- This topic has 0 replies, 1 voice, and was last updated 14 years ago by Vadim Smirnov.
November 10, 2010 at 9:22 am #5345
How to sign the WinpkFilter driver (standard build) using a VeriSign certificate:
1. Convert the certificate into a PFX file
    Pvk2Pfx -pvk myprivatekey.pvk -pi pvk_password -spc mycredentials.spc -pfx mypfx.pfx -po pfx_file_password -f
2. Install the PFX into the system you use for driver signing.
    Double-click on mypfx.pfx and follow the wizard
3. Download the VeriSign cross-certificate from the Microsoft web site
    MSCV-VSClass3.cer
4. Sign the driver binary
    Signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n "Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll binary_name.sys
5. Since the WinpkFilter driver is installed using an INF, you also need to create CAT files
a. Add CAT references to the INF files
    CatalogFile.NTx86 = ndisrd86.cat
    CatalogFile.NTAMD64 = ndisrd64.cat
b. Generate the CAT files
    Inf2Cat /driver:path_to_directory_with_driver_and_inf /os:XP_X86,Server2003_X86,Vista_X86,Server2008_X86,7_X86
    Inf2Cat /driver:path_to_directory_with_driver_and_inf /os:XP_X64,Server2003_X64,Vista_X64,Server2008_X64,7_X64,Server2008R2_X64
c. Sign the CAT file
    Signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n "Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll cat_file_name.cat
d. If you want to remove the publisher warning, you have to pre-install (install before the WinpkFilter driver installation) your public certificate (with the public key only) on the client system.
You can export this certificate from the system store where it was installed in step 2.
– certmgr.msc
– personal
– double click on Company Name
– select details
– click “copy to file”
– select “base-64 encoded X.509”
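To install the certificate you can use the following InnoSetup code:
    // The crypt32.dll functions (CertOpenStore, CertEnumCertificatesInStore,
    // CertAddCertificateContextToStore, CertFreeCertificateContext, CertCloseStore)
    // and the CERT_* / *_ASN_ENCODING constants must be declared in the [Code] section.
    procedure InstallDriverCertificate();
    var
      fbResult : Boolean;
      hStore, hSysStore, hCert : Integer;
      strMessage : String;
    begin
      fbResult := False;
      // Open the exported certificate file as a read-only store.
      // Adjust the path to where your installer places the .cer file.
      hStore :=
        CertOpenStore(
          CERT_STORE_PROV_FILENAME_A,
          X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
          0,
          CERT_STORE_OPEN_EXISTING_FLAG or CERT_STORE_READONLY_FLAG,
          ExpandConstant('{app}') + '\Setupmainline.cer'
        );
      if hStore <> 0 then begin
        // Open the local machine TrustedPublisher store.
        hSysStore :=
          CertOpenStore(
            CERT_STORE_PROV_SYSTEM_A,
            X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
            0,
            CERT_SYSTEM_STORE_LOCAL_MACHINE,
            'TrustedPublisher');
        if hSysStore <> 0 then begin
          // Take the first certificate from the file and add it to TrustedPublisher.
          hCert := CertEnumCertificatesInStore(hStore, 0);
          if hCert <> 0 then begin
            fbResult :=
              CertAddCertificateContextToStore(
                hSysStore,
                hCert,
                CERT_STORE_ADD_REPLACE_EXISTING,
                0
              );
            CertFreeCertificateContext(hCert);
          end;
          CertCloseStore(hSysStore, CERT_CLOSE_STORE_CHECK_FLAG);
        end;
        CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG);
      end;
    end;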
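
A post-signing check for steps 4 and 5 above, as an added example that is not part of the original post: it confirms that every CatalogFile entry in the INF files points to an existing .cat, that each .sys and .cat carries a valid, timestamped signature, and that the binaries pass signtool's kernel-mode policy check. The function name and the package path are hypothetical, and signtool.exe is assumed to be on PATH.

```powershell
# Added example (not from the original post): verify a signed driver package.
# Assumptions: signtool.exe is on PATH; the default path below is a placeholder.
param([string]$PackageDir = 'C:\path\to\driver_package')

function Test-DriverPackageSignature {
    param([Parameter(Mandatory = $true)][string]$Dir)
    $ok = $true

    # 1. Every CatalogFile* entry in the INF files must name a .cat that exists.
    foreach ($inf in Get-ChildItem -Path $Dir -Filter *.inf) {
        $refs = Select-String -Path $inf.FullName -Pattern '^\s*CatalogFile(\.\w+)?\s*=\s*(\S+)'
        foreach ($m in $refs) {
            $cat = Join-Path $Dir $m.Matches[0].Groups[2].Value
            if (-not (Test-Path $cat)) {
                Write-Warning "$($inf.Name): missing catalog $cat"
                $ok = $false
            }
        }
    }

    # 2. Each .sys and .cat must carry a valid, timestamped Authenticode signature.
    #    Without a timestamp the signature stops validating when the certificate expires.
    $files = Get-ChildItem -Path $Dir | Where-Object { '.sys', '.cat' -contains $_.Extension }
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "$($f.Name): signature status $($sig.Status)"
            $ok = $false
        } elseif ($null -eq $sig.TimeStamperCertificate) {
            Write-Warning "$($f.Name): signed but not timestamped"
            $ok = $false
        }
    }

    # 3. Check each binary against the kernel-mode driver signing policy,
    #    which requires the chain through the cross-certificate passed with /ac.
    foreach ($sys in Get-ChildItem -Path $Dir -Filter *.sys) {
        & signtool.exe verify /kp /v $sys.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$($sys.Name): signtool verify /kp failed"
            $ok = $false
        }
    }
    return $ok
}

Test-DriverPackageSignature -Dir $PackageDir
```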