How to sign an unsigned driver for x64

Windows 10, 8.1 or 7 with a self-signed certificate

signed
By default, all 64-bit versions of Windows, starting from Windows 7, prohibit the installation of drivers.
of devices that are not signed with a valid digital signature. Unsigned drivers are
blocked by the operating system. The digital signature guarantees (to a certain extent) that the driver has been released
by a specific developer or vendor, and its code has not been modified after it was signed.

In Windows 10, 8.1, and 7 (64-bit x64), there are several ways to disable the signature verification.
driver for unsigned drivers: using a group policy or a test mode.
Today we will show you how to sign any unsigned driver for the 64-bit version of Windows 10.
You use Windows 7.

Suppose you have a certain unsigned device driver (without digital signature) for the
Windows 10 x64 or Windows 7 x64. In this example, it is the driver for the old graphics card. The file with
drivers for your version of Windows has been downloaded from the vendor's website (I was able to find the version of
video driver for Windows Vista x64) and its content was extracted to c: \ tools \ drv1 \ . Let's try
install the driver by adding it to the Windows driver repository with a standard tool pnputil
Pnputil -ac:\tools\drv1\xg20gr.inf

Note: This command and all subsequent ones must be executed in the command prompt as an administrator.

During the driver installation, Windows 7 displays a warning that the system cannot verify the signature.
digital of this driver:

Windows can't verify the publisher of this driver software.

On Windows 10, this warning does not appear, but a warning is displayed in the console:

Processing inf: xg20gr.inf

Adding the driver package failed: The third-party INF does not contain digital
signature information.
If you right-click on the inf driver file and select Install, you will install a driver.
File manager will encounter an error:

The third-party INF does not contain digital signature information.

Let's try to sign this driver with a self-signed certificate.

Content:

Tools to sign drivers

Create a self-signed certificate and a private key
Creating a catalog file (CAT) for the driver package
Signing the driver using a self-signed certificate
Installing the self-signed certificate
Installation of the driver signed with the self-signed certificate

Tools to sign drivers

To generate a signature and sign the driver, you need to download and install the following tools from
Windows application development (with default settings):

Windows SDK (or Microsoft Visual Studio 2005 or later) for your version of Windows. These
packages include the Windows SDK for Desktop signing tools, which include the
necessary utility -signtool.exe;
Windows 7.1.0 driver kit.

In Windows 10, you can use the latest versions of the Windows SDK and the Windows Driver Kit.
Before installing these tools, check if .NET Framework 4 is installed on your computer.

Create a self-signed certificate and a private key

Create a folder C: \ DriverCert at the root of the system drive.

Open the command prompt and go to the following directory:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin

Create a self-signed certificate and a private key, which is issued, for example, to the company
WinOSHub:

makecert -r -sv C:\DriverCert\myDrivers.pvk -n CN="WinOSHub"

C:\DriverCert\myDrivers.cer

During the creation of the certificate, the tool will ask you to specify a password for the key, either
elaP @ ss0wrd.

Create a public key for a publisher certificate (PKSC) that we created earlier:

cert2spc C:\DriverCert\myDrivers.cer C:\DriverCert\myDrivers.spc

Combine the public key (.spc) and the private key (.pvk) into a single certificate file in the format
Personal Information Exchange (.pfx):

pvk2pfx -pvk C:\DriverCert\Drivers.pvk -pi P@ss0wrd -spc C:\DriverCert\Drivers.spc -pfx

C:\DriverCert\Drivers.pfx -po P@ss0wrd

You can create a self-signed code signing certificate without using third-party tools.
using the PowerShell 5.0 cmdlet -New-SelfSignedCertificate:
$cert = New-SelfSignedCertificate -Subject "Woshub" -Type CodeSigningCert -
CertStoreLocation cert:\LocalMachine\My

So you need to export this certificate to the pfx file with the password:

$CertPassword = ConvertTo-SecureString -String "P@ss0wrd" -Force -AsPlainText

Export-PfxCertificate -Cert $cert -FilePath C:\DriverCert\myDrivers.pfx -Password
CertPassword

Note: Although the certificate has a limited validity period, the expiration of the CodeSigning certificate
means that you cannot create new signatures. The validity of the driver already signed by this certificate is
unlimited (or the old subscriptions are valid during the specified date and time registration).

Creating a catalog file (CAT) for the driver package

Create the directory C:\DriverCert\xg20e copy all the files from the folder where the driver of the file was
originally extracted (c: \ tools \ drv1 \). Make sure there are files with the extensions .syse.inf
among these files (in our case, they are xg20grp.sys and xg20gr.inf).

