Re: 2008 x64 signing
- From: "Maxim S. Shatskih" <maxim@xxxxxxxxxxxxxxxx>
- Date: Fri, 23 May 2008 18:00:27 +0400
Try signing the binary itself instead of the CAT file.
--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@xxxxxxxxxxxxxxxx
http://www.storagecraft.com
"muriwai" <muriwai@xxxxxxxxxxxxx> wrote in message
news:uM0oa$LvIHA.4876@xxxxxxxxxxxxxxxxxxxxxxx
"Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxxxxxx> wrote in message
news:%23MNk341uIHA.5472@xxxxxxxxxxxxxxxxxxxxxxx
On vista x64 and 2k8 x64, drivers should either be WHQL signed or signed
with a third-party certificate + cross-signing. I have at least a couple of
drivers that are signed the latter way.
Well, it does not seem to be the case. During installation, my tape driver
is displayed as signed by my company.
Once installed, the driver fails to start - "Windows cannot load the device
driver for this hardware. The driver may be corrupted or missing (Code 39)".
The CodeIntegrity log displays "3004 Windows is unable to verify the image
integrity of the file
\Device\HarddiskVolume1\Windows\System32\drivers\MyDriver.sys because file
hash could not be found on the system. A recent hardware or software change
might have installed a file that is signed incorrectly or damaged, or that
might be malicious software from an unknown source."
When I do "bcdedit -set TESTSIGNING ON" and restart, the driver starts up
OK.
When I do "bcdedit -set TESTSIGNING OFF" and restart, the driver fails to
start.
In both cases, Windows displays "Digital signer: My Company" in the driver's
properties.
I sign the CAT file with:
c:\winddk\6001.18001\BIN\catalog\signtool.exe sign /ac
c:\CrossCertificates\MSCV-VSClass3.cer /du "http://www.company.com"
/n "Company Name" /t "http://timestamp.verisign.com/scripts/timstamp.dll"
MyDriver.cat
I verify the signature with:
SignTool verify /kp /v /c MyDriver.cat MyDriver.sys
It looks like it wants ONLY WHQL-signed drivers.
I also suspect that the cross-certificate doesn't get embedded into the
signature. SignTool produces a file of the same length regardless of whether
the "/ac MSCV-VSClass3.cer" option is specified or not. How do I verify the
cross-certificate is there?
Thanks,
Andrew
"Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxxxxxx> wrote in message
news:%23MNk341uIHA.5472@xxxxxxxxxxxxxxxxxxxxxxx
"muriwai" <muriwai@xxxxxxxxxxxxx> wrote in message
news:edL9JKsuIHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I had the impression that I need to get a WHQL signature to have my
driver loaded on Server 2008 x64.
After carefully studying the latest DDK documentation along with the
white paper
http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/kmsigning.doc
I started to think that an SPC from Verisign with a cross-certificate is
enough, as long as the Windows Logo is not required, even for the drivers
for which there's a WHQL test.
ms-help://MS.WDK.v10.6001.071220/DevInst_d/hh/DevInst_d/driver-signing-over_838ed908-96ff-411c-a5f3-c253e7e7cb53.xml.htm
"To be considered signed by PnP device installation, the catalog file of
the driver must be signed by WHQL ***or*** signed by a third-party
release certificate (a Software Publisher Certificate (SPC) or a
commercial release certificate). A WHQL release signature ***should***
(not MUST) be used if one can be obtained. "
"Note also that for 64-bit versions of Windows Server 2008 and Windows
Vista, the kernel-mode code signing policy further requires that a
kernel-mode driver be signed by WHQL ***or*** by an SPC"
I did a quick test and my non-boot driver doesn't get loaded on Windows
2008 x64 even when it has an embedded SPC signature and an SPC-signed
.CAT file, both with the cross certificate. 2008 x64 doesn't even
recognize the INF as valid (it works fine on 2003 x64).
Where's the truth?
On vista x64 and 2k8 x64, drivers should either be WHQL signed or signed
with a third certificate+cross signing. I have at least a couple of
drivers that are in the latter way.
Did you follow the instructions at
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx to
sign your driver?
It's my understanding that you signed both the binary and the CAT file.
You need to sign just one of them. If you sign both (binary and CAT) you
need to be careful to generate the CAT file *after* you have signed the
binary, otherwise the CAT file does not contain the right hash for the
binary.
Have a nice day
GV
--
Gianluca Varenni, Windows DDK MVP
CACE Technologies
http://www.cacetech.com
Thanks
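Andrew's open question above is how to tell whether the "/ac MSCV-VSClass3.cer" cross-certificate actually ended up in the signature. The script below is an added example written for this archive page; it is not code posted by anyone in the thread. It decodes the PKCS#7 SignedData that a .cat file consists of, or that a signed PE (.sys) carries in its security directory, and lists the certificates embedded in it. The Microsoft cross-certificates that signtool /ac adds are issued by "Microsoft Code Verification Root", so if no embedded certificate has that issuer, the cross-certificate was not included. The file paths in the usage comment are assumptions.

```powershell
# Added example for this thread (not any poster's code): list the certificates
# embedded in an Authenticode signature and flag the Microsoft cross-certificate.
# Works on a .cat file (the whole file is DER PKCS#7 SignedData) and on a signed
# PE image such as MyDriver.sys (WIN_CERTIFICATE blob in the security directory).
# The issuer CN checked below is that of the MSCV-*.cer cross-certificates.

Add-Type -AssemblyName System.Security

function Get-AuthenticodePkcs7Bytes {
    param([Parameter(Mandatory = $true)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)

    # A catalog file is itself the PKCS#7 SignedData blob.
    if ([IO.Path]::GetExtension($Path) -ieq '.cat') { return $bytes }

    # Otherwise treat the file as PE: e_lfanew at 0x3C points at "PE\0\0",
    # followed by the 20-byte COFF header and then the optional header.
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOff) -ne 0x00004550) {
        throw "Not a PE image: $Path"
    }
    $optOff = $peOff + 4 + 20
    $magic  = [BitConverter]::ToUInt16($bytes, $optOff)
    # The data directory array starts at a different offset for PE32 and PE32+.
    switch ($magic) {
        0x10b   { $ddOff = $optOff + 96 }   # PE32
        0x20b   { $ddOff = $optOff + 112 }  # PE32+ (x64 drivers)
        default { throw ('Unknown optional header magic 0x{0:X}' -f $magic) }
    }
    # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4; its "RVA" is really a file offset.
    $secDir   = $ddOff + 4 * 8
    $certOff  = [int][BitConverter]::ToUInt32($bytes, $secDir)
    $certSize = [int][BitConverter]::ToUInt32($bytes, $secDir + 4)
    if ($certOff -eq 0 -or $certSize -eq 0) {
        throw "No embedded Authenticode signature in $Path"
    }

    # WIN_CERTIFICATE { DWORD dwLength; WORD wRevision; WORD wCertificateType; BYTE bCertificate[] }
    $dwLength = [int][BitConverter]::ToUInt32($bytes, $certOff)
    $certType = [BitConverter]::ToUInt16($bytes, $certOff + 6)
    if ($certType -ne 0x0002) {   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        throw ('Unexpected WIN_CERTIFICATE type 0x{0:X}' -f $certType)
    }
    $pkcs7 = New-Object byte[] ($dwLength - 8)
    [Array]::Copy($bytes, $certOff + 8, $pkcs7, 0, $pkcs7.Length)
    return $pkcs7
}

function Test-CrossCertEmbedded {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Issuer CN shared by the Microsoft cross-certificates (e.g. MSCV-VSClass3.cer)
        [string]$CrossCertIssuerCN = 'Microsoft Code Verification Root'
    )
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode((Get-AuthenticodePkcs7Bytes -Path $Path))

    $certs = @()
    $found = $false
    foreach ($c in $cms.Certificates) {
        $isCross = ($c.Issuer -like "*CN=$CrossCertIssuerCN*")
        if ($isCross) { $found = $true }
        $certs += New-Object PSObject -Property @{
            Subject   = $c.Subject
            Issuer    = $c.Issuer
            CrossCert = $isCross
        }
    }
    New-Object PSObject -Property @{
        File             = $Path
        Signers          = $cms.SignerInfos.Count
        EmbeddedCerts    = $certs
        CrossCertPresent = $found
    }
}

# Usage (assumed paths):
#   Test-CrossCertEmbedded -Path 'C:\build\MyDriver.cat' | Format-List
#   (Test-CrossCertEmbedded -Path 'C:\build\MyDriver.sys').EmbeddedCerts |
#       Format-Table Subject, Issuer, CrossCert -AutoSize
```

CrossCertPresent tells you only whether the cross-certificate is in the signature's certificate bag. Whether the chain actually satisfies the x64 kernel-mode policy is what "signtool verify /kp /v" checks, as used earlier in the thread; with the cross-certificate present, the chain it prints should end at Microsoft Code Verification Root rather than at the VeriSign root.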