fangpsh's blog

Using a USB Token inside a Virtual Machine

Since 1 June 2023, the private key of a publicly trusted code signing certificate must live on secure hardware such as a USB token, so the certificate is only delivered on such a device:

As of June 1, 2023, all publicly trusted code signing certificates' keys must be stored on cryptographically secure hardware (USB tokens, hardware security modules [HSMs], etc.). The goal here is to help organizations better secure their code signing certificates and keys against cybercriminals.

The token in use is an ePass2003. Signing in CI/CD runs in a VM, which had earlier been migrated from PVE to cloudpods, so USB passthrough had to be configured first (USB passthrough: just follow the cloudpods documentation).

After installing the vendor's driver, the certificate could not be found in the certificate store when logged in over RDP (Remote Desktop). cloudpods is fairly niche, so I searched with the keywords "proxmox + USB Token" instead and found this thread: [PVE-User] Pass through usb eToken device on PX 5.2

Resolved it - GlobalSign tech support couldn't figure it out, eventually found the answer on a German forum via google translate. The client software only works when you are connected via a console, it fails to load under a RDP session. Fortunately a Spice or noVNC console works.

A similar issue: Why is remote SmartCard not found when using RDP

Entering the VM through the VNC console that cloudpods provides, the certificate was indeed found without trouble. This matches how Remote Desktop treats smart cards: an RDP session redirects the smart card subsystem to the RDP client's readers, so a token plugged into the VM itself is visible from the console session but not from inside an RDP session. Switching to SPICE, or installing noVNC as a replacement for RDP, is enough to fix it.
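As an added example (not code from the original post), the following PowerShell check can be run inside the Windows signing VM, once from the VNC/SPICE console and once inside an RDP session, to make the difference visible before a CI job trips over it. It reports the session type, dumps what the smart card subsystem can see via certutil -scinfo, and then checks whether a matching code-signing certificate in the user's personal store has a private key that is actually reachable from this session. The default value of $SubjectMatch and the exit codes are assumptions for illustration.

```powershell
# Added example (not from the original post): check whether the USB token's
# code-signing certificate is usable from the current Windows session.
# Run it from the VNC/SPICE console and again inside an RDP session to see
# the difference. The subject filter is an assumption; adjust it to your cert.
param(
    [string]$SubjectMatch = "Example Signing"   # assumed substring of the cert subject
)

# 1. Which kind of session is this? Console sessions report SESSIONNAME=Console,
#    RDP sessions report RDP-Tcp#<n>. Under RDP the smart card subsystem is
#    redirected to the RDP client's readers, so a token plugged into the VM
#    itself is not enumerated here.
$session = if ($env:SESSIONNAME) { $env:SESSIONNAME } else { '(unknown)' }
$isRdp   = $session -like 'RDP-*'
Write-Host ("Session: {0}  RDP: {1}" -f $session, $isRdp)

# 2. What the smart card subsystem can see from this session (readers, cards, CSP).
Write-Host "`n--- certutil -scinfo ---"
certutil -scinfo 2>&1 | Out-String | Write-Host

# 3. Code-signing certificates in the user's personal store that match the filter.
#    The certificate propagation service copies a token's certificates into
#    Cert:\CurrentUser\My when the token is seen, so an entry here only means the
#    card was visible at some point; whether the key is reachable now is checked below.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
         Where-Object { $_.Subject -like "*$SubjectMatch*" }

if (-not $certs) {
    Write-Warning "No code-signing certificate matching '$SubjectMatch' in Cert:\CurrentUser\My"
    exit 1
}

$usable = 0
foreach ($c in $certs) {
    $provider = '(no private key)'
    if ($c.HasPrivateKey) {
        try {
            # Opening the key goes through the token's CSP/KSP; this is what
            # fails (or returns nothing useful) when the token is not visible.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $provider = $key.Key.Provider.Provider                 # CNG key storage provider name
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $key.CspKeyContainerInfo.ProviderName      # legacy CSP name, typical for token middleware
            } else {
                $provider = '(non-RSA key)'
            }
            $usable++
        } catch {
            $provider = "key not reachable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        NotAfter   = $c.NotAfter
        Provider   = $provider
    } | Format-List | Out-String | Write-Host
}

if ($usable -eq 0) {
    Write-Warning 'Certificate present but its private key is not reachable from this session.'
    exit 2
}
exit 0
```

Run it as the same user the CI agent signs with; a non-zero exit from the RDP session alongside a zero exit from the console session confirms the session type, not the driver or the passthrough, is the problem.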

If you need more scalability or flexibility, there are USB-over-IP solutions such as USB Network Gate or VirtualHere, or dedicated hardware like Digi AnywhereUSB Plus (USB-Over-IP); a domestic Chinese option is 朝天椒 USB Server.

For the code signing use case alone, there are also cloud-hosted key options such as DigiCert KeyLocker and CloudHSM.