Tim,
It seems like you’re both agreeing and disagreeing with what I said in two
different paragraphs.
Your reply said “an x64 driver that is used by the boot loader must have the
signature embedded in the driver binary” and then your reply also said “The
x64 KMCS signature check happens every single time the driver is loaded”.
My understanding is (unless you are in a special debugging/test mode) that
EVERY x64 driver on Vista/W2K8 will need an embedded signature, no matter
when it starts. Are you saying you believe a non-boot start x64 driver on
Vista/W2K8 does not need an embedded signature, or am I misinterpreting what
you’re saying?
Yes, I was not totally clear about the validity of a GlobalSign certificate,
and yes there would need to be a valid certificate chain to a valid root,
and that requires adding the correct cross-certificate. I always have used
VeriSign certificates, so don’t have any personal knowledge about using
GlobalSign certificates.
My overall point was that “signed driver” has multiple meanings, and the
correct kind of signature is required for a desired purpose. Putting a KMCS
signature on a driver will not make it show up as “signed” in device
manager, or make it install silently. As I remember, a correctly signed
.cat and an unsigned binary (on x64 Vista/W2K8) will show up as signed in
device manager, but when the OS tries to start the driver, it fails with an
error that says the binary is not signed.
Jan
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Tuesday, March 17, 2009 9:49 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Vista 64-bit code signing: “windows
can’t verify the publisher of this driver”

Jan Bottorff wrote:
> Let me ask a few questions. Are you signing the .sys binary or the
> .cat file? Or both? They are totally different signatures.
>
> During driver installation, you need the .cat signed. On Vista/W2K8
> x64, you also need the binary signed.

This is not quite correct. The .cat signature is all you need in every
case except one: an x64 driver that is used by the boot loader must have
the signature embedded in the driver binary. That’s the only exception.
For all other drivers, the .cat signature is sufficient.

> On Vista x64 the expected behavior would be: the first time you
> install a driver with your Authenticode signature a dialog will come
> up, and it will have an option to “always trust drivers from xxx”. To
> prevent this, you need either a) a WHQL signature, b) the
> Authenticode certificate already installed as I believe a trusted
> publisher. I believe you can get option B to happen via a network domain
> group policy, so all machines that are domain members will trust
> drivers from that company. You also can add the publisher certificate
> on first install, and then later installs of that device should be
> silent.

You’re talking about the “install time” behavior on all systems, not the
x64 KMCS behavior. The x64 KMCS signature check happens every single time
the driver is loaded. There are no easy policies to override that. You can
either (1) attach a kernel debugger, (2) press F8 at boot time to turn it
off, or (3) enable /testsign and install your certificate as a trusted root.

> I’d have to verify if GlobalSign is a valid Authenticode certificate
> provider, with installed roots.

For KMCS, it doesn’t matter. There is only one valid root provider
(Microsoft), and you must embed a cross-certificate that chains from your
provider to Microsoft.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
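The distinction both messages draw between a signed .cat and a signature embedded in the .sys binary can be checked from the PE headers. The script below is an added example (my code, not Jan's or Tim's): it reads IMAGE_DIRECTORY_ENTRY_SECURITY, which is where an embedded Authenticode/KMCS signature lives, so a driver covered only by a .cat has an empty entry, the combination Jan describes as showing "signed" in Device Manager yet failing at load on x64. The PE bytes it inspects are constructed in-memory headers, not a real driver.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # fifth (VirtualAddress, Size) pair


def embedded_signature(pe: bytes):
    """Return (file_offset, blob_length) of the embedded Authenticode
    signature, or None when the binary relies on a .cat alone."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories begin at +96 in PE32 and +112 in PE32+ (x64 drivers).
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_base is None:
        raise ValueError(f"unknown optional header magic {magic:#06x}")
    entry = opt + dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    sec_off, sec_size = struct.unpack_from("<II", pe, entry)
    if sec_off == 0 or sec_size == 0:
        return None                              # no embedded signature: the KMCS load check fails
    # Unlike other directories, the security entry holds a raw file offset.
    length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected WIN_CERTIFICATE type {cert_type:#06x}")
    return sec_off, length


def build_pe32plus(signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header (not a loadable driver) used as sample
    input; `signature` stands in for the PKCS#7 blob signtool would append."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # Machine = AMD64
    opt = bytearray(240)                                           # 112 fixed + 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    blob = b""
    if signature:
        blob = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         headers_len, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob
```

This only detects whether an embedded signature blob is present; validating that it chains through the cross-certificate to the Microsoft root, as the kernel does at load time, is what `signtool verify /kp` checks on the build machine.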