Yes, you need to purchase a certificate from a Trusted Certificate Authority. If anyone could make a certificate, there'd be countless certificates claiming to be "Microsoft Corporation" and it would be virus heaven.
That document you mention is what I used to learn how to sign drivers. I highly recommend you set aside a few days and run through it start to finish. I spent a good part of the week going through it.
All I can offer on top of that is the following batch file which I execute from VS2010 in post-build. It uses a certificate from the computer's certificate store, not a file. The reason it's so complex is I use it in many different circumstances for many different projects.
Sign.bat
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Signs the project output.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Usage
::
:: Post-build event command line:
:: Call "$(ProjectDir)..\..\Sign.bat" "$(ConfigurationName)" "$(TargetPath)"
::
:: Run the post-build event:
:: When the build updates the project output
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Input Parameters
::
:: %~1  $(ConfigurationName)  The file's configuration. This function will
::                            use a different certificate for "Debug"
::                            configurations.
:: %~2  $(TargetPath)         The full path of the first file to sign.
:: %~3+ FileName              The names of the remaining files to sign.
::                            These files must reside in the same directory
::                            as %2.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Validate the parameters. As written, "Debug" builds exit here unsigned.
If "%~1"=="Debug" Exit /B 0
If "%~1"=="" Goto Error
If "%~2"=="" Goto Error
Goto Valid
:Error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Report that the syntax is incorrect.
Echo One or more parameters are missing.
Echo.
Echo %~nx0 configuration filename1 [filename2 ...]
Echo.
Echo   configuration  The project configuration. Usually "Debug" or "Release".
Echo   filename1      The full path of the first file to sign.
Echo   filename2      The names of additional files to sign. These files must
Echo                  reside in the same folder as "filename1".
Echo.
Exit /B 1
:Valid
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Change to the assembly's folder.
%~d2
CD %~dp2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Prepare the list of files to sign.
Set FileList=
:CreateFileList
Set FileList=%FileList% %~snx2
Shift /2
If Not "%~2"=="" Goto CreateFileList
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Sign the assembly files.
Set Store=my
Set Certificate=type the name of your certificate here
Set TimeStampUrl=http://timestamp.verisign.com/scripts/timestamp.dll
C:\WinDDK\7600.16385.1\bin\x86\SignTool.exe Sign /s "%Store%" /n "%Certificate%" /t "%TimeStampUrl%" %FileList%
If %ErrorLevel%==1 Exit /B 1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Verify the digital signature is valid.
C:\WinDDK\7600.16385.1\bin\x86\SignTool.exe Verify /pa %FileList%
Best method here. Self sign ftw. – surfasb – 2011-08-26T17:24:05.770
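
An added example, not part of the original answer or its comments: a PowerShell post-sign gate that goes one step beyond the `SignTool Verify /pa` line in Sign.bat by also pinning the signer to an expected certificate thumbprint and requiring a timestamp. The `-Path` and `-ExpectedThumbprint` parameters and the script name `Verify-Signature.ps1` are assumptions made for illustration.

```powershell
# Added example; not code from the original answer.
param(
    [Parameter(Mandatory = $true)]
    [string[]] $Path,                # files that Sign.bat just signed

    # Assumption: thumbprint of the certificate you intend to sign with.
    [Parameter(Mandatory = $true)]
    [string] $ExpectedThumbprint
)

# Thumbprints copied from the certificate UI often contain spaces.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$failed   = $false

foreach ($file in $Path) {
    $sig      = Get-AuthenticodeSignature -FilePath $file
    $problems = @()

    # Status is 'Valid' only if the hash matches and the chain is trusted here.
    if ($sig.Status -ne 'Valid') {
        $problems += "status $($sig.Status): $($sig.StatusMessage)"
    }

    # Pin the signer: a valid signature from some other certificate in the
    # store (for example one with a similar subject name) is still a failure.
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $expected) {
        $problems += "unexpected signer $($sig.SignerCertificate.Thumbprint)"
    }

    # Without a timestamp the signature stops validating when the cert expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'no timestamp'
    }

    if ($problems.Count -gt 0) {
        $failed = $true
        Write-Error "${file}: $($problems -join '; ')"
    }
    else {
        Write-Output "${file}: OK, signed by $($sig.SignerCertificate.Subject)"
    }
}

if ($failed) { exit 1 }
```

Saved as `Verify-Signature.ps1` and called from the same post-build event after Sign.bat, a non-zero exit code fails the build.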