If you purchase an EV Code Signing Certificate, one of the requirements is that you use two-factor authentication using a hardware token. And even if you own a regular code signing certificate, good practice is that you protect your private keys using a smart card.
One major annoyance of using smart cards with Microsoft's signtool.exe is that you will be prompted for the smart card PIN. For automated builds, entering PINs manually is not an option. Depending on the vendor's drivers, you may be able to cache the PIN in some way. However, there may be scenarios where this does not work for you, for instance if your smart card uses the Microsoft Base Smart Card Crypto Provider or if you use remote desktop to reach a build server. This is where ScSigntool comes to the rescue.
ScSigntool.exe is identical to signtool.exe, except that you can provide the smart card PIN via the command line or the registry when signing files. ScSigntool.exe works by launching signtool.exe with the parameters you provided and then hooking the smart card API.
scsigntool [-pin <pin>] <signtool command and options>
scsigntool -pin 1234 sign -sha1 yourcerthash yourfile.exe
Instead of passing the PIN on the command line, you can also store the PIN in the Windows registry. The PIN must be stored at the following location:
[HKEY_CURRENT_USER\SOFTWARE\MGTEK\ScSignTool\Credentials\{your-smartcard-guid}] "User"="your-pin" (REG_SZ)
You can use ScMinidriverTool.exe to figure out the GUID of your smart card.
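As an added example that is not part of this page or of MGTEK's tools, the registry step above carried out in PowerShell, followed by a signing call that relies on the stored PIN. The card GUID (taken from ScMinidriverTool), the PIN, the certificate hash and the file to sign are placeholders supplied by the caller; the key name is assumed to be the GUID in braces, as written in the location above.

```powershell
# Added example, not MGTEK's code: store the smart card PIN where ScSigntool reads it
# (HKCU\SOFTWARE\MGTEK\ScSignTool\Credentials\{guid}, value "User", REG_SZ) and then sign
# without putting the PIN on the command line. All parameter values are placeholders.
param(
    [Parameter(Mandatory)][string]$CardGuid,   # from ScMinidriverTool, e.g. '{...}'
    [Parameter(Mandatory)][string]$Pin,
    [Parameter(Mandatory)][string]$CertHash,   # SHA-1 thumbprint of the signing certificate
    [Parameter(Mandatory)][string]$File        # file to sign
)

# Accept the GUID with or without braces, but store the key name with braces
# (assumption based on the location shown on this page).
if ($CardGuid -notmatch '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$') {
    throw "Not a GUID: $CardGuid"
}
$CardGuid = '{' + $CardGuid.Trim('{', '}') + '}'
$keyPath = "HKCU:\SOFTWARE\MGTEK\ScSignTool\Credentials\$CardGuid"

# Create the key if needed and write the PIN as a REG_SZ value named "User".
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name 'User' -Value $Pin -PropertyType String -Force | Out-Null

# Read the value back before relying on it in a build.
$stored = (Get-ItemProperty -Path $keyPath -Name 'User').User
if ($stored -ne $Pin) { throw "PIN was not stored at $keyPath" }

# HKCU is per user: run this under the build agent's account. The PIN is readable by any
# process running as that user, so keep that account dedicated to signing.

# Sign: with the PIN in the registry, no -pin switch is needed.
& scsigntool sign -sha1 $CertHash $File
if ($LASTEXITCODE -ne 0) { throw "scsigntool failed with exit code $LASTEXITCODE" }
```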
Use the SmartCard MiniDriver Tool to view and manage content on your smart card.
If you would like to try our SmartCard Tools, we are pleased to provide you the download at no charge:
smartcardtools.zip, V1.2.1104