How to Sign a Driver without Timestamp server.

  • Question

  • Hi All,

    Is there any way to sign driver binaries without a timestamp server, using a test certificate?

    I'm trying to deploy it on a test machine for development testing. Signing with a timestamp server every time is a tedious task and always requires an internet connection. Please suggest any alternatives for signing.

    - Raj


    Raj kumar Kamsani

    Friday, October 11, 2019 5:28 AM

All replies

  • I think you can just drop the /t option from signtool and sign with your test certificate.

    Looking at our scripts our test signing invocation looks like (we use a certificate file for test signing):

            signtool sign /v /f certfile /p certpassword file-to-sign

    Whereas the release signing adds the /t option (we use the certificate store for release signing):

            signtool sign /v /ac cross-certificate-name /s certstore /n certname /t timestamp-url /a file-to-sign

    Eric

    Friday, October 11, 2019 5:26 PM
  • Hello Eric,

    Thanks for the reply.

    I'm able to do the same with an installed test certificate. But I want to do it with a portable certificate.

    I had tried with both a .cer file and a .pfx file but couldn't succeed with that.

    Any suggestion, please, for signing with a portable test certificate.

    Raj.


    Raj kumar Kamsani

    Wednesday, October 16, 2019 2:32 PM
  • What sort of failure did you get - was it during signing or when you tried to install/run your driver?

    If during signing, what was the error reported by signtool?

    Eric

    Wednesday, October 16, 2019 9:38 PM
  • Hello Eric,

    Please check the following command and responses.

    >makecert.exe -r -pe -n CN=TestCert.com -eku 1.3.6.1.5.5.7.3.3 TestCert.cer

    Succeeded

    >signtool.exe sign /v /debug /csp TestCert.com /kc 1.3.6.1.5.5.7.3.3 /f TestCert.cer TestDriver.cat

    The following certificates were considered:
        Issued to: TestCert.com
        Issued by: TestCert.com
        Expires:   Sun Jan 01 05:29:59 2040
        SHA1 hash: 6DCBD2745F6CC36EDC28B1D56D660236057ABC27

    After EKU filter, 1 certs were left.
    After expiry filter, 1 certs were left.
    The following certificate was selected:
        Issued to: TestCert.com
        Issued by: TestCert.com
        Expires:   Sun Jan 01 05:29:59 2040
        SHA1 hash: 6DCBD2745F6CC36EDC28B1D56D660236057ABC27

    SignTool Error: No private key is available.

    No private key was the error. I just created a test certificate and tried to sign the driver with it.

    Raj.


    Raj kumar Kamsani

    Thursday, October 17, 2019 4:17 AM
  • I just reconstructed how we did this and this is an example script of how I generated the test cert:

            set TESTCERT_PASS=mypassword
            makecert -sv MyTestCert.pvk -r -pe -n "cn=My Test Certificate" MyTestCert.cer
            pvk2pfx -pvk MyTestCert.pvk -spc MyTestCert.cer -pfx MyTestCert.pfx -po %TESTCERT_PASS%

    When running the script you'll need to input a random password several times through some popup dialogs, but that does not need to match the TESTCERT_PASS above.

    With that, signing appears to have worked using the PFX file:

            signtool sign /debug /f MyTestCert.pfx /p mypassword cat.exe

            The following certificates were considered:
                Issued to: My Test Certificate
                Issued by: My Test Certificate
                Expires:   Sat Dec 31 18:59:59 2039
                SHA1 hash: 43358BBDCCC2C409DBCDA80ED60FC5935AA972F0

            After EKU filter, 1 certs were left.
            After expiry filter, 1 certs were left.
            After Private Key filter, 1 certs were left.
            The following certificate was selected:
                Issued to: My Test Certificate
                Issued by: My Test Certificate
                Expires:   Sat Dec 31 18:59:59 2039
                SHA1 hash: 43358BBDCCC2C409DBCDA80ED60FC5935AA972F0


            The following additional certificates will be attached:
            Done Adding Additional Store
            Successfully signed: cat.exe

            Number of files successfully Signed: 1
            Number of warnings: 0
            Number of errors: 0

    Thursday, October 17, 2019 3:35 PM
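The same create-a-PFX-then-sign-without-/t flow from the two posts above, as an added PowerShell example that is not Eric's script: New-SelfSignedCertificate (Microsoft's replacement for the deprecated makecert) stands in for makecert/pvk2pfx, and before signing the script checks for a private key (a .cer alone has none, which is the "No private key is available" case) plus the Code Signing EKU and validity period that SignTool filters on. File names, subject name and password are assumptions.

```powershell
# Added example, not from the thread: generate -> export PFX -> sign without a timestamp server.
# Assumed/hypothetical: the file names, subject name and password below.
$subject  = 'CN=My Test Certificate'
$pfxPath  = Join-Path $PWD 'MyTestCert.pfx'
$target   = Join-Path $PWD 'TestDriver.cat'        # file to sign (assumed to exist)
$password = ConvertTo-SecureString 'mypassword' -AsPlainText -Force

# 1. Self-signed code-signing certificate, valid for 20 years (long expiry as in the thread).
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(20)

# 2. Export certificate AND private key to a portable PFX. A .cer carries only the public
#    certificate, which is why signing from TestCert.cer failed with "No private key is available".
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# 3. On the signing machine: load the PFX and verify it is usable for code signing.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $password, 'Exportable')
if (-not $pfx.HasPrivateKey) { throw 'PFX has no private key' }

# Enhanced Key Usage extension (OID 2.5.29.37) must list Code Signing (1.3.6.1.5.5.7.3.3).
$eku = $pfx.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
if (-not $hasCodeSigning) { throw 'certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3)' }

$now = Get-Date
if ($now -lt $pfx.NotBefore -or $now -gt $pfx.NotAfter) { throw 'certificate is outside its validity period' }

# 4. Sign with no -TimestampServer: nothing is contacted on the network; equivalent to omitting /t.
$sig = Set-AuthenticodeSignature -FilePath $target -Certificate $pfx -HashAlgorithm SHA256
if (-not $sig.SignerCertificate) { throw "signing failed: $($sig.StatusMessage)" }

# 5. Inspect the result. With a self-signed test certificate the signature is present but its
#    chain is not trusted (Status is not 'Valid') until the certificate is installed in the
#    test machine's trusted stores; TimeStamperCertificate stays empty because nothing was timestamped.
Get-AuthenticodeSignature -FilePath $target |
    Format-List Status, StatusMessage, SignerCertificate, TimeStamperCertificate
```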
  • Hi,

    I have tried all the above commands to create a .pfx file and tried to sign drivers with it on a test PC. It's working.

    But when I copied the .pfx file to a server and tried to sign a driver with the .pfx file created above, the following error came up.

    >signtool.exe sign /debug /f TestCert.pfx /p abcd1234 test.cat

    The following certificates were considered:
        Issued to: Test Certificate
        Issued by: Test Certificate
        Expires:   Sun Jan 01 05:29:59 2040
        SHA1 hash: A88A4334D5C5DE999778C9336C10ACFD19A24DDD

    After EKU filter, 1 certs were left.
    After expiry filter, 1 certs were left.
    After Private Key filter, 1 certs were left.
    The following certificate was selected:
        Issued to: Test Certificate
        Issued by: Test Certificate
        Expires:   Sun Jan 01 05:29:59 2040
        SHA1 hash: A88A4334D5C5DE999778C9336C10ACFD19A24DDD


    The following additional certificates will be attached:
    Done Adding Additional Store
    SignTool Error: The signer's certificate is not valid for signing.
    SignTool Error: An error occurred while attempting to sign: test.cat

    Number of files successfully Signed: 0
    Number of warnings: 0
    Number of errors: 1

    Here are my queries.

    1. Is this .pfx file portable for signing on any PC, or should we create it every time on the signing PC?

    2. Can we do test signing in a server OS/build environment?

    My requirement is to sign drivers with a .pfx file and password using a test certificate on a server PC.

    Please help me if you have a solution for my requirement.



    Raj kumar Kamsani

    Friday, October 18, 2019 6:26 AM
  • I just ran a test where I generated the pfx file as described on a Windows 10 box and then copied the pfx file to another Windows 10 box and I was able to sign in the same manner, so I'm at least confident the pfx file is portable here.

    I was using an .exe file but since you were using a .cat file I tried that too and it also seemed to work.

    Also I was running as an unprivileged user so I don't think this is an administrator privilege issue.

    Any other differences that might be relevant in your environment that you can think of?

    Eric

    Monday, October 21, 2019 5:38 PM
  • Just specify signtool parameters in the command line secondary tab in VS 2019 project settings for driver signing:

    it seems VS 2019 doesn't rely on settings in this dialog all the time, even if you provided a correct timestamp URL or cross-cert filename as parameters:

    in my case the correct additional parameters are:

    /ac "GlobalSign Root CA.crt" /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256

    Sunday, March 22, 2020 1:10 PM