Test signing on Server 2003

I remember a topic on this forum around 20 days ago about “non-WHQL test signing impossible on Server 2003”.

I just discovered a method to do this and want to share it with the public.

OS version: Server 2003 x64 R2 SP2 with latest patches, I think Enterprise SKU.

  1. Create a self-signed cert using MAKECERT, with a name like “My Code Signing” (referenced below).
  2. Open it (let it be Code.cer with the private key in Code.pvk) using the Windows shell.
  3. Go to Certificate Chain.
  4. The chain will be of 2 items: your cert as a child, and “Root Agency” as a parent.
  5. Set the focus to “Root Agency” and say “Copy To File”.
  6. Name the file like Root.cer.
  7. Double-click on Root.cer, say Install, to Trusted Root Certification Authorities.
  8. Start mmc.exe, Add Snap-In 2 times: Certificates/Current User and Certificates/Local Computer.
  9. In MMC, move (by mouse) “Root Agency” from Current User\Trusted Root Certification Authorities to Local Computer\Trusted Root Certification Authorities. Say Yes to the large message box about DELETE. After this, Root Agency is both in Current User and in Local Computer (I think the Current User view is the Local Computer view + some possible extras).
  10. Double-click on Code.cer, say Install, to Trusted Publishers.
  11. In the same MMC, refresh and move (by mouse) “My Code Signing” from Current User\Trusted Publishers to Local Computer\Trusted Publishers.
  12. Run INF2CAT with /os:2000 (worked for me). You can run INF2CAT on another machine, since INF2CAT from WDK 6001.18002 cannot run on 2003 (at least without a full WDK install; the other signing tools from BIN\SELFSIGN run fine when just copied, but do not forget to copy CAPICOM.DLL too).
  13. Sign the CAT using SignTool and Code.pvk (or maybe Code.pfx), the cert you created in step 1.

After this, the SetupCopyOEMInf call is silent, SetupDiCreateDeviceInfo too, SetupDiCallClassInstaller(DIF_REGISTERDEVICE) too, UpdateDriverForPlugAndPlayDevices too (this is my .EXE install app based on DEVCON logic).

Moreover, my INF is also a NULL INF for the child devnodes my bus driver creates. Creation of these devnodes is triggered by some proprietary control IOCTL to the bus driver. In this case, the NULL INF is installed for these devnodes silently, without any UI.

If I omit the Trusted Publishers step (but do the Trusted Root Certification Authorities step), then I see the warning dialog a) from my install EXE, probably in SetupCopyOEMInf, and b) on NULL INF installation when the child devnode is first created by the already installed driver, long after the install EXE was executed and the machine rebooted.

The warning says something like “The digital signature is OK and the binary was not changed after, but there is no WHQL signature”.

Maxim S. Shatskih
Windows DDK MVP
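The same procedure as a command-line script, added here as an example and not part of the original post. It assumes the WDK/SDK tools makecert, pvk2pfx, certmgr, inf2cat and signtool are on PATH, that the driver package is in the current directory, that Root.cer was already exported from the chain view (steps 5-6), and that CATFILE and TSURL are placeholders for the catalog name from your INF and the timestamp service URL.

```batch
@echo off
setlocal
rem Added example (not from the original post): command-line equivalent of the
rem manual steps. CATFILE and TSURL below are placeholders to replace.
set CATFILE=mydriver.cat
set TSURL=http://timestamp.example.invalid/

rem Step 1: create the test certificate. Without -r, MAKECERT issues it from its
rem built-in test CA "Root Agency", which is why the chain shows two items.
makecert -n "CN=My Code Signing" -sv Code.pvk Code.cer
if errorlevel 1 goto fail

rem Steps 7 and 9: trust the "Root Agency" test root for the whole machine.
rem Caveat: the Root Agency private key ships with the SDK, so this entry trusts
rem any makecert-issued certificate, not only yours; keep it on test machines.
certmgr -add Root.cer -s -r localMachine Root
if errorlevel 1 goto fail

rem Steps 10 and 11: trust this specific publisher for the whole machine. This
rem is the entry that suppresses the "no WHQL signature" prompt in the post.
certmgr -add Code.cer -s -r localMachine TrustedPublisher
if errorlevel 1 goto fail

rem Step 12: build the catalog for the /os:2000 target that worked in the post.
rem (Run this part on another machine if INF2CAT will not start on 2003.)
inf2cat /driver:"%CD%" /os:2000
if errorlevel 1 goto fail

rem Step 13: convert PVK+CER to PFX, then sign the catalog with a timestamp.
pvk2pfx -pvk Code.pvk -spc Code.cer -pfx Code.pfx
if errorlevel 1 goto fail
signtool sign /v /f Code.pfx /t %TSURL% %CATFILE%
if errorlevel 1 goto fail

rem Check: the chain must now verify against the machine root store populated above.
signtool verify /v /pa %CATFILE%
if errorlevel 1 goto fail
echo Test signing complete.
exit /b 0

:fail
echo A step failed; see the output above.
exit /b 1
```

Run it from an administrative account on the target machine; the certmgr calls write to the Local Computer stores, which is exactly what the MMC drag-and-drop in steps 9 and 11 does by hand.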

More details on the issue:

  • I timestamp the signature from Verisign using SignTool command line
  • “My Code Signing” is displayed in Device Manager (not “Not Digitally Signed”)
  • the Control Panel/System/Hardware/Driver Signing option is set to Block

Maxim S. Shatskih
Windows DDK MVP