How to sign WinpkFilter drivers


This topic contains 0 replies, has 1 voice, and was last updated by  Vadim Smirnov 6 years, 8 months ago.

  • #5345

    Vadim Smirnov
    Moderator

    How to sign the WinpkFilter driver (standard build) using a VeriSign certificate:

    1. Convert the certificate into a pfx

    Pvk2Pfx -pvk myprivatekey.pvk -pi pkv_password -spc mycredentials.spc -pfx mypfx.pfx -po pfx_file_password -f

    2. Install pfx into the system you use for driver signing.

    Double-click on mypfx.pfx, follow the wizard

    3. Download the VeriSign cross-certificate from the Microsoft web site

    MSCV-VSClass3.cer

    4. Sign driver binary

    Signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n "Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll binary_name.sys

    5. Since the WinpkFilter driver is installed using an INF, you also need to create CAT files

    a. Add CAT references into the INF files

    CatalogFile.NTx86 = ndisrd86.cat

    CatalogFile.NTAMD64 = ndisrd64.cat

    b. Generate CAT files

    Inf2Cat /driver:path_to_directory_with_driver_and_inf /os:XP_X86,Server2003_X86,Vista_X86,Server2008_X86,7_X86

    Inf2Cat /driver:path_to_directory_with_driver_and_inf /os:XP_X64,Server2003_X64,Vista_X64,Server2008_X64,7_X64,Server2008R2_X64

    c. Sign CAT file

    Signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n "Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll cat_file_name.cat

    d. If you want to remove the publisher warning, you have to pre-install (install before the WinpkFilter driver installation) your public certificate (with public key only) on the client system.

    You can export this certificate from the system storage where it was installed in step 2.

    – certmgr.msc

    – personal

    – double click on Company Name

    – select details

    – click “copy to file”

    – select “base-64 encoded X.509”

    To install the certificate you can use the following InnoSetup code

    // Adds the exported publisher certificate to the LocalMachine
    // TrustedPublisher store. The Cert* functions and CERT_* constants are
    // crypt32.dll imports and must be declared elsewhere in the [Code] section.
    procedure InstallDriverCertificate();
    var
      fbResult : Boolean;
      hStore, hSysStore, hCert : Integer;
      strMessage : String;
    begin
      fbResult := False;

      // Open the .cer file shipped with the installer as a read-only store
      hStore :=
        CertOpenStore(
          CERT_STORE_PROV_FILENAME_A,
          X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
          0,
          CERT_STORE_OPEN_EXISTING_FLAG or CERT_STORE_READONLY_FLAG,
          ExpandConstant('{app}')+'Setupmainline.cer'
        );

      if hStore <> 0 then begin
        // Open the machine-wide TrustedPublisher store
        hSysStore :=
          CertOpenStore(
            CERT_STORE_PROV_SYSTEM_A,
            X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
            0,
            CERT_SYSTEM_STORE_LOCAL_MACHINE,
            'TrustedPublisher');

        if hSysStore <> 0 then begin
          // Take the first certificate from the file store
          hCert := CertEnumCertificatesInStore(hStore,0);

          if hCert <> 0 then begin
            // Copy it into TrustedPublisher, replacing an existing copy
            fbResult :=
              CertAddCertificateContextToStore(
                hSysStore,
                hCert,
                CERT_STORE_ADD_REPLACE_EXISTING,
                0
              );
            CertFreeCertificateContext(hCert);
          end;

          CertCloseStore(hSysStore,CERT_CLOSE_STORE_CHECK_FLAG);
        end;

        CertCloseStore(hStore,CERT_CLOSE_STORE_CHECK_FLAG);
      end;
    end;
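
The script below is an added example, not part of the original post: a PowerShell check of the results of steps 4 and 5 before a package is released. The parameter names, the assumption that the .sys, .inf and .cat files share one directory, and signtool.exe being on PATH are assumptions.

```powershell
# Added example (not from the original post). Assumes signtool.exe is on PATH and
# that the .sys, .inf and .cat files sit together in $DriverDir.
param(
    [string]$DriverDir = '.',
    [string]$Publisher = 'Company Name'   # same subject name passed to signtool /n
)
$failures = @()

# Steps 4 and 5c: binaries and catalogs must be validly signed by the expected
# publisher and carry a timestamp.
foreach ($f in Get-ChildItem -Path $DriverDir -File | Where-Object { $_.Extension -in '.sys', '.cat' }) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') {
        $failures += "$($f.Name): signature status is $($sig.Status)"
        continue
    }
    if ($sig.SignerCertificate.Subject -notlike "*CN=$Publisher*") {
        $failures += "$($f.Name): unexpected signer $($sig.SignerCertificate.Subject)"
    }
    if (-not $sig.TimeStamperCertificate) {
        $failures += "$($f.Name): signature has no timestamp"
    }
    # /kp applies the kernel-mode driver signing policy (the reason for /ac when signing).
    if ($f.Extension -eq '.sys') {
        & signtool.exe verify /kp $f.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { $failures += "$($f.Name): fails kernel-mode policy check" }
    }
}

# Steps 5a and 5b: every INF must name its catalogs, and those catalogs must exist.
foreach ($inf in Get-ChildItem -Path $DriverDir -Filter *.inf -File) {
    $cats = Select-String -Path $inf.FullName -Pattern '^\s*CatalogFile(\.\w+)?\s*=\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[2].Value }
    if (-not $cats) { $failures += "$($inf.Name): no CatalogFile entry" }
    foreach ($cat in $cats) {
        if (-not (Test-Path (Join-Path $inf.DirectoryName $cat))) {
            $failures += "$($inf.Name): references missing catalog $cat"
        }
    }
}

# Step 5d (run on the client): the publisher certificate should be in TrustedPublisher.
if (-not (Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Subject -like "*CN=$Publisher*" })) {
    $failures += "no certificate for '$Publisher' in LocalMachine\TrustedPublisher"
}

$failures | ForEach-Object { Write-Warning $_ }
exit $failures.Count
```

The exit code is the number of failed checks, so a build script can stop when it is non-zero.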