So far I had been signing my driver using signtool.exe with a certificate
(say X.cer) I created using makecert.exe some time ago. Recently I created
another certificate Y.cer. Now if I create a new driver binary and run
signtool.exe, which certificate will be used among X.cer and Y.cer for
signing by signtool?
This answer is really important to me, because I assumed signtool will
always use the most recently created certificate and I delivered Y.cer
along with the driver to validation.
Seriously? Whichever one you select.
Signtool takes which cert to use as input on the command line.
Peter
OSR
@OSRDrivers
The command that I am using is taking the certificate store name as input,
and my certificate store has two certificates X and Y.
On Sun, 18 Oct 2015 at 19:31 wrote:
>
>
> Seriously? Whichever one you select.
>
> Signtool takes which cert to use as input on the command line.
>
> Peter
> OSR
> @OSRDrivers
>
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
I know that there is an option to specify the certificate name but the
command that I ran is not using this parameter.
Now my doubt is if I use the option for specifying the certificate store
alone, and the certificate store contains two certificates, which
certificate is chosen by signtool?
On Sun, 18 Oct 2015 at 21:03 jayanth sharma wrote:
> The command that I am using is taking the certificate store name as input,
> and my certificate store has two certificates X and Y.
And why don’t you just right click for properties in File Explorer on your .sys file and look at the digital signature tab, and look at which key fingerprint/date your file is signed with. It takes less time to do than to send a message to this list.
Jan
From: on behalf of jayanth sharma
Reply-To: Windows List
Date: Sunday, October 18, 2015 at 8:33 AM
To: Windows List
Subject: Re: [ntdev] About certificates used while signing a driver
The command that I am using is taking the certificate store name as input, and my certificate store has two certificates X and Y.
Dude, again, SERIOUSLY? Why not just TRY it, read the output from Signtool, perhaps try the /V option… and find out what happens. DO YOUR HOMEWORK and if you REALLY can’t figure it out after spending, say, a couple of hours… THEN post here. THAT’s the way you LEARN, not by asking people to do your work for you.
Or did you perhaps want one of us to come over to your place and type the command for you and walk you through the various options?
I don’t understand questions like this. Back in the day, if I walked into the office of one of the senior engineers I worked with and asked a question like this, I would have been cursed and thrown out of the office. No joke. Folks here should view this forum as they would view asking a senior colleague for information. We’re happy to help, but I for one, am not so very happy to help those who don’t take the time to try to help themselves first.
Peter
OSR
@OSRDrivers
jayanth sharma wrote:
> So far I had been signing my driver using signtool.exe with a
> certificate (say X.cer) I created using makecert.exe some time ago.
> Recently I created another certificate Y.cer. Now if I create a new
> driver binary and run signtool.exe, which certificate will be used
> among X.cer and Y.cer for signing by signtool?
This is the danger in using names to select certificates. I have
transitioned to using the SHA thumbprint to select the certificate in
all cases. Nice and unambiguous.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
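
Added example, not part of the original thread and not any poster's own code: a PowerShell script that signs by SHA-1 thumbprint as suggested in the last reply, then reads the signer back from the file as suggested earlier in the thread. The store name, driver path and thumbprint are placeholders assumed for illustration.

```powershell
# Assumptions (not from the thread): all three values below are placeholders.
$StoreName  = 'PrivateCertStore'        # hypothetical current-user store holding X and Y
$DriverPath = '.\mydriver.sys'          # hypothetical driver binary
$Expected   = '<SHA1-THUMBPRINT>'       # placeholder: thumbprint (hex, no spaces) of the
                                        # certificate whose .cer you hand to validation

# 1. List every certificate in the store that has a private key, so an
#    ambiguous store (two usable signing certs) is visible before signing.
$candidates = Get-ChildItem "Cert:\CurrentUser\$StoreName" |
    Where-Object { $_.HasPrivateKey }
$candidates | Sort-Object NotBefore |
    Format-Table Subject, Thumbprint, NotBefore, NotAfter -AutoSize

# 2. Refuse to sign unless the pinned thumbprint is present exactly once.
$match = @($candidates | Where-Object { $_.Thumbprint -eq $Expected })
if ($match.Count -ne 1) {
    throw "Expected one certificate with thumbprint $Expected in '$StoreName', found $($match.Count)."
}

# 3. Sign by thumbprint (/sha1) rather than by store name or subject name alone.
& signtool.exe sign /v /s $StoreName /sha1 $Expected /fd sha256 $DriverPath
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE."
}

# 4. Read the signer back from the file and compare it with the pinned value.
#    Only the thumbprint is compared; the trust status of a test certificate
#    depends on the machine's root store and is not checked here.
$sig    = Get-AuthenticodeSignature -FilePath $DriverPath
$actual = $sig.SignerCertificate.Thumbprint
if ($actual -ne $Expected) {
    throw "File is signed with $actual, expected $Expected."
}
"Signer: $($sig.SignerCertificate.Subject) [$actual]"
```

Step 4 is the check that matters when a .cer file is delivered separately from the binary: it confirms that the certificate handed over is the one that actually signed the file.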