coLinux

Driver Signing

Driver Signing Checklist

A full walkthrough of the process is the Kernel-Mode Code Signing Walkthrough.

In outline, the steps are:

  • Install the WDK
  • Create your own certificate and have it signed by one of the approved vendors; see Cross-Certificate Vendors
  • Download the cross-certificate for the vendor you used (see above)
  • Import your certificate and the cross-certificate into your local certificate store (right-click each and choose "Install")
  • Use the "inf2cat" tool (from the WDK) to create a .cat file for your .inf and related files:
inf2cat.exe /driver:C:\path\to\the\driver\dir\ /os:XP_X86,XP_X64,<all the OS variants you want to support>
  • Double-click the .cat file to confirm that it is valid but not yet signed
  • Use the "signtool" tool (from the WDK) to sign the .cat file and the executables with your certificate (the trailing ^ is the cmd.exe line-continuation character):
signtool.exe sign /v /ac <Cross-Certificate.cer> /sha1 <sha1 hash of your own certificate> ^
     /t <your cross-certificate vendor's timestamp URL> <the .cat file and all executable files>
  • Double-click the .cat file to confirm that it is valid and signed

Example

This example assumes the WDK tools are on your PATH; otherwise use the full path to each tool.

The hashes and such have been changed to protect the innocent!

First we create the .cat file:

C:\> inf2cat /driver:.\my-drivers\ /os:XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64
..................................................................
Signability test complete.

Errors:
None

Warnings:
None

Catalog generation complete.
C:\my-drivers\test.cat

Then we sign it using the VeriSign cross-certificate:

C:\> cd my-drivers
C:\> signtool sign /v /ac MSCV-VSClass3.cer /sha1 D1BA2F35B069C02F53A9CE06435842EE5E5254F9 ^
               /t http://timestamp.verisign.com/scripts/timstamp.dll *
The following certificate was selected:
    Issued to: My Special Company
    Issued by: VeriSign Class 3 Code Signing 2009-2 CA
    Expires:   Fri Dec 02 08:01:08 2010
    SHA1 hash: D1BA2F35B069C02F53A9CE06435842EE5E5254F9

Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 08:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: Class 3 Public Primary Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Mon May 23 12:11:29 2016
        SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

            Issued to: VeriSign Class 3 Code Signing 2009-2 CA
            Issued by: Class 3 Public Primary Certification Authority
            Expires:   Mon May 20 18:59:59 2019
            SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

                Issued to: My Special Company
                Issued by: VeriSign Class 3 Code Signing 2009-2 CA
                Expires:   Fri Dec 02 08:01:08 2010
                SHA1 hash: D1BA2F35B069C02F53A9CE06435842EE5E5254F9

Done Adding Additional Store
Successfully signed and timestamped: DPInst.exe
Successfully signed and timestamped: test.cat
SignTool Error: This file format cannot be signed because it is not recognized.
SignTool Error: An error occurred while attempting to sign: test.inf
Successfully signed and timestamped: test.dll
Successfully signed and timestamped: test.sys

Number of files successfully Signed: 4
Number of warnings: 0
Number of errors: 1

The error for the non-executable file (here test.inf) can be safely ignored: the .inf is not signed directly but is covered by the signed catalog, which holds its hash. If you list the exact files instead of globbing everything with *, you won't see any errors, but simply using * keeps scripts simpler.

Alternatively, this step can be done under Linux using Mono's signcode program:

$ cd my-drivers
$ signcode -spc my.spc -v my.pvk \
           -t http://timestamp.verisign.com/scripts/timstamp.dll \
           `find . -name '*.cat'` \
           `find . -type f -exec file {} + | grep ':.*PE' | cut -d: -f1`

While the Windows signtool merely reports an error for a file it cannot sign and carries on, Mono's signcode aborts as soon as it hits one, so the file list is restricted to catalog files (.cat) and PE images (.dll, .exe, .sys and so on).
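The filtering step above, written out as an added example (this is not code from the coLinux wiki or from Mono): it selects .cat files by name and PE images by content, checking the "MZ" DOS header and the "PE\0\0" signature at the offset stored in e_lfanew instead of grepping the text output of file(1), so a text file that happens to begin with "MZ", a file too short to hold a DOS header, or one whose e_lfanew points past the end are all left out and never reach signcode. The sample directory, its file names and contents, and the sign_with_signcode wrapper are constructed for the demonstration; signcode itself is only invoked if it is installed, and od(1) reading e_lfanew in native byte order assumes a little-endian host.

```shell
#!/bin/sh
# Added example for this wiki page; it is not coLinux or Mono project code.
# Picks out the files Mono's signcode can handle: .cat catalogs (by name) and
# PE images (by content), so .inf files, text files and anything else that
# would make signcode abort never reach it. Assumes a little-endian host,
# because od(1) reads e_lfanew in native byte order.

# is_pe FILE: succeed when FILE starts with the "MZ" DOS header and carries a
# "PE\0\0" signature at the offset stored in e_lfanew (4 bytes at 0x3c).
is_pe() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 64 ] || return 1                 # too short for a DOS header
    [ "$(head -c 2 "$f")" = "MZ" ] || return 1
    pe_off=$(od -An -t u4 -j 60 -N 4 "$f" | tr -d ' ')
    case $pe_off in
        ''|*[!0-9]*) return 1 ;;                   # e_lfanew is not a number
    esac
    [ $((pe_off + 4)) -le "$size" ] || return 1    # e_lfanew points past EOF
    [ "$(od -An -c -j "$pe_off" -N 4 "$f" | tr -d ' ')" = 'PE\0\0' ]
}

# signable_files DIR: print, one per line, the files under DIR that signcode
# should be given: every *.cat plus every file that passes is_pe.
signable_files() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        case $f in
            *.cat) printf '%s\n' "$f" ;;
            *) if is_pe "$f"; then printf '%s\n' "$f"; fi ;;
        esac
    done
}

# sign_with_signcode DIR SPC PVK: the wiki's signcode call, fed the filtered
# list. Paths must not contain whitespace (same limitation as the original
# backtick version). Only runs signcode if it is installed.
sign_with_signcode() {
    d=$1 spc=$2 pvk=$3
    files=$(signable_files "$d")
    [ -n "$files" ] || { echo "nothing to sign under $d" >&2; return 1; }
    if command -v signcode >/dev/null 2>&1; then
        # shellcheck disable=SC2086  # splitting $files on newlines is intended
        signcode -spc "$spc" -v "$pvk" \
            -t http://timestamp.verisign.com/scripts/timstamp.dll $files
    else
        printf 'signcode not installed; would sign:\n%s\n' "$files"
    fi
}

# make_sample_dir DIR: constructed stand-in for a driver directory. The "PE"
# files are 68-byte stubs: MZ header, e_lfanew = 0x40, PE signature at 0x40.
# They are not real executables, and test.cat is a placeholder, not a catalog.
make_sample_dir() {
    d=$1
    mkdir -p "$d"
    for name in test.sys test.dll DPInst.exe; do
        {
            printf 'MZ'
            head -c 58 /dev/zero            # zero-fill up to offset 0x3c
            printf '\100\000\000\000'       # e_lfanew = 0x00000040, little-endian
            printf 'PE\000\000'             # PE signature at offset 0x40
        } > "$d/$name"
    done
    printf 'constructed catalog placeholder\n' > "$d/test.cat"
    printf '[Version]\nSignature="$Windows NT$"\n' > "$d/test.inf"
    printf 'MZ is just text here\n' > "$d/readme.txt"        # MZ prefix, but too short
    { printf 'MZ'; head -c 66 /dev/zero | tr '\000' x; } > "$d/bogus.bin"  # e_lfanew past EOF
}

# Demo: list what would be handed to signcode for the constructed directory.
demo=$(mktemp -d)
make_sample_dir "$demo"
signable_files "$demo"
rm -rf "$demo"
```

Run it as a script to see the four files (DPInst.exe, test.cat, test.dll, test.sys) that would be passed on, with test.inf, readme.txt and bogus.bin filtered out; point sign_with_signcode at a real driver directory and your .spc/.pvk pair to perform the signing.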
