Self signing drivers

I’d like to test my driver on x64 Vista, so I tried to sign it using the WDK utilities from the bin\SelfSign directory. I never worked with certificates before, so I’m probably missing something obvious. I followed the procedure described in selfsign_readme.doc and can’t make it work. Well, it DOES work on XP, but the same procedure doesn’t work on w2k3, XP64 and Vista x64 (5365):

d:\>test\signtool.exe verify tcusb_x64.cat
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: File not valid: tcusb_x64.cat

Number of errors: 1

The catalog file was successfully signed by the same tool without complaint. In addition, the signability tool also works on XP only. On other systems it reports “Runtime error 429: ActiveX component can’t create object”. That’s ugly, and it applies to the tools from both the 5308 and 5365 WDKs.

I have a suspicion the above error message is misleading. The same error is reported when the certificate isn’t imported into the Trusted Root Certification Authorities. On XP, importing the certificate resolves the error; on other systems it doesn’t.

Does it work for anybody?
Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
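A diagnostic for the situation described above, added here and not part of the original post or the WDK: it pulls the signer out of the signed .cat, rebuilds the chain against the machine stores (which is roughly what the trust provider does for signtool verify’s default policy), and reports whether the chain’s root actually sits in LocalMachine\Root or only in CurrentUser\Root. It assumes PowerShell 5.1 or later; the catalog path is a placeholder.

```powershell
# Added diagnostic, not code from the thread or the WDK. Assumes PowerShell 5.1+;
# the default path below is a placeholder for the signed catalog under test.
param([string]$CatalogPath = 'D:\test\tcusb_x64.cat')

Add-Type -AssemblyName System.Security

# Extract the signer certificate from the signed catalog (PKCS#7 signed data).
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
if (-not $sig.SignerCertificate) { throw "No signature found in $CatalogPath" }
$signer = $sig.SignerCertificate
"Signer : $($signer.Subject)"
"Status : $($sig.Status) ($($sig.StatusMessage))"

# Build the chain in the machine context, as the trust provider does; revocation
# is skipped because a self-signed test root has no CRL to fetch anyway.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok   = $chain.Build($signer)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root   : $($root.Subject) [$($root.Thumbprint)]"
"Chain  : $(if ($ok) { 'trusted' } else { 'NOT trusted' })"
foreach ($s in $chain.ChainStatus) {
    "  - $($s.Status): $($s.StatusInformation.Trim())"
}

# The usual cause of "terminated in a root certificate which is not trusted" on a
# fresh machine: the test root landed in the per-user store (or nowhere), while
# driver signature checks consult the machine store.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $found = Get-ChildItem $store | Where-Object Thumbprint -eq $root.Thumbprint
    "{0,-24} {1}" -f $store, $(if ($found) { 'present' } else { 'missing' })
}
```

The chain built here reflects signtool’s default Authenticode policy, not the kernel-mode policy selected by signtool verify /kp, so a “trusted” result only tells you the test root is installed where the trust provider looks.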

Ha! Must be the time of year or something…

I spent several hours yesterday afternoon playing “driver signing” – And none of my experiences had happy endings. Damn, it took me darn close to an hour to figure out that the certificate name signtool wants is the CN from the cert store. I’m still trying to figure out other parameters. Not to mention the fact that SOME types of files seem to be accepted only in SOME formats and not others by signtool (arrrgh… WHY??). PVK? PFX? CER?? It’s freakin’ maddening. Darn good thing I didn’t have a gun with me yesterday at work.

While I can’t provide you answers to any of your questions, I can provide a couple of data points:

  1. If you google about signtool (as I did yesterday), you’ll see LOTS of people have trouble getting signing (of everything from .net something-or-others to VBScripts) working initially. The good news is, once they learn the “tricks” they seem to be able to get on with their lives. In other words, it seems the learning curve is steep but once you’ve got things figured out, you’re OK.

  2. I’ve heard rumors that MS is authoring a white paper and a tutorial walk-through document that’ll demonstrate how to sign both driver executables and cat files. I hope these are good quality papers, cuz obviously we driver devs need it… We’re not security or PKI geeks (well, most of us aren’t) and most of us haven’t even SEEN signtool before.

  3. If you’re going to WinHEC next week, there are talks and a hands-on lab planned that’ll focus on driver signing. Given my experiences yesterday, I’m going to try to attend this talk.

I’d love it if somebody who’s been through this (perhaps for an app or something) would post some info in this forum, or write up a quick and dirty tutorial on this for The NT Insider or OSR Online. If I learn anything useful at WinHEC, I’ll try to write it up. And let’s all actively pray for a useful walk-through guide from the powers-that-be at Microsoft.

Peter
OSR

Thanks, at least I don’t feel SO stupid :-)

Did you notice there is a selfsign_readme.doc which describes the necessary procedure and a selfsign_example.cmd batch which demonstrates it (the WDK 5365 version is improved over 5308)? What makes me crazy is the fact that the described procedure works well on XP but isn’t sufficient on later OS versions. The driver is successfully signed but the signature can’t be verified (and of course, x64 Vista refuses to install the driver).

Well, I’ll continue today with the company certificate, which is in a different format, so I expect even more fun.

Oh, I decided not to have a gun at all. With this kind of work it’d be really dangerous. Yesterday I seriously pondered the possibility of sacrificing some coworker, as no other goat was available ;-)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, May 18, 2006 4:10 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Self signing drivers

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I have to correct one thing from the text below. The signability tool crash isn’t dependent on the OS. It crashes when it is started from an OS on which the WDK wasn’t installed. It just happened that I had it installed on XP in both cases. It is ugly anyway; the DDK/WDK was always usable from any system, and installation was just the way to get the files. I guess it is common for developers to have more OSes on one drive. Oh, it seems to be written in Visual Basic :-#

All other info below is valid. I tried the provided signing example, and the signed cat was verified on XP and wasn’t on w2k3. In both cases the WDK was installed to eliminate that possible problem. I just reported it to the WDK feedback address which the batch offers. Hopefully somebody reads it.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Michal Vodicka[SMTP:xxxxx@upek.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, May 18, 2006 7:20 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Self signing drivers
