Vista driver signing

Hi,

Just out of my curiosity, is there *anyone* here who actually succeeded in
signing a driver with a real Verisign cert and the MS cross-cert?

For the last couple of days, I’ve been struggling with this, and I have to
admit that I haven’t been successful (yet).

I tried a zillion of combinations, read all the docs available, followed all
the instructions - but still, I can’t have my drivers properly signed (I’m
trying to sign directly the .sys files, not the .cat’s).

This is what I thought should be working:

I tried running Signtool in both interactive (“signwizard”) and
non-interactive (“sign”) modes. It’s quite interesting that
the program behaves sort of differently in those two situations (e.g. the
“sign” variant seems to expect the cross-cert (/ac
switch) in the “cer” format, whereas the wizard wants a .p7b or .spc).

In fact, what I found out is that the “sign” (command-line) variant, at the
end of the day, seems to be completely *ignoring* the /ac switch. Well, not
“completely” - it’s doing some validation on it (i.e. if I pass something
like /ac “non-existent-file” - it fails) BUT if I give it a valid path to
the MS cross cert, the resulting signature is exactly the same as if I
don’t specify the /ac switch at all (i.e. the resulting file size is
identical, and when I look inside, there are no traces of the cross cert in
there). Confusing…

If I use the wizard version, it’s a bit better - I can see that the cross
cert is actually added to the signed file, but still, it doesn’t seem to be
working.

That is, if I open the signed .sys file properties (in Vista beta 2
Explorer), the certificate path root is always shown as “Verisign”, not
“Microsoft” (as it’s supposed to be, according to page 13 of
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx )

So, maybe I’m just missing something trivial?
Or the beta2 signtool just doesn’t work?

I’d be really grateful if you could help me figure this out, it’s been
driving me real crazy… :o)

Thanks,
-Ondrej

Roddy, Mark wrote:

> Well I sat in on the driver signing lab at winhec and I think whatever
> steps that they had me do resulted in a self signed and a test signed
> driver.

I sat in on that lab as well, and I have to say it was the most valuable
session I had at WinHEC. There’s nothing like entering the command with
your own two fingers and watching them perform their magic.

I really wish I had been able to make the UMDF lab, but I did not find
out until too late that it was a teacher-directed lab that was only
offered in two fixed sessions. I expected to be able to drop in and
complete it self-paced.

> I asked if the paper that went with the lab would be published
> on WHDC and they said that it would.

I asked them the exact same question, and fortunately got the same answer.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

They said the signing lab was successful.

MY problem is that my *real* cert doesn’t quite match the format that the certs had for the lab. With this signing stuff, the devil is in the details. PVK files, for example, for the private key.

As one of the PMs I spoke to said “This stuff DOES work, people have been signing things for years. It’s just a matter of making the specific steps required for driver developers.”

Peter
OSR

As I said previously, it works for me. I also signed binaries only and both “signtool verify /kp” and system loader are satisfied with signed binaries. I used our Verisign class 3 signing certificate, the related cross-certificate downloaded from MS and WDK 5384 tools. The steps from the paper about signing were sufficient for this purpose. It took only 2.5 hours to get it working :-/

There are quirks, of course. As PeterGV said, the devil is in the details. Moreover, supplied utilities are weird, moody and provide useless error messages and diagnostics.

First, certification path starting with Verisign is OK. Use “signtool verify /kp” to verify your driver is correctly signed. If it succeeds, system loader will be happy, too. Second, “signtool signwizard” doesn’t seem to support cross-certificates. Yes, it can add them but evidently some other way than expected and the result doesn’t work. Only “sign /ac” works. That’s one of the weird things; “signwizard” supports .SPC and .PVK but doesn’t support cross-certificates correctly (or at all). “sign” supports cross-certificates but I haven’t found any way to give it .SPC and .PVK. Instead, the certificate has to be imported to the store, which may not be as easy as it seems. Also, for automated building it’d be better to provide .SPC and .PVK files as parameters instead of importing the certificate (if you also dislike this signtool behaviour, you can vote for my Vista beta feedback 80419 but I have no idea if it influences anything).

There can be a problem with selecting the correct certificate from the store. After a lot of experiments, not only with drivers, we found the only reliable thing is the -sha sign parameter. Otherwise signtool can select the wrong certificate and produce totally misleading error messages or worse, sign the driver with something else and pretend everything is OK. Reading your report, I’d also try to copy the cross certificate to the current directory to avoid any issues. Yes, it should work with an arbitrary path but I wouldn’t trust such a piece of software at all.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
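
The sign-then-verify sequence described in the post above, written out as a build step. This is an added example, not code from the thread or from Microsoft: the file names and the thumbprint are placeholders, the certificate is assumed to be already imported into the current user's Personal store, and signtool's `/sha1` option is used to pin the certificate by hash.

```powershell
# Added example: file names and thumbprint are placeholders, not values from the thread.
param(
    [string]$Driver     = '.\mydriver.sys',
    [string]$CrossCert  = '.\crosscert.cer',   # kept in the current directory, as the post advises
    [string]$Thumbprint = '<SHA1-THUMBPRINT-OF-YOUR-SIGNING-CERT>'
)
$ErrorActionPreference = 'Stop'

# 1. Pin the signing certificate by hash so signtool cannot pick another one
#    from the store, and fail early if it is missing or unusable.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert)               { throw "No certificate with thumbprint $wanted in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate is in the store but has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Signing certificate expired on $($cert.NotAfter)" }
if (-not (Test-Path $CrossCert))   { throw "Cross-certificate file not found: $CrossCert" }

# 2. Sign the binary itself, adding the cross-certificate with /ac.
& signtool sign /v /s My /sha1 $wanted /ac $CrossCert $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify against the kernel-mode signing policy, not the Explorer dialog.
$report = (& signtool verify /kp /v $Driver | Out-String)
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed:`n$report" }

# 4. Guard against a silently ignored /ac: the verbose chain should end at the
#    Microsoft root that the cross-certificate chains to.
if ($report -notmatch 'Microsoft Code Verification Root') {
    throw "Signature verifies but the cross-certificate is not in the chain:`n$report"
}

"OK: $Driver signed with $($cert.Subject) and cross-certified"
```

Step 4 is what separates a binary that merely carries an Authenticode signature from one whose chain includes the cross-certificate, which the Explorer properties dialog does not show.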


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Ondrej Vlcek[SMTP:xxxxx@asw.cz]
Reply To: Windows System Software Devs Interest List
Sent: Tuesday, May 30, 2006 4:21 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Vista driver signing


> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
Reply To: Windows System Software Devs Interest List
Sent: Tuesday, May 30, 2006 8:14 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Vista driver signing

> MY problem is that my *real* cert doesn’t quite match the format that the certs had for the lab. With this signing stuff, the devil is in the details. PVK files, for example, for the private key.

This is my problem, too. I have .SPC and .PVK files and I’m unable to import them to the store correctly. It seems it is necessary to convert them to the PFX format but the PVKIMPRT tool just produces a misleading error message. Fortunately, my coworkers managed it some time before and imported the certificate to our build machine. They don’t exactly remember how, just that it involved w2k, two days of experiments and sedatives.

> As one of the PMs I spoke to said “This stuff DOES work, people have been signing things for years. It’s just a matter of making the specific steps required for driver developers.”

…and the last time we saw him, he had a shotgun and mumbled something about Redmond.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

More issues with x64 kernel-mode code signing. I bet you’re surprised, huh??

I just received word that the version of SIGNTOOL that’s included in the WDK Beta2 release is broken, and does not sign x64 kernel mode modules correctly. There’s an updated version of signtool available from:

http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx

It seems that even THIS version doesn’t work correctly with PFX files. The work-around is to import the PFX into your Personal certificate store.

Also, in case anybody is not aware: Some of the originally issued cross-certificates were apparently broken. So, if you downloaded and stored the cross-cert for your CA early-on, you probably want to get the updated cross-cert from:

http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

On another topic…

In terms of PVK versus PFX: I discovered a PVK2PFX utility that appears to be distributed with Visual Studio. I was able to convert my PVK to a PFX… but I still wasn’t able to make things work. I only mention it in hope that it’ll help others.

Like I said, once we get this all figured out, we’ll write a nice article for The NT Insider. We’re also trying to work with the folks in Redmond to get the procedures all smoothed out for driver devs/testers. But, you know, that can “take a while” :-)

Peter
OSR

> I just received word that the version of SIGNTOOL that’s included in the WDK Beta2 release is broken, and does not sign x64 kernel
> mode modules correctly. There’s an updated version of signtool available from:
>
> http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx

Probably the update version is not broken, but the link http://winsecurity/sites/CI/Documents/KmodeSigningInfoUpdate052606.zip to
the update IS broken!

Shame…

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@osr.com[SMTP:xxxxx@osr.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, May 31, 2006 7:14 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Vista driver signing

> I just received word that the version of SIGNTOOL that’s included in the WDK Beta2 release is broken, and does not sign x64 kernel mode modules correctly.

> It seems that even THIS version doesn’t work correctly with PFX files.

> Also, in case anybody is not aware: Some of the originally issued cross-certificates were apparently broken.

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Christiaan Ghijselinck[SMTP:xxxxx@CompaqNet.be]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, May 31, 2006 8:50 PM
To: Windows System Software Devs Interest List
Subject: Re: RE:[ntdev] Vista driver signing

> Probably the update version is not broken, but the link http://winsecurity/sites/CI/Documents/KmodeSigningInfoUpdate052606.zip to
> the update IS broken!

Etc, etc…

Too many issues. Bad sign. Sometimes things are so broken it is better to give up and return to the starting point and then ponder if kernel mode signing is really such a good idea.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Christiaan Ghijselinck[SMTP:xxxxx@CompaqNet.be]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, May 31, 2006 8:50 PM
To: Windows System Software Devs Interest List
Subject: Re: RE:[ntdev] Vista driver signing

> Probably the update version is not broken, but the link http://winsecurity/sites/CI/Documents/KmodeSigningInfoUpdate052606.zip to
> the update IS broken!

It is already fixed.

I was finally able to convert SPC and PVK files to PFX. It was necessary to run the conversion tool on w2k. The same tool with the same parameters didn’t work on XP and produced only a misleading error message. Aaaaaagr!

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]