OSRLogo
OSRLogoOSRLogoOSRLogo x OSR Custom Development Services
OSRLogo
x

Everything Windows Driver Development

x
x
x
GoToHomePage xLoginx
 
 

    Tue, 17 Oct 2017     115080 members

   Login
   Join


 
 
Contents
  Online Dump Analyzer
OSR Dev Blog
The NT Insider
Downloads
ListServer / Forum
Driver Jobs
  Express Links
  · The NT Insider Digital Edition - May-June 2016 Now Available!
  · Windows 8.1 Update: VS Express Now Supported
  · HCK Client install on Windows N versions
  · There's a WDFSTRING?
  · When CAN You Call WdfIoQueueP...ously

x64 Driver Signing as of Vista RC1 (and later)

[Hector Notes: I wrote this memo back in September of 2006.  As of September of 2007 (many months after Vista was released) it still seems to be accurate.  HJR]

Lately I've been busy, so haven't had nearly as many tips to pass along.  Cuz I know you miss my hints, I'll pass along (with comment) a set of useful tips that Peter put together on driver signing that he sent to the NTDEV list.

Peter writes:

Let me sumarize what I know about singing for x64 Vista RC1:

  • Where to start: The Microsoft-written KMCS walkthrough is a reasonably helpful resource. Just follow it to the letter, and don't attempt to stray. It's out of date regarding test signing (it still indicates that the test signing cert needs to be added to the root cert authority, which is no longer required... see below) but otherwise, it's helpful. Also, there's a sort of goofy command procedure in same directory as signtool and signability in the WDK that I found particularly helpful. Don't run it -- it mixes up the concept of which machine you sign the driver on and which machine you load the driver on (it appears to think these are both the same machine, which is just plain weird)... but read it. It has the commands you can use with signtool and signability to get the job done.
  • "Release" signing using a Verisign cert and the appropriate cross-cert downloaded from microsoft.com works. I haven't tested any other cert/cross-cert combos. But I think it's safe to assume they work also.
  • You do have to put the signing cert in the certificate store of the machine on which you are doing the signing-- Converting the .spc/.pvk to a .pfx file and then referring to the .pfx file directly from signtool does not work. This was confirmed by Microsoft and they're working to fix it.
  • You cannot use the signtool signwizard mode for driver/cat signing, as the signwizard does not allow you to specify a cross cert. Microsoft confirmed this is not expected to be changed.
  • I have not been successful at getting signtool to sign a driver/cat using a cert stored on a smartcard (here at OSR, we typically use eTokens -- usb attachable smart cards -- for such things). This is annoying, because if no workaround is found it'll mean that (until pfx file support is fixed) there really is NO alternative for product signing other than putting ones product signing cert into the cert store of some machine. This doesn't sound very secure to me. Microsoft's looking into the problem.
  • On x64 (of course) if you attempt to install an unsigned cat -- or a cat that's signed but not with an appropriate cert -- the driver is associated with the device but yellow-banged out in device manager. I got an "error 39" when attempting to install the driver. I didn't see any clear indication to the user that the reason for the problem is that the cat/driver lacks a digital signature. This sounds to me like a customer support problem just waiting to happen.
  • When you view the "digital signature" properties of a signed driver executable on Vista, one of the fields is "email address:" -- There is current no known way to set this field. This has been confirmed by Microsoft.
  • Test signing works. Use bcdedit command "BCDEDIT -set testsigning on" and reboot. The system restarts in test mode, with small "test mode" brands on each corner of the display and the system version/build on the top line of the display in the center.
  • Test signing is implemented even more flexibly than Microsoft has previously described. When test signing mode is enabled on an x64 Vista system, a driver or cat file will be treated as being properly signed if it's signed with any cert at all. This is nice, because it means you do not have to install your test signing cert (or "Root Agency" for a makecert cert) in the root certification authority store for every test machine. I demonstrated this by signing a cat and driver with a makecert cert and loading it without adding anything to the target machines cert stores. This has been verified by Microsoft, and Microsoft indicates that this is how test signing will work in the released version of Vista. YAY!
  • The tools -- signability and signtool -- are incredibly bad. If you want to create a CAT file (the format of which appears to be undocumented... arrrgh) check out INF2CAT (google it) from the winqual submission tool kit. John from HP brought this utility to my attention in another thread on the NTDEV list. INF2CAT creates a cat and doesn't leave a freakin' notepad Windows open on your desktop when it's done (as signability does). Of course, it does require 5 additional supporting assemblies to run. Ugh. I'd love to see somebody in the community write a nice, simple, replacement for these tools aimed directly at driver writers.

 

Related Articles
Getting DbgPrint Output To Appear In Vista and Later
Only Signed Drivers To Run on Vista X64
USB 2.0 Debugging
Disabling User Account Control on Vista
No More x86 Only Submissions to WHQL
Power Play - Power Management Changes in Vista
Take Two - x64 Driver Signing
Just Sign Everything - What to Sign and How to Sign It for Vista
What is Coming with Vista - Limited User Access
Write No Code...Get a GUI - Vista Power Plan Integration

User Comments
Rate this article and give us feedback. Do you find anything missing? Share your opinion with the community!
Post Your Comment

"CAB Format"
CAB format is simply a PKCS/ASN.1 "signedData" structure. For ms-specific OID's, this list is helpful: http://support.microsoft.com/?id=287547

If you need to create a cat, does makecat.exe not work?

26-Sep-06, David Someone


Post Your Comments.
Print this article.
Email this article.

Writing WDF Drivers I: Core Concepts
LAB

Nashua (Amherst), NH
15-19 May 2017

Writing WDF Drivers II: Advanced Implementation Techniques
LAB

Nashua (Amherst), NH
23-26 May 2017

Kernel Debugging and Crash Analysis
LAB

Dulles (Sterling), VA
26-30 Jun 2017

Windows Internals and Software Driver Development
LAB

Nashua (Amherst), NH
24-28 Jul 2017

 
 
 
 
x
LetUsHelp
 

Need to develop a Windows file system solution?

We've got a kit for that.

Need Windows internals or kernel driver expertise?

Bring us your most challenging project - we can help!

System hangs/crashes?

We've got a special diagnostic team that's standing by.

Visit the OSR Corporate Web site for more information about how OSR can help!

 
bottom nav links