digital Signature” section in the Certificates screen. This is the type of certificate you’ll require for code signing.

Digital Signature YubiKey PIV Certificate

Step 7: Click “Import from file” and select your .p12 code to sign the credential file. You will be prompted to enter a password for the private key within the .p12 file, not the PIN you set for the YubiKey.

Step 8: If the import process is successful, you will see a notice indicating so. At this point, you can unplug your YubiKey.

Certificate Installed

Step 9: Plug the YubiKey back in, and return to the “Digital Signature” certificate in the PIV Manager. You should now see details about the installed credential, indicating that it is ready to be used for code signing.

Digital Signature YubiKey

Following these steps should allow you to store your code signing credential on the YubiKey and use it for digital signing.

Secure your Code Signing Certificate with YubiKey

Code Signing Certificates ensure the software integrity and authenticity. Whereas YubiKey is a hardware-based authentication device for code signing certificates security.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.