[PVE-User] Pass through usb eToken device on PX 5.2
Lindsay Mathieson
2018-06-15 01:59:46 UTC
Just updated our windows code signing cert from GlobalSign and the f**kers
now require use of a usb token, some sort of smart card (eToken 5100 PKI).
USB 1 I think.

Using it with a windows 7x64 VM with latest spice tools etc. Have plugged
the token into the VM Host and used Add hardware to pass through the USB
token to the VM (Nice interface BTW! detected it fine).

Token shows up in the device manager as a smart card reader (Aladdin and
Rainbow entries). The GlobalSign client software installs ok, but it just
can't find the token.

Anyone else done this successfully?

And off-topic, any suggestion for an alternate code-signing cert supplier?
Not happy with this hardware key, it's very limiting.
--
Lindsay
Lindsay Mathieson
2018-06-15 11:51:33 UTC
Resolved it - GlobalSign tech support couldn't figure it out, eventually
found the answer on a German forum via google translate. The client
software only works when you are connected via a console, it fails to
load under an RDP session. Fortunately a Spice or noVNC console works.

Worse - it will only codesign via a console session, and needs a gui
password entry, pretty much useless for our nightly headless builds
where we sign thousands of binaries. And rules out moving to an offsite
server.

I can't imagine what GlobalSign are thinking, this is useless for
anything but individual developer manual builds.
--
Lindsay
Yannis Milios
2018-06-15 12:47:20 UTC
> Have plugged the token into the VM Host and used Add hardware to pass
> through the USB token to the VM

I'm using something similar (usb smart card reader/pki card for user
authentication), but in my case I decided that perhaps it's better to
connect the USB token to the client machine rather than the VM host.
In this way you can enable smart card redirection on the RDP client
machine, which then can pass through the PKI card to the VM guest
without the need to redirect the actual usb PKI device.
In addition, you can use SPICE remote-viewer and its built-in USB
device redirection option, to pass through the usb token to the VM
guest. The difference in this case is that you cannot share that usb
device both with client (host) machine and the VM guest at the same
time. Hence, the RDP option works better for me in this case.

It would be nice if smart card pass through was supported in
remote-viewer/SPICE server as well..

Y