/build/static/layout/Breadcrumb_cap_w.png

Guide to signing unsigned drivers

***UPDATE***

An updated (and more readable!) PART 1 tutorial can be found here: http://www.alkanesolutions.co.uk/2013/10/23/a-guide-to-signing-un-signed-drivers/

An additional PART 2 tutorial (debugging a driver install) can be found here: http://www.alkanesolutions.co.uk/2016/04/29/guide-signing-un-signed-drivers-part-2/


I thought I'd write this post to give something back to the community, as it took me ages to find out for myself and get working so hopefully it will assist others. Some of the info in this post was extracted from some great posts from AngelD, so kudos to him for that. It's only been tested in an XP environment, but here goes...



Tools you need: (most are from the Windows Driver Kit):

Inf2Cat.exe (To generate the unsigned catalog file from our INF)



In the same folder as Inf2Cat.exe I have the following DLLs:

Microsoft.Whos.Shared.IO.Cabinets.dll

Microsoft.Whos.Shared.IO.Catalogs.dll

Microsoft.Whos.Shared.Xml.InfReader.dll

Microsoft.Whos.Winqual.Submissions.SubmissionBuilder.dll

Microsoft.Whos.Xml.NonXmlDataReader.dll



Makecert.exe (Used to create our certificate)

Cert2spc.exe (Create Software Publisher's Certificate (SPC) from our certificate)

Signcode.Exe (Sign our catalog file with an Authenticode digital signature)

Certmgr.exe (Used to add and delete our certificate to the system root)

DifxApp.msm (Difx Merge Module to install the driver)



**********************************************

*****INTRODUCTION******************************

**********************************************




Now we have our toolset in place, let's package the unsigned Captain Planet printer driver. We're packaging this driver for a customer called 'Planeteers Ltd'.



Let's assume we've captured the Captain Planet printer driver using a snapshot tool. We can see from the resultant snapshot that there is a file in [WindowsFolder]\inf called 'captainplanet.inf'. There are also files called 'captainplanet.sys' and 'captainplanet.dll' in [SystemFolder]spool\drivers\w32x86.



All of these files make up the Captain Planet printer driver so let's create a folder anywhere on your work machine

(say, "c:\cpdriver") and copy the three files to it.



We should now have our unsigned driver in a temporary folder called "C:\cpdriver" which contains:

captainplanet.inf

captainplanet.sys

captainplanet.dll



Now let's generate a customer certificate, so we can sign this (and many more) driver(s).



**********************************************

*****SIGNING THE DRIVER*************************

**********************************************




1. Create .cat (catalog) file for driver.



We notice that the Captain Planet driver doesn't contain a cat file, so we'll need to generate one.

Open the .INF file in a text editor. Ensure that under the [version] section that you have an entry specifying a .cat file. If it's not there, add the line

at the end of the section. For example:

[version]

Signature=xxxxxx

Provider=xxxxxx

CatalogFile.NTx86=captainplanet.cat
"captainplanet.cat" is the name of the cat file that we want to generate. Not having a line specifying this will result in an "error 22.9.4 - Missing 32-bit catalog file entry" when we run Inf2Cat.exe. "NTx86" represents the Windows 2000 x86-based platforms.



Command line:Inf2Cat.exe /driver:"" /os:XP_X86 Example: Inf2Cat.exe /driver:"C:\cpdriver" /os:XP_X86

Running this successfully will generate captainplanet.cat in the 'C:\cpdriver' folder.



2. Create authenticode certificate and set private key



Create another folder called 'c:\PlaneteersLtd_certificate'. It is here where we'll create our customer-specific certificate and private key. Remember that this certificate can be reused multiple times for the customer (Planeteers Ltd) to sign different drivers, so keep naming conventions generic to your customer.



