I had the impression that I need to get a WHQL signature to have my driver
loaded on Server 2008 x64.
After carefully studying the latest DDK documentation along with the white
paper
http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/kmsigning.doc I
started to think that an SPC from Verisign with a cross-certificate is
enough, as long as the Windows Logo is not required, even for the drivers
for which there's a WHQL test.
ms-help://MS.WDK.v10.6001.071220/DevInst_d/hh/DevInst_d/driver-signing-over_838ed908-96ff-411c-a5f3-c253e7e7cb53.xml.htm
"To be considered signed by PnP device installation, the catalog file of the
driver must be signed by WHQL ***or*** signed by a third-party release
certificate (a Software Publisher Certificate (SPC) or a commercial release
certificate). A WHQL release signature ***should*** (not MUST) be used if
one can be obtained."
"Note also that for 64-bit versions of Windows Server 2008 and Windows
Vista, the kernel-mode code signing policy further requires that a
kernel-mode driver be signed by WHQL ***or*** by an SPC"
I did a quick test and my non-boot driver doesn't get loaded on Windows 2008
x64 even when it has an embedded SPC signature and an SPC-signed .CAT file,
both with the cross certificate. 2008 x64 doesn't even recognize the INF as
valid (it works fine on 2003 x64).
Where's the truth?
Thanks
On Vista x64 and 2k8 x64, drivers should either be WHQL signed or signed
with a third-party certificate + cross signing. I have at least a couple of
drivers that are signed the latter way.
Did you follow the instructions at
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx to sign
your driver?
It's my understanding that you signed both the binary and the CAT file. You
need to sign just one of them. If you sign both (binary and CAT) you need to
be careful to generate the CAT file *after* you have signed the binary,
otherwise the CAT file does not contain the right hash for the binary.
Have a nice day
GV
--
Gianluca Varenni, Windows DDK MVP
CACE Technologies
http://www.cacetech.com
The problem of the INF file not being recognized was because of Windows
failing to install drivers from Z:\ mapped to VMWare's \\.host. Once copied
to a local drive, the INF file is displayed as signed with Authenticode and
installs. It took hours to figure out what was happening.
However, the driver still won't start. I will post an updated question
separately.
Cheers
"Gianluca Varenni" <gianluca...@community.nospam> wrote in message
news:%23MNk341...@TK2MSFTNGP06.phx.gbl...
Well, it does not seem to be the case. During installation, my tape driver
is displayed as signed by my company.
Once installed, the driver fails to start - "Windows cannot load the device
driver for this hardware. The driver may be corrupted or missing (Code 39)".
The CodeIntegrity log displays "3004 Windows is unable to verify the image
integrity of the file
\Device\HarddiskVolume1\Windows\System32\drivers\MyDriver.sys because file
hash could not be found on the system. A recent hardware or software change
might have installed a file that is signed incorrectly or damaged, or that
might be malicious software from an unknown source."
When I do "bcdedit -set TESTSIGNING ON" and restart, the driver starts up
OK.
When I do "bcdedit -set TESTSIGNING OFF" and restart, the driver fails to
start.
In both cases, Windows displays "Digital signer: My Company" in the driver's
properties.
I sign the CAT file with:
c:\winddk\6001.18001\BIN\catalog\signtool.exe sign /ac
c:\CrossCertificates\MSCV-VSClass3.cer /du "http://www.company.com"
/n "Company Name" /t "http://timestamp.verisign.com/scripts/timstamp.dll"
MyDriver.cat
I verify the signature with:
SignTool verify /kp /v /c MyDriver.cat MyDriver.sys
It looks like it wants ONLY WHQL-signed drivers.
I also suspect that the cross-certificate doesn't get embedded into the
signature. SignTool produces a file of the same length regardless of whether
the "/ac MSCV-VSClass3.cer" option is specified or not. How do I verify the
cross-certificate is there?
Thanks,
Andrew
"Gianluca Varenni" <gianluca...@community.nospam> wrote in message
news:%23MNk341...@TK2MSFTNGP06.phx.gbl...
--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
ma...@storagecraft.com
http://www.storagecraft.com
"muriwai" <mur...@nospam.nospam> wrote in message
news:uM0oa$LvIHA...@TK2MSFTNGP02.phx.gbl...
I can't see "Microsoft Root" in the signature. It looks like the
cross-certificate is not embedded. /ac is definitely processed by SignTool
because it fails when I pass an invalid file. I checked that the thumbprint
of the Verisign root certificate matches the cross-certificate. I use a
"Verisign Class 3 Code Signing 2004 CA" certificate issued in March this
year. I tried SignTool from both the recent DDK and the WDK.
Thanks
"Maxim S. Shatskih" <ma...@storagecraft.com> wrote in message
news:u3qQc1N...@TK2MSFTNGP06.phx.gbl...
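Andrew asks twice in this thread how to tell whether the cross-certificate actually ended up in the signature, and `signtool verify /kp /v` only shows the chain Windows could build, not what is embedded. The script below is an added example, not code from the thread or from any of the posters: it pulls the raw PKCS#7 SignedData out of a .cat file (the whole file is the blob) or out of a PE file such as a .sys (the blob sits in the Security data directory), decodes it with .NET's `SignedCms`, and lists every certificate the signer embedded. The file names `MyDriver.cat` and `MyDriver.sys` are placeholders, and the check for the cross-certificate assumes the issuer name Microsoft puts on its KMCS cross-certificates, "Microsoft Code Verification Root".

```powershell
# Added example (not from the thread): list the certificates embedded in an
# Authenticode signature so you can see whether the /ac cross-certificate
# (issued by "Microsoft Code Verification Root") is really inside the blob.
Add-Type -AssemblyName System.Security

function Get-AuthenticodePkcs7Bytes {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    # A .cat file is a bare PKCS#7 SignedData: return it unchanged.
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return ,$bytes }
    # PE: e_lfanew at 0x3C points to "PE\0\0"; the COFF header is 20 bytes,
    # then the optional header, whose magic tells PE32 (0x10B) from PE32+ (0x20B).
    $peOff  = [BitConverter]::ToInt32($bytes, 0x3C)
    $optOff = $peOff + 4 + 20
    $magic  = [BitConverter]::ToUInt16($bytes, $optOff)
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+).
    $dirBase = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }
    # Index 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; its "VirtualAddress" is a raw
    # file offset, not an RVA, and the entry is 8 bytes (offset, size).
    $secOff  = [BitConverter]::ToInt32($bytes, $dirBase + 4 * 8)
    $secSize = [BitConverter]::ToInt32($bytes, $dirBase + 4 * 8 + 4)
    if ($secOff -eq 0 -or $secSize -eq 0) { throw "$Path has no embedded Authenticode signature" }
    # WIN_CERTIFICATE header: dwLength(4) wRevision(2) wCertificateType(2), then bCertificate[].
    $certLen = [BitConverter]::ToInt32($bytes, $secOff)
    $pkcs7   = New-Object byte[] ($certLen - 8)
    [Array]::Copy($bytes, $secOff + 8, $pkcs7, 0, $certLen - 8)
    return ,$pkcs7
}

function Get-EmbeddedSignatureCertificates {
    param([Parameter(Mandatory)][string]$Path)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([byte[]](Get-AuthenticodePkcs7Bytes $Path))
    # SignedCms.Certificates holds every certificate the signer embedded,
    # including the cross-certificate added with "signtool sign /ac".
    $cms.Certificates | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }
}

# Usage: inspect both the catalog and the binary (placeholder file names).
foreach ($f in 'MyDriver.cat', 'MyDriver.sys') {
    "== $f =="
    $certs = Get-EmbeddedSignatureCertificates $f
    $certs | Format-Table -AutoSize
    $cross = $certs | Where-Object { $_.Issuer -like '*Microsoft Code Verification Root*' }
    if ($cross) {
        "cross-certificate embedded: $($cross.Subject)"
    } else {
        "NO cross-certificate embedded: CI will not be able to chain this signature to the Microsoft root"
    }
}
```

If the cross-certificate is present you will see an entry whose subject is the VeriSign CA named in the cross-certificate file and whose issuer is "Microsoft Code Verification Root"; if the list contains only your SPC and the VeriSign intermediates, the `/ac` file was not embedded, which matches the "file hash could not be found" CodeIntegrity event 3004 quoted above, since the kernel can only walk the chain to the Microsoft root through that embedded certificate. Running the script on a .sys that was signed before the .cat was regenerated also shows why Gianluca's ordering advice matters: the catalog's hash list describes the binary as it existed when Inf2Cat ran, so a later embedded signature changes the file the catalog no longer matches.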