Mandatory files for signed cat

I’ve been digging through the MS docs on driver signing for Vista64.

I’m considering using a cross cert to sign my pnp driver package.
Being a little lazy, I’d like the flexibility of being able to alter the *.inf on the fly without having to re-hash & re-sign the entire package.

I can’t find any info on the mandatory file hash requirements in the cat.
I know the *.sys binary must be in there, and *.dll’s are optional, but what about the *.inf?

So, in a nutshell, when self signing a pnp cat for VistaX64 with a cross cert, does the *.inf hash have to be in the signed *.cat for the driver to load & run?

Thanks

Chris

I think the cat does contain the hash of the inf file (at least if you use
inf2cat to generate the cat file), but you can definitely just
sign+cross-sign the .sys file directly, without signing the INF file. I do
that all the time.

Have a nice day
GV

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, May 21, 2009 11:46 AM
Subject: [ntdev] Mandatory files for signed cat

> I’ve been digging through the MS docs on driver signing for Vista64.
>
> I’m considering using a cross cert to sign my pnp driver package.
> Being a little lazy, I’d like the flexibility of being able to alter the
> *.inf on the fly without having to re-hash & re-sign the entire package.
>
> I can’t find any info on the mandatory file hash requirements in the cat.
> I know the *.sys binary must be in there, and *.dll’s are optional, but
> what about the *.inf?
>
> So, in a nutshell, when self signing a pnp cat for VistaX64 with a cross
> cert, does the *.inf hash have to be in the signed *.cat for the driver to
> load & run?
>
> Thanks
>
> Chris

xxxxx@cox.net wrote:

> I’ve been digging through the MS docs on driver signing for Vista64.
>
> I’m considering using a cross cert to sign my pnp driver package.

There isn’t any alternative, at least for KMCS. You have to use a
cross-certificate, to cross over from the certificate provider you used
to the Microsoft KMCS root. Are you talking about self-signing as a way
to get around the WHQL warning, or are you talking about KMCS for 64-bit?

> Being a little lazy, I’d like the flexibility of being able to alter the *.inf on the fly without having to re-hash & re-sign the entire package.

Well, this is all encapsulated in one batch file or one makefile,
right? It’s not like it costs money every time you recreate the package.

> I can’t find any info on the mandatory file hash requirements in the cat.
> I know the *.sys binary must be in there, and *.dll’s are optional, but what about the *.inf?
>
> So, in a nutshell, when self signing a pnp cat for VistaX64 with a cross cert, does the *.inf hash have to be in the signed *.cat for the driver to load & run?

If this is for your own testing, or your own internal distribution, then
you don’t need a cat file at all. All KMCS requires is that the .sys be
signed. The only time a .cat file comes into play is when you want to
get a WHQL signature. In that case, the inf and the sys must both be in
the cat file.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim,
I just want a package that will run under Vista 64Bit, I’m not concerned with getting WHQL.

So, can I just use KMCS to sign the *.sys, as Gianluca suggests above, or MUST I use a KMCS signed *.cat.
If I use the signed *.cat, MUST the signed *.cat include a hash of the *.inf?

I’m looking for the flexibility of not having to re-sign the files every time the VID & PID of the *.inf changes. I know you can’t get around this with WHQL, as the *.inf hash MUST be in the *.cat, but was looking for a way around it with KMCS.

Thanks

Chris

> So, can I just use KMCS to sign the *.sys, as Gianluca suggests above, or MUST I use a KMCS signed *.cat.

You can sign .sys, you can sign .cat

For boot-start drivers, .sys must be signed.

> If I use the signed *.cat, MUST the signed *.cat include a hash of the *.inf?

Yes.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

xxxxx@cox.net wrote:

> I just want a package that will run under Vista 64Bit, I’m not concerned with getting WHQL.

Then there’s no need to construct a .cat file, unless your build process
is already set up to create one.

> So, can I just use KMCS to sign the *.sys, as Gianluca suggests above, or MUST I use a KMCS signed *.cat.

As Maxim said, either way. You can sign the .sys, with or without a
.cat, or you can sign the .cat. I’ve developed the habit of signing the
.sys file so I can copy a new version into \windows\system32\drivers
without the uninstall/reinstall dance.

> If I use the signed *.cat, MUST the signed *.cat include a hash of the *.inf?

I don’t think it matters for KMCS, but I’m not 100% sure about that.

> I’m looking for the flexibility of not having to re-sign the files every time the VID & PID of the *.inf changes. I know you can’t get around this with WHQL, as the *.inf hash MUST be in the *.cat, but was looking for a way around it with KMCS.

How are you installing these? DPInst? Your own installer? DPInst
copies all of the files referenced by an INF file into the driver
store. If you have two different INFs that use the same driver, the
driver file will get copied to the driver store twice, in two
subdirectories.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Guys, looks like signing the *.sys will work for me. I just wanted to be sure before I dropped $500 on a SPC cert.

Also, I’m using a custom installer that builds a *.inf based on a couple of command line args, and then calls DriverPackageInstall() using the new *.inf.

Thanks for the help.

Chris
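
Added example, not part of the thread and not any poster's script: a PowerShell build step for the approach the thread settles on, embedding the signature in the .sys with a cross-certificate and checking it against the kernel-mode policy, so that a regenerated INF never forces a re-sign. The file names, subject name and timestamp URL are placeholders (assumptions); the signtool switches used are `/ac`, `/s`, `/n`, `/t` and `verify /kp`.

```powershell
# Added example: embed-sign a driver binary for KMCS and verify it.
# All default values below are placeholders (assumptions), not values from the thread.
param(
    [string]$Driver    = '.\mydriver.sys',                    # hypothetical driver binary
    [string]$CrossCert = '.\CrossCert.cer',                   # cross-certificate matching your CA
    [string]$Subject   = 'Example Corp',                      # subject name of the SPC in the MY store
    [string]$Timestamp = 'http://timestamp.example.invalid'   # replace with your CA's timestamp URL
)

$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    # Run signtool.exe and turn a non-zero exit code into a terminating error,
    # so a failed sign or verify stops the build instead of being ignored.
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-KernelModeSignature {
    # 'verify /kp' checks the file against the kernel-mode driver signing
    # policy; plain 'verify' uses a different default policy.
    param([string]$Path)
    Invoke-SignTool @('verify', '/kp', '/v', $Path)
}

if (-not (Test-Path $Driver))    { throw "Driver not found: $Driver" }
if (-not (Test-Path $CrossCert)) { throw "Cross-certificate not found: $CrossCert" }

# 1. Embed the signature in the .sys itself. /ac adds the cross-certificate to
#    the signature block so the chain can reach the Microsoft kernel-mode root.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/s', 'MY',
                  '/n', $Subject, '/t', $Timestamp, $Driver)

# 2. Confirm the embedded signature satisfies the kernel-mode policy.
Test-KernelModeSignature -Path $Driver

# 3. The embedded signature covers only the bytes of the .sys. After the
#    installer regenerates the INF (new VID/PID), the same check can be re-run
#    unchanged; the INF is not an input to it.
Test-KernelModeSignature -Path $Driver
Write-Host "Embedded signature on $Driver passes kernel-mode policy verification."
```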