Command line:MakeCert.Exe -r -pe -n CN= -sv -len 2048

Example: makecert.exe -r -pe "c:\PlaneteersLtd_certificate\PlaneteersLtd.cer" -n CN="Planeteers Ltd" -sv "c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk" -len 2048



Running this will ask you to set a private key. Make a note of this key! Running this command will generate:

c:\PlaneteersLtd_certificate\PlaneteersLtd.cer and c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk



(I think certificates of this kind are actually supposed to be used for development/testing as opposed to a live environment. It's probably advisable to purchase a certificate from Verisign/Comodo/whoever if you have the budget.)



3. Create Software Publisher's Certificate (SPC) from our certificate

Command Line:Cert2Spc.Exe Example: cert2spc.exe "c:\PlaneteersLtd_certificate\PlaneteersLtd.cer" "c:\PlaneteersLtd_certificate\PlaneteersLtd.spc"

This will generate c:\PlaneteersLtd_certificate\PlaneteersLtd.spc



4. Sign the catalog file

Command line:signcode.exe -spc -v -t http://timestamp.verisign.com/scripts/timstamp.dll

(Yes....I know it says 'timstamp.dll' but that is correct) This will prompt you for the private key you set earlier. Enter it when prompted.



Example:SignCode.Exe -spc "c:\PlaneteersLtd_certificate\PlaneteersLtd.spc" -v "c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk" -t http://timestamp.verisign.com/scripts/timstamp.dll "C:\cpdriver\captainplanet.cat"

**********************************************

*****ADDING THE CUSTOMER CERTIFICATE**********

**********************************************




The catalog for our driver is now signed. Every time we install this driver using DifxApp, we need to ensure the customer certificate is installed on the machine before DifxApp installs the driver. To do this, we use CertMgr.exe in two Custom Actions (CA) - one to add the certificate on install, and one to remove it on uninstall. We can do this in two ways:



a) Create the two CAs in every single driver package you do

b) Create a merge module which can easily be incorporated in every driver package you do



In my opinion option b) would provide less hassle for me because after all, we want our certificate to be easily re-usable for multiple driver packages. So for now, we'll do option b).



1. Create a new merge module and add captainplanet.cer to the SystemFolder of the MSM (or wherever you deem appropriate)



2. Go to the Custom Action (CA) table and create 2 CAs, both are an 'Exe stored in binary table' and 'Deferred in a System Context'.

If you use the CA wizard, you should stream 'certmgr.exe' into your binary table. Here's what (roughly) your CustomAction table should look like after you've made them:



Name: addCertificate

Type: 3074

Source: certmgr

Target: -add "[SystemFolder]PlaneteersLtd.cer" -s -r localMachine ROOT



Name: removeCertificate

Type: 3074

Source: certmgr

Target: -del "[SystemFolder]PlaneteersLtd.cer" -s -r localMachine ROOT



And here is the Binary table:



Name: certmgr

Data:



Of course, using the wizard to do both CAs may result in two entries in your binary table containing the same exe (certmgr.exe). Obviously this is a waste, so remove one of them and set the 'Source' column in your CustomAction table appropriately.



3. Go to the ModuleInstallExecuteSequence table (Where is obviously empty/nothing, and not the string literal "") and add the following:



Action: addCertificate

Sequence:

BaseAction: InstallFiles

After: 1

Condition: Not Installed



Action: removeCertificate

Sequence:

BaseAction: InstallInitialize

After: 1

Condition: REMOVE~="ALL"



Action: InstallFiles

Sequence: 4000

BaseAction:

After:

Condition:



Action: InstallInitialize

Sequence: 1500

BaseAction:

After:

Condition:



The sequencing above is important as the addCertificate CA needs to run after the certificate is put down on the machine (after InstallFiles) and the removeCertificate CA needs to run before the certificate is removed from the machine. It also needs to run before DifxApp installs the driver.



