Embedded Signing of Drivers
Jennifer Stepler
WDK Program Manager
Agenda
Catalog signing vs. embedded signing.
How to embed-sign:
  Getting started
  Preparing your signing certificate
  Using SignTool
Validate your signature.
Tips.
Catalog Signing and Embedded Signing
Catalog signing:
The catalog contains a hash of every file listed in the INF file. Signing the catalog signs the driver package for device installation purposes.
NOTE: Bugs in INF files will result in "unsigned driver" error messages.
Embedded signing:
Every binary in the driver package is signed. Embed-signing the binaries improves boot loading performance.
Catalog Signing or Embedded Signing

        Catalog Signing                  Embedded Signing
What    The .cat file                    All of the binaries in the driver package
Who     WHQL                             YOU
When    When you pass the logo tests     Before or after the catalog file is generated and signed
How     Logo submission                  SignTool PLUS code-signing certificate PLUS cross-certificate
Why     Seamless device installation     Improve boot performance – x86 TOO
Getting Started
You need:
Your code-signing certificate – the same certificate you use to sign catalog files to submit to WHQL.
Signtool.exe – the tool you use to sign catalog files and binaries.
A cross-signing certificate – download from: http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
Preparing Your Signing Certificate
First, add your code-signing certificate to your Personal certificate store:
You received a .pvk and a .spc file from VeriSign. Convert them to a .pfx file (the .pfx password is given with -po; -f overwrites an existing .pfx):
pvk2pfx -pvk mypvkfile.pvk -pi mypvkpassword -spc myspcfile.spc -pfx mypfxfile.pfx -po pfxpassword -f
Add the .pfx file to your Personal certificate store:
Double-click the .pfx file and use the wizard.
Your Signing Certificate
Using SignTool
SignTool sign /v /ac <absolutepath>\CrossCertificateFile /s my /n "SPCCertificateName" /t http://timestamp.verisign.com/scripts/timestamp.dll DriverFileName.sys
Where:
The sign command configures SignTool to embed a signature in the file DriverFileName.sys.
The /v verbose option configures the tool to print execution and warning messages.
The /ac CrossCertificateFile option specifies the cross-certificate .cer file that is associated with the SPC that is specified by SPCCertificateName. USE AN ABSOLUTE PATH.
The /s SPCCertificateStore option specifies the name of the certificate store that holds the SPC that is specified by SPCCertificateName. As described in Software Publisher Certificate (SPC), the certificate information must be contained in a .pfx file, and the information in the .pfx file must be added to the Personal certificate store of the local computer. The Personal certificate store is specified by the option /s my.
The /n SPCCertificateName option specifies the name of the certificate in the SPCCertificateStore certificate store. USE QUOTES.
The /t http://timestamp.verisign.com/scripts/timestamp.dll option supplies the URL of the publicly available time-stamp server that VeriSign provides.
DriverFileName.sys is the name of the driver file.
Validate Your Signature
Use SignTool:
SignTool verify /v /kp DriverFileName.sys
The TOP certificate in the chain should be: Microsoft Code Verification Root
Tips
You cannot see a cross-certificate in any GUI that displays a certificate chain (such as File Properties).
You cannot see your signature on the individual binaries in Device Manager (until they fix the bug…).
You can validate that a given binary is "signed" by a given .cat file by using SignTool:
SignTool verify /v /kp /c catalogfile.cat DriverFileName.sys
You should embed-sign ALL boot-load Windows Vista drivers (even x86) to improve boot performance.
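The sign-then-verify workflow from the SignTool and Validate slides, plus the catalog membership check from the Tips, as an added PowerShell example that is not part of the original presentation. The package directory, cross-certificate path, certificate name and catalog file are assumptions; the script enforces the two slide rules (absolute path for /ac, quoted /n) and fails the run if a verified chain does not end at Microsoft Code Verification Root.

```powershell
# Added example: embed-sign every .sys in a driver package and verify each one.
param(
    [string]$PackageDir = 'C:\drivers\mypackage',                  # assumed package folder
    [string]$CrossCert  = 'C:\certs\CrossCertificateFile.cer',     # assumed absolute path to the cross-cert
    [string]$CertName   = 'Contoso Driver Signing',                # assumed SPC subject name (/n)
    [string]$Timestamp  = 'http://timestamp.verisign.com/scripts/timestamp.dll',
    [string]$Catalog    = ''                                       # optional .cat to check membership against
)

# The slide says USE ABSOLUTE PATH for /ac; refuse relative paths up front.
if (-not [System.IO.Path]::IsPathRooted($CrossCert)) {
    throw "Cross-certificate path must be absolute: $CrossCert"
}

$failures = 0
foreach ($bin in Get-ChildItem -Path $PackageDir -Filter *.sys) {
    $file = $bin.FullName

    # Embed the signature; PowerShell quotes $CertName for us, which is the USE QUOTES rule for /n.
    & signtool sign /v /ac $CrossCert /s my /n $CertName /t $Timestamp $file
    if ($LASTEXITCODE -ne 0) { Write-Warning "sign failed: $file"; $failures++; continue }

    # Verify with the kernel-mode policy (/kp) and inspect the printed chain,
    # because no GUI shows the cross-certificate.
    $out = (& signtool verify /v /kp $file 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -notmatch 'Microsoft Code Verification Root') {
        Write-Warning "verify failed or chain does not end at Microsoft Code Verification Root: $file"
        $failures++
        continue
    }

    # Optional: confirm the binary is also covered by the signed catalog.
    if ($Catalog) {
        & signtool verify /v /kp /c $Catalog $file | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "not covered by ${Catalog}: $file"; $failures++; continue }
    }
    Write-Host "OK: $file"
}

# Non-zero exit code = number of binaries that did not sign or verify cleanly.
exit $failures
```

Run it from a WDK or SDK command environment so signtool.exe is on the PATH; the .pfx must already be imported into the Personal store as the earlier slide describes.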
References
WHDC Web site
WDK Documentation Collection
Disclaimer
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.