SmartCard Tools FAQ


  • How does ScSignTool work?

    ScSignTool starts Microsoft signtool and then injects code into the signtool process. When ScSignTool detects a signing operation, it authenticates the smart card with the PIN you provided and then resumes the signing operation. The signing operation itself is not altered, giving you the guarantee that the signature is exactly the same as if signed without ScSignTool. As the smartcard is authenticated before the signing operation using a different handle, the PIN must be cacheable per process, i.e. the PIN's caching policy on the smartcard must be set to 'Normal'.

  • Which smartcards are supported?

    ScSignTool supports various smartcards that are Minidriver enabled, i.e. that implement the Windows Smart Card Minidriver Specification. Examples include PIV compliant smart cards using Microsoft’s built-in Minidriver and smartcards from various vendors, such as Gemalto, Athena, or SafeNet.

  • Does ScSignTool work with the Yubikey?

    If your Yubikey supports PIV, yes. Currently, Yubikey Neo and Yubikey 4 do support PIV. Note that you cannot use slot '9c' (Digital Signature), as its smartcard PIN is marked as 'Always prompt'. Instead, use slot '9a' (Authentication).

  • I am still getting prompted for a PIN although I specified the PIN on the command-line.

    By design, ScSignTool authenticates the smartcard before the actual signing is started. In order for this to work, the PIN must be cacheable 'per process'. The PIN caching type is stored on the smart card and tied to a specific PIN. For instance, the Digital Signature certificate of a PIV compliant smart card uses a PIN whose caching type is set to 'always prompt'. This causes the PIN prompt to appear even if ScSignTool has already authenticated the smartcard.

    You can use the ScMinidriverTool to figure out which PIN is used and how it is configured. In ScMinidriverTool, find the public key container of your certificate and note the PIN. Then look up the PIN Cache Policy Type by selecting the PIN. The PIN Cache Policy Type must be set to Normal in order to work with ScSignTool.

  • I am getting the error message 'Failed to run signtool.exe: The system cannot find the file specified. (0x80070002)'

    ScSignTool.exe is not a standalone tool. ScSignTool.exe launches the Windows SDK tool 'SignTool.exe' to perform signing. Make sure you have the Windows Kit installed and SignTool.exe is in your PATH variable. For instance, open the Visual Studio Native Tools Command Prompt, or run "%VS140COMNTOOLS%\vsvars32.bat" (substitute the environment variable VS140COMNTOOLS with the one of your Visual Studio version installed).

  • I am getting the error message 'Failed to run signtool.exe: The parameter is incorrect. (0x80070057)'

    This error usually occurs when you mix 32-bit and 64-bit versions of scsigntool.exe and signtool.exe. Make sure that the two executables are either both x86 or both x64. The Windows Kit includes both x86 and x64 versions of signtool.exe.
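    The two error answers above both come down to one precondition: signtool.exe must be resolvable from PATH, and it must be built for the same architecture as scsigntool.exe. The following PowerShell script is an added example, not part of ScSignTool or the Windows SDK; it resolves signtool.exe the way ScSignTool does (via PATH) and reads the Machine field from the PE header of both executables so you can spot a mismatch before signing. The scsigntool.exe path is an assumption; adjust it to where you installed the tool.

```powershell
# Added example (not ScSignTool's or the Windows SDK's own code).
# Checks the preconditions behind errors 0x80070002 and 0x80070057:
# signtool.exe on PATH, and both binaries built for the same architecture.

function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)
    # PE layout: 'MZ' at offset 0, e_lfanew (int32) at 0x3C points to the
    # 'PE\0\0' signature; the 2-byte Machine field follows that signature.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE image"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'arm64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

# Resolve signtool.exe from PATH, which is what ScSignTool relies on.
$signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
if (-not $signtool) {
    throw "signtool.exe is not on PATH: open a Developer Command Prompt or run vsvars32.bat first (otherwise ScSignTool fails with 0x80070002)"
}

$scSignToolPath = 'C:\tools\scsigntool.exe'   # assumed install location
$scArch = Get-PeMachine -Path $scSignToolPath
$stArch = Get-PeMachine -Path $signtool.Path

"scsigntool.exe : $scArch ($scSignToolPath)"
"signtool.exe   : $stArch ($($signtool.Path))"

if ($scArch -ne $stArch) {
    Write-Warning "Architecture mismatch ($scArch vs $stArch): expect 'The parameter is incorrect (0x80070057)'. Put the $scArch signtool.exe from the Windows Kit first on PATH."
} else {
    "OK: both executables are $scArch"
}
```

    Run it from the same prompt you intend to sign from, since PATH differs between a plain PowerShell window and a Developer Command Prompt; the first signtool.exe found on PATH is the one ScSignTool will launch.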