Sign a WDF (KMDF) device driver

  • Question

  • Hello,

    My Internet Explorer contains a code-signing certificate purchased from ComSign (the local distributor of VeriSign).

    With this IE I created a pfx file and copied it to the development PC, which has no internet.

    On the development PC I ran:

    signtool.exe sign /f ./mypfx.pfx /p 123456 ./pci9x5x.sys

    A new sys file was created.

    Then I copied the sys file to the target PC (which also has no internet).

    The installation failed because the driver was not certified.

    What am I doing wrong?

    Thanks,

    Zvika

    Wednesday, September 10, 2014 8:34 PM

Answers

  • First, you not only have to sign the INF, you must also sign the INF and create a catalog which has a hash of all files referenced by the INF. inf2cat will do this for you. Second, you need to install your cert on the machine where the driver is being installed if you want it to be considered signed. Or let the OS do that when you add the driver package (devcon dp_add).

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, September 11, 2014 3:39 AM

All replies

  • Hi Doron,

    When I got sys+inf files from vendors (e.g Intel), I never got cert files with them.

    I always installed the sys using Device Manager and was never asked for a certificate (under Win7-64).

    Why is it necessary in my case?

    Thanks,

    Zvika

    Monday, September 15, 2014 2:50 AM
  • Intel signed them with the HCK, so the signing goes back to the installed chain of trust

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, September 15, 2014 7:29 AM
  • Sorry guys, I do not understand.

    The stages I used are:

    1. inf2cat /driver:./pci9x5x.inf /os:7_X64

    This step created the file: kmdfsamples.cat

    2. signtool sign /v /f mycert.pfx /p 123456 /t http://timestamp.VeriSign.com/scripts/timestamp.dll  pci9x5x.sys

    This step created a new "signed" pci9x5x.sys

    Then I used the following files to install the driver on the target PC:

    pci9x5x.inf, pci9x5x.sys, kmdfsamples.cat,  WdfCoInstaller01009.dll

    Should I sign any other file besides pci9x5x.sys?

    Should I import mypfx.pfx on the target machine?

    Thank you for your help,

    Z.V

    Monday, September 15, 2014 8:12 PM
  • You should sign the sys file first AND then create the catalog. The catalog needs to be signed as well, IIRC.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, September 15, 2014 8:42 PM
  • Hello,

    Following Doron's reply I did the following:

    1. sign sys file: signtool sign /v /f ./FIO/elta.pfx /p 123456 /t http://timestamp.VeriSign.com/scripts/timestamp.dll ./FIO/pci9x5x.sys

    2. create cat with the signed sys: inf2cat /driver:./FIO /os:7_X64

    3. sign cat file: signtool sign /v /f ./FIO/elta.pfx /p 123456 /t http://timestamp.VeriSign.com/scripts/timestamp.dll ./FIO/kmdfsamples.cat

    Then I installed the sys+cat+inf on the target PC (running Server2008-64).

    This time I got better results. First I got this snapshot (which I had not seen before):

    Then I got this snapshot:

    I looked at c:\Windows\inf\setupapi.app.log and found this:

    >>>  [DIF_DESTROYPRIVATEDATA]

    >>>  Section start 2014/09/17 07:41:27.614

          cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

    <<<  Section end 2014/09/17 07:41:27.630

    <<<  [Exit status: SUCCESS (DI_DO_DEFAULT)]

    >>>  [DIF_ADDPROPERTYPAGE_ADVANCED - PCI\VEN_1556&DEV_5555&SUBSYS_00000000&REV_00\5&12EE1EC5&0&200028]

    >>>  Section start 2014/09/17 07:41:38.191

          cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

    <<<  Section end 2014/09/17 07:41:38.191

    <<<  [Exit status: SUCCESS (DI_DO_DEFAULT)]

    >>>  [DIF_DESTROYPRIVATEDATA]

    >>>  Section start 2014/09/17 07:41:39.876

          cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

    <<<  Section end 2014/09/17 07:41:39.876

    <<<  [Exit status: SUCCESS (DI_DO_DEFAULT)]

    >>>  [Build Driver List - PCI\VEN_1556&DEV_5555&SUBSYS_00000000&REV_00\5&12EE1EC5&0&200028]

    >>>  Section start 2014/09/17 07:41:45.336

          cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

         cpy: Policy is set to make all digital signatures equal.

    !    sig: Verifying file against specific (valid) catalog failed! (0x00000057)

    !    sig: Error 87: The parameter is incorrect.

    !    sig: Verifying file against specific Authenticode(tm) catalog failed! (0x800b0100)

    !    sig: Error 0x800b0100: No signature was present in the subject.

    <<<  Section end 2014/09/17 07:41:45.351

    <<<  [Exit status: SUCCESS]

    >>>  [Build Driver List - PCI\VEN_1556&DEV_5555&SUBSYS_00000000&REV_00\5&12EE1EC5&0&200028]

    >>>  Section start 2014/09/17 07:41:45.351

          cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

         cpy: Policy is set to make all digital signatures equal.

    !    sig: Verifying file against specific (valid) catalog failed! (0x800b0109)

    !    sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    <<<  Section end 2014/09/17 07:41:45.445

    <<<  [Exit status: SUCCESS]

    >>>  [DIF_SELECTBESTCOMPATDRV - PCI\VEN_1556&DEV_5555&SUBSYS_00000000&REV_00\5&12EE1EC5&0&200028]

    >>>  Section start 2014/09/17 07:41:45.445

          cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

    <<<  Section end 2014/09/17 07:41:45.445

    <<<  [Exit status: SUCCESS]

    >>>  [DIF_DESTROYPRIVATEDATA]

    >>>  Section start 2014/09/17 07:44:15.174

          cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

    <<<  Section end 2014/09/17 07:44:15.174

    <<<  [Exit status: SUCCESS (DI_DO_DEFAULT)]

    What am I doing wrong?

    Thanks,

    Z.V

    Wednesday, September 17, 2014 10:00 AM
  • Hello,

    When I did:

    signtool sign /v /ac "After_10-10-10_MSCV-VSClass3.cer" /f elta.pfx /p 123456 /t http://timestamp.verisign.com/scripts/timestamp.dll "pci9x5x.sys"

    ..\inf2cat /driver:./ /os:7_X64

    signtool sign /v /ac "After_10-10-10_MSCV-VSClass3.cer" /f elta.pfx /p 123456 /t http://timestamp.verisign.com/scripts/timestamp.dll "kmdfsamples.cat"

    The installation was OK.

    Thanks,

    Z.V

    • Proposed as answer by Pavel A Thursday, September 18, 2014 1:23 PM
    Thursday, September 18, 2014 6:53 AM
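An added example (not code from the thread, from Microsoft or from the driver vendor): the working sequence from the last post, sign the sys, build the catalog, sign the catalog, wrapped in a PowerShell script with the two verification steps a practitioner would run before copying the package to the offline target. File names, the /os value and the cross-certificate come from the thread; the tools being on PATH, the prompt for the password and the helper function are assumptions.

```powershell
# Added example, not from the thread. Reproduces the order that worked for Z.V and then
# verifies the result the way setupapi does, so a chain problem shows up on the build PC
# instead of as 0x800b0109 in setupapi.app.log on the target. Paths are assumptions.
$ErrorActionPreference = 'Stop'

$DriverDir = '.\FIO'                                   # pci9x5x.inf, pci9x5x.sys, WdfCoInstaller01009.dll
$Pfx       = Join-Path $DriverDir 'elta.pfx'           # publisher certificate + private key
$CrossCert = '.\After_10-10-10_MSCV-VSClass3.cer'       # cross-cert so the chain reaches the MS Code Verification Root
$Tsa       = 'http://timestamp.verisign.com/scripts/timestamp.dll'
$Sys       = Join-Path $DriverDir 'pci9x5x.sys'
$Cat       = Join-Path $DriverDir 'kmdfsamples.cat'

# Prompt for the PFX password rather than hard-coding it (signtool still needs it as text).
$Secure      = Read-Host -AsSecureString 'PFX password'
$Bstr        = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$PfxPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)

# Assumed helper: run signtool.exe and stop on any non-zero exit code.
function Invoke-Signtool([string[]]$Arguments) {
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool failed ($LASTEXITCODE): $($Arguments -join ' ')" }
}

# 1. Sign the binary first: the catalog records the hash of the file as it ships.
Invoke-Signtool @('sign', '/v', '/ac', $CrossCert, '/f', $Pfx, '/p', $PfxPassword, '/t', $Tsa, $Sys)

# 2. Build the catalog from the INF; it now hashes the already-signed .sys.
& inf2cat.exe "/driver:$DriverDir" '/os:7_X64'
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed ($LASTEXITCODE)" }

# 3. Sign the catalog itself; setupapi verifies package files against the catalog signature.
Invoke-Signtool @('sign', '/v', '/ac', $CrossCert, '/f', $Pfx, '/p', $PfxPassword, '/t', $Tsa, $Cat)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# 4. Check before deploying: /kp applies the kernel-mode driver signing policy and /c checks
#    the .sys against the catalog, which is what the "sig:" lines in setupapi.app.log do.
Invoke-Signtool @('verify', '/v', '/kp', '/c', $Cat, $Sys)

# 5. Independent check with the OS verifier; run the same loop on the target to confirm
#    the chain ends in a root that machine trusts.
foreach ($f in @($Sys, $Cat)) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid') { throw "$f : $($sig.Status) - $($sig.StatusMessage)" }
    Write-Host "$f signed by $($sig.SignerCertificate.Subject), status $($sig.Status)"
}
```

Step 4 fails on the build PC with the same untrusted-root error the log showed if the cross-certificate is omitted, which is cheaper to find there than after copying the package to the offline target.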