Yubikey 4 to sign PDF on macOS

Steps to use the Yubikey 4 on macOS to sign PDFs in Adobe Reader.

Context

  • Yubikey 4 with certificates already configured (see: Configure your Yubikey with certificates)
  • macOS High Sierra version 10.13.4
  • Adobe Acrobat Reader DC version 2018.011.20058 (download Adobe Reader to open and sign your PDFs)
  • Brew: macOS package management software. Install brew if you don’t have it installed yet:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Steps

PKCS#11 available

  • brew install yubico-piv-tool

After installing yubico-piv-tool, the PKCS#11 module /Library/OpenSC/lib/opensc-pkcs11.so is available.

  • sudo cp -p /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so

Later we use the path /usr/local/lib/opensc-pkcs11.so in Adobe Reader; the path /Library/OpenSC/lib/opensc-pkcs11.so doesn’t work in Adobe Reader.

Configure Adobe Reader

  • Insert your Yubikey
  • Open a random PDF to test
  • Go to Preferences

You have to set the

  • Open Tools>Certificates

  • Add the PKCS#11 module

Attach a module using the path from the earlier step: /usr/local/lib/opensc-pkcs11.so

  • Click Digitally Sign and select an area

  • Go to Manage ID and select the ID (certificate) to sign with.

Result

Using a PIV and GPG together

Add the line “shared-access” to ~/.gnupg/scdaemon.conf

Got this from a GitHub comment and it worked for me.

Resources

  • https://developers.yubico.com/PIV/Guides/
  • https://gpgtools.tenderapp.com/discussions/problems/50028-macgpg2-scdaemon-pcsc-open-failed-sharing-violation-0x8010000b/page/1#comment_42960303
  • https://ruimarinho.gitbooks.io/yubikey-handbook/content/ssh/authenticating-ssh-with-piv-and-pkcs11-client/
  • https://lauri.xn--vsandi-pxa.com/2017/03/yubikey-for-ssh-auth.html

Use for SSH

Slot 9A: authentication for SSH

Via PIV Manager, create a self-signed certificate with RSA 2048.

Then, via the terminal, get the SSH public key:

ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e

Add the SSH key provided via PKCS#11 to the local ssh-agent:

ssh-add -s /usr/local/lib/opensc-pkcs11.so

Use the PIN as the passphrase.

Yubikey and macOS GPG Suite

First install GPG Suite

Download from https://gpgtools.org/

Check signature

  • Open terminal
  • Go to the folder with the download and type:
$ shasum -a 256 <GPG-Suite-download-filename>

In my case the filename was: GPG_Suite-2018.3.dmg

This results in a SHA-256 hash:

00a6d0c69dd050acd2df4a34bf8502d4e0de3af9b4f7523a0003af14b60006be  GPG_Suite-2018.3.dmg
  • Compare this with the hash published on the website

  • Install the GPG Suite

This will also install the app GPG Keychain.

Get gpg key from yubikey

You need a Yubikey with GPG keys on it. How to set up your Yubikey?

  • Open terminal
  • Insert yubikey
  • Type in the terminal:
$ gpg --card-status

You should get the info on the Yubikey.

  • Get your GPG key id. In my case F6868133B81EF682:
sec#  rsa4096/F6868133B81EF682
  • Now export your public key (gpg --export writes to stdout, so redirect it to a file):
$ gpg --armor --export <your key id> > ~/mypublickey.pub
  • Get your key into the gpg keychain
  • Go to Finder and open your public key.

Right-click or double-click the file. In my case I had to specify GPG Keychain as the application to open this file.

In GPG Keychain it will now show up with type pub/sec. But in the details overview you can see ‘card: #’. This means the private key is on a smartcard.

Click ‘Details’ to check the key’s details. There you can see the private key is on a card (‘Card: #’).

Test your Yubikey

  • Go to Finder
  • Right-click a random file
  • Go to Services and choose Encrypt File

  • Now you can choose your key in the dropdown in the list below the box
  • To test ‘sign’, also check the sign checkbox

If you later decrypt the file, it will show you the signature.

  • After clicking ‘OK’ it will ask you to insert your Yubikey

  • Type your PIN and the encryption starts

You can open the just-created file in Finder and ‘decrypt’ to test decryption and the signature.