
How to sign using certificates on a smartcard, and verify using the root CA used to create this certificate?

Open nipil opened this issue 2 months ago • 3 comments

What is not working as expected?

I am trying out Notation, and everything is working great using test certificates.

Now I want to switch to a smartcard (or any similar hardware).

Are smartcards (or other protocols for hardware-based key/cert holders) supported by Notation?

  • if not

    • is it planned in any roadmap?
    • if yes, when could I hope to use it?
  • if yes, could you point to some documentation on

    • how to use a smartcard/token with Notation?
    • how and where to import the CA chain which issued the certs on the smartcard?

Thanks in advance for your help.

What did you expect to happen?

I want to switch to using a smart card (USB dongle with certificates on it) to sign container images.

How can we reproduce it?

I did not find how to use hardware-based certificates in Notation.

Describe your environment

My smartcard is working great for browser and VPN authentication, on a Windows OS.

What is the version of your Notation CLI or Notation Library?

1.3.2

nipil avatar Oct 31 '25 10:10 nipil

Hi @nipil, thanks for your request. I think signing using certs on a smartcard is not supported in Notation. Can you clarify more on the smartcard? This may require developing a new plugin to support it. You can also extend it by developing your own plugin.

FeynmanZhou avatar Nov 01 '25 00:11 FeynmanZhou

Can you clarify more on the smartcard?

The device I have is a USB token I plug into my Windows machine. I can automatically use it for browser-based identification using a client certificate from it, and to authenticate when using a VPN using a client certificate on it.

It appears under the Device Manager as:

  • USBCCID Smartcard Reader (WUDF)
  • class "SmartCardReader"
  • service WUDFRd

The loaded drivers linked to this device are:

  • scfilter.sys
  • wudfusbcciddriver.dll
  • winusb.sys
  • wudfrd.sys

Not that it matters, I guess, but:

  • vendor id 0x0529
  • product id is 0x0620
  • revision 1

Device driver page: https://support.globalsign.com/ssl/ssl-certificates-installation/safenet-drivers

nipil avatar Nov 01 '25 08:11 nipil

Under Linux (Debian 12) it presents itself in dmesg as:

[2649590.910292] usb 1-2: new full-speed USB device number 16 using xhci_hcd
[2649591.060176] usb 1-2: New USB device found, idVendor=0529, idProduct=0620, bcdDevice= 0.01
[2649591.060190] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[2649591.060197] usb 1-2: Product: Token JC
[2649591.060202] usb 1-2: Manufacturer: SafeNet

And lsusb gives the following:

Bus 001 Device 016: ID 0529:0620 Aladdin Knowledge Systems Token JC

Additional information about this device and Linux drivers: https://cyrille.giquello.fr/informatique/safenet_etoken_5110

PS: I do not use this token under Linux, and I do not intend to; I just provide this information for completeness.

nipil avatar Nov 01 '25 08:11 nipil