The problem is the book doesn’t have all of the information. We have been
self-signing our drivers for weeks now. It took me over a week and help
from some of the WinQual folks, but we finally got it to work consistently.
Now, we haven’t tried this on 64-bit platforms yet (our build server isn’t
generating 64-bit everything yet), but here is what we did on 32-bit Vista.
I hope this helps some folks:
1.) Create a test sign certificate using makecert:
    MakeCert -r -pe -ss "Trusted Root Certification Authorities" -n "CN=MyTest" MyTest.cer
2.) Install MyTest.cer into the “Trusted Root Certification Authorities”
and “Trusted Publishers” certificate stores. I just typed MyTest.cer from
the command-line and the Certificate Wizard launched and I was able to
select the store to install the certificate into. I had to do this twice to
install the certificate in the two aforementioned certificate stores. You
can use IE for this as well.
**** IMPORTANT - the certificate must be installed in the “Local Computer”
store, this is not default. From the certificate wizard check the “show
physical stores” or whatever it is to see the different store locations.
3.) Create a catalog file using makecat:
    makecat -v mytest.cdf
Where mytest.cdf is a text file containing the following:
    [CatalogHeader]
    name=mytest.cat
    [CatalogFiles]
    mytest.sys=mytest.sys
    mytest.inf=mytest.inf
4.) Sign the catalog file using signtool and the previously created and
imported certificate:
    SignTool sign /s "Trusted Root Certification Authorities" /n "MyTest" /t http://timestamp.verisign.com/scripts/timestamp.dll mytest.cat
5.) Verify the catalog signature via the same SignTool tool:
    SignTool verify mytest.cat
It has been a while since I did this, and my brain dumps quickly, so we may
have modified the process slightly. It seems I had to play some more nasty
tricks with the cdf file to prevent the makecert UI from popping up, which
caused our build process a lot of grief. I am out of the office, so I can’t
see our scripts at the moment, but this is the general gist of it. None of
this is private to the best of my knowledge or I would not post it. This
has worked from WDK 5308 on up I believe.
BTW, I could not ever get the documented procedure to work, thus the cdf
file and slightly different approach. But as I say, this has been working
for us for a long time now. It is the only way we could get any QA or
installer work done.
Also, thanks to Jennifer Steppler who answered the winqual emails I sent.
Without her help we would have never gotten this working, well until
tomorrow :)
Bill M.
“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Monday, May 22, 2006 8:33 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Vista driver signing
>
> As mentioned in the last issue of The NT Insider, stay tuned for
> announcements at WinHEC (that is, this week).
>
> We’ll have the articles for access on OSR Online, also.
>
Great, I’m looking forward to it. Hopefully you’d test it before
publishing, unlike MS ;)
> (To answer Michal’s question: Cross-certs are not required for test
> signatures. The test signature can be a makecert cert. I’m sorry, but I
> can’t say more until tomorrow at 9AM Pacific time… the first day of
> WinHEC).
>
Yep Peter, you’re right but test signatures simply don’t work. I did
everything according to the article and they still don’t work with 5365 WDK
tools. I already filed the Vista beta bug.
Well, my problem is solved for now. I turned off signature checking and can
test my driver, use System Internals tools etc. I’ll wait with signing until
things have settled.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
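
The five steps from Bill M.'s post above, collected into one batch script as an added example; it is not part of the original thread and not the poster's build script. It assumes an elevated command prompt with the WDK tools and certutil on the PATH, that each tool returns a non-zero exit code on failure, and it substitutes `certutil -addstore` for the Certificate Wizard in step 2 so the certificate lands in the "Local Computer" stores.

```bat
@echo off
setlocal
rem Added example, not the poster's build script. File and certificate names
rem (MyTest, mytest.sys, mytest.inf, mytest.cat) are the ones used in the post.
rem Assumptions: elevated prompt, WDK tools and certutil on PATH, and each
rem tool returns a non-zero exit code on failure.
set "CERT=MyTest"
set "STORE=Trusted Root Certification Authorities"
set "TS_URL=http://timestamp.verisign.com/scripts/timestamp.dll"

if not exist mytest.sys goto :fail
if not exist mytest.inf goto :fail

rem Step 1: self-signed test certificate, command as given in the post.
makecert -r -pe -ss "%STORE%" -n "CN=%CERT%" %CERT%.cer || goto :fail

rem Step 2 (assumption: certutil replaces the Certificate Wizard). Without
rem -user, certutil -addstore writes to the Local Computer stores.
certutil -addstore Root %CERT%.cer || goto :fail
certutil -addstore TrustedPublisher %CERT%.cer || goto :fail

rem Confirm the certificate is in both machine stores before signing.
certutil -store Root %CERT% >nul || goto :fail
certutil -store TrustedPublisher %CERT% >nul || goto :fail

rem Step 3: write the catalog definition from the post and build the catalog.
(
  echo [CatalogHeader]
  echo name=mytest.cat
  echo [CatalogFiles]
  echo mytest.sys=mytest.sys
  echo mytest.inf=mytest.inf
) > mytest.cdf
makecat -v mytest.cdf || goto :fail

rem Steps 4 and 5: sign the catalog, then verify it, as in the post.
signtool sign /s "%STORE%" /n "%CERT%" /t %TS_URL% mytest.cat || goto :fail
signtool verify mytest.cat || goto :fail

echo mytest.cat signed and verified.
exit /b 0

:fail
echo Test-signing failed; see the tool output above. 1>&2
exit /b 1
```

Run it on a test machine only: a self-signed certificate in the machine Root and Trusted Publishers stores is trusted for everything that certificate signs, so remove it with `certutil -delstore` when testing is finished.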