How to use PIV smartcards (YubiKey 4) to sign application binaries?

Question

I am about to start using my YubiKey 4 (RSA 2048 bit key) for signing application binaries. There a quite a few tutorials about how to setup this. It seems that most tutorials based on the original Yubico guide (Android, MacOS), which confuses me.

When I reviewed the PIV certificate slot information, I came to the conclusion that Slot 9c, Digital Signature, is the correct slot for code signing as I digitally sign the binary with my private key.

However, with e.g. the Yubico's Android guide, and may other guides, the selected certificate slot is 9a, which is for PIV Authentication. The slots usage is for "authenticate the card and the cardholder" against "things like system login", which is clearly a misuse for the usage of code signing.

What is the correct (semantic) slot for a code signing certificate with YubiKey 4's PIV applet? And is there any reason why use/stick with slot 9a?

Answer 1

The YubiKey tools do not enforce any kind of restrictions or limitations on the keys or certificates in particular slots. Some third-party tools do.

The largest difference between the various slots is the PIN policy applied to them. 9a, being intended for authentication, only requires that the PIN be entered once. It's intended to be able to be used for system login, followed by any number of web browser sessions.

9c, on the other hand, requires a PIN to be entered for each transaction. This is a desirable property for signing.

If you use slot 9a for signing, then the card will permit further signing until the card is powered down or removed.

9d functions similarly to 9a, though it is intended for encryption, rather than authentication. Having separate slots makes it possible to do things like have an authentication cert in 9a (with the key generated on the card), and encryption in 9c (with the key loaded to the card, and escrowed elsewhere in case the card is lost).

Escrow is generally not a desirable property for authentication, as it leads to the possibility of impersonation. It is a very good property for encryption (as it means that the files are not all lost in the event the card is locked, lost, or damaged, or the employee leaves the employer).

9e does not require authentication, and is intended for things like door locks. Using that slot would enable any application to sign without user interaction.

In short, slot 9c is in fact the correct slot for code signing. As most guides with YubiKeys are intended to support authentication (rather than encryption or signing), they tend to use slot 9a.