Digital sign a driver for XP and Vista
- From: Elvandar <gas_NOSPAMmarco@xxxxxxxxxxxxxxx>
- Date: Wed, 08 Apr 2009 17:30:54 +0200
Hi all.
My company has just bought a Class 3 certificate from Verisign to digitally sign some drivers.
The driver is made up of a .inf file, a .sys file and a .dll file.
I'm currently using WinDDK build 6000 under Windows XP Professional 32 bit SP3 to sign the drivers.
The procedure followed to sign the driver is this:
* Created the PFX key-file from our public SPC certificate
* Added the PFX certificate to Personal certificate store in Windows
* Downloaded the cross-certificate from Microsoft: MSCV-VSClass3.cer
* Generated the Catalog file from the .inf file using inf2cat in this way:
inf2cat.exe /driver:D:\Progetti\MyProd\Driver_32\ /os:2000,XP_X86,Vista_X86
The cat file is generated without errors or warnings.
* Signed the catalog file using SignTool.exe:
signtool.exe sign /ac d:\Progetti\MyProd\Class3Cert\MSCV-VSClass3.cer /s MY /n %MyCompanyName% /t http://timestamp.verisign.com/scripts/timstamp.dll MyProd.cat
The process ends with this message:
"Done Adding Additional Store
Successfully signed and timestamped: MyProd.cat"
* Verified the signing process using SignTool:
signtool.exe verify /kp /v /c MyProd.cat libusb.sys
signtool.exe verify /kp /v /c MyProd.cat libusb.dll
Everything works well, the sign chain shown is this (for both files):
Verifying: libusb.sys
File is signed in catalog: MyProd.cat
Signing Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 01/11/2025 15.54.03
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: 23/05/2016 19.11.29
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 16/07/2014 1.59.59
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Issued to: %MyCompanyName%
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 25/03/2010 1.59.59
SHA1 hash: 6E3724050DCA7FA2627DD025A7801FFACE1CC4C2
The signature is timestamped: 08/04/2009 16.57.57
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 01/01/2021 1.59.59
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 04/12/2013 1.59.59
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 15/06/2012 1.59.59
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Successfully verified: libusb.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
* Verified the sign chain using SignTool.exe (for both files):
signtool.exe verify /pa /v /c MyProd.cat libusb.sys
signtool.exe verify /pa /v /c MyProd.cat libusb.dll
Verifying: libusb.sys
File is signed in catalog: MyProd.cat
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 02/08/2028 1.59.59
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2
Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 16/07/2014 1.59.59
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Issued to: %MyCompanyName%
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 25/03/2010 1.59.59
SHA1 hash: 6E3724050DCA7FA2627DD025A7801FFACE1CC4C2
The signature is timestamped: 08/04/2009 16.57.57
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 01/01/2021 1.59.59
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 04/12/2013 1.59.59
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 15/06/2012 1.59.59
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Successfully verified: libusb.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
So, the driver seems to be signed correctly. In fact, if I right-click on the catalog file, choose "properties" and go to the "Digital sign" tab, the sign is shown with the timestamp and my company name.
Now, the problem is that under Windows Vista the driver is correctly recognized as digitally signed, both 32 bit and 64 bit (above I showed the process for the 32-bit version, but I did the same for the 64-bit version using Inf2Cat with /os:XP_X64,Vista_X64), and it installs without any problem, but in Windows XP the driver isn't recognized as digitally signed! If I go to the device manager and check the driver properties for my device Windows says that it isn't signed...
Did I do something wrong? Is there any other operation to do in order to make the driver correctly recognized by Windows XP? I also tried using the old Signability.exe to create the catalog file, but same result.
Thanks to all that can help me, and sorry for this long post!!
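
An added example, not part of the original post: a small Python parser for the verbose `signtool verify` output shown above. It makes the difference between the two runs explicit: the `/kp` chain ends at Microsoft Code Verification Root through the cross-certificate, while the `/pa` chain ends at the self-signed Class 3 root. The function names are hypothetical, and the date format is assumed to match the locale of the output in the post.

```python
from datetime import datetime

# Signer-chain lines excerpted from the two verify runs in the post (hash lines omitted).
TAIL = """\
Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 16/07/2014 1.59.59
Issued to: %MyCompanyName%
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 25/03/2010 1.59.59
The signature is timestamped: 08/04/2009 16.57.57
"""
KP_RUN = """\
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 01/11/2025 15.54.03
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: 23/05/2016 19.11.29
""" + TAIL
PA_RUN = """\
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 02/08/2028 1.59.59
""" + TAIL

def parse_chain(text):
    """Signer chain, root first; stops before the timestamp chain."""
    chain = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "The signature is timestamped":
            break
        if key == "Issued to":
            chain.append({"subject": value})
        elif key == "Issued by" and chain:
            chain[-1]["issuer"] = value
        elif key == "Expires" and chain:
            chain[-1]["expires"] = datetime.strptime(value, "%d/%m/%Y %H.%M.%S")
    return chain

def summarize(text):
    chain = parse_chain(text)
    return {
        "root": chain[0]["subject"],
        "linked": all(c["issuer"] == p["subject"] for p, c in zip(chain, chain[1:])),
        "first_expiry": min(c["expires"] for c in chain),
    }
```

Comparing `summarize(KP_RUN)` with `summarize(PA_RUN)` shows which root each verification policy anchored to and which certificate in the signer chain expires first.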