Getting a Driver Signed

Bill_Olson Member Posts: 67

I've been working off and on getting my customer's old driver ported to the new driver framework and compiling an x64 version. I got the driver working a few months ago, but had to put it on the back burner while they got an EV certificate from IdenTrust. I got the certificate installed and I was able to export a .cer file. I tried to sign the driver using signtool. It found the certificate and tried to sign the driver, but I got the error message
"The specified timestamp server either could not be reached or returned an invalid response"

I double checked and I entered the address of the timestamp server correctly. I tried writing IdenTrust tech support and they said the server address is intended to be entered into an IDE. I tried running the tool with my virus scanner off. Their tech support has not been great.

As I understand it the next step after this is for my customer to set up a Hardware Dashboard account? I thought that was just for drivers included in Windows Update, but comments I've seen in other signing threads here indicate it needs to be done for all drivers? This is for industrial hardware with a limited user base who all know where to go for software updates.

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 9,025

    Yes… you need a dashboard account.

    There’s a lot of good and bad documentation available. Start here, which also points to a good msft doc page.

    Peter Viscarola
    OSR
    @OSRDrivers

  • Bill_Olson Member Posts: 67

    That is more helpful, but I still have the same problem. I made a .cab file. The article says that the cab file should include the pdb and cat file for the driver, but further down the example only includes the sys and inf files. Are the pdb and cat files required? I included them anyway.

    In any case attempting to sign the cab file gets the same error
    "The specified timestamp server either could not be reached or returned an invalid response"

    IdenTrust claims the URL I'm using is their timestamp server. Windows Firewall is off and virus checker removed from memory for this attempt.

  • Tim_Roberts Member - All Emails Posts: 14,373

    The CAT file is not required. Microsoft throws yours away and builds a new one from scratch. The PDB is optional.

    What timestamp URL are you using? I used to use verisign.com, but that stopped working a year or so ago, so I believe I now use digicert.com.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Bill_Olson Member Posts: 67

    I use IdenTrust's because it's an IdenTrust certificate. Can I use any timestamp server?

  • Bill_Olson Member Posts: 67

    Here is the command line

    signtool sign /v /debug /ac RTICert.cer /s My /n "Company Name" /t "http://timestamp.identrust.com" x86cab\disk1\MTIsaDrv.cab

    Company Name is replaced with the actual name of the company

    I tried the digitrust server and got the same error

  • Tim_Roberts Member - All Emails Posts: 14,373

    Yes, you can use any timestamp server.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Bill_Olson Member Posts: 67

    Weird thing, I don't know what exactly I did, but it finally signed with digicert. I found a list of servers and was going to try one at a time. I put them all in the bat and remarked them out. Digicert was first on the list. I don't know why it worked this way, but it did.

    Now we have to get the Hardware Dashboard account set up and I think we'll finally have the finish line in sight.

    Thanks

  • Alan_Adams Member - All Emails Posts: 31

    signtool sign /v /debug /ac RTICert.cer /s My /n "Company Name" /t "http://timestamp.identrust.com" x86cab\disk1\MTIsaDrv.cab

    For what it's worth, IdenTrust seems to only overtly declare RFC 3161 support, which requires the /TR option instead of /T.

    The other "keeps saying my URL isn't valid" possibility that came to mind seeing your post was HTTP versus HTTPS, either because HTTP won't leave your site and/or because HTTP might not be supported at their end.
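
The following PowerShell script is an added example, not part of the thread or any poster's batch file: it signs the package once, then requests an RFC 3161 timestamp with `/tr` and `/td`, trying each server in turn. The `/fd sha256` option, the retry counts and the DigiCert URL are assumptions not taken from the posts; the file, store, subject and cross-certificate values are those of the posted command line.

```powershell
# Added example. Assumes signtool.exe from the Windows SDK is on PATH.
param(
    [string]$File      = 'x86cab\disk1\MTIsaDrv.cab',  # path from the posted command
    [string]$Subject   = 'Company Name',               # placeholder, as in the thread
    [string]$CrossCert = 'RTICert.cer'                 # /ac file from the posted command
)

# RFC 3161 endpoints to try, in order. The IdenTrust URL is the one quoted in
# the thread; the DigiCert URL is an assumption (the thread only says "digicert").
$TimestampServers = @(
    'http://timestamp.identrust.com',
    'http://timestamp.digicert.com'
)

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments | Out-Host   # show signtool's own diagnostics
    return $LASTEXITCODE
}

# 1. Sign once, with no timestamp option, so a timestamp-server failure
#    cannot be confused with a certificate or store problem.
$signArgs = @('sign', '/v', '/fd', 'sha256', '/ac', $CrossCert,
              '/s', 'My', '/n', $Subject, $File)
if ((Invoke-SignTool -Arguments $signArgs) -ne 0) {
    throw 'Signing failed before any timestamp server was contacted.'
}

# 2. Timestamp separately. /tr selects the RFC 3161 protocol (/t is the older
#    Authenticode protocol); /td sets the digest used in the timestamp request.
$stamped = $false
foreach ($url in $TimestampServers) {
    foreach ($attempt in 1..3) {
        $tsArgs = @('timestamp', '/tr', $url, '/td', 'sha256', $File)
        if ((Invoke-SignTool -Arguments $tsArgs) -eq 0) { $stamped = $true; break }
        Start-Sleep -Seconds (5 * $attempt)   # back off before retrying
    }
    if ($stamped) { Write-Host "Timestamped via $url"; break }
}
if (-not $stamped) {
    throw 'No timestamp server accepted the request; the file is signed but not timestamped.'
}

# 3. Confirm the signature and the countersignature are both present.
& signtool.exe verify /v /pa $File
```

Separating the two steps means an EV token PIN prompt occurs only once, and a non-zero exit from the `timestamp` step points at the server or protocol rather than the certificate.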

  • Bill_Olson Member Posts: 67

    One of the things I tried was using https instead of http. It had an immediate error.
