Just got an EV Code Signing certificate. It comes on a USB key and shows up in the Windows certificate store when plugged in. install4j does have an option to use a certificate from the Windows certificate store when signing.

But when I tried to use this option, I got an error:

```
Caused by: com.install4j.d.k: org.bouncycastle.operator.OperatorCreationException: cannot create signer: Key type not supported
Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: Key type not supported
Caused by: java.security.InvalidKeyException: Key type not supported
    at jdk.crypto.mscapi/sun.security.mscapi.RSASignature.engineInitSign(RSASignature.java:533)
```

So, does install4j support these certificates?

And going further: using the key requires a PIN to be entered at the time of signing.

For automated builds, where the installers get built every night, how does install4j handle the PIN (there was no option that I could see in the project file)?

Gerald Holmann
  • It seems strange that BouncyCastle should not be able to process a key type of an EV certificate. Did you try the PKCS#11 option? Passwords are passed with the `--win-keystore-password` command line option: https://www.ej-technologies.com/resources/install4j/help/doc/cli/compiler.html – Ingo Kegel May 05 '20 at 16:06
  • I tried to use PKCS11, but got an error: `java.io.IOException: The specified module could not be found.` The module is a Yubikey, the PKCS#11 dll that comes with it is `libykcs11-1.dll`. I tested the dll with the keytool from Java using a config file that references it, and the keytool can read it without problems. – Gerald Holmann May 06 '20 at 18:55
  • Do you have the entire stack trace? It may be in %TEMP%\install4j_error.log. – Ingo Kegel May 06 '20 at 21:26
  • The stack trace is too long to post here, is there any other way that I can get it to you? – Gerald Holmann May 07 '20 at 18:23
  • Please write to support@ej-technologies.com – Ingo Kegel May 07 '20 at 21:10

1 Answer

I can confirm that this does work in principle, without a PIN dialog popup, at least in this specific configuration:

  • Sectigo EV Code Signing Certificate
  • SafeNet eToken 5110
Reto Höhener