Steps to get PCIe driver signed for Windows 10

We have 32-bit and 64-bit PCIe drivers that we developed using the Jungo software (https://www.jungo.com/st/products/windriver/). We have purchased an EV from Sectigo. At this point we have the USB token and can access it from SafeNet. My question is, what are the next steps to getting this signed so that our customers can use it on Windows 10?

Do I use SafeNet to create a certificate that I then register on MS Partner portal?

Do I send the DLLs to MS?

As you can see, I am currently lost in what to do.

Thanks for any help.

Brian

Have you created your dashboard account yet? When you create your dashboard account, they will have you download a file. You then sign the file with your EV certificate and send it back. That’s how you register a certificate. There are a number of hoops to jump through, including the signing of a number of legal documents.

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/register-for-the-hardware-program

Once your account is set up, you will need to create a driver package (SYS, INF, CAT). You put all of those into a “cabinet” file, sign the cabinet, and upload it for attestation signing.

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

Tim, thank you so much for the information. I’ll give it a try.

For the millionth time on this forum: https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/

@Peter_Viscarola_(OSR) I read your article. I really wish it was so easy…but for me, I’m not getting it. @Tim_Roberts, I have the CERT key in the computer. I can open and view the information in it using SafeNet Authentication Tools. How do I ‘sign’ a file using it?

Sorry, forgot to add something. @“Peter_Viscarola_(OSR)” I tried to make an account on Microsoft Hardware Dev Center. Seemed like my MS account is not administrator? How do I use the EV Cert to sign-up for the account on MHDC?

Thanks so much.

Brian

I tried to make an account on Microsoft Hardware Dev Center. Seemed like my MS account is not administrator?

Ah, well, there IS a problem that’s been discussed here just recently. Does this discussion sound like the problem you’re having? If so, perhaps the OP in that discussion can advise if/how he fixed it.

Peter

How do I ‘sign’ a file using it?

You fetch the certificate’s thumbprint (a 24-byte value; the SafeNet client will show you this), and provide that as the /sha1 parameter to signtool sign, or to the <ProductionCertificate> value in your vcxproj file.
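
As an added example (not part of the original posts), the signing step described above can be scripted as follows. It assumes signtool.exe is on PATH and that the SafeNet client has made the token's certificate visible in the CurrentUser\My store; the parameter names are hypothetical.

```powershell
# Added example: sign a submission cabinet with the EV certificate held on the token.
param(
    [Parameter(Mandatory)] [string] $CabPath,
    [Parameter(Mandatory)] [string] $SubjectMatch,   # part of the certificate subject, e.g. company name
    [string] $TimestampUrl                           # optional RFC 3161 timestamp URL from your CA
)
$ErrorActionPreference = 'Stop'

# Pick the certificate by subject and validity window instead of pasting a thumbprint by hand.
$now = Get-Date
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })
if ($certs.Count -ne 1) {
    throw "expected exactly one matching code-signing certificate, found $($certs.Count)"
}
$thumb = $certs[0].Thumbprint

# /sha1 selects the signing certificate by thumbprint; /fd sets the file digest algorithm.
$signArgs = @('sign', '/v', '/fd', 'sha256', '/sha1', $thumb)
if ($TimestampUrl) { $signArgs += @('/tr', $TimestampUrl, '/td', 'sha256') }
$signArgs += $CabPath
& signtool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Confirm the signature chains and validates before uploading.
& signtool verify /v /pa $CabPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

The token client prompts for the token password when signtool accesses the private key.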

Hello. I was able to create a CAB file finally, and submitted it. It comes back with “failed” with this error:

“InfVerif failed for Driver. Partial Log:Error 1233 in StKvdPCIe3264.inf, line 13 : Missing directive CatalogFile required for digital signature.”

There was a Catalog = statement that pointed to a CAT file in my DDF. I removed it, then tried a different name. I still get this same exact error message when resubmitting.

Any ideas?

Thanks, Brian

The directive is CatalogFile, not Catalog. It is absolutely required, and has been since Windows 8.

Thank you, @Tim Roberts

Hello again. It was “CatalogFile” in my INF file. Any other ideas? Or maybe how to debug this? Thanks.

@Tim_Roberts I have made it further in the process now.

This is the last error message I received from the CAB submission:

No installation INF found in the root path of the driver. For the driver to be digitally signed, and for it to install properly the installation inf must be in the root of each driver path you have provided. If you have separate folders with different driver packages for different languages, operating systems or device categories then specify each driver set as a separate driver. Each driver package must be selected separately and must contain an installation INF.

Not sure what I need to do.

I tried to upload my DDF file and could not. Same with an image for the DDF file.

Thanks, Brian

The required layout of the CAB often confuses people the first time they go through the process.

You can see an example here of how it needs to look.

Peter

Right. Even if there is only one driver package in the cabinet, it must be in a subdirectory. That subdirectory needs your SYS and your INF.
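
An added pre-submission check (not from the thread) for the two rejections discussed above: it verifies that each driver package sits in its own subdirectory with an INF at its root, and that the INF's [Version] section carries a CatalogFile directive. The staging-folder layout and the parameter name are assumptions.

```powershell
# Added example. Assumed (hypothetical) staging layout: <StageRoot>\<PackageDir>\*.inf, *.sys
param(
    [Parameter(Mandatory)] [string] $StageRoot
)
$ErrorActionPreference = 'Stop'
$problems = @()

# An INF or SYS directly in the stage root would end up in the cabinet root, not in a package.
if (Get-ChildItem -LiteralPath $StageRoot -File | Where-Object { $_.Extension -in '.inf', '.sys' }) {
    $problems += 'INF/SYS found in the stage root; move them into a package subdirectory'
}

$packages = @(Get-ChildItem -LiteralPath $StageRoot -Directory)
if ($packages.Count -eq 0) {
    $problems += "no driver package subdirectory under $StageRoot"
}

foreach ($pkg in $packages) {
    $infs = @(Get-ChildItem -LiteralPath $pkg.FullName -Filter *.inf -File)
    if ($infs.Count -eq 0) {
        $problems += "$($pkg.Name): no INF in the root of the package directory"
    }
    foreach ($inf in $infs) {
        $section = ''
        $hasCatalog = $false
        foreach ($line in Get-Content -LiteralPath $inf.FullName) {
            # Strip ';' comments (simplification: ignores ';' inside quoted strings).
            $text = ($line -replace ';.*$', '').Trim()
            if ($text -match '^\[(.+)\]$') { $section = $Matches[1].Trim(); continue }
            # Accept plain and platform-decorated forms, e.g. CatalogFile.NTamd64
            if ($section -eq 'Version' -and $text -match '^CatalogFile(\.\w+)?\s*=\s*\S') {
                $hasCatalog = $true
            }
        }
        if (-not $hasCatalog) {
            $problems += "$($pkg.Name)\$($inf.Name): [Version] has no CatalogFile directive"
        }
    }
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: $($packages.Count) package(s) passed the layout and CatalogFile checks"
```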

@BrianDColorado said:
Not sure what I need to do.

I tried to upload my DDF file and could not. Same with an image for the DDF file.

You can find a simple sample DDF here: https://kerneldrivers.com/dual-signed-binaries-windows-7-beyond/

Here is a PowerShell script that constructs the cab using makecab from a generated ddf file.

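param(
    [string] $name,        # base name of the .ddf and .cab files
    [string] $path,        # existing output directory for the cabinet
    [string[]] $files,     # files to place in the cabinet's Driver directory
    [switch] $keepFiles,   # keep the generated setup.inf, setup.rpt and .ddf
    [switch] $verbose      # run makecab with verbose output (was referenced below but never declared)
)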
$ErrorActionPreference = 'Stop'
$ret = 0
$pushValue = $null
try {
    if (-Not (test-path $path)) {
        throw "$path not found"
    }
     
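    # Resolve to an absolute path first: the later "$path\..." references run after the location change.
    $path = (Resolve-Path $path).Path
    # -PassThru makes Push-Location return a value, so the finally block actually pops the location.
    $pushValue = Push-Location $path -PassThru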
    $tempFiles = @(".\setup.inf",".\setup.rpt",".\$($name).ddf")

    $t = @"
.OPTION EXPLICIT     ; Generate errors
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetNameTemplate=$($name).cab
.Set DiskDirectoryTemplate=$((resolve-path $path).Path)
.Set DestinationDir=Driver
"@
    foreach  ($file in $files) {
        if (-Not (test-path $file)) {
            throw "$file not found"
        }
        $t += "`r`n$((resolve-path $file).Path)"
    }
    $t += "`r`n"
    $t | set-content -path "$path\$($name).ddf" -Force
    if ($verbose) {
        & makecab /f "$path\$($name).ddf" -V3
    } else {
        $null = & makecab /f "$path\$($name).ddf"
    }
    $ret = $LastExitCode

    if (!$keepFiles) {
        $tempFiles | foreach-Object {
            if (Test-Path $_ ) {
                Remove-Item -Path $_ -Force
            }
        }
    }
}
catch {
    "Exception: $($Error[0])"
    $ret = 1
} 
finally {
    if ($pushValue) {
        pop-location
    }
    exit $ret
}