Go to the directory:

cd C:\WinDDK\7600.16385.1\bin\selfsign

Generate a CAT file (contains information about all files in the driver package) based on the file
INF. On the basis of an INF file using the tool inf2cat.exe (included in the Windows Driver Kit - WDK),
generate a cat file for your platform (it contains information about all the files in the package of
driver):

inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose

To ensure that the procedure was correct, check if the log file contains the messages:

Complete signaling test.

Complete catalog generation.

Note In my case, the command Inf2Cat.exe returned an error:

Signability test failed.

Errors
22.9.7: DriverVer set to incorrect date (must be postdated to 4/21/2009 for newest OS)
in dx861a.inf

To correct the error, locate the line with DriverVer = in the [Version] section and replace it with:

DriverVer=05/01/2009,9.9.9.9

After the command is executed, the file xg20gr.cat must be updated in the drivers directory.
Signing the driver using a self-signed certificate
Go to the following folder:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin

Sign the driver file set with the certificate you created earlier using Globalsign.
as a date and time stamp service. The following command will sign the CAT file with a
digital signature using a certificate stored in a PFX file, protected by a password:

signtool sign /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd /t

http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat

If the file is successfully signed, the following message should appear:

Successfully signed: C:\DriverCert\xg\xg20gr.cat
Number of files successfully Signed: 1

The digital signature of the driver is contained in the .cat file mentioned in the .inf file. You can
verify the digital signature of the driver in the cat file using the following command:

SignTool verify /v /pa c:\DriverCert\xg\xg20gr.cat

In the file properties on the Digital Signatures tab:

The CAT file contains digital signatures (fingerprints) of all the files that are in the directory.
of the driver (files listed in the INF file in the CopyFiles section). If any of these files have been
changed, the checksum of the files will not match the data in the CAT file and, as
As a result, the installation of this driver will fail.

Installing the self-signed certificate

Since the certificate we created is self-signed, by default, the system does not trust it. Add your
certificate to the storage of certificates of the local computer. You can do this using the
following commands:

certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine ROOT

certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine TRUSTEDPUBLISHER

Or do this with the graphic certificate import assistant (you need to place the certificate in the)
repositories of trusted Suppliers and Trusted Root Certification Authorities of the machine
In a domain, you candistribute this certificate to the client computer using the Policy of
Group.
Note You can check if the certificate we created is in the list of trusted certificates by opening the snap-
in the certificate management (certmgr.msc) and making sure that our certificate (issued for
our company) is in the corresponding warehouses.

Say When youcheck the certificate storage with theutilitariano Sigcheckthis certificate will be
displayed as untrusted because it is not listed in Microsoft's root certificate list (this list
need ifrupdatedperiodically.
Installation of the driver signed with the self-signed certificate
Try installing the driver we signed again using the command:

Pnputil -i -a C:\DriverCert\xg20\xg20gr.inf

Now you will not see the warning about the missing digital signature of the driver.

Successfully installed the driver on a device on the system.

Driver package added successfully.

The following notice appears on Windows 7 x64: Would you like to install the device software? In
Windows 10 x64 1803, this pop-up window does not appear. When you click 'Install', you install the driver on
system.

If, for some reason, the driver is not installed, the detailed installation log of the driver will be contained
in the file C:\Windows\inf\setupapi.dev.log. This log file allows you to obtain more
information about driver installation errors. In most cases, there is an error 'Validation of'
failed signature on the driver package - most likely, this means that the driver certificate
was not added to the trusted certificate store.
If the driver installation was successful, the setupapi.dev.log file should contain the following lines:

[Device Install (DiInstallDriver) -

C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
.inf
>>> Section start 2018/07/22 23:32:57.015
cmd: Pnputil -i -ac:\DriverCert\xg\xg20gr.inf
ndv: Flags: 0x00000000
INF path:
C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
.inf
inf: {SetupCopyOEMInf:
C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
13:23:37.046
inf: Copy style: 0x00000000
inf: Driver Store Path:
C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
.inf
Published Inf Path: C:\WINDOWS\INF\oem23.inf
inf: {SetupCopyOEMInf exit (0x00000000)} 13:23:37.077
<<< Section end 2018/07/22 13:23:37.155
<<< [Exit status: SUCCESS]

As you can see, to install the self-signed driver, we didn't even need to disable the verification.
digital signature of the drivers with the commands bcdedit.exe:

bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS

bcdedit.exe /set testsigning ON

How to Sign an Unsigned Driver for x64 Windows

10, 8.1 or 7 with a Self-signed Certificate
By default, all 64-bit Windows versions, starting from Windows 7, prohibit the installation of device drivers that are
not signed with a valid digital signature. Unsigned drivers are blocked by the operating system. The digital
signature guarantees (to some extent) that the driver has been released by a certain developer or vendor, and
its code hasn’t been modified after it was signed.

