x64 Driver Signing as of Vista RC1 (and later)
(By: Hector J. Rodriguez | Published: 25-Sep-06 | Modified: 25-Sep-07)
[Hector Notes: I wrote this memo back in September of 2006. As of September of 2007 (many months after Vista was released) it still seems to be accurate. HJR]
Lately I've been busy, so haven't had nearly as many tips to pass along. Cuz I know you miss my hints, I'll pass along (with comment) a set of useful tips that Peter put together on driver signing that he sent to the NTDEV list.
Let me summarize what I know about signing for x64 Vista RC1:
- Where to start: The Microsoft-written KMCS walkthrough is a reasonably helpful resource. Just follow it to the letter, and don't attempt to stray. It's out of date regarding test signing (it still indicates that the test signing cert needs to be added to the root cert authority, which is no longer required... see below) but otherwise, it's helpful. Also, there's a sort of goofy command procedure in the same directory as signtool and signability in the WDK that I found particularly helpful. Don't run it -- it mixes up the concept of which machine you sign the driver on and which machine you load the driver on (it appears to think these are both the same machine, which is just plain weird)... but read it. It has the commands you can use with signtool and signability to get the job done.
- "Release" signing using a Verisign cert and the appropriate cross-cert downloaded from microsoft.com works. I haven't tested any other cert/cross-cert combos. But I think it's safe to assume they work also.
- You do have to put the signing cert in the certificate store of the machine on which you are doing the signing -- converting the .spc/.pvk to a .pfx file and then referring to the .pfx file directly from signtool does not work. This was confirmed by Microsoft and they're working to fix it.
- You cannot use the signtool signwizard mode for driver/cat signing, as the signwizard does not allow you to specify a cross cert. Microsoft confirmed this is not expected to be changed.
- I have not been successful at getting signtool to sign a driver/cat using a cert stored on a smartcard (here at OSR, we typically use eTokens -- USB-attachable smart cards -- for such things). This is annoying, because if no workaround is found it'll mean that (until pfx file support is fixed) there really is NO alternative for product signing other than putting one's product signing cert into the cert store of some machine. This doesn't sound very secure to me. Microsoft's looking into the problem.
- On x64 (of course) if you attempt to install an unsigned cat -- or a cat that's signed but not with an appropriate cert -- the driver is associated with the device but yellow-banged out in device manager. I got an "error 39" when attempting to install the driver. I didn't see any clear indication to the user that the reason for the problem is that the cat/driver lacks a digital signature. This sounds to me like a customer support problem just waiting to happen.
- When you view the "digital signature" properties of a signed driver executable on Vista, one of the fields is "email address:" -- There is currently no known way to set this field. This has been confirmed by Microsoft.
- Test signing works. Use bcdedit command "BCDEDIT -set testsigning on" and reboot. The system restarts in test mode, with small "test mode" brands on each corner of the display and the system version/build on the top line of the display in the center.
- Test signing is implemented even more flexibly than Microsoft has previously described. When test signing mode is enabled on an x64 Vista system, a driver or cat file will be treated as being properly signed if it's signed with any cert at all. This is nice, because it means you do not have to install your test signing cert (or "Root Agency" for a makecert cert) in the root certification authority store for every test machine. I demonstrated this by signing a cat and driver with a makecert cert and loading it without adding anything to the target machine's cert stores. This has been verified by Microsoft, and Microsoft indicates that this is how test signing will work in the released version of Vista. YAY!
- The tools -- signability and signtool -- are incredibly bad. If you want to create a CAT file (the format of which appears to be undocumented... arrrgh) check out INF2CAT (google it) from the winqual submission tool kit. John from HP brought this utility to my attention in another thread on the NTDEV list. INF2CAT creates a cat and doesn't leave a freakin' Notepad window open on your desktop when it's done (as signability does). Of course, it does require 5 additional supporting assemblies to run. Ugh. I'd love to see somebody in the community write a nice, simple, replacement for these tools aimed directly at driver writers.
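The workflow the tips above describe, laid out as an added example (it is not part of the original memo, nor taken from Microsoft's walkthrough or the WDK command procedure). The package folder, file names, subject names and the cross-cert file name are placeholders; it assumes makecert, Inf2Cat and signtool are on the PATH, an elevated prompt for bcdedit, and English-language bcdedit output.

```powershell
# Added example: every path and name below is a placeholder, not a value from the memo.
$pkg      = 'C:\drv\mydriver'          # folder holding mydriver.inf / mydriver.sys
$testCN   = 'Example Test Cert'        # subject name of the makecert test cert
$relCN    = 'Example Corp'             # subject name of the release (Verisign) cert
$crossCer = 'C:\certs\CROSS-CERT.cer'  # cross-cert downloaded from microsoft.com
$release  = $false                     # $false = test signing, $true = release signing

# --- On the SIGNING machine -------------------------------------------------
# Build the catalog from the INF (INF2CAT instead of signability).
Inf2Cat "/driver:$pkg" /os:Vista_X64

if (-not $release) {
    # Test signing: a self-signed makecert cert in a private store on this
    # machine is enough; nothing has to be installed on the target machine.
    makecert -r -pe -ss PrivateCertStore -n "CN=$testCN" "$pkg\test.cer"
    signtool sign /v /s PrivateCertStore /n $testCN "$pkg\mydriver.cat"
    signtool sign /v /s PrivateCertStore /n $testCN "$pkg\mydriver.sys"
}
else {
    # Release signing: the cert is taken from the certificate store (/s, /n),
    # not from a .pfx file, and the cross-cert is passed with /ac. This is
    # the option the signwizard mode cannot express.
    signtool sign /v /ac $crossCer /s My /n $relCN "$pkg\mydriver.cat"
    signtool sign /v /ac $crossCer /s My /n $relCN "$pkg\mydriver.sys"
    # Check the result against the kernel-mode signing policy.
    signtool verify /kp /v /c "$pkg\mydriver.cat" "$pkg\mydriver.sys"
}

# --- On the TARGET (test) machine --------------------------------------------
# Enable test mode, then reboot before loading the test-signed driver:
#   bcdedit -set testsigning on

# Audit: in test mode a driver signed with ANY cert is accepted, so make sure
# the setting is not left enabled on machines that are not test boxes.
$testMode = bcdedit /enum '{current}' | Select-String -Pattern 'testsigning\s+Yes'
if ($testMode) {
    Write-Warning 'Test signing is ON: drivers signed with any cert will load.'
    # To return to normal enforcement, then reboot:
    #   bcdedit -set testsigning off
}
```

Because release signing reads the private key from the signing machine's certificate store, that machine deserves the same access control as the key itself.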
was printed from OSR Online http://www.osronline.com
Copyright 2017 OSR Open Systems Resources, Inc.