Signing Microsoft Windows 64-bit Kernel-Mode drivers

 

If your code-signing certificate is signed with SHA-2, or any certificate in its chain of trust is, and you use it to sign kernel-mode drivers, be aware of KB3033929, an update for Windows 7 distributed through Windows Update. On a Windows 7 system without this update the kernel cannot validate SHA-2 signatures, so it rejects them and the driver will not load.
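The check a practitioner wants before shipping to Windows 7 fleets is whether the signature actually involves SHA-2 anywhere in the chain, and whether the target host has the update. The following PowerShell script is an added example, not part of the original article: it reads the Authenticode signature of a driver, prints the signature algorithm of the signer certificate and of every CA in its chain, and on Windows 7 (kernel version 6.1) reports whether KB3033929 is installed. The driver path is a placeholder.

```powershell
# Added example, not part of the original article: list the signature algorithm
# of the signer certificate and every CA in its chain for a signed driver, then,
# on Windows 7, report whether KB3033929 is present. $DriverPath is a placeholder.
param([string]$DriverPath = 'C:\drivers\mydriver\mydriver.sys')

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if (-not $sig.SignerCertificate) {
    throw "No Authenticode signature found in $DriverPath (status: $($sig.Status))"
}

# Build the chain from the certificates embedded in the signature plus the local
# stores. Revocation is skipped: this is an algorithm audit, not a trust decision.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

$sha2InChain = $false
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $alg  = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha1RSA, sha256RSA
    if ($alg -match '^sha(256|384|512)') { $sha2InChain = $true }
    '{0,-10} {1}' -f $alg, $cert.Subject
}

if ($sig.TimeStamperCertificate) {
    'Timestamp: {0} {1}' -f $sig.TimeStamperCertificate.SignatureAlgorithm.FriendlyName, $sig.TimeStamperCertificate.Subject
}

# Windows 7 reports version 6.1. Get-WmiObject is used instead of Get-CimInstance
# so the script also runs on the PowerShell 2.0 that shipped with Windows 7.
$osVersion = (Get-WmiObject Win32_OperatingSystem).Version
if ($sha2InChain -and $osVersion -like '6.1.*') {
    if (Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue) {
        'KB3033929 is installed: this host can validate the SHA-2 signature.'
    } else {
        Write-Warning 'KB3033929 is missing: the kernel on this host will reject the SHA-2 signature and the driver will not load.'
    }
}
```

Run it on the target machine (or a representative Windows 7 image) against the signed .sys. The chain is built against the local certificate stores, so a root that is not installed on the auditing machine simply shows up as the top of a partial chain; the algorithm report is still accurate for the certificates embedded in the signature.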

In order for your driver to install successfully, the following file types in your driver package must be signed:

.sys (the driver binary, which carries an embedded signature)
.cat (the package catalog)

 

Prerequisites:

1. Download the Comodo cross-signed CA certificate for kernel-mode code signing (KMCS):

   [KMCS] AddTrust External CA Root

2. Open an elevated Windows command prompt (cmd). signtool.exe ships with the Windows SDK and the WDK; make sure it is on the PATH or run it from its installation directory.


Signing:


The following syntax signs a file using a certificate stored in a password-protected PFX file.

Without the timestamp:

> signtool sign /v /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /p Password /n "Company Name" "PATH_TO_FILE_TO_SIGN"
 
With the timestamp:

> signtool sign /v /ac "CROSS_SIGNED_COMODO_CA_HERE" /f YOUR_PFX_HERE /p Password /n "Company Name" /tr http://timestamp.comodoca.com/rfc3161 "PATH_TO_FILE_TO_SIGN"

This command embeds the cross-signed Comodo CA certificate in the signature (/ac), so the chain verifies up to the Microsoft cross-certified root that the kernel trusts, and adds an RFC 3161 timestamp (/tr), so the signature remains valid after your own certificate expires. Neither command passes /fd, which selects the digest used for the file hash: older signtool builds silently default to SHA-1 and current ones refuse to sign without it, so state it explicitly (for example /fd sha256, with /td sha256 for the timestamp digest), keeping the KB3033929 requirement above in mind when you choose SHA-2.

 

Note: the name passed to /n must match the "Issued to" field (the subject name) of your own certificate exactly.


TIPS:

1. Verify the signature on a driver file with:

> signtool verify /v /kp "PATH_TO_FILE_TO_SIGN"

2. Verify that a given driver is covered by a given catalog file with:

> signtool verify /v /kp /c "C:\CatFileName.cat" "PATH_TO_FILE_TO_SIGN"

/v gives verbose output and /kp validates the file according to the kernel-mode driver signing policy. signtool returns exit code 0 on success, so the result can be checked from a build script.

 

3. To reduce boot time, embed a signature in every driver binary (.sys) in addition to signing the catalog file. Boot-start drivers must carry an embedded signature in any case, because the catalog is not available when they are loaded early in boot.
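The prerequisites, signing commands and verification tips above form one procedure that is normally scripted rather than typed by hand. The following PowerShell script is an added example, not part of the original article: it signs every .sys and .cat under a package directory with the cross-certificate and RFC 3161 timestamp exactly as in the commands above, stops on the first signtool failure, and then runs the /kp verification from the tips, checking each driver binary against the catalog as well. All paths, the cross-certificate filename, the PFX password and the company name are placeholders to be replaced with your own.

```powershell
# Added example, not part of the original article: sign every .sys and .cat in a
# driver package with the commands from this article, fail on any signtool error,
# then run the /kp verification from the tips. All paths, the cross-certificate
# filename, the PFX password and the company name are placeholders.
param(
    [string]$PackageDir   = 'C:\drivers\mydriver',
    [string]$CrossCert    = 'C:\certs\CROSS_SIGNED_COMODO_CA_HERE.crt',
    [string]$Pfx          = 'C:\certs\YOUR_PFX_HERE.pfx',
    [string]$PfxPassword  = 'Password',
    [string]$SubjectName  = 'Company Name',     # must match the certificate's "Issued to"
    [string]$TimestampUrl = 'http://timestamp.comodoca.com/rfc3161',
    [string]$SignTool     = 'signtool.exe'      # from the Windows SDK/WDK, assumed on PATH
)
$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    # Run signtool and turn a non-zero exit code into a terminating error.
    # signtool exits 0 on success, 1 on failure and 2 when it completed with warnings.
    # The error message names only the verb and the target file so the /p password
    # is never echoed into build logs.
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed on $($Arguments[-1]) (exit $LASTEXITCODE)"
    }
}

$files = @(Get-ChildItem -Path $PackageDir -Recurse -Include *.sys, *.cat |
           Where-Object { -not $_.PSIsContainer })
if ($files.Count -eq 0) { throw "No .sys or .cat files found under $PackageDir" }

# 1. Sign: embed the cross-certificate (/ac) and an RFC 3161 timestamp (/tr).
foreach ($f in $files) {
    Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/f', $Pfx, '/p', $PfxPassword,
                      '/n', $SubjectName, '/tr', $TimestampUrl, $f.FullName)
}

# 2. Verify each file against kernel-mode driver signing policy (/kp), and each
#    driver binary against the package catalog as well (/c).
$catalog = $files | Where-Object { $_.Extension -eq '.cat' } | Select-Object -First 1
foreach ($f in $files) {
    Invoke-SignTool @('verify', '/v', '/kp', $f.FullName)
    if ($catalog -and $f.Extension -eq '.sys') {
        Invoke-SignTool @('verify', '/v', '/kp', '/c', $catalog.FullName, $f.FullName)
    }
}
"Signed and verified $($files.Count) file(s) under $PackageDir"
```

Run it from an elevated PowerShell prompt after the catalog has been generated, since the .cat must be signed after its contents are final. The PFX password passed with /p is visible in the process command line and in signtool's verbose output on the signing machine, so treat the build host as part of your key-protection boundary.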

 

