Sign a driver for Windows server 2008-64 bit

Hello,

I’m developing a device driver for Windows Server 2008 64-bit.

The hardware is a customized PCIe card.

I read the KMCS_Walkthrough document and also ran the selfsign_example.cmd on the toaster example.

According to this cmd: “IMPORTANT: If you are signing a driver for public release you should be using a Software Publisher Certificate with a Cross Certificate to the Microsoft
root. And you should TIMESTAMP your signature. The syntax for production signing is …”

My driver is for company internal use only. It is not for “public release”.

Is it possible to skip the “SPC” step and install the driver on Windows Server 2008 64-bit?

I’m aware that I can press F8 to bypass the signature requirement but I do not want to do it.

Thanks,
Zvika.

xxxxx@gmail.com wrote:

> I’m developing a device driver for Windows Server 2008 64-bit.
>
> The hardware is a customized PCIe card.
>
> I read the KMCS_Walkthrough document and also ran the selfsign_example.cmd on the toaster example.
>
> According to this cmd: “IMPORTANT: If you are signing a driver for public release you should be using a Software Publisher Certificate with a Cross Certificate to the Microsoft
> root. And you should TIMESTAMP your signature. The syntax for production signing is …”
>
> My driver is for company internal use only. It is not for “public release”.
>
> Is it possible to skip the “SPC” step and install the driver on Windows Server 2008 64-bit?

Not without using one of the override options. That even applies on
your development and test machine.

> I’m aware that I can press F8 to bypass the signature requirement but I do not want to do it.

There are three choices. (1) Hook up a kernel debugger. (2) Press F8
to bypass. (3) Sign your driver.

Really, the KMCS signing process is not that hard. Once you get the
recipe down, it works forever. I’d advise you to spend the few hundred
dollars to get your class 3 code signing certificate. Then you don’t
have to worry about it any more.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Dear Mr. Roberts,

According to kmsigning.doc there are 4 options to sign a driver:

  1. Windows Logo Program
  2. KMCS by using an SPC
  3. WHQL Test Signature program
  4. KMCS test signing

I think KMCS_Walkthrough.doc and selfsign_example.cmd cover only the second
option. Am I right?

What is the added value of signing with the “Windows logo program”?
If I understand correctly, this is a much more complicated process than “KMCS
by using an SPC”.

Thanks,
Zvika.

----- Original Message -----
From: “Tim Roberts”
To: “Windows System Software Devs Interest List”
Sent: Thursday, April 28, 2011 0:43
Subject: Re: [ntdev] Sign a driver for Windows server 2008-64 bit

> xxxxx@gmail.com wrote:
>> I’m developing a device driver for windows server 2008-64bit.
>>
>> The hardware is a customized PCIe card.
>>
>> I read the KMCS_Walkthrough document and also ran the
>> selfsign_example.cmd on the toaster example.
>>
>> According to this cmd: “IMPORTANT: If you are signing a driver for public
>> release you should be using a Software Publisher Certificate with a Cross
>> Certificate to the Microsoft
>> root. And you should TIMESTAMP your signature. The syntax for
>> production signing is …”
>>
>> My driver is for company internal use only. It is not for “public
>> release”.
>>
>> Is it possible to skip the “SPC” step and install the driver on windows
>> server 2008-64bit ?
>
> Not without using one of the override options. That even applies on
> your development and test machine.
>
>> I’m aware that I can press F8 to bypass the signature requirement but I
>> do not want to do it.
>
> There are three choices. (1) Hook up a kernel debugger. (2) Press F8
> to bypass. (3) Sign your driver.
>
> Really, the KMCS signing process is not that hard. Once you get the
> recipe down, it works forever. I’d advise you to spend the few hundred
> dollars to get your class 3 code signing certificate. Then you don’t
> have to worry about it any more.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

> What is the added value of signing with the “Windows logo program” ?

Install without “Do you trust?” boxes.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

>> What is the added value of signing with the “Windows logo program” ?
>
> Install without “Do you trust?” boxes.

Could they put the Logo on their, er… production? :) The bad guys will drop dead of laughter.

– pa

>> What is the added value of signing with the “Windows logo program” ?
>
> Install without “Do you trust?” boxes.

Considering that if you put your own certificate in the store the user
never sees any such message, is that really a drawback?

James

> Considering that if you put your own certificate in the store the user
> never sees any such message, is that really a drawback?

Yes, only if you put the cert into Trusted Publishers.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Zvi Vered wrote:

> According to kmsigning.doc there are 4 options to sign a driver:
>
>   1. Windows Logo Program
>   2. KMCS by using an SPC
>   3. WHQL Test Signature program
>   4. KMCS test signing
>
> I think KMCS_Walkthrough.doc and selfsign_example.cmd cover only the second
> option. Am I right?

Remember that there are two very different signing checks in the driver
world. There is the install time check for PnP drivers with an INF,
which is done exactly once, when your driver is installed. (OK, twice –
once for pre-install and once when a device is actually detected).
Then, there is the KMCS check that gets done every time your driver
loads, but only on 64-bit systems.

Signing with your valid SPC will satisfy the KMCS check. However,
you’ll still see the “do you trust this publisher” warnings at install time.

> What is the added value of signing with the “Windows logo program”?
> If I understand correctly, this is a much more complicated process than “KMCS
> by using an SPC”.

That allows for a silent install – it eliminates the “do you trust this
publisher” warning. Further, if you are in a defined device class, the
WHQL tests allow you to use the Made for Windows logo in your
advertising materials. That’s important for some companies, but not for
others.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
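The two checks Tim separates above (the install-time catalog check and the load-time KMCS check) and the production-signing recipe he recommends in his first reply, written out as an added example; this is not code from the thread, the WDK, or the toaster sample. The driver and catalog paths, the cross-certificate file name, the certificate subject and the timestamp URL are placeholders to be replaced with your own; `inf2cat` and `signtool` are the WDK tools the walkthrough already refers to, and `Get-AuthenticodeSignature` and `certutil` are standard Windows tools.

```powershell
# Added example (not from the thread): sign the catalog for the install-time
# check and embed a signature in the .sys for the x64 KMCS load-time check,
# then verify against the kernel-mode policy. All values below are placeholders.
$ErrorActionPreference = 'Stop'

$PackageDir = '.\toaster\wdm\x64'                 # placeholder: folder holding the INF and .sys
$Driver     = Join-Path $PackageDir 'toaster.sys' # placeholder path
$Catalog    = Join-Path $PackageDir 'toaster.cat' # placeholder path
$CrossCert  = '.\cross-cert-for-your-ca.cer'      # placeholder: cross-certificate to the Microsoft root
$Subject    = 'Example Company Ltd'               # placeholder: subject of your SPC in the 'my' store
$TsaUrl     = 'http://timestamp.example.invalid'  # placeholder: your CA's Authenticode timestamp URL

# 1. Install-time check (PnP driver with an INF): build the catalog from the
#    INF and sign it. Without a signed .cat, setup shows the publisher prompt
#    (or refuses the package, depending on policy).
inf2cat /driver:$PackageDir /os:Server2008_X64
signtool sign /v /ac $CrossCert /s my /n $Subject /t $TsaUrl $Catalog

# 2. Load-time (KMCS) check on 64-bit: the .sys itself carries an embedded
#    signature that chains through the cross-certificate to the Microsoft root.
#    The catalog signature alone does not satisfy this check.
signtool sign /v /ac $CrossCert /s my /n $Subject /t $TsaUrl $Driver

# 3. Verify with the kernel-mode policy (/kp), not the default Authenticode
#    policy; a chain that passes the default policy can still fail KMCS.
signtool verify /v /kp $Driver
signtool verify /v /kp /c $Catalog $Driver

# 4. Confirm the signature is timestamped, so it stays valid after the SPC expires.
$sig = Get-AuthenticodeSignature -FilePath $Driver
if ($sig.Status -ne 'Valid') { throw "Driver signature status: $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw 'Driver signature is not timestamped' }
"Signer: $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"

# 5. Optional, for machines you administer (the point James and Maxim raise):
#    importing the publisher certificate into Trusted Publishers suppresses the
#    "do you trust this publisher" prompt at install time. It has no effect on
#    the KMCS load-time check, which still needs the signature from step 2.
#    'publisher.cer' is a placeholder export of the SPC's public certificate.
certutil -f -addstore TrustedPublisher .\publisher.cer
```

Steps 1 and 2 use the same certificate; what differs is which file carries the signature, and that is exactly why an SPC-signed .sys still produces the install-time prompt Tim mentions unless the catalog is signed too or the publisher is already trusted on the machine.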

> which is done exactly once, when your driver is installed. (OK, twice –
> once for pre-install and once when a device is actually detected).

Once. For pre-install only, at least in Vista+.

All driver packages in Driver Store are considered trusted.

In pre-Vista, there is IIRC no Driver Store, and so the signature check is executed on each devnode setup.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com