1 Correct answer
Dear CAC and PIV card users on MacOS computers, here’s an update on our progress to solve the issue that many of you are facing when signing in Adobe Acrobat and Reader after updating Mac OSX to version 10.11.6 or 10.12.
I will provide some technical details at the end if you’re interested, but first we have some important news. We have been working closely with Apple and especially with Kenneth Van Alstyne, the developer who manages the Mac OSX port of the open source CACkey driver, to understan
...
70
Replies
PDF signing using smart card (CAC or PIV) works fine on Mac OS X 10.11.6. Tested with Acrobat Pro 11.0.17 and 15.006.30198. For it to work out of box you need a working tokend.
If you do not have a working tokend - then the workaround provided above (adding a PKCS#11 library that accesses the CAC directly) would solve the problem, assuming your PKCS#11 library works correctly.
Currently I'm using Open Source tools (OpenSC and OpenSC.tokend). These tools fully support my workflow for smartcards, including PDF signing, S/MIME (signature and encryption, using Apple Mail and MS Outlook 2011 and 2016), Web sites authentication (Apple Safari, Google Chrome, Firefox using PKCS#11 library opens-pkcs11.so), and smartcard-based computer logon. I did not have to attach a PKCS#11 library, as it is unnecessary when your tokend is good:
Mac OS X 10.11.6 improved PDF signing - before Acrobat was only using SHA1 if the signing key was on a CAC. Now it correctly uses what it's supposed to - SHA256:
For those people who have problems with PDF digital signature - please check what tokend you're using, and try with a working one instead. I did, and you can see the results on the screenshots above.
> CTK was a completely new API and applications have to be written to take advantage of it
Concur.
> In the case of applications supporting both CSSM/CDSA and CTK, I'm not really sure how they would behave if the same token were to be made available via both APIs
The issue I'm concerned with is two tokends - pivtoken (that's incapable of "feeding" the smartcard to Keychain and such) and a legacy tokend (such as your or mine) figthing each other for requests that they both can serve. Rather than one tokend receiving requests via multiple interfaces (which should be trivial 
).
> The documentation for CryptoTokenKit has been a little lacking. Hopefully eventually Apple can shed some light on this,
> I'm a little nervous that 10.13 is going to remove TokenD support completely.
Ah, you're one of those few who do learn from history and past experience?
I just hope the legacy framework would stay with us, so our current code could work.
UPDATE: Within 10 minutes of posting and re-reading the beginning of this post and running the CACKey driver from page 1. and following the "attach module" steps that is in the notes; the rest was cake and I was able to sign digitally with my CAC. I was hesitant at first to download but after purchasing the subscription and the inability to still not sign. I was in dire need of a solution. That solution was the CACkey driver.
Once that is installed then hit the "back' button and enter this " /usr/local/lib/pkcs11/cackey.dylib " under attach module and BOOM you have the answer.
*****I too am running into the issue of unable to sign with digital certs using my military CAC while using ADOBE DC. I have traveled the webs and this forum and as many state ADOBE is not addressing the issue. I am running the latest IOS High Sierra 10.13.2 and Adobe DC will not see the CAC reader and of course the reader is plugged in with the card inserted; verified by logging into websites/military sites that require CAC log in.
AdChoices