/Integritycheck ,driver signing and test certificate

Taras_Malivanchuk · February 1, 2016, 11:11am

Encountered such problem. A driver is compiled with /integritycheck to get access to some API and test digital signature.
In Win7x64 after regular boot and “bcdedit.exe -set TESTSIGNING ON” everything works OK.
In Win7x32, 32-bit version of same driver, after regular boot and “bcdedit.exe -set TESTSIGNING ON” - driver not loaded because of signature check failure, at least OSRLoader writes so. Driver compiled without /integritycheck - loaded fine in same environment.
After boot with disabled driver signature check- driver loaded OK.

Tim_Roberts · February 1, 2016, 1:52pm

xxxxx@gmail.com wrote:

Encountered such problem. A driver is compiled with /integritycheck to get access to some API and test digital signature.
In Win7x64 after regular boot and “bcdedit.exe -set TESTSIGNING ON” everything works OK.
In Win7x32, 32-bit version of same driver, after regular boot and “bcdedit.exe -set TESTSIGNING ON” - driver not loaded because of signature check failure, at least OSRLoader writes so. Driver compiled without /integritycheck - loaded fine in same environment.
After boot with disabled driver signature check- driver loaded OK.

I may be misreading your description, but it is a fact that “bcdedit”
changes do not take effect until the next boot. If it worked in your
64-bit system, then you just have had testingsigning already enabled, or
perhaps had a kernel debugger attached.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Maxim_S_Shatskih · February 1, 2016, 3:15pm

> In Win7x32, 32-bit version of same driver

Just do not do KMCS with a test certificate for this OS. The worst you will get is the failure event from Ci in Security log.

Just plain debug and test unsigned driver, and then do the real KMCS signing for a shipping binary just to be cultural. You can re-test the signed binary once more if you want.

Test signing on Win7x32 serves no purpose except suppressing a single insignificant (during the developer’s testing) event being logged.

–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Taras_Malivanchuk · February 2, 2016, 7:43am

I need signed driver for /integritycheck compilation, that is needed for PsSetCreateProcessNotifyRoutineEx.

but it is a fact that “bcdedit” changes do not take effect until the next boot.

Thanks , this was the point! Now Win7x32 works OK.