Success!
Using the July 6th walkthrough (URL below), and a lot of patience, I was actually able to sign both a .sys and .cat file with our Verisign release signing cert this afternoon.
After converting the .SPC/.PVK pair to a .PFX file, I *thought* I was ready to rock. BUT, I was not able to use a .PFX file directly with signtool when using a cross cert. I got:
D:\signing\driver>signtool sign /f osrc3.pfx /p xxxxxxxx /v /t http://timestamp.verisign.com/scripts/timestamp.dll /ac mscv-vsClass3.cer usbfx2lk.sys
SignTool Error: The /f option is incompatible with the /ac option.
Sooooo… I had to add the .PFX to my private cert store (wasn’t this supposed to be fixed after Beta 2??). After putting your cert into the private cert store, you need to get the certificate’s NAME (start certmgr.msc, double click the cert, select details, and find CN=xxxxxx – That xxxxxx is the cert name to use with SIGNTOOL. Any spaces in the name? Be sure to enclose the name in QUOTES.
After that… it was as easy as:
D:\signing\driver>signtool sign /n “OSR Open Systems Resources, Inc.” /t http://timestamp.verisign.com/scripts/timestamp.dll /ac mscv-vsClass3.cer usbfx2lk.sys
Done Adding Additional Store
Attempting to sign: usbfx2lk.sys
Successfully signed and timestamped: usbfx2lk.sys
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Oh, the excitement. I went on to sign the CAT file with similar results.
As previously noted, check out the walkthrough document – While not great, this document is actually very helpful: http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
Finally, be sure to get the RIGHT cross certs (the ones available before WinHEC were broken) from: http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
We’ll definitely write something up in the September/October issue of The NT Insider on this (the next issue is the July/August issue, which is presently at the printer… we refuse to let go of August here at OSR).
Peter
OSR