In 64-bit (x64) Windows 10, 8.1 and 7 there are several ways to disable driver signature verification for the
unsigned drivers: using a group policy or a test boot mode. Today we’ll show how to sign any unsigned
driver for the 64-bit version of Windows 10 or Windows 7.

Suppose you have a certain unsigned device driver (without digital signature) for Windows 10 x64 or
Windows 7 x64. In this example, it is the driver for quite old graphics card. The archive with drivers for
Your Windows version has been downloaded from the vendor's website (I was able to find the video driver.
version for Windows Vista x64) and its contents has been extracted to c:\tools\drv1\. Let’s try to install the
driver by adding it to Windows driver store with a standard pnputil tool:
Pnputil–a c:\tools\drv1\xg20gr.inf

Note. This command and all the next ones must be run in the command prompt as administrator.
During driver installation, Windows 7 displays a warning that the system can’t verify the digital signature of
this driver:

Windows can’t verify the publisher of this driver software.

In Windows 10 this warning doesn’t appear, but a warning appears in the console:

Processing inf: xg20gr.inf

Adding the driver package failed: The third-party INF does not contain digital
signature information.

If you right click on the inf driver file and select Install when installing a driver from File Explorer, you
receive an error:

The third-party INF does not contain digital signature information.

Let’s try to sign this driver with a self-signed certificate.

Contents:

Tools for Signing Drivers

Create a Self-Signed Certificate and Private Key
Creating a Catalog File (CAT) for Driver Package
Signing the Driver Using Self-signed Certificate
Installing the Self-Signed Certificate
Installation of the Driver Signed with the Self-signed Certificate

Tools for Signing Drivers

To generate a signature and sign the driver, you need to download and install the following Windows
application development tools (with the default settings):

Windows SDK (or Microsoft Visual Studio 2005 or later) for your version of Windows. These
packages include Windows SDK Signing tools for Desktop, which includes the necessary utility–
signtool.exe
Windows Driver Kit 7.1.0.

Tip. In Windows 10 you can use the newer versions of Windows SDK and Windows Driver Kit. Before
installing these tools, make sure that the .NET Framework 4 is installed on your computer.

Create a Self-Signed Certificate and Private Key

Create a C:\DriverCert folder in the root of the system drive.

Open the command prompt and go to the following directory:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin

Create a self-signed certificate and private key, that is issued, for example, for the company WinOSHub:

makecert -r -sv C:\DriverCert\myDrivers.pvk -n CN="WinOSHub"

C:\DriverCert\myDrivers.cer

During the creation of the certificate, the tool will prompt you to specify a password for the key, let it be
P@ss0wrd.
Create a public key for a publisher certificate (PKSC) we have created earlier:

cert2spc C:\DriverCert\myDrivers.cer C:\DriverCert\myDrivers.spc

Combine the public key (.spc) and the private key (.pvk) in a single certificate file with format Personal
Information Exchange (.pfx):

pvk2pfx -pvk C:\DriverCert\Drivers.pvk -pi P@ss0wrd -spc C:\DriverCert\Drivers.spc -pfx

C:\DriverCert\Drivers.pfx -po P@ss0wrd

Tip. You can create a self-signed Code Signing certificate without using third-party tools by using the
PowerShell 5.0 cmdlet–New-SelfSignedCertificate:

$cert = New-SelfSignedCertificate -Subject "Woshub" -Type CodeSigningCert -

CertStoreLocation cert:\LocalMachine\My

Then you need to export this certificate to the pfx file with the password:

ConvertTo-SecureString -String "P@ss0wrd" -Force -AsPlainText

Export-PfxCertificate -Cert $cert -FilePath C:\DriverCert\myDrivers.pfx -Password
$CertPassword
Note. Although the certificate has a limited validity period, the expiration of the CodeSigning certificate
means that you can’t create new signatures. The validity of the driver already signed by this certificate is
unlimited (or old signatures are valid during the specified timestamp).

Creating a Catalog File (CAT) for Driver Package

Create the directory C:\DriverCert\xg20 and copy all files from the folder into which the driver from the
The archive has been originally extracted (c:\tools\drv1\). Make sure that there are files with the extensions .sys
and.infamong these files (in our case, they are xg20grp.sys and xg20gr.inf).

