Signing
Unsigned drivers:
When we install an unsigned driver on a machine, the target operating system (Vista) may pop up a warning message as shown below.
To avoid such pop-ups it is advisable to sign the driver with the steps below.
Tools used:
The following tools will be used for driver signing.
Install WinqualSubmissionTool.msi. This will install Inf2Cat.exe to the location below (C:\Program Files\Microsoft Winqual Submission Tool 2\ in the examples that follow). Also copy the remaining tools (signtool.exe, makecert.exe, CertMgr.exe) to the same location as shown below.
Summary:
1. Create a catalog file (.cat) from the INF file using Inf2Cat.exe.
2. Sign the .cat file with a certificate (.cer) using signtool.exe.
3. If no certificate file (.cer) is available, create one using makecert.exe.
4. Before installing the driver package, add your test certificate to the certificate store on the target test machine using CertMgr.exe.
The process for signing a driver using a new certificate is explained in the following steps:
A typical PnP driver package contains an INF file, a SYS file and other supporting files (DLLs etc.) needed to install it on the target machine. If a .cat file is not present we first need to create one, which can then be signed with a certificate.
For example, below are the driver files which we will use for signing.
1. Look for the INF file. Make sure that all the .sys, .dll or other files mentioned in the INF file are available alongside the INF file. In the example below, GTwinUSB.inf -> section [SourceDisksFiles] lists the files GTwinUSB.sys and GTwinUSB.inf.
2. Add a CatalogFile entry to the INF file giving the name under which the catalog file (.cat) should be created. Normally this is the same name as the INF file or the name of the driver being installed. If there is no CatalogFile entry, creating the .cat file will fail with an error.
3. Make sure the DriverVer entry in the INF file has the proper format: the date must be in mm/dd/yyyy format and the version in x.x.x.x format. If the format is wrong, creating the .cat file will fail with an error. For example (always give the current date):
DriverVer=05/19/2010, 6.0.1.0
4. Once the entries have been made, save and close the INF file. Copy the modified INF file and only the files it references to a new location. For example, in this case the INF file has an entry for one .sys file, so copy that file along with the modified INF file to a newly created directory (for example C:\For_Signing\Driver_GemPCUSB).
5. Use the following command line to create the .cat file:
Inf2Cat.exe /driver:"<Path to driver files>" /os:Vista_X86 /verbose
The arguments to Inf2Cat are the following:
/driver:PackagePath
Indicates the path to the folder that contains the driver package files.
/os:OSValue
Indicates the operating systems targeted by the driver package. OSValue is a comma-separated list containing one or more of the following values: 2000, XP_X86, Server2003_X86, Vista_X86, XP_X64, Server2003_X64, Vista_X64, or Server2003_IA64.
/verbose
Enables verbose logging.
For example:
C:\>"C:\Program Files\Microsoft Winqual Submission Tool 2\Inf2Cat.exe" /driver:"C:\For_Signing\Driver_GemPCUSB" /os:Vista_X86 /verbose
It will start processing the .INF file and will create the .CAT file at the same location.
If there are any errors or warnings while creating the .CAT file, verbose mode will show them, and the issue can be resolved on the basis of the error or warning reported.
In the snapshot above, note the status messages 'Signability test complete' and 'Catalog generation complete'.
The snapshot below shows the .CAT file generated.
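The INF conditions from steps 1 to 3 (every listed file present, a CatalogFile entry, DriverVer in mm/dd/yyyy, x.x.x.x form) are exactly what Inf2Cat's errors point at. The following is an added example, not code from the original post, that runs those checks before Inf2Cat is invoked; the sample INF text and the file names passed in are constructed, modelled on the GTwinUSB.inf example above.

```python
import re
from datetime import datetime

# Constructed sample INF modelled on the page's GTwinUSB.inf (not the real file).
SAMPLE_INF = """\
[Version]
CatalogFile=GTwinUSB.cat        ; step 2: name of the .cat Inf2Cat will produce
DriverVer=05/19/2010, 6.0.1.0   ; step 3: mm/dd/yyyy, x.x.x.x

[SourceDisksFiles]
GTwinUSB.sys=1
GTwinUSB.inf=1
"""
# Date part mm/dd/yyyy, version part four dot-separated numbers.
DRIVERVER_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s*,\s*\d+\.\d+\.\d+\.\d+$")

def parse_inf(text):
    """Return {section: {key: value}}; names lower-cased, ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_inf(text, present_files):
    """List the step 1-3 problems that make Inf2Cat fail; present_files are the
    names of the files sitting next to the INF (e.g. os.listdir(package_dir))."""
    problems = []
    inf = parse_inf(text)
    version = inf.get("version", {})
    # CatalogFile may be decorated (e.g. CatalogFile.NTx86), so match the prefix.
    if not any(key.startswith("catalogfile") for key in version):
        problems.append("no CatalogFile entry in [Version]")
    match = DRIVERVER_RE.match(ver := version.get("driverver", ""))
    try:  # AttributeError when the regex did not match, ValueError for 19/05/2010
        datetime.strptime(match.group(1), "%m/%d/%Y")
    except (AttributeError, ValueError):
        problems.append(f"DriverVer missing or not 'mm/dd/yyyy, x.x.x.x': {ver!r}")
    present = {name.lower() for name in present_files}
    for name in inf.get("sourcedisksfiles", {}):
        if name not in present:  # step 1: every listed file must ship with the INF
            problems.append(f"file listed in [SourceDisksFiles] is missing: {name}")
    return problems
```

For a real package, pass the INF text and os.listdir() of the package directory to check_inf() before running Inf2Cat; an empty list means the three INF conditions are satisfied.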
6. Once the .CAT file is ready we need to create a certificate file (.cer) and then use that certificate to digitally sign the .CAT file.
To create a certificate file we need makecert.exe. Makecert.exe creates a .pvk file along with the .cer file. The .pvk file holds the private key, encrypted with the password you supply; the same .pvk file is needed whenever the .cer file is used to sign a catalog.
The command line for makecert.exe is as follows:
MakeCert.exe -r -pe <path to .cer file> -n CN=<certificate name> -sv <path to .pvk file> -len 2048
-r: create a self-signed certificate
-pe: mark the private key as exportable; the .cer path that follows it is makecert's positional output-file argument, which is where the certificate file is created
-n: certificate subject name / issued-to name (e.g. CN=DrvSign)
-sv: location of the private key (.pvk) file, created if it does not exist
-len: generated key length (bits)
For example, the following command line creates a certificate file:
C:\>"C:\Program Files\Microsoft Winqual Submission Tool 2\makecert.exe" -r -pe "C:\For_Signing\Driver_GemPCUSB\SOEasy.cer" -n CN=SOEasyCert -sv "C:\For_Signing\Driver_GemPCUSB\SOEasyPvk.pvk" -len 2048
Once the above command is executed it prompts for a password for the private key file. Type any password and confirm it to create the .pvk file.
Make sure to remember the password given when creating the .pvk file, as the same password will be needed whenever a .CAT file created by the method above is signed.
It will then ask again for the private key password. Enter the same password that was typed in the previous screen.
Once this is done the command prompt will display "Succeeded" and the certificate file will be created along with the private key file.
Highlighted below are the .cer and .pvk files created.
7. Now that the certificate is ready, we use it to sign the .cat file created previously.
To sign the .cat file we use signtool.exe. Run signtool.exe with the parameter "signwizard", which opens a wizard for digitally signing files.
Running the command signtool.exe signwizard will open a wizard screen as below:
1. Click 'Next'.
2. Browse to the .cat file.
3. Select 'Custom' (all advanced options will be available).
4. Select the .cer file by clicking the 'Select from File...' button as shown below. Choose the 'SOEasy.cer' file and click 'Open'. The certificate details are displayed. Click 'Next'.
5. In the next screen, select 'Private key file on disk' and browse for the .pvk file created earlier. It will prompt for the .pvk file password; enter the same password given when the .pvk file was created. Click 'OK'.
6. Select the default algorithm (sha1) to be used for signing the .cat file.
7. Select "Only the signature certificate" and click 'Next'. This way only the certificate file we created is used for signing the .cat file.
8. Give a description and click 'Next'.
9. Leave the "Web location" screen as it is and click 'Next'.
10. The next screen shows the details of the certificate before actually signing.
11. Once 'Finish' is clicked it will again ask for the private key password. Enter the same password as used earlier.
If you now go to the signed .cat file, right-click it and open 'Properties -> Digital Signatures', it will show the name of the signer as 'SOEasy'.
But if you double-click the same signed .cat file, it will show up as an invalid security catalog, as shown in the screenshot below.
8. The last step is to add the certificate file to the Trusted Root certificate store of the target local machine where the driver is going to be installed.
Even if the drivers we install come with a signed catalog file, they won't be recognized as signed unless the certificate is in the Trusted Root store of the local machine or is present in the domain. Note that a self-signed certificate placed in Trusted Root is trusted like a CA on that machine: anything signed with its private key will be accepted, so the .pvk file must be protected and this step belongs on test machines only.
To add the certificate to the Trusted Root store of the local machine, execute the commands below before initiating the driver installation. This can be handled by a custom action which copies the necessary files to the local machine and then runs the exe to add the certificate to the Trusted Root store. The only important point is that the custom action must run before the drivers are installed.
CertMgr.exe -add "<path to certificate file>.cer" -s -r localMachine ROOT
&
CertMgr.exe -add "<path to certificate file>.cer" -s -r localMachine trustedpublisher
The arguments to the Certificate Manager Tool (CertMgr) are:
-add: adds the certificate in the certificate file to a certificate store.
-s: indicates the certificate store is a system store.
-r localMachine: indicates that the registry location of the system store is under the HKEY_LOCAL_MACHINE key.
ROOT or trustedpublisher: the name of the system certificate store.
For example:
C:\>"C:\Program Files\Microsoft Winqual Submission Tool 2\CertMgr.exe" -add "C:\For_Signing\Driver_GemPCUSB\SOEasy.cer" -s -r localMachine ROOT
After executing the above command the success message 'CertMgr Succeeded' will be shown.
C:\>"C:\Program Files\Microsoft Winqual Submission Tool 2\CertMgr.exe" -add "C:\For_Signing\Driver_GemPCUSB\SOEasy.cer" -s -r localMachine trustedpublisher
After executing the above command the success message 'CertMgr Succeeded' will be shown.
9. Now go to the .cat file and double-click it to see that the catalog file is valid.
10. Now you can follow any method to install the signed driver.
The example below shows installation of the signed driver (the one we just signed) using dpinst.exe.
Note: silent options are available for dpinst.exe to install the driver with no dialogs.
Copy 'dpinst.exe' to the location where the driver files are present, as shown below.
Run 'dpinst.exe' and go through the following dialogs. Click 'Next'.
As you can see, the drivers are installed successfully with no pop-up messages.
Verify the installed drivers in:
C:\Windows\inf\oemXX.inf
C:\Windows\inf\setupapi.dev.log
the Driver Store
Reference:
More commands for reference:
Windows ADK: https://docs.microsoft.com/en-in/windows-hardware/get-started/adk-install
signtool.exe sign /f <certificate file> /d <description> /fd SHA1 <file to sign>
Microsoft Strong Cryptographic Provider
SignTool verify /v /pa CatalogFileName.cat
SignTool verify /v /pa /c CatalogFileName.cat DriverFileName
CertMgr.exe -add "<path to certificate file>.cer" -s -r localMachine ROOT
To convert a .pvk to a .pfx:
pvk2pfx.exe /pvk pvkfilename.pvk [/pi pvkpassword] /spc certificate.cer [/pfx pfxfilename.pfx]
To sign a .cat file with a .pfx file:
signtool.exe sign /f <pfx file> /p <pfx password> <cat file>