Vista driver signing

Finally, MS released some (partially) useful info: http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx

Some observations:

  • Authenticode signatures didn’t work because cross certificates are necessary. Cross certificates aren’t available yet (http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx claims “This information will be available soon.”). In addition, an updated signtool.exe, which isn’t available in the 5365 WDK, is necessary.

  • Test signatures have to be enabled using a boot option. However, even when enabled, it doesn’t work for me. Maybe a cross certificate is necessary, too; it is unclear.

  • Signature checking can be disabled using a boot option. Finally, something works (5381). This is probably the best way because 3rd-party tools containing an unsigned driver (DebugView etc.) work, too. It is also possible to disable signature checking as an F8 choice during boot (impractical) or when WinDbg is attached (annoying).

Conclusion: a lot of wasted time because of incomplete and misleading info :-#

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
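
An added example, not part of Michal’s post: a PowerShell snippet that reads and sets the boot options the second and third observations refer to, via bcdedit.exe. It assumes an elevated prompt on a test machine; `testsigning` is the option for loading test-signed drivers, and the name `nointegritychecks` for the beta-era “disable signature checking” switch is my assumption from the Vista beta documentation, not something the post states.

```powershell
# Added example (not from the original post): read and set the Vista boot
# options that control kernel-mode signature enforcement via bcdedit.exe.
# Assumptions: elevated PowerShell prompt on a *test* machine; changes take
# effect on the next boot.

function Get-BootOption {
    # "bcdedit /enum {current}" prints the running OS loader entry as
    # "<name>   <value>" lines. Returns the value, or $null when the option is
    # not set at all (which bcdedit treats as off).
    param([string]$Name)
    $lines = & bcdedit.exe /enum '{current}'
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /enum failed ($LASTEXITCODE); is the prompt elevated?"
    }
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s+(\S.*?)\s*$'
    foreach ($line in $lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

function Set-BootOption {
    # "bcdedit /set {current} <name> <value>"; fails loudly instead of letting
    # a typo in the option name go unnoticed until the driver refuses to load.
    param([string]$Name, [string]$Value)
    & bcdedit.exe /set '{current}' $Name $Value
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /set $Name $Value failed ($LASTEXITCODE)"
    }
}

function Test-TestSigningEnabled {
    # bcdedit reports boolean options as "Yes"/"No".
    return (Get-BootOption 'testsigning') -eq 'Yes'
}

# Supported route for a driver signed with a makecert test certificate:
# test-signing mode. Windows shows "Test Mode" on the desktop while it is on.
if (-not (Test-TestSigningEnabled)) {
    Set-BootOption 'testsigning' 'on'
    Write-Host 'testsigning turned on; reboot for it to take effect'
} else {
    Write-Host 'testsigning is already on'
}

# The fallback Michal describes (disable signature checking altogether, so
# unsigned tool drivers such as DebugView's load too). Assumption: this is the
# beta-era option named nointegritychecks. Debug machines only; it also
# removes the protection the whole scheme exists to provide.
# Set-BootOption 'nointegritychecks' 'on'
```

Run it once, reboot, and run it again: the second run should report that testsigning is already on, which is the state a test-signed catalog needs before the driver will load.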

That’s interesting. Just last week they closed a bug I submitted about
not being able to load drivers for testing without F8 or a debugger.
They said it was by design. I replied that it was totally unacceptable.
They had stated previously that they would have a mechanism available for
developers to test their drivers without requiring F8 or an attached
debugger (BTW, I even encountered a problem with a boot start driver not
only not loading but preventing the system from booting just by its
presence. Vista complained about not finding it in the catalog hash or
something like that. It even happened when the debugger was attached.
Yes, I bugged it.)

I’m glad they finally made some info available about this. I wish they
had all the pieces in place before they shut off the BCD option to allow
unsigned drivers.

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Saturday, May 20, 2006 1:44 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Vista driver signing

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I just saw this little tidbit in that article:

“Create an INF file in your driver package directory and edit it for
Windows Vista. Specifically, change the build date to 4/1/2006 or
greater and the version to 6. For example: DriverVer=04/01/2006,
6.0.1.0”.

Huh? I have to say that my driver version is version 6 just because the
OS version is 6? I would like to have my driver version make sense for
my driver. The version number should reflect an accurate version number
for my driver, not the OS version.

Is that really a requirement or just an example? The verbiage makes it
sound like a requirement.

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Brown, Beverly
Sent: Saturday, May 20, 2006 1:50 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Vista driver signing

> “Create an INF file in your driver package directory and edit it for
> Windows Vista. Specifically, change the build date to 4/1/2006 or
> greater and the version to 6. For example: DriverVer=04/01/2006,
> 6.0.1.0”.

The most annoying thing in Vista’s driver signing is the device class-based
limitations. Must I lie to the OS (using INFs) that my driver is a Disk filter
driver, if in reality it is a combination of a pre-FltMgr FSF and a Volume
filter driver?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

As mentioned in the last issue of The NT Insider, stay tuned for announcements at WinHEC (that is, this week).

We’ll have the articles for access on OSR Online, also.

(To answer Michal’s question: Cross-certs are not required for test signatures. The test signature can be a makecert cert. I’m sorry, but I can’t say more until tomorrow at 9AM Pacific time… the first day of WinHEC).

Peter
OSR

> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Monday, May 22, 2006 8:33 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Vista driver signing
>
> As mentioned in the last issue of The NT Insider, stay tuned for announcements at WinHEC (that is, this week).
>
> We’ll have the articles for access on OSR Online, also.

Great, I’m looking forward to it. Hopefully you’ll test it before publishing, unlike MS ;-)

> (To answer Michal’s question: Cross-certs are not required for test signatures. The test signature can be a makecert cert. I’m sorry, but I can’t say more until tomorrow at 9AM Pacific time… the first day of WinHEC).

Yep Peter, you’re right, but test signatures simply don’t work. I did everything according to the article and they still don’t work with the 5365 WDK tools. I already filed the Vista beta bug.

Well, my problem is solved for now. I turned off signature checking and can test my driver, use System Internals tools etc. I’ll wait with signing until things have settled.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

I noticed it, too. I just hope it applies only to MS drivers and got into the article by mistake. It’d be a really stupid requirement for 3rd-party drivers. I have one binary + INF for XP, w2k3 and Vista, so the version can’t mirror the OS version.

BTW, my driver with a different versioning scheme successfully installs on x64 Vista. However, with signature checking turned off.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Brown, Beverly[SMTP:bbrown@mc.com]
Reply To: Windows System Software Devs Interest List
Sent: Saturday, May 20, 2006 8:13 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Vista driver signing

The problem is the book doesn’t have all of the information. We have been
self-signing our drivers for weeks now. It took me over a week and help
from some of the WinQual folks, but we finally got it to work consistently.
Now, we haven’t tried this on 64-bit platforms yet (our build server isn’t
generating 64-bit everything yet), but here is what we did on 32-bit Vista.
I hope this helps some folks:

1.) Create a test sign certificate using makecert:

    MakeCert -r -pe -ss "Trusted Root Certification Authorities" -n "CN=MyTest" MyTest.cer

2.) Install MyTest.cer into the “Trusted Root Certification Authorities”
and “Trusted Publishers” certificate stores. I just typed MyTest.cer from
the command-line and the Certificate Wizard launched and I was able to
select the store to install the certificate into. I had to do this twice to
install the certificate in the two aforementioned certificate stores. You
can use IE for this as well.

**** IMPORTANT - the certificate must be installed in the “Local Computer”
store, this is not default. From the certificate wizard check the “show
physical stores” or whatever it is to see the different store locations.

3.) Create a catalog file using makecat:

makecat -v mytest.cdf

Where mytest.cdf is a text file containing the following:

[CatalogHeader]
name=mytest.cat

[CatalogFiles]
mytest.sys=mytest.sys
mytest.inf=mytest.inf

4.) Sign the catalog file using signtool and the previously created and
imported certificate:

    SignTool sign /s "Trusted Root Certification Authorities" /n "MyTest" /t http://timestamp.verisign.com/scripts/timestamp.dll mytest.cat

5.) Verify the catalog signature via the same SignTool tool:

SignTool verify mytest.cat

It has been a while since I did this, and my brain dumps quickly, so we may
have modified the process slightly. It seems I had to play some more nasty
tricks with the cdf file to prevent the makecert UI from popping up, which
caused our build process a lot of grief. I am out of the office, so I can’t
see our scripts at the moment, but this is the general gist of it. None of
this is private to the best of my knowledge or I would not post it. This
has worked from WDK 5308 on up I believe.

BTW, I could not ever get the documented procedure to work, thus the cdf
file and slightly different approach. But as I say, this has been working
for us for a long time now. It is the only way we could get any QA or
installer work done.

Also, thanks to Jennifer Steppler who answered the winqual emails I sent.
Without her help we would have never gotten this working, well until
tomorrow :-)

Bill M.
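
An added example, not Bill’s own build script: his five steps as an unattended PowerShell script that a build server can run with no wizard or GUI involved. It assumes the WDK tools (makecert, makecat, signtool) are on PATH, an elevated prompt, a package directory .\package containing mytest.sys and mytest.inf, and placeholder names (MyTest, PrivateCertStore) that you would substitute; certutil stands in for the certificate wizard in step 2. The final step verifies the .sys through the catalog (/c) under the default Authenticode policy (/pa), which is the policy a test signature can satisfy; a release signature with a cross-certificate is checked with /kp instead.

```powershell
# Added example, not Bill's script: steps 1-5 above as an unattended build
# step. Assumptions: makecert/makecat/signtool (WDK) on PATH, elevated prompt,
# driver package in .\package with mytest.sys and mytest.inf. Names are
# placeholders.
$ErrorActionPreference = 'Stop'
$PackageDir = Join-Path (Get-Location) 'package'
$CertName   = 'MyTest'             # CN of the test certificate
$CertFile   = Join-Path $PackageDir "$CertName.cer"
$StoreName  = 'PrivateCertStore'   # CurrentUser store holding the private key
$Timestamp  = 'http://timestamp.verisign.com/scripts/timestamp.dll'

function Invoke-Tool {
    # Run a tool and stop on a non-zero exit code, so one failed step cannot
    # be masked by the next one.
    param([string]$Exe, [string[]]$ToolArgs)
    Write-Host ">> $Exe $($ToolArgs -join ' ')"
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Self-signed test certificate. -r: self-signed, -pe: exportable private
#    key, -ss: store that keeps the key, -eku: code-signing purpose.
if (-not (Test-Path $CertFile)) {
    Invoke-Tool makecert.exe @('-r', '-pe', '-ss', $StoreName, '-n', "CN=$CertName",
                               '-eku', '1.3.6.1.5.5.7.3.3', $CertFile)
}

# 2. Trust the certificate in the LocalMachine Root and TrustedPublisher
#    stores (Bill's IMPORTANT note). certutil writes the machine store by
#    default, so no wizard and no "show physical stores" checkbox.
#    Repeat just these two lines on each test machine.
Invoke-Tool certutil.exe @('-addstore', '-f', 'Root', $CertFile)
Invoke-Tool certutil.exe @('-addstore', '-f', 'TrustedPublisher', $CertFile)

# 3. Catalog definition file. Every file the INF copies must be listed as
#    <tag>=<path>, otherwise its hash is missing from the catalog and the
#    signature does not cover it.
$CdfFile = Join-Path $PackageDir 'mytest.cdf'
$cdf = @"
[CatalogHeader]
Name=mytest.cat
ResultDir=$PackageDir

[CatalogFiles]
mytest.inf=$PackageDir\mytest.inf
mytest.sys=$PackageDir\mytest.sys
"@
Set-Content -Path $CdfFile -Value $cdf -Encoding Ascii   # makecat wants ANSI text
Invoke-Tool makecat.exe @('-v', $CdfFile)

# 4. Sign the catalog with the test certificate and a timestamp.
$CatFile = Join-Path $PackageDir 'mytest.cat'
Invoke-Tool signtool.exe @('sign', '/v', '/s', $StoreName, '/n', $CertName,
                           '/t', $Timestamp, $CatFile)

# 5. Verify the driver binary *through* the catalog (/c): that ties the
#    binary's hash to the signed catalog, whereas "signtool verify mytest.cat"
#    alone only proves the catalog's own signature. /pa = default Authenticode
#    policy (what a test signature can satisfy); use /kp for a cross-certified
#    release signature.
Invoke-Tool signtool.exe @('verify', '/pa', '/v', '/c', $CatFile,
                           (Join-Path $PackageDir 'mytest.sys'))
```

On a test machine only the two certutil lines from step 2 are needed (plus test-signing mode in the boot configuration); the catalog is test-signed, so step 5 fails on any machine that does not trust the MyTest root, which is the expected outcome rather than a tooling problem.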

Thanks Bill, but it still doesn’t work for me on x64 Vista. Everything looks OK but the signed cat can’t be verified. Well, I’m just downloading the Vista beta 2 WDK which should contain updated tools. Cross certificates are already available so hopefully it’ll work better.

BTW, the only difference between procedure from the latest docs (not WDK) and yours is CAT file creation. Is using makecat necessary to be successful? However, it can be better than ugly GUI signability tool which needs some component registration to work.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
Reply To: Windows System Software Devs Interest List
Sent: Tuesday, May 23, 2006 7:36 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Vista driver signing

I could not get the signability tool to work (conflicted with previous
version of signability that I had had installed at one point), and we needed
something UI-less for our build. The key is installing the certificate in
the correct location. I am at WinHEC, if no one answers your question
before I get back home, I will try this on x64 Vista on Friday. That
shouldn’t take long.

Bill M.

Signability works well for me once installed with the WDK. But I have the same problem with the GUI; it needs to be integrated to the automated build. Makecat refused to work (it claimed it can’t find INF) until I swapped the last two lines. Weird tools.

Thanks, I have no real problem with signing now; I just turned it off. Test signatures aren’t so important if I get the Authenticode signature working. It is a better possibility, as the test certificate doesn’t need to be installed and enabled on test machines. I have to wait until the beta 2 WDK is downloaded (2.3 GB!); it is really slow now. Everybody is probably downloading Vista beta 2, which is the next step to do. I’m sure our QA will enjoy the next play with dual-layer DVD :-/

BTW, I’m sure I have the certificates installed in the correct location. Verified tens of times.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, May 24, 2006 3:27 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Vista driver signing

I could not get the signability tool to work (conflicted with previous
version of signability that I had had installed at one point), and we needed
something UI-less for our build. The key is installing the certificate in
the correct location. I am at WinHEC, if no one answers your question
before I get back home, I will try this on x64 Vista on Friday. That
shouldn’t take long.

Bill M.

“Michal Vodicka” wrote in message
> news:xxxxx@ntdev…
> Thanks Bill, but it still doesn’t work for me at x64 Vista. Everything looks
> OK but the signed cat can’t be verified. Well, I’m just downloading Vista
> beta 2 WDK which should contain updated tools. Cross certificates are
> already available so hopefully it’ll work better.
>
> BTW, the only difference between procedure from the latest docs (not WDK)
> and yours is CAT file creation. Is using makecat necessary to be successful?
> However, it can be better than ugly GUI signability tool which needs some
> component registration to work.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
>
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Tuesday, May 23, 2006 7:36 AM
> > To: Windows System Software Devs Interest List
> > Subject: Re:[ntdev] Vista driver signing
> >
> > The problem is the book doesn’t have all of the information. We have been
> > self signing our drivers for weeks now. It took me over a week and help
> > from some of the WinQual folks, but we finally got it to work
> > consistently.
> > Now, we haven’t tried this on 64-bit platforms yet (our build server isn’t
> > generating 64-bit everything yet), but here is what we did on 32-bit
> > Vista.
> > I hope this helps some folks:
> >
> > 1.) Create a test sign certificate using makecert:
> >
> > MakeCert -r -pe -ss “Trusted Root Certification Authorities” -n “CN=MyTest” MyTest.cer
> >
> > 2.) Install MyTest.cer into the “Trusted Root Certification Authorities”
> > and “Trusted Publishers” certificate stores. I just typed MyTest.cer from
> > the command-line and the Certificate Wizard launched and I was able to
> > select the store to install the certificate into. I had to do this twice
> > to install the certificate in the two aforementioned certificate stores.
> > You can use IE for this as well.
> >
> > **** IMPORTANT - the certificate must be installed in the “Local Computer”
> > store, this is not default. From the certificate wizard check the “show
> > physical stores” or whatever it is to see the different store locations.
> >
> > 3.) Create a catalog file using makecat:
> >
> > makecat -v mytest.cdf
> >
> > Where mytest.cdf is a text file containing the following:
> >
> >
> > [CatalogHeader]
> > name=mytest.cat
> >
> > [CatalogFiles]
> > mytest.sys=mytest.sys
> > mytest.inf=mytest.inf
> >
> >
> >
> > 4.) Sign the catalog file using signtool and the previously created and
> > imported certificate:
> >
> > SignTool sign /s “Trusted Root Certification Authorities” /n “MyTest” /t
> > http://timestamp.verisign.com/scripts/timestamp.dll mytest.cat
> >
> >
> > 5.) Verify the catalog signature via the same SignTool tool:
> >
> > SignTool verify mytest.cat
> >
> > It has been a while since I did this, and my brain dumps quickly, so we
> > may have modified the process slightly. It seems I had to play some more
> > nasty tricks with the cdf file to prevent the makecert UI from popping up,
> > which caused our build process a lot of grief. I am out of the office, so
> > I can’t see our scripts at the moment, but this is the general gist of it.
> > None of this is private to the best of my knowledge or I would not post
> > it. This has worked from WDK 5308 on up I believe.
> >
> > BTW, I could not ever get the documented procedure to work, thus the cdf
> > file and slightly different approach. But as I say, this has been working
> > for us for a long time now. It is the only way we could get any QA or
> > installer work done.
> >
> > Also, thanks to Jennifer Steppler who answered the winqual emails I sent.
> > Without her help we would have never gotten this working, well until
> > tomorrow :slight_smile:
> >
> > Bill M.
> >
> >
> > “Michal Vodicka” wrote in message
> > news:xxxxx@ntdev…
> > > ----------
> > > From:
> > > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > > on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
> > > Reply To: Windows System Software Devs Interest List
> > > Sent: Monday, May 22, 2006 8:33 PM
> > > To: Windows System Software Devs Interest List
> > > Subject: RE:[ntdev] Vista driver signing
> > >
> > > As mentioned in the last issue of The NT Insider, stay tuned for
> > > announcements at WinHEC (that is, this week).
> > >
> > > We’ll have the articles for access on OSR Online, also.
> > >
> > Great, I’m looking forward to it. Hopefully you’d test it before
> > publishing, unlike MS :wink:
> >
> > > (To answer Michal’s question: Cross-certs are not required for test
> > > signatures. The test signature can be a makecert cert. I’m sorry, but I
> > > can’t say more until tomorrow at 9AM Pacific time… the first day of
> > > WinHEC).
> > >
> > Yep Peter, you’re right but test signatures simply don’t work. I did
> > everything according to the article and they still don’t work with 5365 WDK
> > tools. I already filed the Vista beta bug.
> >
> > Well, my problem is solved for now. I turned off signature checking and
> > can test my driver, use Sysinternals tools etc. I’ll wait with signing
> > until things have settled.
> >
> > Best regards,
> >
> > Michal Vodicka
> > UPEK, Inc.
> > [xxxxx@upek.com, http://www.upek.com]
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > To unsubscribe, visit the List Server section of OSR Online at
> > http://www.osronline.com/page.cfm?name=ListServer
>

Well, sorry I couldn’t help. Good luck.

Bill M.

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
Signability works well for me once installed with the WDK. But I have the
same problem with the GUI; it needs to be integrated into the automated build.
Makecat refused to work (it claimed it can’t find the INF) until I swapped the
last two lines. Weird tools.

Thanks, I have no real problem with signing now; I just turned it off. Test
signatures aren’t so important if I get the Authenticode signature working. It
is a better possibility as the test certificate doesn’t need to be installed and
enabled on test machines. I have to wait until the beta 2 WDK is downloaded (2.3
GB!), it is really slow now. Everybody probably downloads Vista beta 2 which
is the next step to do. I’m sure our QA will enjoy the next play with dual layer
DVD :-/

BTW, I’m sure I have the certificates installed in the correct location.
Verified tens of times.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, May 24, 2006 3:27 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Vista driver signing
>
> I could not get the signability tool to work (conflicted with a previous
> version of signability that I had had installed at one point), and we
> needed something UI-less for our build. The key is installing the certificate
> in the correct location. I am at WinHEC; if no one answers your question
> before I get back home, I will try this on x64 Vista on Friday. That
> shouldn’t take long.
>
> Bill M.
>

FYI, I just tried my aforementioned self signing procedure on a 64-bit build
of my drivers and installed these on x64 Vista Beta 2. My self-signed
drivers loaded just fine.

BTW, the tools are really picky about capitalization and such when you
create the .cat files and again placement of the certificate in Local
Computer stores is critical. AND you can only do that if you have modified
the local security policy to disable running all users as restricted users.

Bill M.

The certificates are where they should be and I installed them from a console running as administrator. Later I disabled the security policy you mention; it makes Vista almost unusable. Nothing helps. There is probably some detail I’m missing. If you participate in Vista beta testing, you can look at my feedback about this issue: https://connect.microsoft.com/feedback/Comment.aspx?SiteID=4&FeedbackID=77592. My last comment contains the complete signing session (if you read the comments there, start from the end).

BTW, don’t you have a batch which signs your drivers? I could try to run it as-is on my system to see if the problem is with the signing procedure or something else. The sample batch included in the WDK doesn’t work for me.

I successfully signed the driver using the company certificate and the related cross-certificate. If I omit the problems with importing certificates to the store, the procedure described in the latest MS paper works.

I decided to sign driver binaries instead of catalogs for testing purposes. It makes things a bit easier; I have some issue with my INF and creating a CAT for x64 Vista. It is funny, the OS has no problem using the INF to install the driver but the weird signability tool claims the .sys isn’t referenced in the INF. I have to investigate it when I have time but for now signing binaries seems a better way. It is also easier to integrate into the automated build process.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
Reply To: Windows System Software Devs Interest List
Sent: Saturday, May 27, 2006 2:29 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Vista driver signing

FYI, I just tried my aforementioned self signing procedure on a 64-bit build
of my drivers and installed these on x64 Vista Beta 2. My self-signed
drivers loaded just fine.

BTW, the tools are really picky about capitalization and such when you
create the .cat files and again placement of the certificate in Local
Computer stores is critical. AND you can only do that if you have modified
the local security policy to disable running all users as restricted users.

Bill M.

>
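A batch file that automates the five-step self-signing procedure Bill posted above and answers Michal’s question about a signing batch; it is an added example, not a script from either poster or from the WDK. It assumes an elevated prompt with the WDK tools on the PATH, uses certutil in place of the certificate wizard for the Local Computer import (an assumption, not a step from the thread), lists the INF before the SYS in the cdf as Michal found necessary, and keeps the custom store name from the posted makecert command.

```batch
@echo off
REM sign-driver.cmd -- added example, not from the thread or the WDK.
REM Runs the posted makecert / store import / makecat / signtool steps
REM without any GUI so they can live in an automated build. Assumes
REM makecert, makecat, signtool and certutil are on PATH and that this
REM runs from an elevated prompt, because the certificate must land in
REM the Local Computer stores (the point Bill flags as critical).
setlocal

set CERTNAME=MyTest
set DRIVER=mytest
set TSURL=http://timestamp.verisign.com/scripts/timestamp.dll

REM 1) Test certificate, created once and reused across builds. The store
REM    name is the one from the posted command, so signtool below looks
REM    in the same store.
if not exist %CERTNAME%.cer (
    MakeCert -r -pe -ss "Trusted Root Certification Authorities" -n "CN=%CERTNAME%" %CERTNAME%.cer || goto :fail
)

REM 2) Import into the Local Computer Root and Trusted Publishers stores.
REM    certutil (assumed swap-in for the wizard) targets the machine
REM    stores when run without -user.
certutil -addstore -f Root %CERTNAME%.cer || goto :fail
certutil -addstore -f TrustedPublisher %CERTNAME%.cer || goto :fail

REM 3) Catalog definition. INF before SYS because Michal reported makecat
REM    could not find the INF in the other order; one consistent case for
REM    file names because the tools are picky about capitalization.
> %DRIVER%.cdf echo [CatalogHeader]
>> %DRIVER%.cdf echo name=%DRIVER%.cat
>> %DRIVER%.cdf echo.
>> %DRIVER%.cdf echo [CatalogFiles]
>> %DRIVER%.cdf echo %DRIVER%.inf=%DRIVER%.inf
>> %DRIVER%.cdf echo %DRIVER%.sys=%DRIVER%.sys
makecat -v %DRIVER%.cdf || goto :fail

REM 4) Sign the catalog, locating the certificate by subject name in the
REM    store created in step 1, with a timestamp. The same command with the
REM    .sys as target embeds the signature in the binary instead, which is
REM    the variant Michal chose for test builds.
SignTool sign /s "Trusted Root Certification Authorities" /n "%CERTNAME%" /t %TSURL% %DRIVER%.cat || goto :fail
SignTool sign /s "Trusted Root Certification Authorities" /n "%CERTNAME%" /t %TSURL% %DRIVER%.sys || goto :fail

REM 5) Verify before the build publishes anything.
SignTool verify %DRIVER%.cat || goto :fail
SignTool verify %DRIVER%.sys || goto :fail
echo Signing OK
exit /b 0

:fail
echo Signing step failed with error %ERRORLEVEL%
exit /b 1
```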

> Later I disabled the security policy you mention; it makes Vista almost unusable.

Dude, something is wrong, this should have no effect on anything except you
won’t get those annoying pop-ups every time you try to start a system utility
of some type like device manager. Everyone in our office turns this policy
off first thing, and no one has had problems. This policy is only the
one local policy which says to run all users in admin approval mode. I have
messed with other policies that definitely have made the OS unstable.

> It is funny, the OS has no problem using the INF to install the driver but the
> weird signability tool claims the .sys isn’t referenced in the INF. I have to
> investigate it when I have time but for now signing binaries seems a better way.

Maybe this is a clue as to a problem with your setup? I would solve this
first rather than later.

I don’t know what to tell you other than self-signing works and will likely
solve your problem now and in the future.

Bill M.

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
The certificates are where they should be and I installed them from a console
running as administrator. Later I disabled the security policy you mention; it
makes Vista almost unusable. Nothing helps. There is probably some detail
I’m missing. If you participate in Vista beta testing, you can look at my
feedback about this issue:
https://connect.microsoft.com/feedback/Comment.aspx?SiteID=4&FeedbackID=77592.
My last comment contains the complete signing session (if you read the comments
there, start from the end).

BTW, don’t you have a batch which signs your drivers? I could try to run it
as-is on my system to see if the problem is with the signing procedure or
something else. The sample batch included in the WDK doesn’t work for me.

I successfully signed the driver using the company certificate and the related
cross-certificate. If I omit the problems with importing certificates to the
store, the procedure described in the latest MS paper works.

I decided to sign driver binaries instead of catalogs for testing purposes.
It makes things a bit easier; I have an issue with my INF and creating CAT
for x64 Vista. It is funny, OS has no problem using INF to install driver
but the weird signability tool claims .sys isn’t referenced in the INF. I
have to investigate it when I have time but for now signing binaries seems
a better way. It is also easier to integrate to the automated build process.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Saturday, May 27, 2006 2:29 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Vista driver signing
>
> FYI, I just tried my aforementioned self signing procedure on a 64-bit build
> of my drivers and installed these on x64 Vista Beta 2. My self-signed
> drivers loaded just fine.
>
> BTW, the tools are really picky about capitalization and such when you
> create the .cat files and again placement of the certificate in Local
> Computer stores is critical. AND you can only do that if you have modified
> the local security policy to disable running all users as restricted users.
>
> Bill M.
>
> “Michal Vodicka” wrote in message
> news:xxxxx@ntdev…
> Signability works well for me once installed with the WDK. But I have the
> same problem with the GUI; it needs to be integrated to the automated
> build.
> Makecat refused to work (it claimed it can’t find INF) until I swapped the
> last two lines. Weird tools.
>
> Thanks, I have no real problem with signing now; I just turned it off. Test
> signatures aren’t so important if I make the Authenticode signature work. It
> is a better possibility as the test certificate doesn’t need to be installed
> and enabled at test machines. I have to wait until beta 2 WDK is downloaded
> (2.3 GB!), it is really slow now. Everybody probably downloads Vista beta 2
> which is the next step to do. I’m sure our QA will enjoy next play with dual
> layer DVD :-/
>
> BTW, I’m sure I have certificates installed in the correct location.
> Verified tens of times.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
>
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Wednesday, May 24, 2006 3:27 AM
> > To: Windows System Software Devs Interest List
> > Subject: Re:[ntdev] Vista driver signing
> >
> > I could not get the signability tool to work (conflicted with previous
> > version of signability that I had had installed at one point), and we
> > needed something UI-less for our build. The key is installing the
> > certificate in the correct location. I am at WinHEC, if no one answers
> > your question before I get back home, I will try this on x64 Vista on
> > Friday. That shouldn’t take long.
> >
> > Bill M.
> >
> >
> > “Michal Vodicka” wrote in message
> > news:xxxxx@ntdev…
> > Thanks Bill, but it still doesn’t work for me at x64 Vista. Everything looks
> > OK but the signed cat can’t be verified. Well, I’m just downloading Vista
> > beta 2 WDK which should contain updated tools. Cross certificates are
> > already available so hopefully it’ll work better.
> >
> > BTW, the only difference between procedure from the latest docs (not WDK)
> > and yours is CAT file creation. Is using makecat necessary to be successful?
> > However, it can be better than ugly GUI signability tool which needs some
> > component registration to work.
> >
> > Best regards,
> >
> > Michal Vodicka
> > UPEK, Inc.
> > [xxxxx@upek.com, http://www.upek.com]
> >
> >
> > > ----------
> > > From:
> > > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > > on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> > > Reply To: Windows System Software Devs Interest List
> > > Sent: Tuesday, May 23, 2006 7:36 AM
> > > To: Windows System Software Devs Interest List
> > > Subject: Re:[ntdev] Vista driver signing
> > >
> > > The problem is the book doesn’t have all of the information. We have been
> > > self signing our drivers for weeks now. It took me over a week and help
> > > from some of the WinQual folks, but we finally got it to work consistently.
> > > Now, we haven’t tried this on 64-bit platforms yet (our build server isn’t
> > > generating 64-bit everything yet), but here is what we did on 32-bit Vista.
> > > I hope this helps some folks:
> > >
> > > 1.) Create a test sign certificate using makecert:
> > >
> > > MakeCert -r -pe -ss “Trusted Root Certification Authorities” -n “CN=MyTest” MyTest.cer
> > >
> > > 2.) Install MyTest.cer into the “Trusted Root Certification Authorities”
> > > and “Trusted Publishers” certificate stores. I just typed MyTest.cer from
> > > the command-line and the Certificate Wizard launched and I was able to
> > > select the store to install the certificate into. I had to do this twice to
> > > install the certificate in the two aforementioned certificate stores. You
> > > can use IE for this as well.
> > >
> > > **** IMPORTANT - the certificate must be installed in the “Local Computer”
> > > store, this is not default. From the certificate wizard check the “show
> > > physical stores” or whatever it is to see the different store locations.
> > >
> > >
> > > 3.) Create a catalog file using makecat:
> > >
> > > makecat -v mytest.cdf
> > >
> > > Where mytest.cdf is a text file containing the following:
> > >
> > >
> > > [CatalogHeader]
> > > name=mytest.cat
> > >
> > > [CatalogFiles]
> > > mytest.sys=mytest.sys
> > > mytest.inf=mytest.inf
> > >
> > >
> > >
> > > 4.) Sign the catalog file using signtool and the previously created and
> > > imported certificate:
> > >
> > > SignTool sign /s “Trusted Root Certification Authorities” /n “MyTest” /t
> > > http://timestamp.verisign.com/scripts/timestamp.dll mytest.cat
> > >
> > >
> > > 5.) Verify the catalog signature via the same SignTool tool:
> > >
> > > SignTool verify mytest.cat
> > >
> > > It has been a while since I did this, and my brain dumps quickly, so we may
> > > have modified the process slightly. It seems I had to play some more nasty
> > > tricks with the cdf file to prevent the makecert UI from popping up, which
> > > caused our build process a lot of grief. I am out of the office, so I can’t
> > > see our scripts at the moment, but this is the general gist of it. None of
> > > this is private to the best of my knowledge or I would not post it. This
> > > has worked from WDK 5308 on up I believe.
> > >
> > > BTW, I could not ever get the documented procedure to work, thus the cdf
> > > file and slightly different approach. But as I say, this has been working
> > > for us for a long time now. It is the only way we could get any QA or
> > > installer work done.
> > >
> > > Also, thanks to Jennifer Steppler who answered the winqual emails I sent.
> > > Without her help we would have never gotten this working, well until
> > > tomorrow :slight_smile:
> > >
> > > Bill M.
> > >
> > >
> > > “Michal Vodicka” wrote in message
> > > news:xxxxx@ntdev…
> > > > ----------
> > > > From:
> > > > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > > > on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
> > > > Reply To: Windows System Software Devs Interest List
> > > > Sent: Monday, May 22, 2006 8:33 PM
> > > > To: Windows System Software Devs Interest List
> > > > Subject: RE:[ntdev] Vista driver signing
> > > >
> > > > As mentioned in the last issue of The NT Insider, stay tuned for
> > > > announcements at WinHEC (that is, this week).
> > > >
> > > > We’ll have the articles for access on OSR Online, also.
> > > >
> > > Great, I’m looking forward for it. Hopefully you’d test it before
> > > publishing, unlike MS :wink:
> > >
> > > > (To answer Michal’s question: Cross-certs are not required for test
> > > > signatures. The test signature can be a makecert cert. I’m sorry, but I
> > > > can’t say more until tomorrow at 9AM Pacific time… the first day of
> > > > WinHEC).
> > > >
> > > Yep Peter, you’re right but test signatures simply don’t work. I did
> > > everything according to the article and they still don’t work with 5365
> > > WDK tools. I already filed the Vista beta bug.
> > >
> > > Well, my problem is solved for now. I turned off signature checking and can
> > > test my driver, use System Internals tools etc. I’ll wait with signing until
> > > things have settled.
> > >
> > > Best regards,
> > >
> > > Michal Vodicka
> > > UPEK, Inc.
> > > [xxxxx@upek.com, http://www.upek.com]

> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Monday, May 29, 2006 10:43 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Vista driver signing

>Later I disabled security policy you mention; it makes Vista almost
>unusable.

>Dude, something is wrong, this should have no effect on anything except you
>won’t get those annoying pop-ups every time you try to start a system utility
>of some type like device manager.

This is what I meant :slight_smile: It is unusable from the user’s point of view and forces you to turn it off. It has nothing to do with the signature problem; sorry for being unclear.

>Everyone in our office turns this policy
>off first thing, and no one has had problems.

It may not be a problem for kernel developers but it is a problem for application developers. They have to bother with these annoying pop-ups or develop their apps in a different environment than end users. Hopefully MS will change this policy somewhat until release. But I digress.

>It is funny, OS has no problem using INF to install driver but the weird
>signability tool claims .sys isn’t referenced in the INF. I have to
>investigate it when I have time but for now signing binaries seems a
>better way

>Maybe this is a clue as to a problem with your setup? I would solve this
>first rather than later.

It isn’t. There can be a problem with the INF and that’s why I started to sign binaries. Yes, it has to be fixed, at least before WHQL signing for Vista.

>I don’t know what to tell you other than self-signing works and will likely
>solve your problem now and in the future.

Well, I don’t have a real problem now. Signing with company SPC and related cross certificate works and it is a better possibility than using test certificates. I’m only curious why test certificates don’t work for me. BTW, what OS do you use for signing? x64 Vista itself or something else?

Does anybody have a batch file which makes all steps from test certificate creation, import and driver signing and works? The WDK selfsign_example.cmd doesn’t work for me. It does all steps and the signed driver can’t be verified.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

If I don’t change the local security policy, I cannot see the local computer
store for Trusted Root Certification Authorities. How do you?

If signtool verification fails that is almost certainly an indication that
your test certificate is not installed correctly.

Bill M.

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Monday, May 29, 2006 10:43 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Vista driver signing
>
> >Later I disabled security policy you mention; it makes Vista almost
> >unusable.
>
> Dude, something is wrong, this should have no effect on anything except
> you won’t get those annoying pop-ups every time you try to start a system
> utility of some type like device manager.
>
This is what I meant :slight_smile: It is unusable from the user’s point of view and forces
you to turn it off. It has nothing to do with the signature problem; sorry for
being unclear.

> Everyone in our office turns this policy
> off first thing, and no one has had problems.
>
It may not be a problem for kernel developers but it is a problem for
application developers. They have to bother with these annoying pop-ups or
develop their apps in a different environment than end users. Hopefully MS
will change this policy somewhat until release. But I digress.

> >It is funny, OS has no problem using INF to install driver but the weird
> >signability tool claims .sys isn’t referenced in the INF. I have to
> >investigate it when I have time but for now signing binaries seems a
> >better way
>
> Maybe this is a clue as to a problem with your setup? I would solve this
> first rather than later.
>
It isn’t. There can be a problem with the INF and that’s why I started to
sign binaries. Yes, it has to be fixed, at least before WHQL signing for
Vista.

> I don’t know what to tell you other than self-signing works and will
> likely
> solve your problem now and in the future.
>
Well, I don’t have a real problem now. Signing with company SPC and related
cross certificate works and it is a better possibility than using test
certificates. I’m only curious why test certificates don’t work for me. BTW,
what OS do you use for signing? x64 Vista itself or something else?

Does anybody have a batch file which makes all steps from test certificate
creation, import and driver signing and works? The WDK selfsign_example.cmd
doesn’t work for me. It does all steps and the signed driver can’t be verified.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

I execute everything from command prompt running as administrator (right click, Run as Administrator).

What is incorrect in the following except the last result? The strange thing is signtool /pa verifies it but it isn’t enough for kernel. Importing certificate manually has the same effect. And yes, I do see it in the local computer store.

e:\winddk\5384\bin\selfsign\toaster>makecert.exe -r -pe -ss “Trusted Root Certification Authorities” -n “CN=WdkCert” WdkCert.cer
Succeeded

e:\winddk\5384\bin\selfsign\toaster>certmgr.exe -add WdkCert.cer -s -r localMachine root
CertMgr Succeeded

e:\winddk\5384\bin\selfsign\toaster>certmgr.exe -add WdkCert.cer -s -r localMachine trustedpublisher
CertMgr Succeeded

e:\winddk\5384\bin\selfsign\toaster>signtool.exe sign /s “Trusted Root Certification Authorities” /n “WdkCert” /t http://timestamp.verisign.com/scripts/timestamp.dll toastmon.sys
Done Adding Additional Store
Successfully signed and timestamped: toastmon.sys

e:\winddk\5384\bin\selfsign\toaster>signtool verify /kp toastmon.sys
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: File not valid: toastmon.sys

Number of errors: 1

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Tuesday, May 30, 2006 3:32 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Vista driver signing
>
> If I don’t change the local security policy, I cannot see the local computer
> store for Trusted Root Certification Authorities. How do you?
>
> If signtool verification fails that is almost certainly an indication that
> your test certificate is not installed correctly.
>
> Bill M.
>
> “Michal Vodicka” wrote in message
> news:xxxxx@ntdev…
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Monday, May 29, 2006 10:43 PM
> > To: Windows System Software Devs Interest List
> > Subject: Re:[ntdev] Vista driver signing
> >
> > >Later I disabled security policy you mention; it makes Vista almost
> > >unusable.
> >
> > Dude, something is wrong, this should have no effect on anything except
> > you won’t get those annoying pop-ups every time you try to start a system
> > utility of some type like device manager.
> >
> This is what I meant :slight_smile: It is unusable from the user’s point of view and forces
> you to turn it off. It has nothing to do with the signature problem; sorry for
> being unclear.
>
> > Everyone in our office turns this policy
> > off first thing, and no one has had problems.
> >
> It may not be a problem for kernel developers but it is a problem for
> application developers. They have to bother with these annoying pop-ups or
> develop their apps in a different environment than end users. Hopefully MS
> will change this policy somewhat until release. But I digress.
>
> > >It is funny, OS has no problem using INF to install driver but the weird
> > >signability tool claims .sys isn’t referenced in the INF. I have to
> > >investigate it when I have time but for now signing binaries seems a
> > >better way
> >
> > Maybe this is a clue as to a problem with your setup? I would solve this
> > first rather than later.
> >
> It isn’t. There can be a problem with the INF and that’s why I started to
> sign binaries. Yes, it has to be fixed, at least before WHQL signing for
> Vista.
>
> > I don’t know what to tell you other than self-signing works and will
> > likely solve your problem now and in the future.
> >
> Well, I don’t have a real problem now. Signing with company SPC and related
> cross certificate works and it is a better possibility than using test
> certificates. I’m only curious why test certificates don’t work for me. BTW,
> what OS do you use for signing? x64 Vista itself or something else?
>
> Does anybody have a batch file which makes all steps from test certificate
> creation, import and driver signing and works? The WDK selfsign_example.cmd
> doesn’t work for me. It does all steps and the signed driver can’t be verified.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
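Michal asks above for a batch file that runs every step from test certificate creation through import, signing and verification. What follows is an added example written for this thread; it is not the WDK's selfsign_example.cmd and not a script from any list member. It chains the same tools the session above uses (makecert, certmgr, makecat, signtool) and stops at the first failing step, so it can sit in an automated build. The certificate name TestCA, the driver name mydriver and the .cdf layout copied from Bill's step 3 are placeholders; it assumes the WDK tools are on the PATH and that the prompt is elevated ("Run as Administrator"), because writing the Local Computer stores needs that. Three choices differ from the session above and are mine, not the page's: makecert gets -sr localMachine so the certificate and its private key land in the machine-wide store rather than the current user's, the stores are named by their canonical system names (Root, TrustedPublisher) rather than the MMC display names, and signtool signs with /sm from the machine store. The final check is signtool verify /kp, the kernel-mode driver signing policy, because the session above shows /pa passing while /kp fails, and /kp is the check that matters for whether the driver loads.

```batch
@echo off
setlocal
rem Added example for this thread: self-sign a test driver build end to end.
rem Not the WDK selfsign_example.cmd and not any list member's script.
rem Assumes the WDK selfsign tools (makecert, certmgr, makecat, signtool) are
rem on the PATH and that this runs from an elevated prompt, because writing
rem the Local Computer stores needs it. TestCA and mydriver are placeholders.

set CERTNAME=TestCA
set DRIVER=mydriver
set TSURL=http://timestamp.verisign.com/scripts/timestamp.dll

rem 1. Self-signed, exportable test certificate. -sr localMachine puts the
rem    certificate and its private key in the machine-wide store (the default
rem    is the current user's store); -ss Root is the canonical name of the
rem    Trusted Root Certification Authorities store; -eku limits the
rem    certificate to code signing (OID 1.3.6.1.5.5.7.3.3).
makecert -r -pe -sr localMachine -ss Root -n "CN=%CERTNAME%" -eku 1.3.6.1.5.5.7.3.3 %CERTNAME%.cer
if errorlevel 1 goto fail

rem 2. Also trust it as a publisher, again in the Local Computer store.
certmgr -add %CERTNAME%.cer -s -r localMachine trustedpublisher
if errorlevel 1 goto fail

rem 3. Catalog definition file (same layout as the .cdf in step 3 of Bill's
rem    post), then the catalog itself.
(
  echo [CatalogHeader]
  echo name=%DRIVER%.cat
  echo [CatalogFiles]
  echo %DRIVER%.sys=%DRIVER%.sys
  echo %DRIVER%.inf=%DRIVER%.inf
) > %DRIVER%.cdf
makecat -v %DRIVER%.cdf
if errorlevel 1 goto fail

rem 4. Sign the catalog and the binary from the machine Root store (/sm) and
rem    timestamp both, so the signatures outlive the certificate's validity.
for %%F in (%DRIVER%.cat %DRIVER%.sys) do (
  signtool sign /v /sm /s Root /n "%CERTNAME%" /t %TSURL% %%F
  if errorlevel 1 goto fail
)

rem 5. Verify against the kernel-mode driver signing policy (/kp), not the
rem    default Authenticode policy (/pa). In the session above /pa passed
rem    while /kp failed; /kp is the check that decides whether the driver loads.
for %%F in (%DRIVER%.cat %DRIVER%.sys) do (
  signtool verify /v /kp %%F
  if errorlevel 1 goto fail
)
echo Signed and verified %DRIVER%.cat and %DRIVER%.sys against the kernel-mode policy
exit /b 0

:fail
echo Signing step failed, errorlevel %errorlevel%
exit /b 1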

Are all of the certs valid?

Somewhat related: I downloaded the cross certificate from WHDC. On one
machine (XP development machine) I was blocked running the EXE saying that
the publisher was untrusted; the EXE cert was revoked. On another (actually
Vista), had no problem. Anyone else seen a quirk like this?

I think OSR or MS needs to write an article “Just Sign Something the First
Time”, which should precede the OSR article “Just Sign Everything”.

Another article would be “I Have Authenticode ID and Customers. What Next in
Driver Signing?”

Thomas F. Divine

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
I execute everything from command prompt running as administrator (right
click, Run as Administrator).

What is incorrect in the following except the last result? The strange thing is
signtool /pa verifies it but it isn’t enough for kernel. Importing
certificate manually has the same effect. And yes, I do see it in the local
computer store.

e:\winddk\5384\bin\selfsign\toaster>makecert.exe -r -pe -ss “Trusted Root
Certification Authorities” -n “CN=WdkCert” WdkCert.cer
Succeeded

e:\winddk\5384\bin\selfsign\toaster>certmgr.exe -add WdkCert.cer -s -r
localMachine root
CertMgr Succeeded

e:\winddk\5384\bin\selfsign\toaster>certmgr.exe -add WdkCert.cer -s -r
localMachine trustedpublisher
CertMgr Succeeded

e:\winddk\5384\bin\selfsign\toaster>signtool.exe sign /s “Trusted Root
Certification Authorities” /n “WdkCert” /t
http://timestamp.verisign.com/scripts/timestamp.dll toastmon.sys
Done Adding Additional Store
Successfully signed and timestamped: toastmon.sys

e:\winddk\5384\bin\selfsign\toaster>signtool verify /kp toastmon.sys
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: File not valid: toastmon.sys

Number of errors: 1

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Tuesday, May 30, 2006 3:32 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Vista driver signing
>
> If I don’t change the local security policy, I cannot see the local
> computer
> store for Trusted Root Certification Authorities. How do you?
>
> If signtool verification fails that is almost certainly an indication that
> your test certificate is not installed correctly.
>
> Bill M.
>
> “Michal Vodicka” wrote in message
> news:xxxxx@ntdev…
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Monday, May 29, 2006 10:43 PM
> > To: Windows System Software Devs Interest List
> > Subject: Re:[ntdev] Vista driver signing
> >
> > >Later I disabled security policy you mention; it makes Vista almost
> > >unusable.
> >
> > Dude, something is wrong, this should have no effect on anything except
> > you won’t get those annoying pop-ups every time you try to start a system
> > utility of some type like device manager.
> >
> This is what I meant :slight_smile: It is unusable from the user’s point of view and
> forces you to turn it off. It has nothing to do with the signature problem;
> sorry for being unclear.
>
> > Everyone in our office turns this policy
> > off first thing, and no one has had problems.
> >
> It may not be a problem for kernel developers but it is a problem for
> application developers. They have to bother with these annoying pop-ups or
> develop their apps in a different environment than end users. Hopefully MS
> will change this policy somewhat until release. But I digress.
>
> > >It is funny, OS has no problem using INF to install driver but the weird
> > >signability tool claims .sys isn’t referenced in the INF. I have to
> > >investigate it when I have time but for now signing binaries seems a
> > >better way
> >
> > Maybe this is a clue as to a problem with your setup? I would solve
> > this
> > first rather than later.
> >
> It isn’t. There can be a problem with the INF and that’s why I started to
> sign binaries. Yes, it has to be fixed, at least before WHQL signing for
> Vista.
>
> > I don’t know what to tell you other than self-signing works and will
> > likely solve your problem now and in the future.
> >
> Well, I don’t have a real problem now. Signing with company SPC and related
> cross certificate works and it is a better possibility than using test
> certificates. I’m only curious why test certificates don’t work for me. BTW,
> what OS do you use for signing? x64 Vista itself or something else?
>
> Does anybody have a batch file which makes all steps from test certificate
> creation, import and driver signing and works? The WDK selfsign_example.cmd
> doesn’t work for me. It does all steps and the signed driver can’t be verified.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]

Well I sat in on the driver signing lab at winhec and I think whatever
steps that they had me do resulted in a self signed and a test signed
driver. I asked if the paper that went with the lab would be published
on WHDC and they said that it would. My goal is to get this whole mess
into an automatic build step, and I think I went through procedures that
were amenable to that, so there is hope.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Tuesday, May 30, 2006 12:52 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Vista driver signing

Are all of the certs valid?

Somewhat related: I downloaded the cross certificate from WHDC. On one
machine (XP development machine) I was blocked running the EXE saying that
the publisher was untrusted; the EXE cert was revoked. On another (actually
Vista), had no problem. Anyone else seen a quirk like this?

I think OSR or MS needs to write an article “Just Sign Something the First
Time”, which should precede the OSR article “Just Sign Everything”.

Another article would be “I Have Authenticode ID and Customers. What Next in
Driver Signing?”

Thomas F. Divine

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
I execute everything from command prompt running as administrator (right
click, Run as Administrator).

What is incorrect in the following except the last result? The strange thing is
signtool /pa verifies it but it isn’t enough for kernel. Importing
certificate manually has the same effect. And yes, I do see it in the local
computer store.

e:\winddk\5384\bin\selfsign\toaster>makecert.exe -r -pe -ss “Trusted Root
Certification Authorities” -n “CN=WdkCert” WdkCert.cer
Succeeded

e:\winddk\5384\bin\selfsign\toaster>certmgr.exe -add WdkCert.cer -s -r
localMachine root
CertMgr Succeeded

e:\winddk\5384\bin\selfsign\toaster>certmgr.exe -add WdkCert.cer -s -r
localMachine trustedpublisher
CertMgr Succeeded

e:\winddk\5384\bin\selfsign\toaster>signtool.exe sign /s “Trusted Root
Certification Authorities” /n “WdkCert” /t
http://timestamp.verisign.com/scripts/timestamp.dll toastmon.sys
Done Adding Additional Store
Successfully signed and timestamped: toastmon.sys

e:\winddk\5384\bin\selfsign\toaster>signtool verify /kp toastmon.sys
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: File not valid: toastmon.sys

Number of errors: 1

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Tuesday, May 30, 2006 3:32 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Vista driver signing
>
> If I don’t change the local security policy, I cannot see the local computer
> store for Trusted Root Certification Authorities. How do you?
>
> If signtool verification fails that is almost certainly an indication that
> your test certificate is not installed correctly.
>
> Bill M.
>
> “Michal Vodicka” wrote in message
> news:xxxxx@ntdev…
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Bill McKenzie[SMTP:xxxxx@sbcglobal.net]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Monday, May 29, 2006 10:43 PM
> > To: Windows System Software Devs Interest List
> > Subject: Re:[ntdev] Vista driver signing
> >
> > >Later I disabled security policy you mention; it makes Vista almost
> > >unusable.
> >
> > Dude, something is wrong, this should have no effect on anything except
> > you won’t get those annoying pop-ups every time you try to start a system
> > utility of some type like device manager.
> >
> This is what I meant :slight_smile: It is unusable from the user’s point of view and
> forces you to turn it off. It has nothing to do with the signature problem;
> sorry for being unclear.
>
> > Everyone in our office turns this policy
> > off first thing, and no one has had problems.
> >
> It may not be a problem for kernel developers but it is a problem for
> application developers. They have to bother with these annoying pop-ups or
> develop their apps in a different environment than end users. Hopefully MS
> will change this policy somewhat until release. But I digress.
>
> > >It is funny, OS has no problem using INF to install driver but the weird
> > >signability tool claims .sys isn’t referenced in the INF. I have to
> > >investigate it when I have time but for now signing binaries seems a
> > >better way
> >
> > Maybe this is a clue as to a problem with your setup? I would solve this
> > first rather than later.
> >
> It isn’t. There can be a problem with the INF and that’s why I started to
> sign binaries. Yes, it has to be fixed, at least before WHQL signing for
> Vista.
>
> > I don’t know what to tell you other than self-signing works and will
> > likely solve your problem now and in the future.
> >
> Well, I don’t have a real problem now. Signing with company SPC and related
> cross certificate works and it is a better possibility than using test
> certificates. I’m only curious why test certificates don’t work for me. BTW,
> what OS do you use for signing? x64 Vista itself or something else?
>
> Does anybody have a batch file which makes all steps from test certificate
> creation, import and driver signing and works? The WDK selfsign_example.cmd
> doesn’t work for me. It does all steps and the signed driver can’t be verified.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]