Go to the directory:

cd C:\WinDDK\7600.16385.1\bin\selfsign

Generate a CAT file (contains information about all the files in the driver package) based on the INF
file. Based on an inf file using the inf2cat.exe tool (included in the Windows Driver Kit - WDK)
generate a cat file for your platform (it contains information about all files in the driver package):

inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose

To make sure that the procedure was correct, check if the log file contains the messages:

Signability test complete.

and

Catalog generation complete.

Note. In my case the command Inf2Cat.exe returned an error:

Signability test failed.

Errors
22.9.7: DriverVer set to incorrect date (must be postdated to 4/21/2009 for newest OS)
in hdx861a.inf

To fix the error, find the line with DriverVer = in the [Version] section and replace it with:

05/01/2009,9.9.9.9

After the command is executed, the xg20gr.cat file should be updated in the drivers' directory.

Signing the Driver Using Self-signed Certificate

Go to the following folder:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin

Sign the set of driver files with the certificate you created earlier using Globalsign as a timestamp.
service. The following command will sign the CAT file with a digital signature using a certificate
stored in a PFX file, protected by a password:

signtool sign /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd /t

http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat

If the file is successfully signed, the following message should appear:

Successfully signed: C:\DriverCert\xg\xg20gr.cat
Number of files successfully Signed: 1

Tip. The digital signature of the driver is contained in the .cat file referenced in the .inf file. You can check
the digital signature of the driver in the cat file using the following command:

SignTool verify /v /pa c:\DriverCert\xg\xg20gr.cat

Or in the file properties on the Digital Signatures tab:
The CAT file contains digital signatures (thumbprints) of all the files that are in the driver directory (files
listed in the INF file in the CopyFiles section). If any of these files has been changed, the checksum of the
Files will not match the data in the CAT file, and, as a result, the installation of such a driver will fail.

Installing the Self-Signed Certificate

Since the certificate we created is self-signed, by default the system doesn’t trust it. Add your certificate to
the local computer certificate store. You can do it using the following commands:

certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine ROOT

certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine TRUSTEDPUBLISHER

Or do it with the graphical certificate import wizard (you need to place the certificate in the Trusted
Publishers and Trusted Root Certification Authorities stores of the local machine). In a domain, you can
Distribute this certificate to client computers using Group Policy.

Note. You can check if the certificate we created is in the list of trusted certificates by opening the
certificate management snap-in (certmgr.msc) and making sure that our certificate (issued for our company)
is in the corresponding stores.
Tip. When yorcheck the certificate store with the Sigcheckutility, this certificate will be displayed as
untrusted, because it is not on the list of Microsoft root certificates (this list needs to beupdated
periodically).

Installation of the Driver Signed with the Self-signed Certificate

Try to install the driver we have signed again using the command:

Pnputil – i – a C:\DriverCert\xg20\xg20gr.inf

Now you won’t see the warning about the missing digital signature of the driver.

Successfully installed the driver on a device on the system.

Driver package added successfully.
The following warning appears in Windows 7 x64: Would you like to install this device software?
Windows 10 x64 1803, this pop-up window doesn’t appear. By clicking 'Install', you install the driver in
the system.

If for some reason the driver is not installed, the detailed driver installation log is contained in the file
C:\Windows\inf\setupapi.dev.log. This log file allows you to get more information about the driver
installation errors. In most cases, there is a “Driver package failed signature validation” error –most likely
This means that the driver certificate is not added to the trusted certificates store.

If the driver installation was successful, the setupapi.dev.log file should contain the following lines:

[Device Install (DiInstallDriver) -

C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
.inf
>>> Section start 2018/07/22 23:32:57.015
cmd: Pnputil -i -a c:\DriverCert\xg\xg20gr.inf
ndv: Flags: 0x00000000
INF path:
C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
.inf
inf: {SetupCopyOEMInf:
C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
.inf} 13:23:37.046
inf: Copy style: 0x00000000
inf: Driver Store Path:
C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181214aa12b\xg20gr
.inf
Published Inf Path: C:\WINDOWS\INF\oem23.inf
inf: {SetupCopyOEMInf exit (0x00000000)} 13:23:37.077
<<< Section end 2018/07/22 13:23:37.155
[Exit status: SUCCESS]

As you can see, to install the self-signed driver we did not even have to disable the digital signature.
verification of the drivers with the bcdedit.exe commands:

bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS

bcdedit.exe /set testsigning ON