Jennifer Stepler, WDK Program Manager
Agenda
- Catalog signing vs. embedded signing
- How to embed-sign:
  - Getting started
  - Preparing your signing certificate
  - Using SignTool
  - Validating your signature
- Tips
Catalog Signing and Embedded Signing
Catalog signing:
- The catalog contains a hash of every file listed in the INF file.
- Signing the catalog signs the driver package for device-installation purposes.
- NOTE: Bugs in INF files will result in "unsigned driver" error messages.
Embedded signing:
- Every binary in the driver package is signed.
- Embed-signing the binaries improves boot-loading performance.
Catalog Signing or Embedded Signing

      | Catalog signing               | Embedded signing
What  | The .cat file                 | All of the binaries in the driver package
Who   | WHQL                          | YOU
When  | When you pass the logo tests  | Before or after the catalog file is generated and signed
How   | Logo submission               | SignTool PLUS code-signing certificate PLUS cross-certificate
Why   | Seamless device installation  | Improve boot performance (x86 TOO)
Getting Started
You need:
- Your code-signing certificate: the same certificate you use to sign the catalog files you submit to WHQL.
- Signtool.exe: the tool you use to sign catalog files and binaries.
- A cross-signing certificate. Download from:
Preparing Your Signing Certificate
First, add your code-signing certificate to your Personal certificate store:
1. You received a .pvk and a .spc file from VeriSign. Convert them to a .pfx file:
   pvk2pfx -pvk mypvkfile.pvk -pi mypvkpassword -spc myspcfile.spc -pfx mypfxfile.pfx -po pfxpassword -f
   (-pi is the password of the .pvk file, -po sets the password of the new .pfx file, and -f overwrites an existing .pfx.)
2. Add the .pfx file to your Personal certificate store: double-click the .pfx file and use the wizard.
Your Signing Certificate
Using SignTool
SignTool sign /v /ac \CrossCertificateFile /s my /n "SPCCertificateName" /t TimeStampServerURL DriverFileName.sys
Where:
- The sign command configures SignTool to embed a signature in the file DriverFileName.sys.
- The /v (verbose) option configures the tool to print execution and warning messages.
- The /ac CrossCertificateFile option specifies the cross-certificate .cer file that is associated with the SPC specified by SPCCertificateName. USE AN ABSOLUTE PATH.
- The /s SPCCertificateStore option specifies the name of the certificate store that holds the SPC specified by SPCCertificateName. As described in Software Publisher Certificate (SPC), the certificate information must be contained in a .pfx file, and the information in the .pfx file must be added to the Personal certificate store of the local computer. The Personal certificate store is specified by the option /s my.
- The /n SPCCertificateName option specifies the name of the certificate in the SPCCertificateStore certificate store. USE QUOTES.
- The /t TimeStampServerURL option supplies the URL of the publicly available time-stamp server that VeriSign provides.
- DriverFileName.sys is the name of the driver file.
Validate Your Signature
Use SignTool:
SignTool verify /v /kp DriverFileName.sys
The TOP certificate in the chain should be Microsoft Code Verification Root.
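Putting the sign and verify steps together for a whole driver package, as an added PowerShell script that is not from the deck. It assumes signtool.exe is on the PATH, takes the time-stamp URL as a parameter because the slide does not print it, and assumes that signtool's verbose verify output lists the chain root-first as "Issued to:" lines.

```powershell
# Added example, not part of the deck: embed-sign every binary in a driver
# package with the options from the "Using SignTool" slide, then run
# "signtool verify /v /kp" on each one and check that the top of the printed
# chain is "Microsoft Code Verification Root" (the "Validate Your Signature"
# slide). Assumptions: signtool.exe is on PATH; the cross-certificate .cer and
# the SPC are set up as the deck describes; the time-stamp URL is the one your
# CA gives you (the deck does not print it, so it is a parameter here).
param(
    [Parameter(Mandatory)] [string] $PackageDir,     # folder holding the driver binaries
    [Parameter(Mandatory)] [string] $CrossCertFile,  # the cross-certificate .cer file
    [Parameter(Mandatory)] [string] $SpcName,        # subject name of the SPC in the "my" store
    [Parameter(Mandatory)] [string] $TimeStampUrl,   # time-stamp server URL from your CA
    [string] $SignTool = 'signtool.exe'
)

$expectedRoot = 'Microsoft Code Verification Root'
# The /ac argument must be an absolute path (see the deck), so resolve it up front.
$crossCertPath = (Resolve-Path -LiteralPath $CrossCertFile).Path

$report = foreach ($bin in Get-ChildItem -Path $PackageDir -Include *.sys, *.dll -Recurse) {
    # Sign. Passing $SpcName as its own argument quotes it for us (deck: USE QUOTES).
    & $SignTool sign /v /ac $crossCertPath /s my /n $SpcName /t $TimeStampUrl $bin.FullName | Out-Null
    $signed = ($LASTEXITCODE -eq 0)

    # Verify against the kernel-mode policy and capture the verbose chain dump.
    $out = (& $SignTool verify /v /kp $bin.FullName 2>&1 | Out-String)
    $verified = ($LASTEXITCODE -eq 0)

    # Assumption about the tool's output layout: the chain is printed root-first
    # as "Issued to: <name>" lines, so the first match is the top certificate.
    $m = [regex]::Match($out, 'Issued to:\s*(.+)')
    $root = if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }

    [pscustomobject]@{
        File     = $bin.Name
        Signed   = $signed
        Verified = $verified
        Root     = $root
        Ok       = $signed -and $verified -and ($root -eq $expectedRoot)
    }
}

$report | Format-Table -AutoSize
# Non-zero exit if any binary failed, so the script can gate a build step.
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```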
Tips
- You cannot see a cross-certificate in any GUI that displays a certificate chain (such as File Properties).
- You cannot see your signature on the individual binaries in Device Manager (until they fix the bug…).
- You can validate that a given binary is "signed" by a given .cat file by using SignTool:
  SignTool verify /v /kp /c catalogfile.cat DriverFileName.sys
- You should embed-sign ALL boot-load Windows Vista drivers (even x86) to improve boot performance.
References
- WHDC Web site
- WDK Documentation Collection
Disclaimer
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.