Yubikey 4 to sign PDF on macOS

Steps to use the Yubikey 4 on macOS to sign PDFs in Adobe Reader.

Context

  • Yubikey 4 with certificates already configured

Configure your Yubikey with certificates

  • macOS High Sierra version 10.13.4
  • Adobe Acrobat Reader DC version 2018.011.20058

Download Adobe Reader to open and sign your PDFs.

  • Brew: package management software for macOS.

Install brew if you don’t have it installed yet.

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Steps

PKCS#11 available

  • brew install yubico-piv-tool

After installing the yubico-piv-tool, /Library/OpenSC/lib/opensc-pkcs11.so is available.

  • sudo cp -p /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so

Later we use the path /usr/local/lib/opensc-pkcs11.so in Adobe Reader. The path /Library/OpenSC/lib/opensc-pkcs11.so doesn’t work in Adobe Reader.
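Adobe Reader (and later ssh-add) loads whatever file sits at /usr/local/lib/opensc-pkcs11.so, so it is worth confirming that the copy still matches the OpenSC original and cannot be rewritten by other accounts. The check below is an added example, not part of the original post; the function names and return codes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the copied PKCS#11 module before a PIN-handling
# application loads it. Default paths are the ones used on this page.
# Usage: check_pkcs11_copy [original] [copy]

# Prints the path if it is group- or world-writable, nothing otherwise.
loose_perms() {
    find "$1" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null
}

# Return codes (illustrative): 0 ok, 1 file missing,
# 2 copy differs from original, 3 copy or its directory is loosely writable.
check_pkcs11_copy() {
    src=${1:-/Library/OpenSC/lib/opensc-pkcs11.so}
    dst=${2:-/usr/local/lib/opensc-pkcs11.so}

    if [ ! -f "$src" ] || [ ! -f "$dst" ]; then
        echo "missing: $src or $dst" >&2
        return 1
    fi

    # A byte-for-byte mismatch means the copy is stale (the original was
    # updated after the cp) or the copy was modified.
    if ! cmp -s "$src" "$dst"; then
        echo "copy differs from original: $dst" >&2
        return 2
    fi

    # The module and the directory holding it should only be writable by
    # their owner; otherwise another account could swap the library.
    for p in "$dst" "$(dirname "$dst")"; do
        if [ -n "$(loose_perms "$p")" ]; then
            echo "writable by group or others: $p" >&2
            return 3
        fi
    done
    return 0
}
```

If the function returns 2, repeat the cp step from above; if it returns 3, tighten the permissions on the reported path before attaching the module.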

Configure Adobe Reader

  • Insert your Yubikey
  • Open a random PDF to test
  • Go to Preferences

You have to set the

  • Open Tools>Certificates

  • Add the PKCS#11 module

Attach a module by using the path from one of the first steps: /usr/local/lib/opensc-pkcs11.so

  • Click Digitally Sign and select an area

  • Go to Manage ID and set an ID as the one to sign with.

Result

Using a PIV and GPG together

Add the line “shared-access” to ~/.gnupg/scdaemon.conf

Got this from a GitHub comment and it worked for me.

Resources

  • https://developers.yubico.com/PIV/Guides/
  • https://gpgtools.tenderapp.com/discussions/problems/50028-macgpg2-scdaemon-pcsc-open-failed-sharing-violation-0x8010000b/page/1#comment_42960303
  • https://ruimarinho.gitbooks.io/yubikey-handbook/content/ssh/authenticating-ssh-with-piv-and-pkcs11-client/
  • https://lauri.xn--vsandi-pxa.com/2017/03/yubikey-for-ssh-auth.html

Use for SSH

Slot 9A authentication for SSH

Using the PIV Manager, create a self-signed certificate with RSA2048.

Then get the SSH public key via the terminal.

ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e

Add the SSH key provided via PKCS#11 to the local ssh-agent:

ssh-add -s /usr/local/lib/opensc-pkcs11.so

Use the PIN as the passphrase.

 

2 Replies to “Yubikey 4 to sign PDF on macOS”

  1. Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, or one in your wallet, or one in a safe place at home will help to make sure you’ve always got a backup YubiKey nearby. Many services let users set up multiple YubiKeys with their account for this very reason. Twitter only allows one key at the moment. If you want more than one YubiKey on your Twitter account, or would like to have YubiKey support on mobile, help us out by sending a tweet to tell them what you’d like to see.

  2. Unfortunately this doesn’t work for me.

    YubiKey: 5
    MacOSX: Mojave
    OpenSC: 0.19
    Adobe Reader DC: Build: 19.10.20069.311970

    I’ve got an error 0x101 while writing the doc.
