deciphertools.com

Automating EV SSL Yubikey Multiple Pin Prompts

Tap here to send yourself this article and receive a 10% coupon code!

We use an EV codesign certificate to sign our software on Windows. The EV codesign certificate from SSL.com is on a Yubikey usb and requires me to enter a PIN into a Windows Security smart card prompt every time I want to sign something. That is great in theory, because I don't want someone nefarious to be able to use our codesign certificate to do bad things in our name.

In practice however, I have to enter the PIN six times over the course of several minutes while building one of our installers in Advanced Installer. (And six is very very low in comparison to what some other builds would entail!) That means sitting here and watching the boring build... copy and pasting a handful of times.

(As a bonus, if I'm too slow entering the PIN, one of the Advanced Installer build temp files gets locked somehow and I have to reboot the PC. That's a mystery for another blog post someday. But it is yet another reason that I have to sit here and actively monitor the build to enter the PIN fairly quickly. Ugh.)

So, like any frustrated software developer, I spent my Saturday afternoon seeing if there's any way to automate my way out of this frustration. Here's the abbreviated version of my research and finally my solution.

So, in the end, here's my slapped-together AutoHotkey script to check for new Windows Security pop-up windows, type in the PIN, and press enter.

#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
#SingleInstance Force
; #Warn  ; Enable warnings to assist with detecting common errors.
SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.


#persistent

   ;this section runs automatically at startup

   ; set up timer to keep checking for our pin window
   settimer, checkForNewWindow, 50   ;every 100ms, run the label. I find 50ms works better on Windows 11.

return

checkForNewWindow:    ;the label
   WinGet, id, list,,, Program Manager   ;list of windows (exclude the desktop)
   if (id > lastid)
   {  
      WinGetActiveTitle, Title
      If InStr(Title, "Windows Security") {
         Send, YOUR_PIN_HERE{Enter}
     lastid := 0 ; reset so next popup is always checked
      }
   }
   lastid := id    ;always keep up to date
Return

Update: When I use this on Windows 11 running through Parallels on my Mac, I find that a 100ms delay is too long. I find that 50ms works much better. If the window doesn't get detected and the prompt doesn't get filled in sometimes, try mousing over the icons in the system tray (the right side of the task bar with the clock) to force a tool tip to pop up. I often just leave my mouse hovered over an icon in that tray while running a build just in case.

With AutoHotkey installed, you run the script by double-clicking it. You can quit the script by right-clicking it in your dock and selecting to quit. When I'm making installer builds, I run a bash script, so I've added two lines before and after my Advanced Installer command to start the AutoHotkey script and then stop all AutoHotkey scripts. (I'm lazy, and this is the only AutoHotkey script I use.)

To start the script:

Start "" /b  "c:\program files\autohotkey\autohotkey.exe" "your_script.ahk"

To shut down all of the scripts:

taskkill /IM autohotkey.exe /F

Aside: It wouldn't surprise me if SSL.com corrects their Yubikey setup in the future allowing for PIN caching. All of my interactions with their customer service, including the validation to getting our EV codesign certificate, have gone really smoothly (And that is saying a lot. Extended validation is usually a bit of a pain for small businesses.) Their price point and customer service have been top notch every time I've interacted with them, so I would recommend them.

Write A Comment

Decipher Tools Home

San Francisco / Phoenix, USA

© 2024 Decipher Media, LLC. · Privacy