On 5/21/2012 6:59 PM, Dejan Maksimovic wrote:
> Microsoft had not issued a cross-certificate for GoDaddy. So they were not eligible. This has
> changed. Today they are.
Then, I hope someone can confirm that GoDaddy certs can be used to sign x64 drivers.
Amen.
> You should probably just buy a VeriSign certificate. Alternatively, you could read up on PK, signatures, signature
> chains and Authenticode, and check my arguments for yourself.
Verisign is 3x the price of any other, GlobalSign does not offer certs for all countries, so I am looking for
others.
Yes, of course. On the other hand $134 should also not exactly be
bank-breaking, compared to the developer time.
BTW, Microsoft offered cross certs for Thawte some time ago - I tried to sign with a Thawte certificate at the
time, and did NOT work for x64 drivers. Hence my doubts on this.
Actually I’m not surprised if anyone has a problem using certificates
for signing, simply because the available signing tools are far, far
from “easy-to-use”.
The “KMCS walkthrough” document is very good, but you have to follow it
to the letter. And as soon as you set up your own scripts for automation
you need to experiment to see what you can safely add or change and what
not.
When I last time signed our driver, Signtool embedded the wrong
certificate in the driver binary.
The driver would install without any warning, but it did not load on a
Win7/64bit system.
Turned out this was actually caused by an automatic certificate update!
From two available CA root certs, Signtool selected the “newer” one for
embedding.
This is normally a good strategy, but unfortunately Signtool selected
the one for which MS did not provide a cross-certificate yet.
With WDK7600 and up, Signtool now at least issues a somewhat cryptic
warning that “not all certificates could be embedded”.
What it does not tell you is that your driver package will install on
Win7/64bit, but the driver load will fail.
Also you cannot detect this on the signing PC, because Signtool
happily imports all used certificates into the registry.
So the certificates are found there and any driver test will work happily.
The “non-developer” Win7/64bit system has these certs not in the
registry, of course.
Thus load fails. (The full story is in the OSR archives.)
Subsequently I learned to peruse the “certmgr ” incantation
quite intensely. Not funny.
This is the reason why Tim properly pointed out that embedding the
certificate chain into a driver makes all the difference between
Authenticode signing and Driver signing, and this difference is a major one.
Technically, however, the code signing certificate is good for both
(Authenticode and KMCS), all depends on having the cross-certificate
made by Microsoft.
You have to make sure everything needed is embedded in the binary, then
you ave to make sure you get the signing order right.
And of course you may not change a single bit of the INF after the
CAT/sign process (someone did this when our company name changed several
yeras ago - they meant well but of course broke the signature).
NB: Additional free fun: there can be up to three different certificate
stores on a Windows PC: one in the registry, one in the JRE, and another
one in Mozilla. Better make sure you import your cert into the correct
cert store. ![:wink: :wink:](/images/emoji/twitter/wink.png?v=12)