How to Release-Sign a Kernel Module
in [Device Drivers]
|
From: Alex F on 15 Jun 2010 07:37 Following the "Kernel-Mode Code Signing Walkthrough" document (http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx), I managed to test-sign my driver. Now I want to make release-sign. From the document: Step 2: Obtain an SPC Release-signing requires a code-signing certificate, also referred to as a Software Publisher Certificate (SPC) from a commercial CA. Follow the CA's instructions for how to acquire the code-signing certificate and install the private key on the signing computer. For a list of SPC CAs, see "Resources" at the end of this paper. Here I am completely stuck. I also found this page: http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx but it doesn't help. Please, give me some explanations, what should I do now. Thanks.
From: Don Burn on 15 Jun 2010 08:31 You need to have your company get a code signing certificate from either GlobalSign or VeriSign (the others listed in that link are no longer offered). GlobalSign is cheaper, but Verisign has the advantage of providing access to WHQL if that is of interest to your firm. These are not cheap, the Verisign certificate costs $499 per year. Once you have the cert you can use it instead of the test cert to sign the driver. Don Burn (MVP, Windows DKD) Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr > -----Original Message----- > From: Alex F [mailto:AlexF(a)discussions.microsoft.com] > Posted At: Tuesday, June 15, 2010 7:37 AM > Posted To: microsoft.public.development.device.drivers > Conversation: How to Release-Sign a Kernel Module > Subject: How to Release-Sign a Kernel Module > > Following the "Kernel-Mode Code Signing Walkthrough" document > (http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx), > I managed to test-sign my driver. Now I want to make release-sign. From > the > document: > > Step 2: Obtain an SPC > Release-signing requires a code-signing certificate, also referred to as > a > Software Publisher Certificate (SPC) from a commercial CA. Follow the > CA's > instructions for how to acquire the code-signing certificate and install > the > private key on the signing computer. For a list of SPC CAs, see > "Resources" > at the end of this paper. > > Here I am completely stuck. I also found this page: > http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx but > it > doesn't help. Please, give me some explanations, what should I do now. > Thanks. > > > __________ Information from ESET Smart Security, version of virus > signature > database 5197 (20100615) __________ > > The message was checked by ESET Smart Security. > > http://www.eset.com >
From: Alex F on 15 Jun 2010 10:30 Thank you! If it is possible, please give me some more details. Let's say my company decides to buy VeriSign certificate, I guess, this is possible from here: http://www.verisign.com/code-signing/content-signing-certificates/microsoft-authenticode/index.html. I understand that this gives me some .cer file, which I can use instead of home-made .cer file. My questions: 1) How it is related to Verisign MSCV-VSClass3.cer file that I can download from the "Microsoft Cross-Certificates" WEB page? 2) Does this mean, that having such certificate, I can sign my driver, and it can be installed in Win7 x64? Or some additional driver testing is required? 3) From yout reply: "Verisign has the advantage of providing access to WHQL if that is of interest to your firm". Actually, I have no idea, should I be interested in this? We have kernel-mode driver which is shipped with our product, and I need to ensure that it can be installed in Win7 x64. "Don Burn" wrote: > You need to have your company get a code signing certificate from either > GlobalSign or VeriSign (the others listed in that link are no longer > offered). GlobalSign is cheaper, but Verisign has the advantage of > providing access to WHQL if that is of interest to your firm. These are > not cheap, the Verisign certificate costs $499 per year. Once you have > the cert you can use it instead of the test cert to sign the driver. > > > Don Burn (MVP, Windows DKD) > Windows Filesystem and Driver Consulting > Website: http://www.windrvr.com > Blog: http://msmvps.com/blogs/WinDrvr > > > > > > -----Original Message----- > > From: Alex F [mailto:AlexF(a)discussions.microsoft.com] > > Posted At: Tuesday, June 15, 2010 7:37 AM > > Posted To: microsoft.public.development.device.drivers > > Conversation: How to Release-Sign a Kernel Module > > Subject: How to Release-Sign a Kernel Module > > > > Following the "Kernel-Mode Code Signing Walkthrough" document > > (http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx), > > I managed to test-sign my driver. Now I want to make release-sign. From > > the > > document: > > > > Step 2: Obtain an SPC > > Release-signing requires a code-signing certificate, also referred to as > > a > > Software Publisher Certificate (SPC) from a commercial CA. Follow the > > CA's > > instructions for how to acquire the code-signing certificate and install > > the > > private key on the signing computer. For a list of SPC CAs, see > > "Resources" > > at the end of this paper. > > > > Here I am completely stuck. I also found this page: > > http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx but > > it > > doesn't help. Please, give me some explanations, what should I do now. > > Thanks. > > > > > > __________ Information from ESET Smart Security, version of virus > > signature > > database 5197 (20100615) __________ > > > > The message was checked by ESET Smart Security. > > > > http://www.eset.com > > > > . >
From: Don Burn on 15 Jun 2010 10:49 I am not the best signing expert, but for some of the answers. First once you sign your driver with the cert it will be loadable in a 64-bit environment, but it will still popup a question of whether you trust the vendor. If you go through WHQL which is an addition expense and requires passing the tests from the Windows Logo Kit (WLK), your driver will install without the popup. IIRC you use the cross certificate with the verisign or globalsign certificate to sign the driver so that Microsoft has the root authority. Don Burn (MVP, Windows DKD) Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr > -----Original Message----- > From: Alex F [mailto:AlexF(a)discussions.microsoft.com] > Posted At: Tuesday, June 15, 2010 10:31 AM > Posted To: microsoft.public.development.device.drivers > Conversation: How to Release-Sign a Kernel Module > Subject: RE: How to Release-Sign a Kernel Module > > Thank you! If it is possible, please give me some more details. > Let's say my company decides to buy VeriSign certificate, I guess, this > is > possible from here: > http://www.verisign.com/code-signing/content-signing-certificates/microsoft- > authenticode/index.html. > I understand that this gives me some .cer file, which I can use instead > of > home-made .cer file. My questions: > 1) How it is related to Verisign MSCV-VSClass3.cer file that I can > download > from the "Microsoft Cross-Certificates" WEB page? > 2) Does this mean, that having such certificate, I can sign my driver, > and it > can be installed in Win7 x64? Or some additional driver testing is > required? > 3) From yout reply: "Verisign has the advantage of providing access to > WHQL if > that is of interest to your firm". Actually, I have no idea, should I be > interested in this? We have kernel-mode driver which is shipped with our > product, and I need to ensure that it can be installed in Win7 x64. > > > > "Don Burn" wrote: > > > You need to have your company get a code signing certificate from > > either GlobalSign or VeriSign (the others listed in that link are no > > longer offered). GlobalSign is cheaper, but Verisign has the > > advantage of providing access to WHQL if that is of interest to your > > firm. These are not cheap, the Verisign certificate costs $499 per > > year. Once you have the cert you can use it instead of the test cert > > to > sign the driver. > > > > > > Don Burn (MVP, Windows DKD) > > Windows Filesystem and Driver Consulting > > Website: http://www.windrvr.com > > Blog: http://msmvps.com/blogs/WinDrvr > > > > > > > > > > > -----Original Message----- > > > From: Alex F [mailto:AlexF(a)discussions.microsoft.com] > > > Posted At: Tuesday, June 15, 2010 7:37 AM Posted To: > > > microsoft.public.development.device.drivers > > > Conversation: How to Release-Sign a Kernel Module > > > Subject: How to Release-Sign a Kernel Module > > > > > > Following the "Kernel-Mode Code Signing Walkthrough" document > > > (http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrou > > > gh.mspx), I managed to test-sign my driver. Now I want to make > > > release-sign. From the > > > document: > > > > > > Step 2: Obtain an SPC > > > Release-signing requires a code-signing certificate, also referred > > > to as a Software Publisher Certificate (SPC) from a commercial CA. > > > Follow the CA's instructions for how to acquire the code-signing > > > certificate and install the private key on the signing computer. For > > > a list of SPC CAs, see "Resources" > > > at the end of this paper. > > > > > > Here I am completely stuck. I also found this page: > > > http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx > > > but it doesn't help. Please, give me some explanations, what should > > > I do now. > > > Thanks. > > > > > > > > > __________ Information from ESET Smart Security, version of virus > > > signature database 5197 (20100615) __________ > > > > > > The message was checked by ESET Smart Security. > > > > > > http://www.eset.com > > > > > > > . > > > > > __________ Information from ESET Smart Security, version of virus > signature > database 5198 (20100615) __________ > > The message was checked by ESET Smart Security. > > http://www.eset.com >
