Test Signing Windows Drivers Guide

The document provides instructions for signing drivers using the Windows Device Driver Kit, including creating a test certificate and signing drivers for testing and production. It details the necessary commands and steps for both test signing with a self-created certificate and release signing with a Software Publisher Certificate from a commercial authority. Additionally, it emphasizes the importance of ensuring no Windows 2000 INF files are present in the signing directory and provides links for further guidance on obtaining certificates.

Uploaded by

Vũ Ngô Quốc

Test Signing the Drivers
------------------------

Signing the drivers requires Windows Device Driver Kit version 7600.16385.1
or later. The following commands should be executed in a tree containing the
INF files you want to sign. Note that Windows 2000 INF file syntax is not
understood by inf2cat. Since inf2cat operates recursively on all directories
below the one it is executed in, it is important to ensure that no Windows 2000
INF files exist anywhere in that subtree.

This information is derived from a Microsoft document named "Code Signing Best
Practices" which can be found at
[Link]
best_practices.doc

This file contains instructions on test signing drivers using a certificate
that you create yourself and also production signing drivers using a
certificate issued by a trusted commercial certificate authority.

Creating a test certificate
---------------------------

Prior to running the signtool command, you must create a test certificate for
use in signing your drivers and install this certificate on your machine. This
need only be done once using the following commands from a Windows Device
Driver Kit build environment command prompt:

1. [Link] -$ individual -r -pe -ss TestCertStore -n CN="<YourTestCertificateName>" [Link]

where you replace <YourTestCertificateName> with a string identifying the
certificate source and the fact that it is a test certificate. An example may
be "Company XYZ Software Test Certificate".

2. CertMgr -add [Link] -s -r localMachine root

to add the newly created certificate to your machine's local store.

Test Signing the Drivers
------------------------

In a directory containing all the INF files for drivers you wish to sign,
execute the following commands:

1. Build catalog files for each driver with the command:

inf2cat /driver:. /os:7_X64,7_X86,Vista_X64,Vista_X86,XP_X86,XP_X64

2. Sign the catalog files with our software test certificate:

signtool sign /v /s TestCertStore /n "<YourTestCertificateName>" /t [Link] [Link]

calling this tool once for each of the cat files generated by inf2cat. This
assumes that the "<YourTestCertificateName>" certificate has been installed
on your build machine in the TestCertStore certificate store.

Release Signing Drivers
-----------------------

Release signing drivers involves the use of a Software Publisher Certificate
(SPC) issued by a commercial certificate authority (CA). See

[Link]

for information on obtaining such a certificate.

To set up your build machine with the correct certificates, do the
following. This only needs to be done once (or whenever your signing
certificate expires and needs to be updated).

1. Obtain a Software Publisher Certificate. This may be provided in the form
of a Personal Information Exchange (.pfx) file or as an .spc file containing
the certificate and a separate .pvk file containing the private key.

2. If you received a .spc file and a .pvk file, convert them to a .pfx
file as described in

[Link]

The required command will look something along the lines of the
following with filenames and passwords replaced with customer-specific
values:

Pvk2Pfx -pvk [Link] -pi pvkpassword -spc [Link] -pfx [Link] -po pfxpassword -f

3. Import the PFX file into the Windows Certificate Store using:

certutil -user -p pfxpassword -importPFX [Link]

where "pfxpassword" is the password for the PFX file as provided either
to the issuing CA or in the pvk2pfx step above.

If you don't have "[Link]" (which is likely if you're not running
Windows Server), you can also use the CertMgr tool that is included in
the DDK. Run this in GUI mode (start using "certmgr" with no command line
parameters) and choose "Import". Add the .pfx file to your Personal
certificate store.

4. Obtain the Microsoft cross certificate associated with your CA by
following the instructions found at:

[Link]

If you find that the thumbprint of the root authority certificate in
your certificate chain doesn't match the one in this document and you
used Verisign, get the closest matching cross certificate then perform
some additional certificate juggling to install two intermediate
certificates as described here:

[Link]
3-primary-ca-g5-certificate/

Make sure you install the intermediate certificates into the
"Trusted Root Certification Authorities" store rather than the default
that is offered when you double-click the .der files.

5. Copy the Microsoft cross-certificate into a known location on the
build system hard disk since you will need to reference it directly
during future signing operations.

Each time you want to sign a driver, do the following from within the
driver directory (the directory containing the driver INF file(s)):

1. Create your driver CAT files as usual using inf2cat

inf2cat /driver:. /os:7_X64,7_X86,Vista_X64,Vista_X86,XP_X86,XP_X64

2. Sign the catalog files with your release certificate:

signtool sign /v /n "<YourCertificateName>" /ac "<FullPathToCrossCertificate>.cer" /t [Link] <YourCATFile>.cat

calling this tool once for each of the cat files generated by inf2cat. This
assumes that the "<YourCertificateName>" certificate has been installed
on your build machine in the Personal certificate store for the current user.
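The test-signing and release-signing loops above differ only in the signtool arguments (/s TestCertStore versus /ac with the cross-certificate), so the following PowerShell script drives both: it lists the INF files inf2cat will descend into, builds the catalogs, signs each .cat file once, and then runs signtool verify so a catalog whose chain does not validate is caught before the package leaves the build machine. This is an added example, not part of the original guide or of the DDK. It assumes inf2cat.exe and signtool.exe are on PATH (a DDK build prompt) and that the certificate has already been imported as described above; the parameter names, the script name and the -TimestampUrl default are the example's own, and the timestamp value is a placeholder to be replaced with your CA's timestamp server. Verification uses the default Authenticode policy (/pa) for a self-issued test certificate and the kernel-mode driver policy (/kp) when a cross-certificate was supplied.

```powershell
<#
  Sign-DriverCatalogs.ps1 -- added example, not part of the original guide.
  Builds catalogs with inf2cat, signs each .cat once with signtool, then
  verifies the signatures. Assumes a DDK build prompt (inf2cat/signtool on PATH).

  Test signing:
    .\Sign-DriverCatalogs.ps1 -CertificateName "Company XYZ Software Test Certificate" -Store TestCertStore
  Release signing:
    .\Sign-DriverCatalogs.ps1 -CertificateName "<YourCertificateName>" -CrossCertificate "C:\certs\<FullPathToCrossCertificate>.cer"
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$CertificateName,                 # subject name passed to signtool /n
    [string]$DriverRoot = ".",                # tree containing the INF files
    [string]$Store,                           # e.g. TestCertStore; omit to use the Personal store
    [string]$CrossCertificate,                # full path to the Microsoft cross-certificate (release only)
    [string]$TimestampUrl = "http://TIMESTAMP-SERVER-PLACEHOLDER",  # placeholder: your CA's timestamp URL
    [string]$OsList = "7_X64,7_X86,Vista_X64,Vista_X86,XP_X86,XP_X64"
)

$ErrorActionPreference = "Stop"

function Assert-ExitCode([string]$Tool) {
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

# 1. Pre-flight: inf2cat descends into every subdirectory, so show the operator
#    exactly which INF files it will see. Any Windows 2000 INF in this list must
#    be moved out of the tree before continuing, since inf2cat cannot parse it.
$infs = @(Get-ChildItem -Path $DriverRoot -Recurse -Filter *.inf)
if ($infs.Count -eq 0) { throw "No INF files found under $DriverRoot" }
Write-Host "INF files inf2cat will process:"
$infs | ForEach-Object { Write-Host "  $($_.FullName)" }

# 2. Build the catalog files.
& inf2cat "/driver:$DriverRoot" "/os:$OsList"
Assert-ExitCode "inf2cat"

# 3. Sign every catalog, calling signtool once per .cat file.
$cats = @(Get-ChildItem -Path $DriverRoot -Recurse -Filter *.cat)
if ($cats.Count -eq 0) { throw "inf2cat produced no .cat files under $DriverRoot" }
foreach ($cat in $cats) {
    $signArgs = @("sign", "/v", "/n", $CertificateName, "/t", $TimestampUrl)
    if ($Store)            { $signArgs += @("/s", $Store) }             # test certificate store
    if ($CrossCertificate) { $signArgs += @("/ac", $CrossCertificate) } # release: add cross-cert to the chain
    $signArgs += $cat.FullName
    & signtool @signArgs
    Assert-ExitCode "signtool sign"
}

# 4. Verify what was just produced. A self-issued test certificate only chains
#    under the default Authenticode policy (/pa); a release signature must also
#    satisfy the kernel-mode driver policy (/kp), which checks the cross-cert chain.
$policy = if ($CrossCertificate) { "/kp" } else { "/pa" }
foreach ($cat in $cats) {
    & signtool verify /v $policy $cat.FullName
    Assert-ExitCode "signtool verify"
}
Write-Host "Signed and verified $($cats.Count) catalog file(s)."
```

The verify step is the part worth keeping even if the rest is folded into an existing build script: a signature that was produced without the cross-certificate, or with a certificate whose root is not trusted on the build machine, signs without complaint but fails /kp or /pa verification, and that failure is far cheaper to find here than after the driver package is distributed.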
