rdtsc

I'm suprised to see this sentiment. My impressions go into the opposite direction. Stackoverflow posts about SafeNet tokens range from auto-typing the password into the GUI via AutoIt to undocumented parameters gained from reverse engineering the driver. Coupled with proprietary software not directly available from the vendor. All in all this sounds terrible. On the other hand the YubiKey libraries are open-source and automated signing via PKCS#11/PIV is easy. I've recently implemented this via Windows' SignerSignEx3 -> Callback to sign the computed hash -> Sign via OpenSSL + PKCS#11 provider + PKCS#11 YubiKey library and the pin can be provided as a provider option. I did this with OpenSSL primarily so that I could move the actual signing (as opposed to Authenticode hash computation) to a different machine running Linux. One disadvantage of the YubiKey is that it doesn't support RSA keys with >2048 bits; not enough for code signing anymore so you have to use ECDSA. There are certain signature schemes that don't support ECDSA (like NuGet).