Embedded Signing of Drivers Jennifer Stepler WDK Program Manager

Upload: karin-martin

Post on 02-Jan-2016


Page 1: Jennifer Stepler WDK Program Manager. Agenda Catalog signing vs. embedded signing. How to embed-sign: Getting Started Preparing your signing certificate

Embedded Signing of Drivers

Jennifer Stepler, WDK Program Manager

Page 2:

Agenda

- Catalog signing vs. embedded signing.
- How to embed-sign: Getting Started, Preparing your signing certificate, Using SignTool.
- Validate your signature.
- Tips.

Page 3:

Catalog Signing and Embedded Signing

Catalog signing: The catalog contains a hash of every file listed in the INF file. Signing the catalog signs the driver package for device installation purposes.

NOTE: Bugs in INF files will result in "unsigned driver" error messages.

Embedded signing: Every binary in the driver package is signed. Embed-signing the binaries improves boot loading performance.
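The catalog covers only the files the INF names, which is why an INF error surfaces as an "unsigned driver" message. The following is an added example (not Microsoft's tooling and not part of the original deck) that parses an INF's [SourceDisksFiles] section, hashes each referenced file, and compares it to the catalog's hash list. A real .cat file is a signed PKCS#7 structure; the `catalog_hashes` dict here is a constructed stand-in for the file-name-to-hash entries it carries, and SHA-1 is assumed because that is what catalogs of this era used. Package contents, file names and the INF text are all constructed inside `demo()`.

```python
"""Check which files a driver INF references and whether the catalog's hash list covers them.
Constructed example: the 'catalog' is a plain dict standing in for a real .cat file."""
import hashlib
import os
import tempfile


def parse_inf_source_files(inf_text):
    """Return the file names listed in the INF's [SourceDisksFiles*] section(s)."""
    files = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # INF comments start with ';'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # [SourceDisksFiles] and per-architecture variants such as [SourceDisksFiles.amd64]
        if section is not None and section.startswith("sourcedisksfiles"):
            files.append(line.split("=", 1)[0].strip())
    return files


def sha1_of_file(path):
    """SHA-1 of a file's contents (the digest type the catalog is assumed to store)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_catalog_coverage(package_dir, inf_name, catalog_hashes):
    """Compare every file the INF names against the catalog's hash list.

    Returns {file name: 'ok' | 'missing-file' | 'not-in-catalog' | 'hash-mismatch'}.
    Any state other than 'ok' is what ends up reported as an unsigned driver.
    """
    # Real INFs are frequently UTF-16; the constructed one below is UTF-8.
    with open(os.path.join(package_dir, inf_name), encoding="utf-8") as f:
        inf_text = f.read()
    results = {}
    for name in parse_inf_source_files(inf_text):
        path = os.path.join(package_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing-file"          # INF names a file that is not shipped
        elif name.lower() not in catalog_hashes:
            results[name] = "not-in-catalog"        # shipped, but never hashed into the .cat
        elif catalog_hashes[name.lower()] != sha1_of_file(path):
            results[name] = "hash-mismatch"         # rebuilt after the catalog was generated
        else:
            results[name] = "ok"
    return results


def demo():
    """Build a constructed package in a temp dir and run the coverage check over it."""
    with tempfile.TemporaryDirectory() as d:
        shipped = {
            "mydriver.sys": b"driver bytes (constructed)",
            "mydriver.dll": b"rebuilt co-installer bytes (constructed)",
            "mydriverui.dll": b"ui dll bytes (constructed)",
        }
        for name, content in shipped.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        inf_text = (
            "[Version]\n"
            'Signature="$Windows NT$"\n'
            "CatalogFile=mydriver.cat\n"
            "\n"
            "[SourceDisksFiles]\n"
            "mydriver.sys   = 1   ; kernel-mode driver\n"
            "mydriver.dll   = 1   ; co-installer\n"
            "mydriverui.dll = 1   ; added to the INF but never to the catalog\n"
            "mydrivr.dll    = 1   ; typo: this file does not exist in the package\n"
        )
        with open(os.path.join(d, "mydriver.inf"), "w", encoding="utf-8") as f:
            f.write(inf_text)
        # Stand-in catalog: generated before mydriver.dll was rebuilt, and without mydriverui.dll.
        catalog_hashes = {
            "mydriver.sys": hashlib.sha1(b"driver bytes (constructed)").hexdigest(),
            "mydriver.dll": hashlib.sha1(b"original co-installer bytes (constructed)").hexdigest(),
        }
        return check_catalog_coverage(d, "mydriver.inf", catalog_hashes)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:16} {state}")
```

Only `mydriver.sys` comes back `ok`; the other three rows are the three ways an INF/catalog pair drifts apart (typo in the INF, binary rebuilt after cataloging, file added to the INF but not to the catalog), each of which produces the "unsigned driver" message the slide warns about.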

Page 4:

Catalog Signing or Embedded Signing

        Catalog Signing                 Embedded Signing
What    The .cat file                   All of the binaries in the driver package
Who     WHQL                            YOU
When    When you pass the logo tests    Before or after the catalog file is generated and signed
How     Logo submission                 SignTool PLUS code-signing certificate PLUS cross-certificate
Why     Seamless device installation    Improve boot performance – x86 TOO
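Embedded signing means the Authenticode signature lives inside each binary's PE image, in the attribute certificate table pointed to by the security data directory. The following added example (not part of the original deck, and not Microsoft's SignTool) shows what that looks like at the file-format level: it reports whether a PE carries an embedded signature and computes the Authenticode hash, which is the digest the signature actually covers (the image with the checksum, the security directory entry and the certificate table itself excluded, per the public Authenticode PE specification). A minimal PE32 image with no sections is constructed inline; the certificate table is assumed to sit at the end of the file, which is the usual layout.

```python
"""Detect an embedded Authenticode signature in a PE image and compute its Authenticode hash.
Added example with a constructed minimal PE32; not SignTool and not production tooling."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the certificate-table data directory


def _pe_layout(data):
    """Locate the fields the Authenticode hash skips, the section raw ranges and the cert table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    checksum_off = opt + 64                           # CheckSum field (same offset in both)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    security_off = dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, security_off)  # file offset, size
    sections = []
    sec_tbl = opt + size_of_opt
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    return checksum_off, security_off, size_of_headers, sections, cert_off, cert_size


def has_embedded_signature(data):
    """True when the security data directory points at a non-empty certificate table."""
    *_, cert_off, cert_size = _pe_layout(data)
    return cert_off != 0 and cert_size != 0


def authenticode_hash(data, algo="sha1"):
    """Authenticode digest: headers minus CheckSum and the security directory entry,
    then sections in file order, then trailing data minus the certificate table."""
    checksum_off, security_off, size_of_headers, sections, cert_off, cert_size = _pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:security_off])
    h.update(data[security_off + 8:size_of_headers])
    end = size_of_headers
    for ptr, size in sorted(sections):
        h.update(data[ptr:ptr + size])
        end = max(end, ptr + size)
    # Assumption: the certificate table is the last thing in the file, so trailing data
    # runs from the end of the last section up to where the table starts.
    file_end = cert_off if cert_size else len(data)
    if end < file_end:
        h.update(data[end:file_end])
    return h.hexdigest()


def build_minimal_pe(payload=b"", cert_blob=None):
    """Construct a tiny PE32 image: DOS header, PE headers, no sections, optional trailing
    payload, and optionally a WIN_CERTIFICATE table appended at the end (constructed data)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 60, e_lfanew + 4 + 20 + 224)  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt) + payload
    if cert_blob is not None:
        table_off = len(image)
        body = cert_blob + b"\0" * (-(8 + len(cert_blob)) % 8)      # 8-byte aligned entry
        win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body  # rev 2, PKCS#7
        image += win_cert
        security_off = e_lfanew + 4 + 20 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, security_off, table_off, len(win_cert))
    return bytes(image)


def demo():
    """Show that adding a signature leaves the covered hash unchanged while tampering does not."""
    code = b"driver code stand-in (constructed)"
    unsigned = build_minimal_pe(payload=code)
    signed = build_minimal_pe(payload=code, cert_blob=b"PKCS7-stand-in")
    tampered = build_minimal_pe(payload=code + b"!", cert_blob=b"PKCS7-stand-in")
    return {
        "unsigned_has_sig": has_embedded_signature(unsigned),
        "signed_has_sig": has_embedded_signature(signed),
        "hash_unchanged_by_signature": authenticode_hash(unsigned) == authenticode_hash(signed),
        "hash_changed_by_tamper": authenticode_hash(signed) != authenticode_hash(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real driver, `has_embedded_signature` is the quick way to audit a package for binaries that were catalog-signed only, and `authenticode_hash` reproduces the digest that the PKCS#7 blob in the certificate table signs, which is why the hash is the same before and after the table is appended.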

Page 5:

Getting Started

You need:

- Your code signing certificate. The same certificate you use to sign catalog files to submit to WHQL.
- Signtool.exe – The tool you use to sign catalog files and binaries.
- A cross-signing certificate – Download from: http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

Page 6:

Preparing Your Signing Certificate

First, add your code-signing certificate to your Personal certificate store. You received a .pvk and a .spc file from VeriSign. Convert them to a .pfx file:

pvk2pfx -pvk mypvkfile.pvk -pi mypvkpassword -spc myspcfile.spc -pfx mypfxfile.pfx -po pfxpassword -f

Add the .pfx file to your Personal certificate store: double-click the .pfx file and use the wizard.

Page 7:

Your Signing Certificate

Page 8:

Using SignTool

SignTool sign /v /ac <absolutepath>\CrossCertificateFile /s my /n "SPCCertificateName" /t http://timestamp.verisign.com/scripts/timestamp.dll DriverFileName.sys

Where:

- The sign command configures SignTool to embed a signature in the file DriverFileName.sys.
- The /v verbose option configures the tool to print execution and warning messages.
- The /ac CrossCertificateFile option specifies the cross-certificate .cer file that is associated with the SPC that is specified by SPCCertificateName. USE ABSOLUTE PATH.
- The /s SPCCertificateStore option specifies the name of the certificate store that holds the SPC that is specified by SPCCertificateName. As described in Software Publisher Certificate (SPC), the certificate information must be contained in a .pfx file, and the information in the .pfx file must be added to the Personal certificate store of the local computer. The Personal certificate store is specified by the option /s my.
- The /n SPCCertificateName option specifies the name of the certificate in the SPCCertificateStore certificate store. USE QUOTES.
- The /t http://timestamp.verisign.com/scripts/timestamp.dll option supplies the URL of the publicly available time-stamp server that VeriSign provides.
- DriverFileName.sys is the name of the driver file.

Page 9:

Validate Your Signature

Use SignTool:

SignTool verify /v /kp DriverFileName.sys

The TOP certificate in the chain should be: Microsoft Code Verification Root

Page 10:

Tips

- You cannot see a cross-certificate in any GUI that displays a certificate chain (such as File Properties).
- You cannot see your signature on the individual binaries in Device Manager (until they fix the bug…).
- You can validate that a given binary is "signed" by a given cat file by using SignTool:

SignTool verify /v /kp /c catalogfile.cat DriverFileName.sys

- You should embed-sign ALL boot-load Windows Vista drivers (even x86) to improve boot performance.

Page 11:

References

- WHDC Web site
- WDK Documentation Collection

Page 12:

Disclaimer

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.