IIRC, boot start drivers must have an embedded signature, and drivers that start later can use either an embedded signature or a .cat signature.
(For in-box things, a .cat is preferred where possible so that the large cert blobs aren’t duplicated for every single PE image, but rather are stored in a more efficient, centralized location. The sig blob embedded in a binary with the certs included might be on the order of 10k per binary, whereas a .cat doesn’t need to duplicate the certificate parts (largest by far) over and over.
For example, win32k.sys on my Vista SP1 x64 box has a .cat signature and not an embedded one (no security directory in the PE header). However, ntfs.sys has a security directory with the certificate blob + signature.)
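As an added illustration (not part of the original thread, and not code from any of the posters), here is a small Python script that performs the check described above: it parses the PE headers of a .sys file, reads data directory entry 4 (the Security directory), and reports whether a WIN_CERTIFICATE blob is embedded in the image. A binary with no Security directory can only be covered by a .cat signature, which is the situation Jan describes below where Device Manager reports the driver as signed but the x64 loader refuses to start it. The build_test_image helper is an assumption of this example: it constructs a minimal, header-only PE fixture so the script runs offline; it is not a real driver and would not load.

```python
"""Report whether a PE image (e.g. a .sys driver) carries an embedded
Authenticode signature, i.e. whether its optional header has a non-empty
Security data directory pointing at a WIN_CERTIFICATE structure.

Added example: not from the original mailing-list thread."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002          # bCertificate is a PKCS#7 SignedData blob
MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64"}


def embedded_signature_info(data):
    """Return a dict describing the embedded signature, or None when the image
    has no Security directory. Raises ValueError on a malformed header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                               # PE32: directories start at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                             # PE32+: directories start at +112
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or opt_size < dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1):
        return None                                  # header too short to even have a Security entry
    sec_off, sec_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return None                                  # no embedded signature: catalog-only or unsigned
    # Unlike every other directory, the Security entry holds a raw file offset,
    # not an RVA, because the certificate table lives outside any section.
    if sec_size < 8 or sec_off + sec_size > len(data):
        raise ValueError("Security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, sec_off)   # WIN_CERTIFICATE header
    if length > sec_size:
        raise ValueError("WIN_CERTIFICATE dwLength exceeds directory size")
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "offset": sec_off,
        "size": sec_size,
        "revision": revision,
        "cert_type": cert_type,
        "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "certificate_bytes": length - 8,             # bCertificate length, excluding the 8-byte header
    }


def signature_kind(data):
    """One-line classification suitable for a quick audit of a driver directory."""
    info = embedded_signature_info(data)
    if info is None:
        return "no embedded signature (catalog-only or unsigned)"
    if not info["is_pkcs7"]:
        return "embedded certificate of unexpected type 0x%04x" % info["cert_type"]
    return "embedded Authenticode signature (%d-byte PKCS#7 blob, %s)" % (info["certificate_bytes"], info["machine"])


def build_test_image(pe32plus=True, cert=None):
    """Constructed test fixture (assumption of this example): a minimal,
    non-loadable PE header with zero sections, optionally followed by a
    WIN_CERTIFICATE wrapping `cert`, with the Security directory pointing at it."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    machine = 0x8664 if pe32plus else 0x014C
    std_len = 112 if pe32plus else 96                # optional header bytes before the data directories
    opt_size = std_len + 16 * 8                      # 16 directory entries of 8 bytes each
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, std_len - 4, 16)     # NumberOfRvaAndSizes
    header = dos + b"PE\0\0" + coff + opt
    if cert is None:
        return bytes(header)
    pad = (-len(header)) % 8                          # certificate table is 8-byte aligned
    sec_off = len(header) + pad
    win_cert = struct.pack("<IHH", 8 + len(cert), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
    image = bytearray(header + b"\0" * pad + win_cert)
    opt_in_file = len(dos) + 4 + 20
    struct.pack_into("<II", image, opt_in_file + std_len + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, len(win_cert))
    return bytes(image)


if __name__ == "__main__":
    for path in sys.argv[1:]:                        # e.g. python pe_sigcheck.py C:\Windows\System32\drivers\*.sys
        with open(path, "rb") as f:
            print(path, "->", signature_kind(f.read()))
```

The script only tells you whether a signature is present in the file, which is the distinction the thread is about; it does not validate the PKCS#7 blob or the certificate chain, so a file that reports an embedded signature can still fail the KMCS check if the chain does not reach the Microsoft root via the cross-certificate.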
-----Original Message-----
From: Jan Bottorff
Sent: Tuesday, March 17, 2009 11:55
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Vista 64-bit code signing: “windows can’t verify the publisher of this driver”
Tim,
It seems like you’re both agreeing and disagreeing with what I said in two
different paragraphs.
Your reply said “an x64 driver that is used by the boot loader must have the
signature embedded in the driver binary” and then your reply also said “The
x64 KMCS signature check happens every single time the driver is loaded”.
My understanding is (unless you are in a special debugging/test mode) that
EVERY x64 driver on Vista/W2K8 will need an embedded signature, no matter
when it starts. Are you saying you believe a non-boot start x64 driver on
Vista/W2K8 does not need an embedded signature, or am I misinterpreting what
you're saying?
Yes, I was not totally clear about the validity of a GlobalSign certificate,
and yes there would need to be a valid certificate chain to a valid root,
and that requires adding the correct cross-certificate. I always have used
VeriSign certificates, so don’t have any personal knowledge about using
GlobalSign certificates.
My overall point was that “signed driver” has multiple meanings, and the
correct kind of signature is required for a desired purpose. Putting a KMCS
signature on a driver will not make it show up as “signed” in device
manager, or make it install silently. As I remember, a correctly signed
.cat, and unsigned binary (on x64 Vista/W2K8) will show up as signed in
device manager, but when the OS tries to start the driver, it fails with an
error that says the binary is not signed.
Jan
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
> Sent: Tuesday, March 17, 2009 9:49 AM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Vista 64-bit code signing: “windows
> can’t verify the publisher of this driver”
>
> Jan Bottorff wrote:
> > Let me ask a few questions. Are you signing the .sys binary or the
> > .cat file? Or both? They are totally different signatures.
> >
> > During driver installation, you need the .cat signed. On Vista/W2K8
> > x64, you also need the binary signed.
>
> This is not quite correct. The .cat signature is all you
> need in every case except one: an x64 driver that is used by
> the boot loader must have the signature embedded in the
> driver binary. That’s the only exception. For all other
> drivers, the .cat signature is sufficient.
>
>
> > On Vista x64 the expected behavior would be: the first time you
> > install a driver with your Authenticode signature a dialog will come
> > up, and it will have an option to “always trust drivers from xxx”. To
> > prevent this, you need either a) a WHQL signature, b) the
> > Authenticode certificate already installed as I believe a trusted
> > publisher. I believe you can get option B to happen via a network
> > domain group policy, so all machines that are domain members will
> > trust drivers from that company. You also can add the publisher
> > certificate on first install, and then later installs of that device
> > should be silent.
>
> You’re talking about the “install time” behavior on all
> systems, not the
> x64 KMCS behavior. The x64 KMCS signature check happens
> every single time the driver is loaded. There are no easy
> policies to override that. You can either (1) attach a
> kernel debugger, (2) press F8 at boot time to turn it off, or
> (3) enable /testsign and install your certificate as a trusted root.
>
>
> > I’d have to verify if GlobalSign is a valid Authenticode certificate
> > provider, with installed roots.
>
> For KMCS, it doesn’t matter. There is only one valid root
> provider (Microsoft), and you must embed a cross-certificate
> that chains from your provider to Microsoft.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online
> at http://www.osronline.com/page.cfm?name=ListServer
>