From: Alex F on 16 Jun 2010 00:52 Thank you for your help. "Don Burn" wrote: > I am not the best signing expert, but for some of the answers. First once > you sign your driver with the cert it will be loadable in a 64-bit > environment, but it will still popup a question of whether you trust the > vendor. If you go through WHQL which is an addition expense and requires > passing the tests from the Windows Logo Kit (WLK), your driver will > install without the popup. > > IIRC you use the cross certificate with the verisign or globalsign > certificate to sign the driver so that Microsoft has the root authority. > > > Don Burn (MVP, Windows DKD) > Windows Filesystem and Driver Consulting > Website: http://www.windrvr.com > Blog: http://msmvps.com/blogs/WinDrvr > > > > > > > -----Original Message----- > > From: Alex F [mailto:AlexF(a)discussions.microsoft.com] > > Posted At: Tuesday, June 15, 2010 10:31 AM > > Posted To: microsoft.public.development.device.drivers > > Conversation: How to Release-Sign a Kernel Module > > Subject: RE: How to Release-Sign a Kernel Module > > > > Thank you! If it is possible, please give me some more details. > > Let's say my company decides to buy VeriSign certificate, I guess, this > > is > > possible from here: > > http://www.verisign.com/code-signing/content-signing-certificates/microsoft- > > authenticode/index.html. > > I understand that this gives me some .cer file, which I can use instead > > of > > home-made .cer file. My questions: > > 1) How it is related to Verisign MSCV-VSClass3.cer file that I can > > download > > from the "Microsoft Cross-Certificates" WEB page? > > 2) Does this mean, that having such certificate, I can sign my driver, > > and it > > can be installed in Win7 x64? Or some additional driver testing is > > required? > > 3) From yout reply: "Verisign has the advantage of providing access to > > WHQL if > > that is of interest to your firm". Actually, I have no idea, should I be > > interested in this? We have kernel-mode driver which is shipped with our > > product, and I need to ensure that it can be installed in Win7 x64. > > > > > > > > "Don Burn" wrote: > > > > > You need to have your company get a code signing certificate from > > > either GlobalSign or VeriSign (the others listed in that link are no > > > longer offered). GlobalSign is cheaper, but Verisign has the > > > advantage of providing access to WHQL if that is of interest to your > > > firm. These are not cheap, the Verisign certificate costs $499 per > > > year. Once you have the cert you can use it instead of the test cert > > > to > > sign the driver. > > > > > > > > > Don Burn (MVP, Windows DKD) > > > Windows Filesystem and Driver Consulting > > > Website: http://www.windrvr.com > > > Blog: http://msmvps.com/blogs/WinDrvr > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: Alex F [mailto:AlexF(a)discussions.microsoft.com] > > > > Posted At: Tuesday, June 15, 2010 7:37 AM Posted To: > > > > microsoft.public.development.device.drivers > > > > Conversation: How to Release-Sign a Kernel Module > > > > Subject: How to Release-Sign a Kernel Module > > > > > > > > Following the "Kernel-Mode Code Signing Walkthrough" document > > > > (http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrou > > > > gh.mspx), I managed to test-sign my driver. Now I want to make > > > > release-sign. From the > > > > document: > > > > > > > > Step 2: Obtain an SPC > > > > Release-signing requires a code-signing certificate, also referred > > > > to as a Software Publisher Certificate (SPC) from a commercial CA. > > > > Follow the CA's instructions for how to acquire the code-signing > > > > certificate and install the private key on the signing computer. For > > > > a list of SPC CAs, see "Resources" > > > > at the end of this paper. > > > > > > > > Here I am completely stuck. I also found this page: > > > > http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx > > > > but it doesn't help. Please, give me some explanations, what should > > > > I do now. > > > > Thanks. > > > > > > > > > > > > __________ Information from ESET Smart Security, version of virus > > > > signature database 5197 (20100615) __________ > > > > > > > > The message was checked by ESET Smart Security. > > > > > > > > http://www.eset.com > > > > > > > > > > . > > > > > > > > > __________ Information from ESET Smart Security, version of virus > > signature > > database 5198 (20100615) __________ > > > > The message was checked by ESET Smart Security. > > > > http://www.eset.com > > > > . >
|
Pages: 1 Prev: Debugging in WinDbg Next: Reading USB descriptors w/o a driver installed? |