how to disable "Digitally signed driver" check for 64 bits OSes?

On Wed, Sep 29, 2010 at 12:29 PM, Hagen Patzke wrote:
> Tim Roberts wrote:
>> I don’t know where you looked, but without taking special steps at
>> each boot, there’s no way to load an unsigned driver in 64-bit
>> Windows.
>
> Well, there is one: UMDF :wink:

I have never used UMDF, nor do I know much about it, but I was under the
impression that it required signed drivers, even when running in user
mode. Was my impression incorrect? (Also, does anybody use UMDF? Does
Windows ship with a single UMDF driver?)


Aram Hăvărneanu

On 09/29/2010 11:36 AM, Aram Hăvărneanu wrote:

> I have never used UMDF, nor do I know much about it, but I was under the
> impression that it required signed drivers, even when running in user
> mode. Was my impression incorrect?
>
> (Also, does anybody use UMDF?

My first shot at a simple USB driver for our device and Vista/64bit was
a UMDF driver. Installing this did not require a signature. The
framework takes a lot of work from you, and I recommend using it.

Unfortunately, we cannot use it for our device and production:

Our device protocol uses small-ish transfer blocks. The latency added by
using a user-mode driver means we lose 10-15% of throughput. Too much.

Also we need to support legacy OS versions (originally Win98SE and up).

Luckily we don’t need to support selective suspend, so our simple WDM
driver works reliably from Win98SE/32bit up to Win7/64bit.

> Does Windows ship with a single UMDF driver?)

Good question. I’d assume yes, because they are much easier to write.
And if they are in-box you don’t need to consider multiple platforms.

Yes, Microsoft ships several UMDF drivers in box since Vista.

d

Sent from a phone with no keyboard


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Doron Holan wrote:

> Yes, Microsoft ships several UMDF drivers in box since Vista.

IIRC, Windows Media Player 10/11 required installing UMDF, so maybe wpdusb is one.

sarbojit,
For a quick tutorial on test signing, find selfsign_example.cmd in the WDK and run it.
Jennifer

selfsign_example.cmd is a great document but it doesn’t give you a “Here’s what to do day to day” method.

Here’s what I do.

1) I attach Windbg to my target machine any time I’m running a development driver. The act of enabling debug and attaching Windbg allows non signed drivers to load. You don’t have to use the F8 menu, or test sign the driver, or enable test signing in BCDEDIT. Just attach Windbg and you can load the unsigned driver.

I use it this way in particular because if I load a really bad driver which hangs windows, all I have to do is unplug my debug cable and reboot the target machine and it will boot up without loading the bad driver (because it’s not signed). Then I do whatever I need to get a “fixed” driver on the target, attach windbg, and I’m off again.

Currently I use USB for Windbg. Our current target has no serial or firewire, and no expansion ports. I have Windbg upload my latest driver automatically any time windows tries to load it.

This makes for very quick driver testing. I make code changes and recompile on the machine running Windbg. On the target I disable and re-enable the device. Windbg downloads my new driver and I’m running. I can find a minor bug, code change, compile, and have a new driver copied and loaded within a minute.

2) I do a bit of test signing with our PV department, where I install the test sign cert on their computers and enable test signing. This prevents one of my seriously experimental drivers from getting on their systems, and prevents the somewhat stable drivers from getting out into the wild.

3) We have a build system controlled by a “build guy”, and that system has access to the company cert private key. We submit requests to have a release build of a driver done to the build guy, which results in a fully integrated and signed driver install. We try not to do this on a whim.


SYS vs CAT signing. This might have been covered previously, but here’s my take.

Signing the CAT file is strictly about install time. If you don’t have a properly signed CAT file, the user will get the BIG RED UGLY WARNING BOX (BRUWB) telling him that the world will end if he loads your driver.

If the user says Yes, load the driver anyway, then the purpose of the CAT file is basically done. Windows will install the SYS file whether it’s signed or not. See my point #1 above. You can install a 64bit driver without a signed cat file and without a signed sys file and get it to run if you have Windbg connected (or use F8) and say yes to the BRUWB.

If you have a signed SYS file, either signed with a properly installed and enabled test certificate, or signed and counter signed with a real Developer certificate, but you do not have a signed CAT file, all you have to do is say yes to BRUWB and that driver will be installed and loaded. You don’t have to have a signed CAT file, but your users will get BRUWB and must say yes.

If you can sign your SYS, there is no reason why you can’t make a signed CAT file to go with it.

FYI

Windows also evaluates which of multiple drivers to load based on the CAT file. If you have a developer signed CAT file, you cannot load over the top of a driver with a WHQL signed CAT file even if your driver has a higher version or newer date. You have to actually take ownership and rename or otherwise hide the WHQL driver before you can get your driver to load. This shouldn’t normally be an issue but I thought I’d point it out.

Disclaimer - As with anything I write, my fingers might not have properly interpreted what my brain thinks it knows, and my brain often thinks it knows something that is later proven wrong.

Test signing is trivial to incorporate into a build environment, so
I’ve basically gone away from ever using unsigned drivers of any sort.
For developer builds everything is test signed using a cert from the
developers machine. That cert gets installed on the test machine and
the system gets set to testsign=on mode.

Mark Roddy
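The target-machine side of what the day-to-day post and Mark both describe (install the test certificate, turn test signing on, optionally enable the USB kernel debugger), together with the state check a practitioner wants before blaming the driver. This is an added example, not code from the thread, the WDK or Microsoft; the certificate path C:\Signing\ContosoTest.cer (the name selfsign_example.cmd uses), the debug target name DevTarget, and the use of certutil.exe in place of the WDK's certmgr.exe are my assumptions.

```powershell
# Added example, not code from the thread. Puts a 64-bit test machine into the
# state the posts above describe and reports it. Run from an elevated prompt;
# bcdedit changes take effect at the next boot.
# Assumptions (mine): test cert exported to C:\Signing\ContosoTest.cer,
# USB debug target name "DevTarget".
param(
    [string]$TestCert      = 'C:\Signing\ContosoTest.cer',
    [switch]$EnableUsbDebug,
    [string]$UsbTargetName = 'DevTarget'
)
$ErrorActionPreference = 'Stop'

function Get-BcdFlag {
    # Read one flag (testsigning, debug, ...) of the current boot entry.
    # bcdedit omits flags that are off, so "absent" means "No".
    param([string]$Name)
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match "^\s*$Name\s+(\S+)\s*$") { return $Matches[1] }
    }
    return 'No'
}

function Get-CodeIntegrityState {
    [pscustomobject]@{
        OSArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
        TestSigning    = Get-BcdFlag 'testsigning'
        KernelDebug    = Get-BcdFlag 'debug'
        TestCertInRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                             Where-Object { $_.Subject -like '*Contoso.com(Test)*' })
    }
}

function Install-TestCert {
    param([string]$Path)
    # Root: lets the signature chain validate. TrustedPublisher: lets the
    # signed package install without the publisher prompt. (certmgr.exe from
    # the WDK does the same; certutil.exe ships with Windows.)
    foreach ($store in 'Root', 'TrustedPublisher') {
        certutil.exe -addstore -f $store $Path | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil failed adding $Path to $store" }
    }
}

function Enable-TestSigning {
    bcdedit /set testsigning on | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set testsigning on failed' }
}

function Enable-UsbKernelDebug {
    # The transport the day-to-day post uses; that post relies on the fact
    # that an attached kernel debugger lets a non-signed driver load, and a
    # detached one makes the same driver get refused at the next boot.
    param([string]$TargetName)
    bcdedit /debug on | Out-Null
    bcdedit /dbgsettings usb targetname:$TargetName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /dbgsettings failed' }
}

function Get-RecentCodeIntegrityEvents {
    # The log that explains a refused driver (the "image hash ... is not valid"
    # text sarbojit quotes from Event Viewer comes from here).
    param([int]$Count = 10)
    Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host '--- before ---'
Get-CodeIntegrityState | Format-List
Install-TestCert -Path $TestCert
Enable-TestSigning
if ($EnableUsbDebug) { Enable-UsbKernelDebug -TargetName $UsbTargetName }
Write-Host '--- after (active from next boot) ---'
Get-CodeIntegrityState | Format-List
Get-RecentCodeIntegrityEvents | Format-Table -AutoSize -Wrap
```

Run it once after imaging a test box; Get-CodeIntegrityState is the quick answer to "is this machine actually in test mode?" when a test-signed driver refuses to load, and the Code Integrity operational log tells you why a given image was rejected.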


+1

It’s really quite easy to get working, once you find the ‘Kernel Mode Code
Signing Walkthrough’ document:

http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/KMCS_Walkthrough.doc

mm


Thanks for providing all responses. KMCS_Walkthrough.doc is really very
helpful.
Now I am able to load the driver with testsigning mode ON.

But when I am trying to load the driver with the signing certificate that we
have bought from VeriSign, the driver is not getting loaded. In the event viewer log
I found the following error message:
“Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.”

I am having the following doubts:

1. I have made the .sys and .cat files digitally signed using the UI that is
   given by them. They have given an .spc file and a .pvk file. My doubt is: can’t we
   add the .spc file into Trusted Publisher as we are adding in the case of
   ContosoTest.cer?
   I have tried to add it the same way but it is giving some error message:
   “Error: HAs to specify -all, -c, -CTL, or -CRL for add or delete
   createMgr Failed”
   The cmd that I have used is “certmgr.exe /add MyCertificate.spc /s /r localMachine root”

2. I found other software is adding its certificate under Trusted
   Publisher at the time of driver installation.

Please let me know if I am missing something here.

/sarbojit


On the machine that you use for signing, double-click your .pvk file and follow the installation directions.

If you have an INF file for your install, then use signtool from the WDK to sign your .SYS file. Then use the inf2cat tool from WHQL to make your security catalog. Make sure you specify the desired target Windows versions when running inf2cat.

After these two steps, use signtool a second time to sign your .CAT file.

After following these steps, your driver package (.CAT, .INF and all files referenced by the .INF) should install on all machines that you have selected when building your .CAT.

Thomas F. Divine
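Thomas's four steps in script form, with the test-signing variant from the earlier posts alongside, and the verification against kernel-mode signing policy that the thread never shows: it separates the embedded signature on the .sys (what code integrity checks at load) from the catalog signature (what the installer checks), which is the "SYS vs CAT" distinction drawn above. This is an added example, not code from the thread, the WDK or Microsoft. The package path C:\Drivers\mydrv, the file names mydrv.sys/.inf/.cat, the release subject "Contoso Ltd", the cross-certificate file name MSCV-VSClass3.cer and the timestamp URL are my assumptions; the makecert and signtool command lines follow the KMCS walkthrough linked above.

```powershell
# Added example, not the thread's own code: sign a driver package for a test
# machine or for release, then verify it against kernel-mode signing policy.
# Assumptions (mine): C:\Drivers\mydrv holds mydrv.sys and mydrv.inf whose
# CatalogFile directive names mydrv.cat; makecert, signtool and inf2cat are on
# PATH; for release, the purchased certificate is in the signer's personal
# ("my") store and the CA's cross-certificate is saved at $CrossCert.
param(
    [ValidateSet('Test', 'Release')][string]$Mode = 'Test',
    [string]$PackageDir     = 'C:\Drivers\mydrv',
    [string]$ReleaseSubject = 'Contoso Ltd',
    [string]$CrossCert      = 'C:\Signing\MSCV-VSClass3.cer',
    [string]$TimestampUrl   = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)
$ErrorActionPreference = 'Stop'
$sys = Join-Path $PackageDir 'mydrv.sys'
$cat = Join-Path $PackageDir 'mydrv.cat'

function Invoke-Tool {
    # Run a WDK command-line tool and fail loudly on a non-zero exit code.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed ($LASTEXITCODE)" }
}

function New-TestCert {
    # Self-signed test certificate in the PrivateCertStore store; the exported
    # .cer is what gets installed on the test machine (Root + TrustedPublisher).
    Invoke-Tool makecert @('-r', '-pe', '-ss', 'PrivateCertStore',
                           '-n', 'CN=Contoso.com(Test)', 'C:\Signing\ContosoTest.cer')
}

function Invoke-DriverSign {
    param([string]$Path)
    $common = @('sign', '/v', '/t', $TimestampUrl)
    if ($Mode -eq 'Test') {
        Invoke-Tool signtool ($common + @('/s', 'PrivateCertStore', '/n', 'Contoso.com(Test)', $Path))
    } else {
        # /ac attaches the cross-certificate so the chain ends at the Microsoft
        # Code Verification Root that kernel-mode code integrity trusts. A
        # CA-issued signature made without it still installs (Plug and Play is
        # happy with the CA's root) but the .sys is refused at load time.
        Invoke-Tool signtool ($common + @('/ac', $CrossCert, '/s', 'my', '/n', $ReleaseSubject, $Path))
    }
}

function New-Catalog {
    # Hash every file the INF references into the .cat for the listed targets.
    Invoke-Tool inf2cat @("/driver:$PackageDir", '/os:Vista_X64,7_X64')
}

function Test-KmcsSignature {
    # signtool verify /kp applies the kernel-mode driver signing policy, which
    # is the check that matters for loading, not the generic Authenticode one.
    # Without /c it checks the embedded signature; with /c it checks the file
    # against the catalog, which is what the installer relies on.
    param([string]$Path, [string]$Catalog)
    $a = @('verify', '/v', '/kp')
    if ($Catalog) { $a += @('/c', $Catalog) }
    & signtool @a $Path | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if ($Mode -eq 'Test') { New-TestCert }
Invoke-DriverSign -Path $sys      # embedded signature: checked by code integrity at load
New-Catalog
Invoke-DriverSign -Path $cat      # catalog signature: checked by Plug and Play at install
"embedded signature on mydrv.sys passes KMCS policy: $(Test-KmcsSignature -Path $sys)"
"catalog signature on mydrv.cat passes KMCS policy:  $(Test-KmcsSignature -Path $sys -Catalog $cat)"
```

Two notes on using it. In Test mode the verify step only passes on a machine that already trusts ContosoTest.cer in its Root store, so run it on the test box or after installing the .cer on the build box. If the CA delivered the key as an .spc/.pvk pair rather than a store entry, convert it first with `pvk2pfx -pvk mycert.pvk -spc mycert.spc -pfx mycert.pfx` and either import the .pfx into the personal store or replace `/s my /n <subject>` with `/f mycert.pfx /p <password>`; the .spc itself is a PKCS#7 bundle, not a single certificate, which is why certmgr's /add rejects it.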


Hey Thomas,
I have done all these, man. I don’t understand how this is going to
help towards resolving my issue. Could you please let me know the reason why
I am getting this issue?

/sarbojit

On Wed, Oct 6, 2010 at 6:36 PM, Thomas F. Divine wrote:

> On the machine that use for signing double-click your .pvk file and
> follow the installing directions.
>
> If you have an INF file for your install then use signtool from the WDK to
> sign your .SYS file. Then use the inf2cat tool from WHQL to make your
> security catalog. Make sure you specify the desired target Windows versions
> when running inf2cat.
>
> After these two steps use signtool a second time to sign your .CAT file.
>
> After following these steps your driver package (.CAT, .INF and all files
> referenced by the .INF) should install on all machines that you have
> selected when building your .CAT.
>
> Thomas F. Divine
>
>
> From: Sarbojit Sarkar
> Sent: Wednesday, October 06, 2010 8:55 AM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] how to disable “Digitally signed driver” check for
> 64 bits OSes?
>
> Thanks for providing all responses. KMCS_Walkthrough.doc is really very
> very help full.
> Now I am able to load the driver with testsigning mode ON.
>
> But when I am trying to load the driver with signing certificate that we
> have bought from verisign, driver is not getting loaded. In event viewer log
> I found following error message,
> “Code integrity determined that the image hash of a file is not valid. The
> file could be corrupt due to unauthorized modification or the invalid hash
> could indicate a potential disk device error.”
>
>
> I am having the following doubts.
> 1. I have digitally signed the .sys and .cat files using the UI that is
> given by them. They have given a .spc file and a .pvk file. My doubt is: can’t we
> add the .spc file into Trusted Publisher as we do in the case of ContosoTest.cer?
> I have tried to add it the same way but it gives the following error message,
> “Error: HAs to specify -all, -c, -CTL, or -CRL for add or delete
> createMgr Failed”
> The cmd that I have used is “certmgr.exe /add MyCertificate.spc /s /r
> localMachine root”
>
> 2. I found that other software adds its certificate under Trusted
> Publisher at the time of driver installation.
>
> Please let me know if I am missing something here.
>
> /sarbojit
>
> On Wed, Oct 6, 2010 at 2:21 AM, Martin O’Brien <xxxxx@gmail.com> wrote:
>
>> +1
>>
>> It’s really quite easy to get working, once you find the ‘Kernel Mode Code
>> Signing Walkthrough’ document:
>>
>>
>> http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/KMCS_Walkthrough.doc
>>
>>
>>
>> mm
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
>> Sent: Tuesday, October 05, 2010 4:48 PM
>> To: Windows System Software Devs Interest List
>> Subject: Re: [ntdev] how to disable “Digitally signed driver” check for 64
>> bits OSes?
>>
>> Test signing is trivial to incorporate into a build environment, so
>> I’ve basically gone away from ever using unsigned drivers of any sort.
>> For developer builds everything is test signed using a cert from the
>> developers machine. That cert gets installed on the test machine and
>> the system gets set to testsign=on mode.
>>
>>
>> Mark Roddy
>>
>>
>>
>> On Tue, Oct 5, 2010 at 4:13 PM, wrote:
>> > selfsign_example.cmd is a great document but it doesn’t give you a
>> > “Here’s what to do day to day” method.
>> >
>> > Here’s what I do.
>> >
>> > 1) I attach Windbg to my target machine any time I’m running a development
>> > driver. The act of enabling debug and attaching Windbg allows non signed
>> > drivers to load. You don’t have to use the F8 menu, or test sign the driver,
>> > or enable test signing in BCDEDIT. Just attach Windbg and you can load the
>> > unsigned driver.
>> >
>> > I use it this way in particular because if I load a really bad driver
>> > which hangs Windows, all I have to do is unplug my debug cable and reboot
>> > the target machine and it will boot up without loading the bad driver
>> > (because it’s not signed). Then I do whatever I need to get a “fixed”
>> > driver on the target, attach Windbg, and I’m off again.
>> >
>> > Currently I use USB for Windbg. Our current target has no serial or
>> > firewire, and no expansion ports. I have Windbg upload my latest driver
>> > automatically any time Windows tries to load it.
>> >
>> > This makes for very quick driver testing. I make code changes and
>> > recompile on the machine running Windbg. On the target I disable and
>> > re-enable the device. Windbg downloads my new driver and I’m running. I
>> > can find a minor bug, code change, compile, and have a new driver copied
>> > and loaded within a minute.
>> >
>> > 2) I do a bit of test signing with our PV department where I install the
>> > test sign cert on their computers and enable test signing. This prevents
>> > one of my seriously experimental drivers from getting on their systems,
>> > and prevents the somewhat stable drivers from getting out into the wild.
>> >
>> > 3) We have a build system controlled by a “build guy” and that system has
>> > access to the company cert private key. We submit requests to have a
>> > release build of a driver done to the build guy which results in a fully
>> > integrated and signed driver install. We try not to do this on a whim.
>> >
>> > ------------------
>> >
>> > SYS vs CAT signing. This might have been covered previously, but here’s
>> > my take.
>> >
>> > Signing the CAT file is strictly about install time. If you don’t have a
>> > properly signed CAT file, the user will get the BIG RED UGLY WARNING BOX
>> > (BRUWB) telling him that the world will end if he loads your driver.
>> >
>> > If the user says Yes, load the driver anyway, then the purpose of the CAT
>> > file is basically done. Windows will install the SYS file whether it’s
>> > signed or not. See my point #1 above. You can install a 64bit driver
>> > without a signed cat file and without a signed sys file and get it to run
>> > if you have Windbg connected (or use F8) and say yes to the BRUWB.
>> >
>> > If you have a signed SYS file, either signed with a properly installed and
>> > enabled test certificate, or signed and counter signed with a real Developer
>> > certificate, but you do not have a signed CAT file, all you have to do is
>> > say yes to BRUWB and that driver will be installed and loaded. You don’t
>> > have to have a signed CAT file, but your users will get BRUWB and must say
>> > yes.
>> >
>> > If you can sign your SYS, there is no reason why you can’t make a signed
>> > CAT file to go with it.
>> >
>> > FYI
>> >
>> > Windows also evaluates which of multiple drivers to load based on the CAT
>> > file. If you have a developer signed CAT file, you cannot load over the top
>> > of a driver with a WHQL signed CAT file even if your driver has a higher
>> > version or newer date. You have to actually take ownership and rename or
>> > otherwise hide the WHQL driver before you can get your driver to load. This
>> > shouldn’t normally be an issue but I thought I’d point it out.
>> >
>> > Disclaimer - As with anything I write, my fingers might not have properly
>> > interpreted what my brain thinks it knows, and my brain often thinks it
>> > knows something that is later proven wrong.
>> >
>>
>
>

Sarbojit,

> But when I am trying to load the driver with the signing certificate that
> we have bought from VeriSign, the driver is not getting loaded.

Try using pvk2pfx.exe from the WDK to convert your .spc and .pvk files to a
PFX. Use a good password on the PFX. Download MSCV-VSClass3.cer from
Microsoft. Then use the following command to sign your driver:

signtool.exe sign /v /ac MSCV-VSClass3.cer /f mycert.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /p password mydriver.sys

And please delete your certificate from the Windows certificate store before
somebody steals it. Burn the PFX to a CD and just insert it into the
computer when you need it.

Don’t forget the password. :-)

Regards,

George.

The reason you’re getting the issue is that you’re doing something
wrong. You need to be a lot more precise here about exactly what you are
doing if you want someone to tell you what you are doing wrong, and you
need to follow the instructions exactly.

In the message Thomas replied to you said you signed the .sys “using the
UI that is given by them”. Thomas told you to sign the .sys using
signtool from the WDK. Now you say “I have done all these”. So which is
it? Did you use “the UI that is given by them” or did you use signtool
from the WDK? What is “the UI that is given by them” anyway, and who are
“they”?

I suggest you post the exact command lines you have used to do each
step, in the order that you did them, and with information on which
system you did them on (development system or test system). Then there’s
a possibility that someone will be able to tell you what you did wrong.

This stuff can seem a bit like black magic, and requires you to get
everything precisely right, but if you follow the instructions in the
KMCS walk-through document it works fine. There are too many detailed
steps which you could have done incorrectly for us to be able to guess
what you did wrong. We need to know exactly what you did.

Sarbojit Sarkar wrote:

Hey Thomas,
I have done all these, man. I don't understand how this is going to
help towards resolving my issue. Could you please let me know the reason
why I am getting this issue?

/sarbojit

On Wed, Oct 6, 2010 at 6:36 PM, Thomas F. Divine wrote:
>
> On the machine that you use for signing, double-click your .pvk file and
> follow the installation directions.
>
> If you have an INF file for your install then use signtool from the
> WDK to sign your .SYS file. Then use the inf2cat tool from WHQL to
> make your security catalog. Make sure you specify the desired target
> Windows versions when running inf2cat.
>
> After these two steps use signtool a second time to sign your .CAT file.
>
> After following these steps your driver package (.CAT, .INF and all
> files referenced by the .INF) should install on all machines that
> you have selected when building your .CAT.
>
> Thomas F. Divine
>
>
> From: Sarbojit Sarkar
> Sent: Wednesday, October 06, 2010 8:55 AM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] how to disable “Digitally signed driver”
> check for 64 bits OSes?
>
> Thanks for providing all the responses. KMCS_Walkthrough.doc is really
> very, very helpful.
> Now I am able to load the driver with testsigning mode ON.
>
> But when I am trying to load the driver with the signing certificate
> that we have bought from VeriSign, the driver is not getting loaded. In
> the event viewer log I found the following error message,
> “Code integrity determined that the image hash of a file is not
> valid. The file could be corrupt due to unauthorized modification
> or the invalid hash could indicate a potential disk device error.”
>
>
> I am having the following doubts.
> 1. I have digitally signed the .sys and .cat files using the UI
> that is given by them. They have given a .spc file and a .pvk file. My
> doubt is: can’t we add the .spc file into Trusted Publisher as we
> do in the case of ContosoTest.cer? I have tried to add it the same
> way but it gives the following error message,
> “Error: HAs to specify -all, -c, -CTL, or -CRL for add or delete
> createMgr Failed”
> The cmd that I have used is “certmgr.exe /add MyCertificate.spc /s /r
> localMachine root”
>
> 2. I found that other software adds its certificate under
> Trusted Publisher at the time of driver installation.
>
> Please let me know if I am missing something here.
>
> /sarbojit

On Wed, Oct 6, 2010 at 4:34 PM, J. J. Farrell wrote:
> if you follow the instructions in the KMCS walk-through document it works
> fine

+1000

First do it JUST AS DOCUMENTED. Once that works feel free to experiment.

Mark Roddy

The answer to the question of “how to disable “Digitally signed
driver” check for 64 bits OSes?” is that you can’t. Why is there a 54
reply thread about it?!?


Aram Hăvărneanu

Yes, the discussion has diverged.
Now we are into a meta discussion about discussion divergence.

Somebody make us stop.
Mark Roddy

On Wed, Oct 6, 2010 at 5:37 PM, Aram Hăvărneanu wrote:
> The answer to the question of “how to disable “Digitally signed
> driver” check for 64 bits OSes?” is that you can’t. Why is there a 54
> reply thread about it?!?
>
> –
> Aram Hăvărneanu
>

And there’s yet another thread on this topic more or less going on too.

Welcome to ntdev…

Mm

On Oct 6, 2010 6:41 PM, “Mark Roddy” wrote:
> Yes, the discussion has diverged.
> Now we are into a meta discussion about discussion divergence.
>
> Somebody make us stop.
> Mark Roddy
>
>
>
> On Wed, Oct 6, 2010 at 5:37 PM, Aram Hăvărneanu wrote:
>> The answer to the question of “how to disable “Digitally signed
>> driver” check for 64 bits OSes?” is that you can’t. Why is there a 54
>> reply thread about it?!?
>>
>> –
>> Aram Hăvărneanu
>>

Actually, it is fairly trivial to do. Whether it is suitable for a
commercial driver is another matter. :-)

Regards,

George.

First of all, I apologize for stretching out this thread so long.

I think I have got a clue to what the problem is; I wanted to confirm the same.

Now I am using the WDK for creating .pfx/.cat files and signing driver
components (.cat and .sys). Earlier I was using the given UI to sign my driver
components.

I have used the following cmds in sequence.

To create the .pfx file:
pvk2pfx -pvk filename.pvk -pi pvkpassword -spc filename.spc -pfx filename.pfx -po pfxpassword -f
[It is able to create the .pfx file successfully.]

Import this as per the instructions given in KMCS_Walkthrough.doc
[import it into the personal store].

To create the .cat file:
inf2cat.exe /driver:C:\WinDDK\5739\src\general\toaster\toastpkg\toastcd\ /os:Vista_x64
[It is getting created with 2 warnings:
Warnings:
22.9.8: Possible Windows Vista/Windows Server 2008 file redistribution violation (\setreg.exe –> setreg.exe). File not copied by installation inf so this is a warning only.
22.9.8: Possible Windows Vista/Windows Server 2008 file redistribution violation (\test\setreg.exe –> setreg.exe). File not copied by installation inf so this is a warning only.
]
Is this an issue?

When I tried to sign the .cat & .sys files using the WDK I got the following error
message.

signtool.exe sign /v /ac MSCV-VSClass3.cer /f mypfxfile.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /p pwd mycatfile.cat
[
The following certificate was selected:
Issued to: My company name
Issued by: Thawte Code Signing CA
Expires: Wed Apr 18 05:29:59 2012
SHA1 hash: 5F0AA34FE15B13EEDA3E3200940630618C9F32A0

Cross certificate chain (using user store):
Issued to: Thawte Premium Server CA
Issued by: Thawte Premium Server CA
Expires: Fri Jan 01 05:29:59 2021
SHA1 hash: 627F8D7827656399D27D7F9044C9FEB3F33EFA9A

Issued to: Thawte Code Signing CA
Issued by: Thawte Premium Server CA
Expires: Tue Aug 06 05:29:59 2013
SHA1 hash: A706BA1ECAB6A2AB18699FC0D7DD8C7DE36F290F

Issued to: my company name
Issued by: Thawte Code Signing CA
Expires: Wed Apr 18 05:29:59 2012
SHA1 hash: 5F0AA34FE15B13EEDA3E3200940630618C9F32A0

Signtool Error: The provided cross certificate would not be present in the
certificate chain.
]

I searched for this error and found the link
http://www.osronline.com/showthread.cfm?link=184369
which describes the same issue. It seems my certificate is not capable of
signing kernel mode components. Please let me know if I have missed anything
or if I should do some more experiments to confirm this.

Thanks & regards
/sarbojit

On Thu, Oct 7, 2010 at 4:26 AM, George M. Garner Jr. wrote:

> Actually, it is fairly trivial to do. Whether it is suitable for a
> commercial driver is another matter. :-)
>
> Regards,
>
> George.
>
>
>

On 07/10/2010 12:00, Sarbojit Sarkar wrote:

> When I tried to sign the .cat & .sys files using the WDK I got the following
> error message.
>
> signtool.exe sign /v /ac MSCV-VSClass3.cer /f mypfxfile.pfx /t
> http://timestamp.verisign.com/scripts/timestamp.dll /p pwd mycatfile.cat
> [
> The following certificate was selected:
> Issued to: My company name
> Issued by: Thawte Code Signing CA
> Expires: Wed Apr 18 05:29:59 2012
> SHA1 hash: 5F0AA34FE15B13EEDA3E3200940630618C9F32A0
>
> Cross certificate chain (using user store):
> Issued to: Thawte Premium Server CA
> Issued by: Thawte Premium Server CA
> Expires: Fri Jan 01 05:29:59 2021
> SHA1 hash: 627F8D7827656399D27D7F9044C9FEB3F33EFA9A
>
> Issued to: Thawte Code Signing CA
> Issued by: Thawte Premium Server CA
> Expires: Tue Aug 06 05:29:59 2013
> SHA1 hash: A706BA1ECAB6A2AB18699FC0D7DD8C7DE36F290F
>
> Issued to: my company name
> Issued by: Thawte Code Signing CA
> Expires: Wed Apr 18 05:29:59 2012
> SHA1 hash: 5F0AA34FE15B13EEDA3E3200940630618C9F32A0
>
> Signtool Error: The provided cross certificate would not be present in
> the certificate chain.
> ]
You are trying to use the VeriSign cross certificate (MSCV-VSClass3.cer)
with a certificate issued by Thawte. That won’t work. You need a
cross certificate for “Thawte Premium Server CA” or “Thawte Premium
Server CA”, which Microsoft does not appear to have made available:

http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx

Therefore it would appear your code signing certificate is not suitable
for signing kernel mode code. You’ll need a new certificate from one of
the certificate authorities mentioned on the page above. If you have
the choice, pick Verisign. For no other reason than they just seem to
work. For example, I have heard people have also had problems accessing
WinQual if they are not using a Verisign certificate.

Best regards,

Andrew


Andrew Lee, Solarflare Communications
xxxxx@solarflare.com, http://www.solarflare.com/
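A pre-flight check for the mismatch Andrew describes and for George's signtool /ac command, added here as an example that is not part of the thread: it builds the chain of the signing certificate held in the PFX and confirms that the cross-certificate's subject is one of the CAs in that chain before anything is handed to signtool. The file names mypfxfile.pfx and MSCV-VSClass3.cer come from the thread; the script itself and its output text are assumptions.

```powershell
# Added example, not from the thread: verify that a cross-certificate
# belongs to the CA chain of the code-signing certificate before signing.
# File names follow the thread; the script is an assumption.
param(
    [string]$PfxPath       = 'mypfxfile.pfx',
    [string]$CrossCertPath = 'MSCV-VSClass3.cer'
)

$ns = 'System.Security.Cryptography.X509Certificates'

# Prompt for the PFX password instead of taking it on the command line,
# where it would end up in the shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$signingCert = New-Object -TypeName "$ns.X509Certificate2" `
                          -ArgumentList $PfxPath, $pfxPassword

# The cross-certificate is a plain .cer. Its Subject names the CA that
# Microsoft's Code Verification Root vouches for (VeriSign Class 3 for
# MSCV-VSClass3.cer), so that Subject must also appear in our own chain.
$crossCert = New-Object -TypeName "$ns.X509Certificate2" `
                        -ArgumentList $CrossCertPath

# Build the signing certificate's chain from the local certificate stores.
# Revocation checking is skipped so this works offline; an expired
# certificate still yields a chain, the expiry only shows in ChainStatus.
$chain = New-Object -TypeName "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($signingCert)

$chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

Write-Host 'Signing certificate chain:'
$chainSubjects | ForEach-Object { Write-Host "  $_" }
Write-Host "Cross-certificate subject: $($crossCert.Subject)"

if ($chainSubjects -contains $crossCert.Subject) {
    Write-Host 'OK: the cross-certificate matches a CA in this chain; signtool /ac will embed it.'
    exit 0
}

# This is the situation in the thread: a Thawte-issued signing certificate
# combined with the VeriSign cross-certificate. signtool would fail with
# "The provided cross certificate would not be present in the certificate chain."
Write-Warning 'The cross-certificate does not match any CA in the signing chain.'
Write-Warning 'Use the cross-certificate published for the root of this chain, or a certificate from a CA that has one.'
exit 1
```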