Code signing certificate

I am learning about kernel-mode driver signing. Currently I know how to test-sign my driver, and want to do release signing.
I understand that my company needs to buy a code signing certificate. For example, GlobalSign: http://www.globalsign.com/code-signing/
Having such a certificate, I can use it instead of the test-signing certificate, and this allows me to install my driver on a Win7 x64 computer. Is this correct?
Another question: the Microsoft Cross-Certificates page (http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx) allows downloading the GlobalSign certificate MSCV-GlobalSign.cer. What is the meaning of this free download and how can this certificate file be used?

Hello Alex,

On 16/06/2010 3:05 PM, xxxxx@yahoo.com wrote:

> I am learning about kernel-mode driver signing. Currently I know how to test-sign my driver, and want to do release signing.
> I understand that my company needs to buy a code signing certificate. For example, GlobalSign: http://www.globalsign.com/code-signing/
> Having such a certificate, I can use it instead of the test-signing certificate, and this allows me to install my driver on a Win7 x64 computer. Is this correct?

Yes

> Another question: the Microsoft Cross-Certificates page (http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx) allows downloading the GlobalSign certificate MSCV-GlobalSign.cer. What is the meaning of this free download and how can this certificate file be used?

The cross cert is used so that when company X (e.g. GlobalSign) signs a
cert, its trust chain can be established back to Microsoft. Otherwise
it will just be another self-signed cert.

Thank you.

> I am learning about kernel-mode driver signing. Currently I know how to test-sign my driver, and want to do release signing.
> I understand that my company needs to buy a code signing certificate. For example, GlobalSign: http://www.globalsign.com/code-signing/
> Having such a certificate, I can use it instead of the test-signing certificate, and this allows me to install my driver on a Win7 x64 computer. Is this correct?
> Another question: the Microsoft Cross-Certificates page (http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx) allows downloading the GlobalSign certificate MSCV-GlobalSign.cer. What is the meaning of this free download and how can this certificate file be used?

A Google with “microsoft device driver code signing” will show up http://www.microsoft.com/whdc/driver/install/drvsign/default.mspx
and there you can find http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/KMCS_Walkthrough.doc

After removing all the dust and chat, you will come to a summary something like this:

  1. Signing <yourdriver.sys>:

    signtool sign /v /ac "<path>\MSCV-GlobalSign.cer" /sha1 <certificate thumbprint> /t http://timestamp.verisign.com/scripts/timestamp.dll <yourdriver.sys>

  2. Generating the *.CAT file:

    inf2cat /driver:<driver package directory> /os:XP_X64,Server2003_X64,Vista_X64,Server2008_X64 /v

  3. Signing the *.CAT file:

    signtool sign /v /ac "<path>\MSCV-GlobalSign.cer" /sha1 <certificate thumbprint> /t http://timestamp.verisign.com/scripts/timestamp.dll <yourdriver.cat>

> …
> If I don’t do this, my driver can be installed, but with additional warning during installation. This is OK for me, and I can forget about WHQL for now. Is this correct?

Correct in most cases, but depending on the kind of driver.

Regards,

Christiaan

> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
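
The three steps from the message above, with a verification pass added at the end, written as a batch script. This is an added example, not part of the original thread; the package directory, file names, cross-certificate path and thumbprint are placeholder assumptions, while the timestamp URL and `/os` list are the ones quoted in the post.

```batch
@echo off
rem Added example: sign the driver, build and sign the catalog, then verify.
rem All paths and the thumbprint below are placeholders to replace before use.
setlocal

set "PKG=C:\drv\package"
set "SYS=%PKG%\yourdriver.sys"
rem The catalog name must match the CatalogFile entry in the package INF.
set "CAT=%PKG%\yourdriver.cat"
set "CROSS=C:\certs\MSCV-GlobalSign.cer"
set "THUMB=REPLACE_WITH_CERT_SHA1_THUMBPRINT"
rem Timestamp URL and /os list as given in the post.
set "TS=http://timestamp.verisign.com/scripts/timestamp.dll"
set "OSLIST=XP_X64,Server2003_X64,Vista_X64,Server2008_X64"

rem 1. Embedded signature on the .sys, chained through the cross certificate.
signtool sign /v /ac "%CROSS%" /sha1 %THUMB% /t %TS% "%SYS%" || goto :fail

rem 2. Generate the catalog from the INF in the package directory.
inf2cat /driver:"%PKG%" /os:%OSLIST% /v || goto :fail

rem 3. Sign the catalog the same way.
signtool sign /v /ac "%CROSS%" /sha1 %THUMB% /t %TS% "%CAT%" || goto :fail

rem 4. Verify against the kernel-mode signing policy (/kp):
rem    first the embedded signature, then the file through its catalog (/c).
signtool verify /kp /v "%SYS%" || goto :fail
signtool verify /kp /v /c "%CAT%" "%SYS%" || goto :fail

echo Signed and verified.
exit /b 0

:fail
echo A signing or verification step failed. 1>&2
exit /b 1
```

If the `/ac` cross certificate was left out when signing, the `/kp` verification is the step that reports it, since the chain no longer ends at the Microsoft root.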

> http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/KMCS_Walkthrough.doc

Thank you, Christiaan, I am working with this document, and learned to make test signing with it.

> Correct in most cases, but depending on the kind of driver.

This is a kernel-mode PCI board device driver, written in KMDF, PNP, with StartType = 3. Our product is shipped as a PC with a special PCI board, driver, user-mode program and some additional equipment. So, in my case, WHQL is an option, but not obligatory?

> This is a kernel-mode PCI board device driver, written in KMDF, PNP, with StartType = 3. Our product is shipped as a PC with a special PCI board, driver, user-mode program and some additional equipment. So, in my case, WHQL is an option, but not obligatory?

I think it will not be necessary to WHQL sign it, but I expect that someone else on this forum will confirm this.

Christiaan

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Wednesday, June 16, 2010 8:32 AM
Subject: RE:[ntdev] Code signing certificate

>> http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/KMCS_Walkthrough.doc
>
> Thank you, Christiaan, I am working with this document, and learned to make test signing with it.
>
>> Correct in most cases, but depending on the kind of driver.
>
> This is a kernel-mode PCI board device driver, written in KMDF, PNP, with StartType = 3. Our product is shipped as a PC with a special PCI board, driver, user-mode program and some additional equipment. So, in my case, WHQL is an option, but not obligatory?

The WHQL certificate will remove the final warning dialogue. If the OP can
live with that warning about his driver possibly being unsafe then they need
not acquire it.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Christiaan Ghijselinck
Sent: Wednesday, June 16, 2010 2:02 AM
To: Windows System Software Devs Interest List
Subject: Re: RE:[ntdev] Code signing certificate

> This is a kernel-mode PCI board device driver, written in KMDF, PNP, with StartType = 3. Our product is shipped as a PC with a special PCI board, driver, user-mode program and some additional equipment. So, in my case, WHQL is an option, but not obligatory?

I think it will not be necessary to WHQL sign it, but I expect that someone
else on this forum will confirm this.

Christiaan
