Yes, the first one is the output of inf2cat, the second one of signtool.
I’m very sorry but, please, can you explain briefly how to create/obtain a certificate and how to use it?
I guess I should use makecert and maybe use the /n option in signtool…
xxxxx@eos.pr.it wrote:
Yes, the first one is the output of inf2cat, the second one of signtool.
I’m very sorry but, please, can you explain briefly how to create/obtain a certificate and how to use it?
If this is for a package that you plan to release to the general public,
then you must go out and BUY a certificate. The type of certificate you
need depends on which operating systems you plan to target. This is the
discussion that has been going on here for the last month.
I guess I should use makecert and maybe use the /n option in signtool…
For your internal testing, yes, this will work. You use /f or /n or
/sha1 to identify the certificate to use. The Windows 8/8.1/10 WDKs can
do this for you, using a Package project.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
> If this is for a package that you plan to release to the general public,
then you must go out and BUY a certificate. The type of certificate you
need depends on which operating systems you plan to target. This is the
discussion that has been going on here for the last month.
Thanks Tim,
as I stated on the first request: I need to sign the INF file to allow to final users with Win8.1 (Win10 seems to not have installation problems if the device is a Class02_SubClass02 USB device) to install a virtual serial port.
With this requirement, which kind of certificate I need?
Can you get me some names/addresses from where I can buy certificates?
xxxxx@eos.pr.it wrote:
> If this is for a package that you plan to release to the general public,
> then you must go out and BUY a certificate. The type of certificate you
> need depends on which operating systems you plan to target. This is the
> discussion that has been going on here for the last month.
as I stated on the first request: I need to sign the INF file to allow to final users with Win8.1 (Win10 seems to not have installation problems if the device is a Class02_SubClass02 USB device) to install a virtual serial port.
With this requirement, which kind of certificate I need?
Can you get me some names/addresses from where I can buy certificates?
If you will never need to worry about Windows 10, then you can get a
Class 3 Code-Signing Certificate from any of the certificate authorities
listed on the KMCS cross-certificate page:
https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx
VeriSign is the gold standard, but I have used both GlobalSign and Digicert.
If you will need to worry about Windows 10 before your certificate
expires, then you might want to consider getting an EV (Extended
Validation) certificate instead. That requires either VeriSign or
DigiCert. An EV cert can also be used for Windows 7 and 8.
If you plan to submit to WHQL, you will need a VeriSign or DigiCert
certificate. However, you can’t submit a subclass-matching INF to WHQL,
so that’s probably not an issue.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Thanks again Tim, very kind of you.
So, I decided to never need to worry about Win10.
I downloaded the GlobalSign cross-certificate and I follow the procedure on the MS page.
My problem starts on point 2. when I need to locate the SPC in the store: I have no items under ‘Personal’ item, neither in local computer, neither in Current User item.
Did I miss something?
xxxxx@eos.pr.it wrote:
So, I decided to never need to worry about Win10.
I downloaded the GlobalSign cross-certificate and I follow the procedure on the MS page.
Do you actually own a GlobalSign certificate? It takes several days for
the corporate vetting process, so unless you already had one in your
hands, I know there hasn’t been time for you to buy one since yesterday.
The process is that you buy a Class 3 Code-Signing Certificate from one
of the certificate authorities on Microsoft’s list. That takes several
days, while the authority verifies your identity. After you have your
certificate in hand, you use certmgr to install it in your personal
store. You can use either certmgr.exe or certmgr.sys. “Why are there
two different tools” is a question for future anthropologists to tackle.
Then, you need to get the cross-certificate that validates the
certificate authority you chose. Once you have all of those pieces,
then you can identify your certificate and your cross-certificate on the
“signtool sign” command line to sign your CAB.
My problem starts on point 2. when I need to locate the SPC in the store: I have no items under ‘Personal’ item, neither in local computer, neither in Current User item.
Did I miss something?
If you don’t actually have a certificate, then it’s not going to be found.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Ok, i downloaded only the cross-certificate.
Now I’m on the GlobalSign site and I selected the Code Sign Certificate.
In particular I’m selecting the Standard Code Signing Certificate for ?175/year.
Hope It is correct for my use …
By this kind of certificate I will sign both INF and the Windows executables, is it?
xxxxx@eos.pr.it wrote:
Ok, i downloaded only the cross-certificate.
Now I’m on the GlobalSign site and I selected the Code Sign Certificate.
In particular I’m selecting the Standard Code Signing Certificate for ?175/year.
Hope It is correct for my use …
That’s the one I’ve used for the last 9 years.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
xxxxx@eos.pr.it wrote:
By this kind of certificate I will sign both INF and the Windows executables, is it?
Yes. Well, you don’t actually sign an INF. You use the INF to create a
CAB, and you sign the CAB.
But yes, the user-mode app signing requirements are less strict than the
KMCS requirements. This will work there.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Don’t you said that i need to sign the CAT files ? (See Message 18)
Remember I need to support only Win8.1 …
Sorry but should I buy the SHA-256 or SHA-1 hash type?
xxxxx@eos.pr.it wrote:
Don’t you said that i need to sign the CAT files ? (See Message 18)
Remember I need to support only Win8.1 …
Yes, I meant CAT, not CAB.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
xxxxx@eos.pr.it wrote:
Sorry but should I buy the SHA-256 or SHA-1 hash type?
It doesn’t matter. Some people are concerned that SHA-1 certificates
are not secure, although the chances that you would actually be bitten
by that are infinitesimally small. If you will ever need to support
Vista or XP, then you will need SHA-1. Otherwise, you can get SHA-256
and feel more secure.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.