Signing and cross signing files

From Komodia

Signature

  • You need to sign the x64 drivers (WFP/TDI/WD) with a special cross certificate (and the x32 drivers as well if you want to support tablets running Windows 8 and above with Windows Secure Mode turned on); see the List of Microsoft supported cross certificates.
  • We have seen cross signing fail on Windows 7/8 because of missing chain information; this does not occur on Windows XP (excluding the SHA1/SHA2 double certificate case).

VeriSign

Every vendor has a different public cross certificate and timestamp URL; this is the syntax we use with our VeriSign certificate (from a batch file):

signtool.exe sign /v /ac "C:\AuthSSL\MSCV-VSClass3.cer" /f "C:\AuthSSL\cert.pfx" /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 %2

  • MSCV-VSClass3.cer - VeriSign's public cross certificate; each vendor has its own.
  • cert.pfx - A PFX file created from your public and private key.
  • http://timestamp.verisign.com/scripts/timstamp.dll - VeriSign's timestamp DLL (used with /t); each vendor has its own.
  • %1 - Your certificate password.
  • %2 - File to sign.

Comodo

signtool.exe sign /v /ac "C:\AuthSSL\addtrustexternalcaroot_kmod.crt" /f "C:\AuthSSL\pcs.pfx" /tr http://timestamp.comodoca.com/rfc3161 /p %1 %2

  • addtrustexternalcaroot_kmod.crt - Comodo's public cross certificate; each vendor has its own.
  • pcs.pfx - A PFX file created from your public and private key.
  • http://timestamp.comodoca.com/rfc3161 - Comodo's RFC 3161 timestamp server (used with /tr); each vendor has its own.
  • %1 - Your certificate password.
  • %2 - File to sign.

SHA1/SHA2

It's possible that the certificate vendor has two certificates, one SHA1 and one SHA2, which can be harder to sign with. Here's a guide from Microsoft on how it's done (go to: Signing a driver package with two signatures): Microsoft signing guide.

Verification

To verify your signature run:

signtool.exe verify /pa %2

  • %2 - File to verify.
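As an added example (not Komodia's own batch file), here is the SHA1/SHA2 dual signing described in the Microsoft guide combined with the verification step, written in the same batch-file style as the commands above. All certificate paths and timestamp URLs are assumed placeholders; /as, /fd, /td, /all and /kp are standard signtool options.

```batch
@echo off
rem Added example, not Komodia's script: applies a SHA-1 signature, appends
rem a SHA-256 signature, then verifies both. Usage: dualsign.cmd <pfx-password> <file>
rem Every path, certificate name and timestamp URL below is an assumed placeholder.
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 ^<pfx-password^> ^<file^>
    exit /b 1
)

set PASSWORD=%~1
set TARGET=%~2

rem Assumed locations of the two vendor certificates and their cross certificates.
set SHA1_CROSS=C:\AuthSSL\vendor_sha1_cross.cer
set SHA1_PFX=C:\AuthSSL\vendor_sha1.pfx
set SHA2_CROSS=C:\AuthSSL\vendor_sha2_cross.cer
set SHA2_PFX=C:\AuthSSL\vendor_sha2.pfx
set TS_AUTHENTICODE=http://timestamp.example/authenticode
set TS_RFC3161=http://timestamp.example/rfc3161

rem 1. Primary SHA-1 signature with an Authenticode (/t) timestamp.
signtool.exe sign /v /ac "%SHA1_CROSS%" /f "%SHA1_PFX%" /p "%PASSWORD%" /fd sha1 /t %TS_AUTHENTICODE% "%TARGET%"
if errorlevel 1 goto :fail

rem 2. Append (/as) a SHA-256 signature with an RFC 3161 (/tr, /td) timestamp.
signtool.exe sign /v /as /ac "%SHA2_CROSS%" /f "%SHA2_PFX%" /p "%PASSWORD%" /fd sha256 /tr %TS_RFC3161% /td sha256 "%TARGET%"
if errorlevel 1 goto :fail

rem 3. Verify every signature under the default Authenticode policy (/pa /all),
rem    then under the kernel-mode driver policy (/kp), which is where a
rem    missing cross-certificate chain shows up.
signtool.exe verify /v /pa /all "%TARGET%"
if errorlevel 1 goto :fail
signtool.exe verify /v /kp "%TARGET%"
if errorlevel 1 goto :fail

echo Both signatures applied and verified on "%TARGET%".
endlocal
exit /b 0

:fail
echo Signing or verification failed for "%TARGET%" (see signtool output above).
endlocal
exit /b 1
```

The /v output of the verify steps prints the full chain for each signature, so a failure on Windows 7/8 caused by missing chain information can be spotted before the driver is shipped.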