Signing AAX with YubiKey [SOLVED]

Hello,

I have been using PACE to sign my AAX plugins for a few years, and I have now migrated to using a Yubikey for code signing due to the industry changes.

I am having trouble using the wraptool.exe to sign with my new USB dongle. I have added the --signid command using the thumbprint of the certificate, but it’s not prompting for my PIN, and just failing.

I am getting the error:

wraptool Error: pace::eden::thrift::exception::PaceThriftExceptionWire: BinaryDsigException::CodesignToolError, 14,
Error signing the specified binary., ossignaturewin.cpp, line 643, Can't sign with the certificate identified by the thumbprint 917ef4fd5c_REDACTED_a26cd002a80c040.

The thumbprint works when manually running signtool.exe on a file but I can’t get PACE to ask for the Yubikey PIN.

I’ve tried passing extra signing options to signtool to no avail.

Does anyone have any idea how to get around this? I tried removing the PIN requirement on the Yubikey, but didn’t have any luck.

Cheers!

You’ll need to contact PACE support about issues related to PACE due to non-disclosure agreements.

After a while of frustration, I tried passing in the --signtool parameter to use the .exe I use for the installer and that seems to have fixed the issue. Not sure why the default doesn’t work when it used to with a keyfile.

Can you be a bit more specific? I’m running into the same issue.

It’s pretty amazing that things like this fall by the wayside; key migration busted every one of my CI pipelines. Good stuff. :joy:

Update:
When passing --signtool manually and specifying a path I get further in the process. Signtool and my key manager want a sha256 hash and I can't find any way to pass '/fd sha256' through wraptool to signtool. What a damn nightmare; opening an incident with PACE.


Did you figure out how to pass fd through?
Having the same issue here :confused:

(Not to mention the issue of not requiring a pin for the yubikey)

We worked around it by writing a simple wrapper that calls signtool and adds the missing arguments.
We point wraptool at this exe.

Here’s a proof of concept cpp file:

frankensign.cpp (1.0 KB)
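For readers who cannot open the attachment, here is an added example of the same idea; it is not the frankensign.cpp posted above and not PACE or Microsoft code. You build it, point wraptool at the resulting .exe with --signtool, and it forwards whatever it receives to the real signtool.exe, inserting "/fd sha256" after the "sign" verb when no /fd switch was supplied. The FRANKENSIGN_SIGNTOOL environment variable and the fallback of finding signtool.exe on PATH are assumptions of this example. It also quotes each argument before spawning, because _spawnvp joins argv with spaces and no quoting, so a plugin path containing a space would otherwise be split into two arguments.

```cpp
// Added example: a stand-in for the wrapper described in the post. wraptool is
// pointed at this executable via --signtool; it forwards every argument to the
// real signtool.exe and inserts "/fd sha256" when the caller did not supply a
// file-digest switch. FRANKENSIGN_SIGNTOOL and the default "signtool.exe" on
// PATH are assumptions of this example, not anything wraptool defines.
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>
#ifdef _WIN32
#include <process.h>
#else
#include <unistd.h>
#endif

// signtool accepts its switches case-insensitively (/fd, /FD, -fd all work).
static bool ieq(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i])) return false;
    return true;
}

static bool isSwitch(const std::string& s, const char* name) {
    return s.size() > 1 && (s[0] == '/' || s[0] == '-') && ieq(s.substr(1), name);
}

// Returns the argument list signtool should see: for a "sign" invocation that
// carries no /fd switch, "/fd sha256" is inserted directly after the verb.
// Anything else (verify, timestamp, or a sign with an explicit /fd) is untouched.
std::vector<std::string> buildSigntoolArgs(const std::vector<std::string>& in) {
    std::vector<std::string> out = in;
    if (out.empty() || !ieq(out[0], "sign")) return out;
    for (size_t i = 1; i < out.size(); ++i)
        if (isSwitch(out[i], "fd")) return out;   // caller already chose a digest
    out.insert(out.begin() + 1, {"/fd", "sha256"});
    return out;
}

// Quote one argument so the child's CRT re-parses it to the same string.
// Needed on Windows because _spawnvp joins argv with spaces and no quoting.
std::string quoteArg(const std::string& arg) {
    bool needs = arg.empty();
    for (char c : arg) if (c == ' ' || c == '\t' || c == '"') needs = true;
    if (!needs) return arg;
    std::string out = "\"";
    size_t bs = 0;
    for (char c : arg) {
        if (c == '\\') { ++bs; continue; }
        if (c == '"') { out.append(2 * bs + 1, '\\'); out += '"'; }
        else          { out.append(bs, '\\'); out += c; }
        bs = 0;
    }
    out.append(2 * bs, '\\');   // backslashes before the closing quote are doubled
    return out + "\"";
}

int main(int argc, char** argv) {
    const char* env = std::getenv("FRANKENSIGN_SIGNTOOL");   // assumed override
    std::string signtool = env ? env : "signtool.exe";       // assumed: on PATH
    std::vector<std::string> args =
        buildSigntoolArgs(std::vector<std::string>(argv + 1, argv + argc));
#ifdef _WIN32
    std::vector<std::string> quoted;
    quoted.push_back(quoteArg(signtool));
    for (const auto& a : args) quoted.push_back(quoteArg(a));
    std::vector<const char*> cargv;
    for (const auto& q : quoted) cargv.push_back(q.c_str());
    cargv.push_back(nullptr);
    intptr_t rc = _spawnvp(_P_WAIT, signtool.c_str(), cargv.data());
    return rc < 0 ? 1 : static_cast<int>(rc);   // propagate signtool's exit code to wraptool
#else
    // Non-Windows build (e.g. exercising the logic on a Linux CI box): execvp
    // takes argv as an array, so no quoting is required here.
    std::vector<const char*> raw;
    raw.push_back(signtool.c_str());
    for (const auto& a : args) raw.push_back(a.c_str());
    raw.push_back(nullptr);
    execvp(signtool.c_str(), const_cast<char* const*>(raw.data()));
    return 1;   // only reached if exec failed
#endif
}
```

Returning signtool's exit code matters: wraptool treats a non-zero status from the signing tool as a failure, so a wrapper that swallowed it would report success on an unsigned binary.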

Word of warning about ssl.com and the way they set up the Yubikey they deliver. They will only supply it with an active PIN that can only be entered via the UI. I.e. you can't (as far as we can find out) pass the PIN when calling signtool.exe or unlock it in any way via a command, and therefore you can't automate your signing process. To work around this annoyance we used an AutoIT script we launch before each signing that detects when the PIN entry dialog appears and enters it for us.

If anyone finds this, the correct option to add is --extrasigningoptions "digest_sha256"