Code Signing with FIPS USB Token on a Windows HyperV virtual machine

As of June 2023, all code-signing certificates will be issued on a pre-configured, secure USB device that meets FIPS compliance. This means that code-signing certificates can no longer be simply downloaded from a certificate vendor or reseller and simply installed locally on a build machine like they have been since the beginning. Once the verification process for a company has been successful, the USB device will be physically shipped via courier to the company for use. The USB dongle will contain the certificate (which can be exported) as well as the private key, however the private key cannot be exported from the USB dongle, meaning that the USB dongle will always need to be plugged in, and accessible for any code-signing to take place. This presents a special challenge for virtual machines running under Microsoft Hyper-V.

USB Passthrough for HyperV

So how do you use a USB devices on a HyperV virtual machine when there are no physical USB ports on a virtual machine!?
The answer is to use the USB ports on the HyperV Server and then use “USB passthrough” so that the client machine can see it.

The problem…

Ordinarily, this is achieved by enabling “Enhanced Session Mode” on both the HyperV server and Vitual Machine, and then configuring your remote desktop connection to share, or “passthrough” drives, USB devices and other connected things.

HyperV Host and Client

Then, when connecting to the HyperV client machine via Remove Desktop Connection, you would use the Local Resources tab on the connection dialog, check the relevant devices/ports/drives etc that you want the virtual pc to “see”, and connect.

HyperV Local Resources

It seems like this should work…but it doesn’t.
Despite these settings, your virtual pc will still not be able to see the USB dongle.
HyperV seems unable to work with the USB dongle regardless of whatever configuration settings are made.

The solution…

There are 2 parts to the solution:

  1. The connection method to the virtual PC and
  2. The USB pass-though process

The connection method – don’t use Microsoft RDP and instead use VNC

Connections to the virtual machine cannot be made using Microsoft Remote Desktop Connection (RDP) sessions. Similarly, you cannot use “vmconnect”, or connect via the HyperV server itself using HyperV. All of these Microsoft-based methods of connection will block access to the USB dongle, despite any configuration settings you may use.

The solution is to use another remote connection method.

TightVNC (https://www.tightvnc.com) can be used to connect to the HyperV client and it will not block access to the USB dongle. Install TightVNC on both the virtual client (in server mode), and use the client mode for client-based remote access.

TightVNC will need to be used whenever any remote access is required where you need to see, use or configure the USB dongle.

Allowing USB-passthrough

USB passthrough can be achieved by using 3rd party software to do what HyperV cannot.

https://www.virtualhere.com is a company that provides a software solution for this at a reasonable price that just works, and there is a trial mode that will allow a proof-of-concept.

Download and install VirtualHere on the HyperV server, as well as the HyperV client.

Install VirtualHere Server on the HyperV host machine and run it.

VirtualHere Server

Install VirtualHere Client on the HyperV client machine and run it. It will display a list of all the USB devices that are plugged into the HyperV server machine.

Right-click on the eToken 5510+ FIPS, and select “Use this device”.

eToken 5510+ FIPS

You should now be able to see the USB key from the Windows System Tray

attached USB Token
Eject Token

Installing the USB dongle drivers and software

Once the USB dongle is showing up in the HyperV client, you can now download and install the drivers and software that is used to manage the USB dongle.
https://knowledge.digicert.com/solution/how-to-install-the-safenet-drivers-and-client-software-windows.html

Once you have the Drivers installed, you must install the Windows DigiCert Hardware Certificate Installer.
https://www.digicert.com/StaticFiles/DigiCertHardwareCertificateInstaller.zip

DigiCert has this guide you can follow ( start at steps 6-7 ):
https://knowledge.digicert.com/solution/e-token-setup-and-certification-installation.html

Configure the USB dongle for unattended access

Once the USB dongle has been configured and contains the code-signing certificate, use the SafeNet Authentication client software to configure it so that it doesn’t require password prompting each time you sign a file.
Use the Client Settings > Advanced tab

  • Check the “Enabled single logon” checkbox and “Enable single logon for PKCS#11” checkbox.
  • Select “Never” in the “Automatic logoff after token inactivity (in minutes)” drop-down box.

Export the Certificate to the local machine

Export the code-signing certificate to the local machine for use.
Open the SafeNet Authentication Client and click on the certificate. Use the “Export” option from the toolbar to export the certificate to a .cer file.
Save it to disk somewhere. This file will be used during the code-signing process.

Export Certificate

Copy certificate details for use with Microsoft SignTool.exe

In order to sign a file with the code-signing certificate, you will need to extract some information from the certificate. These values will be used as parameters in your signing process.
Copy the name of the Cryptographic Provider. It should be: eToken Base Cryptographic Provider
Copy the Container name. It will in the format p11#xxxxxxxxxxxxxxxxx

Container Name

Signing a file

Use the Microsoft SignTool to digitally sign a file. Use the parameters from your code-signing certificate to build a command line for the sign tool.
Example command line

shell

signtool.exe sign /v /d ContentDescriptionGoesHere /du DescriptionURLGoesHere /fd sha256 /tr http://timestamp.digicert.com /td sha256 /f "C:\Certificate Location\CodeSigning Cert.cer" /p TopSecretPasswordGoesHere /csp "eToken Base Cryptographic Provider" /kc ContainerNameGoesHere "c:\Files\FileToSign.dll"

Refer to the Microsoft SignTool documentation here:
https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool

Discussions and Comments

Click here to view and join in on any discussions and comments on this article.

Written by
Paul Baka


Helpful Guides

View more Guides, FAQs and information to help with your Certificate purchases.

Learning Centre

View more resources on cyber security, encryption and the internet.


Continue reading with these guides you may be interested in...

#Code Signing

Configure and Setup Verokey/DigiCert USB eToken

Video Included

Today, we are going to run through the process of ordering and configuring your new DigiCert or Verokey Code Signing Certificate. Then, we will initialise a new USB eToken to have the Certificate installed onto it as a secure HSM USB Device.