The solution for this highly specific problem is to not install the "minidriver" part of the SafeNet Authentication Client package . If already installed, uninstall the entire package, then run the installer again, choose "Custom" install and make sure the Minidriver feature set is set to "don't install" (The SafeNet installer doesn't offer a "Modify" option).

This is apparently because the "minidrivers" are the ones that allow the badly designed Windows Smart Card logon system to talk to the SafeNet USB smart cards. With the minidrivers removed, all access is through the SafeNet extensions to the CryptoAPI 2 subsystem that is used by signing tools (including old tools based on the classic CryptoAPI 1).