Do not get intimidated by the expert memos and posts about how difficult the
process is, they are unbased. There is no need to read all the lengthy
documentation on the topic such as the ‘kernel mode code signing
walkthrough’, instead you can take an ignorant’s approach and only take the
steps which are really necessary. You just need to know you need the
certificate imported in the browser and you need a cross certificate (.cer
file). You can forget about test signing the driver with all the complicated
boot options, who needs that anyway? You can forget about creating a cat
file or signing the inf file, what is that good for if you can just sign the
driver binary? Am I missing something? All you need to know is how to
issue the signtool command:
    signtool.exe sign /v /ac crosscertificate.cer /s my /n certificatename /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.sys
(wildcards also accepted)
Once you got a certificate (not so easy I admit) you can do the whole thing
in 15 minutes and save yourself months of worrying and procrastinating and
hours of reading and testing uninteresting unnecessary documentation. The
only caveat is that you need to know that the personal certificate store is
specified as ‘my’ at the command line.
I was delighted when I realized I had some devices lying around for which
the manufacturer only offered a Windows XP x64 beta driver (one of which is
an M-Audio firewire sound card) and could get them to work on Vista by
issuing the signtool command.
My conclusion is that the many memos and messages from expert kernel
developers about how difficult the process is are unfounded. If they would
have complained about how ridiculous it is in the first place that we need to
buy signatures to be able to distribute our drivers I would wholeheartedly
agree. If they would say that this measure is seriously depriving the
developer community of innovation, or that code signing is a very weak
security measure, considering that everybody can go and buy a signature with
a forged passport and a prepaid credit card, they would have a very good
point. But the code signing process is easy, simple and straightforward, it’s
just a snack.
/Daniel
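
A check to run after the signing command in the post above, added here as an example and not part of the original message: it confirms that the binary carries a signature, that the /t option produced a timestamp, and that the chain built with the /ac cross certificate passes signtool's kernel-mode policy check. It assumes signtool.exe is on PATH and reuses the post's mydriver.sys file name; the function name Test-DriverSignature is made up for this example.

```powershell
# Added example, not from the original post.
# Assumptions: signtool.exe (Windows SDK/WDK) is on PATH; 'mydriver.sys' is the
# file name used in the post's command. Test-DriverSignature is a hypothetical name.
param([string]$DriverPath = 'mydriver.sys')

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ File = $Path; Ok = $false; Findings = @('file is not signed') }
    }
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status: $($sig.Status)"
    }
    # /t in the signing command should have added a timestamp countersignature;
    # without one the signature stops verifying when the signing certificate expires.
    if (-not $sig.TimeStamperCertificate) {
        $findings += 'no timestamp countersignature'
    }
    # /kp applies the kernel-mode driver signing policy, which is where a
    # missing or wrong cross certificate (/ac) shows up.
    $out = & signtool.exe verify /v /kp $Path 2>&1
    if ($LASTEXITCODE -ne 0) {
        $findings += "signtool verify /kp failed (exit $LASTEXITCODE)"
    }

    [pscustomobject]@{
        File     = $Path
        Signer   = $sig.SignerCertificate.Subject
        Expires  = $sig.SignerCertificate.NotAfter
        Ok       = ($findings.Count -eq 0)
        Findings = $findings
        Detail   = ($out | Out-String)
    }
}

Test-DriverSignature -Path $DriverPath | Format-List
```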