nointegritychecks boot options is gone in Vista RC1

Great decision! Many thanks to MS to make developers’ life easier! I’m sure I’d like to use F8 boot options during every boot and I’m pleased to learn our QA to do it on every test machine!

(Yes, I have my drivers signed. But we use 3rd party tools like DbgView which use unsigned drivers. No, we don’t use WinDbg)

Well, it already stopped working in some previous build. At least now it is documented :-/

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

How about signing these 3rd party drivers with your own key
and installing your own cert? Vista should let you do this.

–PA

That’s not possible with DbgView. When it starts it installs its driver
(which is embedded in the executable) and removes the driver when it
exits. It does not use an INF file to install the driver. It’s a legacy
NT 4.0 style driver that is started via the service manager.

MS owns sysinternals now, though, so who knows if things will change
with that one.

I’m curious though about OSR’s DbgMon. I use Windbg so I haven’t used
either tool for a while (though they do come in handy when it’s not
possible to connect a debugger to the target machine) so I don’t know if
it has been changed to take the whole driver-signing business into
account yet or not. If not, I suspect it won’t be long. OSR is usually
on top of things like that.

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pavel A.
Sent: Saturday, September 09, 2006 8:52 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] nointegritychecks boot options is gone in Vista RC1

How about signing these 3rd party drivers with your own key and
installing your own cert? Vista should let you do this.

–PA


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Ok, suppose I know how dbgview installs its driver and have the dbgv.sys file.
Suppose that dbgview won’t try to rewrite and start it if it already is running.
Can I sign dbgv.sys with my own signature so that it will run under Vista, even if it has
no INF file ( since it is not a PnP driver ) ?

–PA


Sure, you can sign driver binary and this is what I’ll do if there isn’t a new DebugView version in the near future (I asked MR to sign it but he is probably busy with other things). I guess it’d be even possible to extract driver binary, sign it and update the resource in the EXE file. It can violate the licence, though.

Workarounds are possible but I was mainly complaining about “smart” MS decision to remove the useful option.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Pavel A.[SMTP:xxxxx@writeme.com]
Reply To: Windows System Software Devs Interest List
Sent: Saturday, September 09, 2006 7:15 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] nointegritychecks boot options is gone in Vista RC1

Ok, suppose I know how dbgview installs its driver and have the dbgv.sys file.
Suppose that dbgview won’t try to rewrite and start it if it already is running.
Can I sign dbgv.sys with my own signature so that it will run under Vista, even if it has
no INF file ( since it is not a PnP driver ) ?

–PA


Michal,

I’m not saying removing /nointegritychecks switch was a GOOD idea, but… Are you aware that Vista systems now support test signing? So you can sign your drivers with a makecert type cert, and use that. I believe that’s what most test labs will do… as opposed to using F8 which is ridiculous (as it was designed to be).

Peter
OSR

Peter,

I don’t have problem with my drivers, I sign them all with our company certificate. I have problem with unsigned 3rd party drivers as the one included in the DebugView tool. Test signing won’t help there; if I manage to extract, sign and update this driver, I can use our company certificate as well.

BTW, does test signing really work now? I tested it with some pre-beta2 builds and it didn’t.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
Reply To: Windows System Software Devs Interest List
Sent: Monday, September 11, 2006 10:27 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] nointegritychecks boot options is gone in Vista RC1

Michal,

I’m not saying removing /nointegritychecks switch was a GOOD idea, but… Are you aware that Vista systems now support test signing? So you can sign your drivers with a makecert type cert, and use that. I believe that’s what most test labs will do… as opposed to using F8 which is ridiculous (as it was designed to be).

Peter
OSR



Good question. To be perfectly honest, I haven’t tried it. I’ve been TOLD it works. After spending A LOT of time working with driver signing when it first came out, I basically gave up due to frustration with the atrocious documentation, bugs in the tools, crappy/inconsistent tool interfaces, and a raft of other factors I don’t care to mention or name.

But, I hear things are better now: I’m told that people ARE signing drivers, both “real” and test signing. So, perhaps it’s time for me to turn my attention back to this and give it a try.

Regarding the OSR tools with embedded drivers (or, should I say, the ones that will still work on Vista): We realize these drivers need to be signed and we WILL sign them.

Peter
OSR

xxxxx@osr.com wrote:

Good question. To be perfectly honest, I haven’t tried it. I’ve been TOLD it works. After spending A LOT of time working with driver signing when it first came out, I basically gave up due to frustration with the atrocious documentation, bugs in the tools, crappy/inconsistent tool interfaces, and a raft of other factors I don’t care to mention or name.

But, I hear things are better now: I’m told that people ARE signing drivers, both “real” and test signing. So, perhaps it’s time for me to turn my attention back to this and give it a try.

The best experience I’ve had with driver signing was in the driver
signing hands-on lab at WinHEC. To be sure, it was a carefully
controlled and pristine environment, but all of the steps were there,
and they did work as advertised.

I asked at the conference, and again afterwards, whether the excellent
step-by-step handout from the lab could be made available for download.
So far, unless I have missed it, it hasn’t appeared, and it isn’t on the
WinHEC DVD.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You may have missed it. I just checked WHDC and found this:

http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

It’s dated July 7, 2006.

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Monday, September 11, 2006 5:37 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] nointegritychecks boot options is gone in Vista RC1

xxxxx@osr.com wrote:

Good question. To be perfectly honest, I haven’t tried it. I’ve been
TOLD it works. After spending A LOT of time working with driver signing
when it first came out, I basically gave up due to frustration with the
atrocious documentation, bugs in the tools, crappy/inconsistent tool
interfaces, and a raft of other factors I don’t care to mention or name.

But, I hear things are better now: I’m told that people ARE signing
drivers, both “real” and test signing. So, perhaps it’s time for me to
turn my attention back to this and give it a try.

The best experience I’ve had with driver signing was in the driver
signing hands-on lab at WinHEC. To be sure, it was a carefully
controlled and pristine environment, but all of the steps were there,
and they did work as advertised.

I asked at the conference, and again afterwards, whether the excellent
step-by-step handout from the lab could be made available for download.
So far, unless I have missed it, it hasn’t appeared, and it isn’t on the
WinHEC DVD.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



Brown, Beverly wrote:

You may have missed it. I just checked WHDC and found this:

http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

It’s dated July 7, 2006.

Yes, that looks like the same document. Thanks for pointing this out!


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Actually, the one on the WHDC web site is an updated and improved version of the one from the WinHEC lab.

So carefully controlled as to be, IMHO, totally contrived and worse than useless. For example, MY cert from Verisign wasn’t in the same very specific format that the play cert was supplied in. I spent more than four hours with the WinHEC tutorial and I couldn’t sign *anything* – This was BEFORE the tools were fixed and the original tutorial was augmented and put onto the WHDC site (where the July version lives today).

ANYhow, I’m going to spend some time playing with this again “very soon” and I’ll report back here to let you know how it goes. If it works, we’ll write up something brief and useful for The NT Insider.

Peter
OSR

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
Reply To: Windows System Software Devs Interest List
Sent: Tuesday, September 12, 2006 4:09 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] nointegritychecks boot options is gone in Vista RC1

So carefully controlled as to be, IMHO, totally contrived and worse than useless. For example, MY cert from Verisign wasn’t in the same very specific format that the play cert was supplied in. I spent more than four hours with the WinHEC tutorial and I couldn’t sign *anything* – This was BEFORE the tools were fixed and the original tutorial was augmented and put onto the WHDC site (where the July version lives today).

I have the same experience. After hours of wasted time with miserable buggy tools and insufficient docs I was finally able to sign driver binaries with our certificate and added it to our buildengine. I gave up signing INF files, though. Signed binaries are enough for testing but for release it’ll be necessary to sign INFs, too. Sigh. Hopefully things improved since then. It was probably my most frustrating experience with driver development ever.

BTW, is the current signtool finally able to use .PFX files directly?

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Success!

Using the July 6th walkthrough (URL below), and a lot of patience, I was actually able to sign both a .sys and .cat file with our Verisign release signing cert this afternoon.

After converting the .SPC/.PVK pair to a .PFX file, I *thought* I was ready to rock. BUT, I was not able to use a .PFX file directly with signtool when using a cross cert. I got:

D:\signing\driver>signtool sign /f osrc3.pfx /p xxxxxxxx /v /t http://timestamp.verisign.com/scripts/timestamp.dll /ac mscv-vsClass3.cer usbfx2lk.sys

SignTool Error: The /f option is incompatible with the /ac option.

Sooooo… I had to add the .PFX to my private cert store (wasn’t this supposed to be fixed after Beta 2??). After putting your cert into the private cert store, you need to get the certificate’s NAME (start certmgr.msc, double click the cert, select details, and find CN=xxxxxx – That xxxxxx is the cert name to use with SIGNTOOL. Any spaces in the name? Be sure to enclose the name in QUOTES.

After that… it was as easy as:

D:\signing\driver>signtool sign /n "OSR Open Systems Resources, Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll /ac mscv-vsClass3.cer usbfx2lk.sys

Done Adding Additional Store

Attempting to sign: usbfx2lk.sys
Successfully signed and timestamped: usbfx2lk.sys

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

Oh, the excitement. I went on to sign the CAT file with similar results.

As previously noted, check out the walkthrough document – While not great, this document is actually very helpful: http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

Finally, be sure to get the RIGHT cross certs (the ones available before WinHEC were broken) from: http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

We’ll definitely write something up in the September/October issue of The NT Insider on this (the next issue is the July/August issue, which is presently at the printer… we refuse to let go of August here at OSR).

Peter
OSR

Congratulations!

So .PFX files still can’t be used directly. Oh well. The error message implicates something bad about signtools developers.

Instead of -n parameter we use -sha1 for certificate selection. The hash value is unique and you won’t end with files signed by wrong certificate (as I saw several times). BTW, have you verified a) your binaries and catalogs are signed correctly (signtool verify /kp and /pa) and b) OS also believes so? The most frustrating part of my experience was when all tools succeeded and the result didn’t work.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
Reply To: Windows System Software Devs Interest List
Sent: Tuesday, September 12, 2006 11:44 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] nointegritychecks boot options is gone in Vista RC1

Success!

Using the July 6th walkthrough (URL below), and a lot of patience, I was actually able to sign both a .sys and .cat file with our Verisign release signing cert this afternoon.

After converting the .SPC/.PVK pair to a .PFX file, I *thought* I was ready to rock. BUT, I was not able to use a .PFX file directly with signtool when using a cross cert. I got:

D:\signing\driver>signtool sign /f osrc3.pfx /p 29840ow /v /t http://timestamp.verisign.com/scripts/timestamp.dll /ac mscv-vsClass3.cer usbfx2lk.sys

SignTool Error: The /f option is incompatible with the /ac option.

Sooooo… I had to add the .PFX to my private cert store (wasn’t this supposed to be fixed after Beta 2??). After putting your cert into the private cert store, you need to get the certificate’s NAME (start certmgr.msc, double click the cert, select details, and find CN=xxxxxx – That xxxxxx is the cert name to use with SIGNTOOL. Any spaces in the name? Be sure to enclose the name in QUOTES.

After that… it was as easy as:

D:\signing\driver>signtool sign /n "OSR Open Systems Resources, Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll /ac mscv-vsClass3.cer usbfx2lk.sys

Done Adding Additional Store

Attempting to sign: usbfx2lk.sys
Successfully signed and timestamped: usbfx2lk.sys

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

Oh, the excitement. I went on to sign the CAT file with similar results.

As previously noted, check out the walkthrough document – While not great, this document is actually very helpful: http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

Finally, be sure to get the RIGHT cross certs (the ones available before WinHEC were broken) from: http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

We’ll definitely write something up in the September/October issue of The NT Insider on this (the next issue is the July/August issue, which is presently at the printer… we refuse to let go of August here at OSR).

Peter
OSR
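
The certificate-by-hash selection and the post-signing checks raised in the reply above, written out as an added example (this is not a script posted by anyone in the thread). It assumes signtool.exe is on PATH and the certificate is already in the CurrentUser\My store; the thumbprint is a constructed placeholder and the catalog name usbfx2lk.cat is assumed, while the cross cert, timestamp URL and driver name are the ones quoted in the thread.

```powershell
# Added example: sign by SHA-1 thumbprint, then prove the result was signed by
# the intended certificate before trusting a "Successfully signed" message.
param(
    # Constructed placeholder: replace with the thumbprint shown in certmgr.msc.
    [string]$Thumbprint = '0000000000000000000000000000000000000000',
    [string]$CrossCert  = 'mscv-vsClass3.cer',   # cross cert named in the thread
    [string]$Timestamp  = 'http://timestamp.verisign.com/scripts/timestamp.dll',
    [string]$Driver     = 'usbfx2lk.sys',        # driver named in the thread
    [string]$Catalog    = 'usbfx2lk.cat'         # assumed catalog file name
)

$ErrorActionPreference = 'Stop'
# certmgr.msc displays the hash with spaces; normalise before comparing.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# 1. Resolve exactly one certificate by hash. Subject names (/n) can match
#    several certificates; a thumbprint cannot.
$cert = @(Get-ChildItem Cert:\CurrentUser\My |
          Where-Object { $_.Thumbprint -eq $Thumbprint })
if ($cert.Count -ne 1)        { throw "Expected one certificate with thumbprint $Thumbprint, found $($cert.Count)" }
if (-not $cert[0].HasPrivateKey)        { throw "Certificate has no private key in this store" }
if ($cert[0].NotAfter -lt (Get-Date))   { throw "Certificate expired on $($cert[0].NotAfter)" }

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 2. Sign the driver binary and the catalog with the same certificate.
foreach ($file in $Driver, $Catalog) {
    Invoke-SignTool @('sign', '/v', '/sha1', $Thumbprint,
                      '/ac', $CrossCert, '/t', $Timestamp, $file)

    # 3. Read the signature back and compare the signer to what was requested.
    #    This catches files that ended up signed by the wrong certificate.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($null -eq $sig.SignerCertificate) {
        throw "$file carries no signature after signing"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "$file was signed by $($sig.SignerCertificate.Thumbprint), not $Thumbprint"
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "$file is signed but not timestamped"
    }
}

# 4. Policy checks mentioned in the thread:
#    /kp = kernel-mode driver signing policy, /pa = default Authenticode policy.
Invoke-SignTool @('verify', '/kp', '/v', $Driver)                   # embedded signature
Invoke-SignTool @('verify', '/kp', '/v', '/c', $Catalog, $Driver)   # catalog covers driver
Invoke-SignTool @('verify', '/pa', '/v', $Driver)

Write-Output "Signed and verified: $Driver, $Catalog"
```

Passing these checks only shows that the tools agree with each other; loading the driver on an x64 test machine remains the final check.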



I didn’t do a “signtool verify” but I put the driver package (.sys, .cat, and .inf) onto an RC1 x86 machine, and it installed without any problem.

Here at OSR, we typically use a USB-based smart-card called an eToken to hold our certificates. Now, if I could just figure out how to sign a driver using a cert on an eToken, I’d be satisfied. I can sign the driver with the cert from the eToken using “signtool signwizard” – but it won’t let me specify the cross cert. And I can’t seem to get signtool to successfully grab the cert from the eToken via the command line (some of the parameters described in the on-line help don’t even appear to be valid).

Fun, fun, fun… but at least it’s progress,

Peter
OSR

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, September 13, 2006 1:49 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] nointegritychecks boot options is gone in Vista RC1

I didn’t do a “signtool verify” but I put the driver package (.sys, .cat, and .inf) onto an RC1 x86 machine, and it installed without any problem.

Everything installs at x86 without any problem :-) The real test is installation at x64 machine.

Here at OSR, we typically use a USB-based smart-card called an eToken to hold our certificates. Now, if I could just figure out how to sign a driver using a cert on an eToken, I’d be satisfied. I can sign the driver with the cert from the eToken using “signtool signwizard” – but it won’t let me specify the cross cert.

Yes, the same experience. It is fascinating how is the tool inconsistent. I tried to report it long time before in beta program with no results.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Yes, test signing works- heard from a co-worker who uses this often.

Actually this is good news. “Smart” apps won’t be able to silently drop
various kernel hooks and rootkits without my approval, even from
admin account. They will have all their driver stuff unpacked so that user
could easily sign it. Time of miracles has gone, now it’s time of
security, annoyances…

–PA


> > I didn’t do a “signtool verify” but I put the driver package (.sys, .cat, and .inf)
> > onto an RC1 x86 machine, and it installed without any problem.
>
> Everything installs at x86 without any problem :-) The real test is
> installation at x64 machine.

I’ve tested on an x64 machine, and can confirm that signing works. I
tested with both a “real” Verisign cert (and Microsoft cross cert), and
with a self-signed cert in testsigning mode.

–John

P.S. The signability tool in the WDK is not designed for integration
with automated build processes (e.g. it leaves a notepad window open
after you run it). inf2cat is MUCH nicer. inf2cat is part of the new
Winqual Submission Tool, but it can also be used separately. See
https://winqual.microsoft.com/Help/Inf2cat_FAQ.htm.

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of McNamee, John[SMTP:john.mcnamee@hp.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, September 13, 2006 3:24 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] nointegritychecks boot options is gone in Vista RC1

P.S. The signability tool in the WDK is not designed for integration
with automated build processes (e.g. it leaves a notepad window open
after you run it). inf2cat is MUCH nicer. inf2cat is part of the new
Winqual Submission Tool, but it can also be used separately. See
https://winqual.microsoft.com/Help/Inf2cat_FAQ.htm.

Thanks! I hate signability tool and the notepad window is only one of reasons. If inf2cat can replace it, it’d solve one signing PITA. Yes, we use automated build engine and signing (currently only binaries) is part of the process.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]