xxxxx@claessen.com xxxxx@lists.osr.com wrote:
> We have quite an old driver for a pcie video capture board.
> It is not signed, and we need to make it work on a Windows 8.1 64-bit platform (we checked that it worked by suppressing the signature check in Windows).
Hang on a minute. The 64-bit systems have ALWAYS required signed
drivers. Windows 8.1 is no different than XP64 in that respect. How
has this driver ever worked for you?
The only difference in the Windows 8 world is that driver packages now
require a CAT file. They didn’t before.
> We don’t have sources and the manufacturer is not supporting the driver anymore.
> So, … I need to sign this thing.
> The more I read up on Windows driver signing procedures, the more confused I get.
As long as you don’t have to worry about Windows 10, the world is good.
> We figured that we couldn’t go the WHCL way, and let Microsoft sign it.
> So, I suppose we need to ‘cross sign it’ … (?)
Correct.
> Does anyone know where I can find a clear, step by step, description of what to do to get this driver signed?
There used to be a white paper, but the process is not that
complicated. You do need to acquire a class 3 code-signing certificate
from one of the code-signing authorities supported by Microsoft. That’s
a fairly long list now:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
Note that, unless you need to play in Windows 10, you don’t need an EV
certificate yet.
The vendor will send you instructions on putting your certificate in the
certificate store. You will need to know the location and file name of
the cross certificate for your vendor.
So, you collect all the files for your project. You sign the sys file:
   signtool sign /v /ac MSVC-GlobalSign.cer /sha1 XXXXXXXX /t http://timestamp.verisign.com/scripts/timestamp.dll xxxxx.sys
You build a CAT file:
   inf2cat /driver: /os:7_X86,7_X64,8_X86,8_X64
You sign the CAT file:
   signtool sign /v /ac MSVC-GlobalSign.cer /sha1 XXXXXXXX /t http://timestamp.verisign.com/scripts/timestamp.dll xxxxx.cat
That’s it. Note that I use the SHA thumbprint to select the right
certificate. There are other ways to choose a certificate, by name for
example. You’ll need to look at the “signtool sign” help info to find that.
> I suppose the first step is buying a certificate … I have seen price ranges from a few hundred to a few thousand. What’s the difference? Any suggestions?
I like GlobalSign and they are affordable, but as long as the cert
vendor mentions kernel signing and is on Microsoft’s list, it should be
good.
> And what does it mean that those prices are ‘per year’? That has nothing to do with the expiration date of the certificate, does it?
No. You can sign new packages until the certificate expires. As long
as you embed a timestamp, the signed package itself remains valid forever.
> Once I have such a certificate … can I use it for a bunch of different drivers (or even other executables?) as well, or are certificates tied to one product?
You can sign as many things as you want.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
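The three-step procedure in the reply above (sign the .sys, build the CAT, sign the CAT), wrapped into one script and followed by the check a practitioner would want before shipping: that the kernel-mode signing policy accepts the result and that a timestamp is actually embedded. This is an added example, not code from the post or from OSR; the package directory, cross-certificate file name, thumbprint and OS list are parameters with placeholder values, and signtool.exe and inf2cat.exe are assumed to be on PATH from a WDK install.

```powershell
# Added example (not from the original post). Signs every .sys in a driver
# package, builds the catalog with inf2cat, signs the catalog, then verifies.
# All parameter values are placeholders the caller supplies; nothing here
# comes from a real certificate or package.
param(
    [Parameter(Mandatory)] [string] $PackageDir,   # folder with the .inf and .sys
    [Parameter(Mandatory)] [string] $CrossCert,    # cross-cert file from the CA's instructions, e.g. MSVC-GlobalSign.cer
    [Parameter(Mandatory)] [string] $Thumbprint,   # SHA-1 thumbprint of your code-signing certificate
    [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll',
    [string] $OsList = '7_X86,7_X64,8_X86,8_X64'
)

$ErrorActionPreference = 'Stop'

# Run a WDK tool and fail loudly on a non-zero exit code.
function Invoke-Tool {
    param([string] $Exe, [string[]] $ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Sign-File([string] $Path) {
    # /ac adds the cross-certificate so the chain reaches Microsoft's root;
    # /sha1 selects the signing cert by thumbprint; /t embeds an RFC 3161-style
    # timestamp so the signature outlives the certificate's expiry date.
    Invoke-Tool signtool @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint, '/t', $TimestampUrl, $Path)
}

# Step 1: sign the driver binary (the loop handles packages with more than one .sys).
foreach ($sys in Get-ChildItem -Path $PackageDir -Filter *.sys) {
    Sign-File $sys.FullName
}

# Step 2: build the catalog. inf2cat hashes every file the INF lists and writes
# the .cat named by the INF's CatalogFile directive into the same folder.
Invoke-Tool inf2cat @("/driver:$PackageDir", "/os:$OsList")

# Step 3: sign the catalog exactly like the .sys.
foreach ($cat in Get-ChildItem -Path $PackageDir -Filter *.cat) {
    Sign-File $cat.FullName
}

# Check: 'signtool verify /kp' applies the kernel-mode code-signing policy, so
# it fails if the chain does not reach the Microsoft Code Verification Root
# through the cross-certificate. Get-AuthenticodeSignature then confirms a
# timestamper certificate is present; without one the signature is only good
# until the signing certificate expires.
foreach ($f in Get-ChildItem -Path "$PackageDir\*" -Include *.sys, *.cat) {
    Invoke-Tool signtool @('verify', '/kp', '/v', $f.FullName)
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') {
        throw "$($f.Name): signature status is $($sig.Status) ($($sig.StatusMessage))"
    }
    if (-not $sig.TimeStamperCertificate) {
        throw "$($f.Name): no timestamp embedded; re-sign with a reachable /t URL"
    }
    '{0}: signed by {1}, timestamped by {2}' -f $f.Name,
        $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
}
```

Run it from a WDK command prompt or a PowerShell session with the WDK bin directory on PATH, e.g. `.\Sign-Package.ps1 -PackageDir .\package -CrossCert .\MSVC-GlobalSign.cer -Thumbprint <your thumbprint>`. The verify step is the part most often skipped: a package that signs without error but fails `/kp` will still be refused by the 64-bit loader, and a missing timestamp is invisible until the certificate expires a year or two later.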