Yubikey 4 to sign PDF on macOS

Steps to use the Yubikey 4 on macOS to sign PDFs in Adobe Reader.

Context

  • Yubikey 4 with certificates already configured

Configure your Yubikey with certificates

  • macOS High Sierra version 10.13.4
  • Adobe Acrobat Reader DC version 2018.011.20058

Download Adobe Reader to open and sign your PDFs

  • Brew: package management software for macOS.

Install brew if you don’t have it installed yet.

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Steps

PKCS#11 available

  • brew install yubico-piv-tool

After installing yubico-piv-tool, /Library/OpenSC/lib/opensc-pkcs11.so is available.

  • sudo cp -p /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so

Later we use the path /usr/local/lib/opensc-pkcs11.so in Adobe Reader. The path /Library/OpenSC/lib/opensc-pkcs11.so doesn’t work in Adobe Reader.
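
An added check, not part of the original guide: Adobe Reader and ssh-agent load this module as code, and the copy in /usr/local/lib does not follow later OpenSC upgrades, so it is worth confirming that the copy still matches the original and is not writable by group or others. The function name check_pkcs11_copy and its exit codes are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the copied PKCS#11 module.
# Usage: sh check.sh /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so

# check_pkcs11_copy SRC DST  (hypothetical helper name)
# Returns 0 when DST is a regular file, byte-identical to SRC and not
# writable by group or others. Otherwise prints the reason to stderr and
# returns: 2 = source missing, 3 = copy missing or a symlink,
#          4 = contents differ, 5 = permissions too open.
check_pkcs11_copy() {
    src=$1
    dst=$2
    if [ ! -f "$src" ]; then
        echo "missing source module: $src" >&2
        return 2
    fi
    # -f follows symlinks, so test for a symlink explicitly.
    if [ ! -f "$dst" ] || [ -L "$dst" ]; then
        echo "copy is missing or is a symlink: $dst" >&2
        return 3
    fi
    # A copy made before an OpenSC upgrade no longer matches the original.
    if ! cmp -s "$src" "$dst"; then
        echo "copy differs from source (stale or modified): $dst" >&2
        return 4
    fi
    # find -perm behaves the same with BSD (macOS) and GNU find.
    if [ -n "$(find "$dst" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "copy is writable by group or others: $dst" >&2
        return 5
    fi
    return 0
}

# Run the check only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_pkcs11_copy "$1" "$2"
fi
```

If the check reports a difference after an upgrade, repeat the cp -p step above.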

Configure Adobe Reader

  • Insert your Yubikey
  • Open any PDF to test
  • Go to Preferences

You have to set the

  • Open Tools>Certificates

  • Add the PKCS#11 module

Attach a module by using the path from one of the first steps: /usr/local/lib/opensc-pkcs11.so

  • Click Digitally Sign and select an area

  • Go to manage ID to set an ID as the ID to sign with.

Result

Using a PIV and GPG together

Add the line “shared-access” to ~/.gnupg/scdaemon.conf

I got this from a GitHub comment and it worked for me.

Resources

  • https://developers.yubico.com/PIV/Guides/
  • https://gpgtools.tenderapp.com/discussions/problems/50028-macgpg2-scdaemon-pcsc-open-failed-sharing-violation-0x8010000b/page/1#comment_42960303
  • https://ruimarinho.gitbooks.io/yubikey-handbook/content/ssh/authenticating-ssh-with-piv-and-pkcs11-client/
  • https://lauri.xn--vsandi-pxa.com/2017/03/yubikey-for-ssh-auth.html

Use for SSH

Slot 9A authentication for SSH

Create a self-signed certificate with RSA2048 via the PIV manager.

Then get the SSH public key via the terminal.

ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e

Add the SSH key provided via PKCS#11 to the local ssh-agent:

ssh-add -s /usr/local/lib/opensc-pkcs11.so

Use the PIN as the passphrase.