Fandom

coLinux

Dashboard for developing a 64 bit coLinux/Driver Signing

< Dashboard for developing a 64 bit coLinux

237pages on
this wiki
Add New Page
Talk0 Share

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.

Driver SigningEdit

Driver Signing ChecklistEdit

Here is a walkthrough for the process: Kernel-Mode Code Signing Walkthrough

Basically, you need to do:

  • Install the WDK
  • Create your own certificate and get it signed by one of the approved vendors; see Cross-Certificate Vendors
  • Download the Cross-Certificate for the vendor you used (see above)
  • Import your certificate and the cross-certificate into your local certificate store (right click each and click "Install")
  • Use the "inf2cat" tool (from the WDK) to create a .cat file for your .inf and related files:
inf2cat.exe /driver:C:\path\to\the\driver\dir\ /os:XP_X86,XP_X64,<all the OS variants you want to support>
  • Double click the .cat file to see that it is valid, but not signed
  • Use the "signtool" tool (from the WDK) to sign the .cat file with your certificate:
signtool.exe sign /v /ac <Cross-Certificate.cer> /sha1 <sha1 hash of your own certificate> \
     /t <your cross-certificate vendor's timestamp URL> <all the inf and executable files>
  • Double click the .cat file to see that it is valid and signed

ExampleEdit

This example assumes you've set up your PATH to include the tools automatically. Or you can use the full path to the tool.

The hashes and such have been changed to protect the innocent!

First we create the .cat file

C:\> inf2cat /driver:.\my-drivers\ /os:XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64
 ..................................................................
 Signability test complete.
 
 Errors:
 None
 
 Warnings:
 None
 
 Catalog generation complete.
 C:\my-drivers\test.cat

Then we sign it using the VeriSign cross-certificate

C:\> cd my-drivers
 C:\> signtool sign /v /ac MSCV-VSClass3.cer /sha1 D1BA2F35B069C02F53A9CE06435842EE5E5254F9 \
               /t http://timestamp.verisign.com/scripts/timstamp.dll *
 The following certificate was selected:
     Issued to: My Special Company
     Issued by: VeriSign Class 3 Code Signing 2009-2 CA
     Expires:   Fri Dec 02 08:01:08 2010
     SHA1 hash: D1BA2F35B069C02F53A9CE06435842EE5E5254F9
 
 Cross certificate chain (using machine store):
     Issued to: Microsoft Code Verification Root
     Issued by: Microsoft Code Verification Root
     Expires:   Sat Nov 01 08:54:03 2025
     SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
 
         Issued to: Class 3 Public Primary Certification Authority
         Issued by: Microsoft Code Verification Root
         Expires:   Mon May 23 12:11:29 2016
         SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
 
             Issued to: VeriSign Class 3 Code Signing 2009-2 CA
             Issued by: Class 3 Public Primary Certification Authority
             Expires:   Mon May 20 18:59:59 2019
             SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
 
                 Issued to: My Special Company
                 Issued by: VeriSign Class 3 Code Signing 2009-2 CA
                 Expires:   Fri Dec 02 08:01:08 2010
                 SHA1 hash: D1BA2F35B069C02F53A9CE06435842EE5E5254F9
 
 Done Adding Additional Store
 Successfully signed and timestamped: DPInst.exe
 Successfully signed and timestamped: test.cat
 SignTool Error: This file format cannot be signed because it is not recognized.
 SignTool Error: An error occurred while attempting to sign: test.inf
 Successfully signed and timestamped: test.dll
 Successfully signed and timestamped: test.sys
 
 Number of files successfully Signed: 4
 Number of warnings: 0
 Number of errors: 1

The errors about not being able to sign non-executable files can be safely ignored. If the exact files were specified instead of just globbing everything with *, you wouldn't see any errors, but simply using * makes scripts simpler.

Or we can even do this step under Linux using Mono's signcode program:

$ cd my-drivers
 $ signcode -spc my.spc -v my.pvk \
            -t http://timestamp.verisign.com/scripts/timstamp.dll \
            `find . -name '*.cat'` \
            `find . -type f -exec file {} + | grep ':.*PE' | cut -d: -f1`

While the Windows signtool is forgiving of non-signable files, Mono's signcode will abort as soon as it finds one. So we limit the signed list to catalog files (.cat) and PE programs (.dll/.exe/.sys/etc...).

Also on Fandom

Random Wiki