Windows 7.0 64bit Driver Signing

Is it possible to digitally sign kernel mode boot drivers for free?

Regardless of any manual install.

Thanks.

This has been discussed on this list many times.
The answer is no except for test signing.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@hotmail.com
Sent: Saturday, October 17, 2009 3:07 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Windows 7.0 64bit Driver Signing

Is it possible to digitally sign kernel mode boot drivers for free?

Regardless of any manual install.

Thanks.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Then is it possible to enable driver testing on another computer?

This has also been answered. The simple answer is you can use windbg’s
‘.kdfiles’ or as I prefer, environment variables to indicate that a specific
file is to be used to control updating the driver on the SUT (target) from
the windbg (host) running computer. However, the driver will be disabled if
you try booting without windbg attached to the SUT at any successive boot.
If you want to have someone such as QA run DTM or other testing, the test
signing certificate is mandatory for 64-bit operating systems beginning with
Vista.

I thought I would add the following simple table for the roles in windbg:

  1. Host = runs windbg, has serial, 1394a, USB, or standard serial port
    connection to the target. Source code, PDB, and binary if ‘.kdfiles’ is to
    be used.
  2. Target = Test operating system. Driver installed that you want to
    test. If you need to change INF, you should update the driver on this
    system, but if just binary you can use ‘.kdfiles’, which updates the image
    in \Windows\System32\drivers. You might need to configure the target to be
    in test signing mode so 64-bit drivers can be loaded that are signed with a
    test certificate, however using ‘.kdfiles’ eliminates this requirement
    except for the initial install.

I am mostly referring to real hardware controlling drivers such as my
current specialty, NDIS miniports. Pure software drivers may have
variations and boot start drivers are another issue where they all must be
signed. If you have a code signing certificate and the Microsoft cross
signed certificate for that certificate authority, just use it during
testing on 64-bit operating systems. This will eliminate the test
certificate issues.

I happen to have people who do this for us and provide us with the files
needed to sign our drivers using test certificates for testing. Someone in
QA does the final signing before release. The utilities in the latest WDK
7.0.0 (build 7600.1635.0) work very well and a simple batch file can easily
sign the drivers and cat files. The methods for doing signing are a real
pain and it is nice to just have the stuff and instructions readily
available.

wrote in message news:xxxxx@ntdev…
> Then is it possible to enable driver testing on another computer?
>

Programmatically?

You cannot seriously consider releasing a product this way.

You can however create automated test installs that set boot options
via bcdedit.

On Saturday, October 17, 2009, wrote:
> Then is it possible to enable driver testing on another computer?
>


Mark Roddy