Greetings Folks!
I am yet another developer with driver signing woes.
I’m out of ideas and looking for advice.
I’ve release-signed my driver’s binary and it loads and
works correctly under Vista x64 (and all other platforms).
Of course I also created and signed a CAT file, but the
scary “unknown publisher” warning was still displayed
(I ignored it to verify my driver worked under Vista x64).
I used the same process to sign my x86 driver, and got
the same warning under XP and Vista x86.
I used “makecat” with the usual cookbook CDF file from
the MS “walkthrough” document, but the output CAT file
apparently does not refer to my SYS file…
**************
C:\driver>signtool verify /kp /v /c driver.cat driver.sys
Verifying: driver.sys
SignTool Error: File not found in the specified catalog.
SignTool Error: File not valid: driver.sys
**************
Of course, the “driver.sys” file IS in the same folder as
the INF, CDF, and CAT files and I DID list the SYS file
in the CDF file. Incidentally, the “signtool verify” command
works fine on the SYS and CAT files individually, but fails
when I try to verify them together.
So I decided to abandon “makecat” and instead use the new
“inf2cat” utility. Unfortunately, “inf2cat” can’t even find the
INF file at all…
**************
C:\driver>dir
Directory of C:\driver
12/12/2007 02:19 PM <DIR> .
12/12/2007 02:19 PM <DIR> ..
12/06/2007 01:33 PM 40,424 driver.sys
12/10/2007 10:19 AM 1,884 driver.inf
06/08/2006 09:37 PM 2,000 MSCV-GlobalSign.cer
3 File(s) 44,308 bytes
2 Dir(s) 195,921,354,752 bytes free
C:\driver>inf2cat /driver:c:\driver\driver.inf /nocat
DRIVER.INF does not exist.
**************
This tool thinks the INF is missing even when I place the
"inf2cat.exe" and its support DLLs in the same folder as
the INF. I've also used a full path to the INF with no luck.
This makes NO sense to me! The "inf2cat" package was
downloaded just a few days ago from the MS web site,
so it must be the latest version.
I downloaded the latest Vista WDK from the MSDN web site
today and I'm running all commands from the proper DDK
shell as the admin (per the "walkthrough" docs).
Short-term goal: make the "inf2cat" utility work!
Ultimate goal: release my driver with a signed CAT
and INF so that no scary warnings are displayed during
the install. My signed binary works in a pinch, but my
company spent too much time and money not to get
the full benefits from signed drivers. I don't care to
use "inf2cat" if "makecat" will work.
Some random thoughts...
1) We bought the $230 SPC from GlobalSign. It's in
the "Personal" certificate store on my signing PC.
The certificate path is recognized as valid. I used this
certificate's "thumbprint" value in the "signtool"
command when I signed the SYS and CAT files. I'm
confident that I'm using the latest version of "signtool"
and that the parameters are correct.
2) The MS/GlobalSign cross-certificate was installed
in the "Intermediate Certification Authorities" folder.
It was issued by the "Microsoft Code Verification Root",
yet under the details tab the "Windows does not have
enough information to verify this certificate" error
is displayed. So the certificate path is NOT recognized
as valid and this really bothers me. Should the
cross-certificate be moved to the "Trusted Root
Certification Authorities" folder instead? Would this
move resolve the certificate path and allow my CAT file
to be signed correctly? Do I even need the cross-
certificate in my local store since it's enumerated
on the "signtool" command line as a .CER file?
3) My development PC runs XP x64. Vista x64 is very
unstable on my test machines and keeps trashing the
hard drive. I've re-installed four times now and I'm
sick of dealing with it. Since I get the same "unknown
publisher" headaches under XP x86 and Vista x86, I want
to debug the signing process with those platforms first.
Am I correct in assuming that the "signtool", "makecat",
and "inf2cat" utilities work the same regardless of the
destination platform?