CKR_USER_NOT_LOGGED_IN Error when Signing ZIP file with Sectigo USB eToken

Hey everyone,

I have tried to sign a ZIP file with the module-signer code from GitHub - inductiveautomation/module-signer: A utility that signs modules for use in Ignition to create MODL file.

We are using Sectigo USB eToken for signing.

When we try to sign our ZIP file, which contains more than one file, we get the error shown in the figure below:

As you can see, the first file /hmi-protection-gateway-1.0.0.jar was successfully signed, but the second file /module.xml failed.
Also, it does not matter which files I try to sign or in which order; it just stops working when attempting to sign the second file.

I have tried to debug this, and I have found the exact line where the code raises an exception:

Line 634 of the code failed and raised this exception:

Nothing that I have tried so far to solve this error works… Any suggestions would be appreciated!

Thanks,
Ben

I’m not familiar with the Sectigo product, but I suspect you have the cert installed under the wrong slot ID. Standard slots 0x9a, 0x9c, 0x9d, and 0x9e have different expectations for PIN usage. This Yubikey document spells them out:

https://developers.yubico.com/PIV/Introduction/Certificate_slots.html

Note 9a and 9d allow multiple signing operations after a single PIN application. 9c needs the PIN for every one. Look for similar information about your Sectigo device. The Yubikey doc implies that non-standard IDs may have configurable behavior.

I use slot 0x9a for module signing.

Possibly some actionable information here: Unable to sign using PKCS#11 token · Issue #42 · kaikramer/keystore-explorer · GitHub
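
The behaviour discussed in this thread, as an added example that is not module-signer's code and not from either poster: a small Python simulation of a token whose PIN check is consumed by each signature in slot 9c but persists in 9a and 9d. `SimulatedToken`, `sign_entries` and the sample entries are hypothetical names and constructed data, HMAC stands in for the on-token key operation, and it assumes the Sectigo device follows the PIV slot policy from the Yubico document, which the reply above only suspects.

```python
import hashlib
import hmac

CKR_USER_NOT_LOGGED_IN = 0x00000101  # PKCS#11 return code from the thread title
# PIN policy per PIV slot, as summarised in the reply above.
PIN_EVERY_SIGNATURE = {0x9A: False, 0x9C: True, 0x9D: False}

class TokenError(Exception):
    def __init__(self, rv):
        super().__init__(f"PKCS#11 error 0x{rv:08X}")
        self.rv = rv

class SimulatedToken:
    """Toy model of the token side; not a real PKCS#11 or PIV implementation."""
    def __init__(self, slot, pin, key=b"constructed-demo-key"):
        self.slot, self._pin, self._key = slot, pin, key
        self._verified = False

    def verify_pin(self, pin):
        self._verified = hmac.compare_digest(pin, self._pin)

    def sign(self, data):
        if not self._verified:
            raise TokenError(CKR_USER_NOT_LOGGED_IN)
        if PIN_EVERY_SIGNATURE[self.slot]:
            self._verified = False  # the PIN check is consumed by this signature
        # HMAC stands in for the on-token private-key operation.
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

def sign_entries(token, pin, entries, pin_before_each=False):
    """Sign each archive entry; return (signatures, failed entry name or None)."""
    token.verify_pin(pin)
    signatures = {}
    for name, data in entries.items():
        if pin_before_each:
            token.verify_pin(pin)  # re-present the PIN for this signature
        try:
            signatures[name] = token.sign(data)
        except TokenError as err:
            if err.rv != CKR_USER_NOT_LOGGED_IN:
                raise
            return signatures, name
    return signatures, None

# Constructed entries named after the two files in the question.
ENTRIES = {"/hmi-protection-gateway-1.0.0.jar": b"jar bytes", "/module.xml": b"<module/>"}
```

With a key in the simulated 9c slot and a single PIN entry, the first entry signs and the second fails with `CKR_USER_NOT_LOGGED_IN`, matching the symptom in the question; the same loop completes against 9a, or against 9c when the PIN is presented before each signature.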