Automating EV SSL Yubikey Multiple Pin Prompts

We use an EV codesign certificate to sign our software on Windows. The EV codesign certificate from SSL.com is on a Yubikey usb and requires me to enter a PIN into a Windows Security smart card prompt every time I want to sign something. That is great in theory, because I don't want someone nefarious to be able to use our codesign certificate to do bad things in our name.

In practice however, I have to enter the PIN six times over the course of several minutes while building one of our installers in Advanced Installer. (And six is very very low in comparison to what some other builds would entail!) That means sitting here and watching the boring build... copy and pasting a handful of times.

(As a bonus, if I'm too slow entering the PIN, one of the Advanced Installer build temp files gets locked somehow and I have to reboot the PC. That's a mystery for another blog post someday. But it is yet another reason that I have to sit here and actively monitor the build to enter the PIN fairly quickly. Ugh.)

So, like any frustrated software developer, I spent my Saturday afternoon seeing if there's any way to automate my way out of this frustration. Here's the abbreviated version of my research and finally my solution.

• First I looked in to the installer build settings. Advanced Installer unfortunately does not have any way to save the PIN in the project file. (It does allow for hooking up to Azure Key Vault. But, I don't want to store any of this to an online account, nor do I know if I even could.)

• Next I turned to Windows Security settings itself, and learned that there is no hope of caching the PIN in Windows 10 because it was patched out of windows 10.

• In Windows 10, it's now at the discretion of the smart card driver manufacturer to decide the PIN caching policy. Yubikey itself has ways to configure this when you're making the card, but the SSL.com Yubikey smart card we get for our EV codesign key is set to require the PIN every time.

• This person on Reddit was kind enough to do the heavy lifting of seeing if there's any way to adjust the Yubikey settings from the card SSL.com sent us. Spoiler alert: there's not. But, that Reddit post also inspired me to figure out how to use AutoHotkey to help me enter the PIN.

• This thread helped me learn how to write a little AutoHotkey script to check for a Windows Security window popping up, then I added the line to put in the pin/enter by reading the AutoHotkey help documents.

So, in the end, here's my slapped-together AutoHotkey script to check for new Windows Security pop-up windows, type in the PIN, and press enter.

#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
#SingleInstance Force
; #Warn  ; Enable warnings to assist with detecting common errors.
SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.


#persistent

   ;this section runs automatically at startup

   ; set up timer to keep checking for our pin window
   settimer, checkForNewWindow, 50   ;every 100ms, run the label. I find 50ms works better on Windows 11.

return

checkForNewWindow:    ;the label
   WinGet, id, list,,, Program Manager   ;list of windows (exclude the desktop)
   if (id > lastid)
   {  
      WinGetActiveTitle, Title
      If InStr(Title, "Windows Security") {
         Send, YOUR_PIN_HERE{Enter}
     lastid := 0 ; reset so next popup is always checked
      }
   }
   lastid := id    ;always keep up to date
Return

Update: When I use this on Windows 11 running through Parallels on my Mac, I find that a 100ms delay is too long. I find that 50ms works much better. If the window doesn't get detected and the prompt doesn't get filled in sometimes, try mousing over the icons in the system tray (the right side of the task bar with the clock) to force a tool tip to pop up. I often just leave my mouse hovered over an icon in that tray while running a build just in case.

With AutoHotkey installed, you run the script by double-clicking it. You can quit the script by right-clicking it in your dock and selecting to quit. When I'm making installer builds, I run a bash script, so I've added two lines before and after my Advanced Installer command to start the AutoHotkey script and then stop all AutoHotkey scripts. (I'm lazy, and this is the only AutoHotkey script I use.)

To start the script:

Start "" /b  "c:\program files\autohotkey\autohotkey.exe" "your_script.ahk"

To shut down all of the scripts:

taskkill /IM autohotkey.exe /F

Aside: It wouldn't surprise me if SSL.com corrects their Yubikey setup in the future allowing for PIN caching. All of my interactions with their customer service, including the validation to getting our EV codesign certificate, have gone really smoothly (And that is saying a lot. Extended validation is usually a bit of a pain for small businesses.) Their price point and customer service have been top notch every time I've interacted with them, so I would recommend them.