**********************************************

*****CREATE DRIVER PACKAGE********************

**********************************************




Great. At this point we should now have a signed driver, and a merge module which installs our customer certificate. Now we can create the MSI package

which installs our signed driver:



1. Create a new ISM/WSI project and make a folder somewhere for your driver (one folder per driver remember).

Let's say:

"[ProgramFilesFolder]CaptainPlanetDriver" for this example. This folder will contain all the files in 'c:\cpdriver' on our work machine:

captainplanet.inf

captainplanet.sys

captainplanet.dll

captainplanet.cat (the one we've just generated!)



Remember that all these files should be in the SAME COMPONENT as well as the same folder (one .inf per folder), and the keypath of the component needs to be the .inf file!

Let's call the component: "CaptainPlanet_DRIVER"



2. Install the driver using DifxApp.

When we add the latest version of the DifxApp.msm merge module, it will create a table in the project called "MsiDriverPackages". Installshield and Wise have slightly

different wizards to install a driver, so I'll just show you roughly how the MsiDriverPackages table should be populated:



Component: CaptainPlanet_DRIVER

Flags: 7

Sequence: 1

ReferenceComponents:



Once this is done, compile your .MSI. Ensure in your .MSI that your 'addCertificate' CA runs after 'installFiles' and before 'MsiProcessDrivers' in the installExecuteSequence.



At last, we're done!



Now I'd highly recommend testing your MSI install with verbose logging enabled, as the DifX merge module does write some half-decent logging which can assist you. For example, just recently DifxApp verbose logging warned me that some DLLs (part of the driver) were not being copied to the driver store. This was the reason why my driver wasn't working, and so I had to edit the .INF file [SourceDisksFiles] section (Add the relevant files which weren't being copied to the driver store), re-generate the cat file, re-sign it and then re-add these updated files to my MSI (Note there was obviously no need to go fiddling with my MSM as the certificate remains the same).



It's also always best to test your driver with the appropriate hardware.



Anyway. I hope this guide can be of some help to others. If you break your machine, or yourself, during implementing this guide then don't blame myself. It's only meant as a guide. Please feel free to comment/correct/bug fix.



Captain Planet.


0 Comments   [ + ] Show comments

Answers (33)

Answer Summary:
Posted by: Rheuvel 13 years ago
Brown Belt
4
Hi cap'n planet,



First of all, thanks for the guide. It has been really helpful, although some things have changed if you want to do this for Windows 7. For one part, I had to discover that some tools didn't exist anymore and got replaced. Anyways, here's my findings... :





- Inf2Cat.exe also needs the file WindowsProtectedFiles.xml which you didn't list above.





- As one might have guessed, use Inf2Cat.exe with the flag /os:7_X86

[EDIT]

Appears to be 7_X86 not W7_X86 --> http://msdn.microsoft.com/en-us/library/ff547089(VS.85).aspx

[/EDIT]





- signcode.exe is replaced by signtool.exe in the latest versions of both the WDK and Visual Studio. And because signtool expects a different input, an extra step is introduced:



A PFX file needs to be generated with the PVK and SPC files. This is done by a tool called pvk2pfx.exe (also in the WDK)



pvk2pfx.exe Usage:



pvk2pfx -pvk <pvk-file> [-pi <pvk-pswd>] -spc <spc-file> [-pfx <pfx-file> [-po <pfx-pswd>] [-f]]



-pvk <pvk-file> - input PVK file name.

-spc <spc-file> - input SPC file name.

-pfx <pfx-file> - output PFX file name.

-pi <pvk-pswd> - PVK password.

-po <pfx-pswd> - PFX password; same as -pi if not given.

-f - force overwrite existing PFX file.



if -pfx option is not given, an export wizard will pop up. in this case, options -po and -f are ignored.





So the command line should look similar to this:



pvk2pfx.exe -pvk "c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk" -spc "c:\PlaneteersLtd_certificate\PlaneteersLtd.spc" -pi <private key password>





And now signtool.exe can be used to sign the catalog file:



signtool.exe sign /f "c:\PlaneteersLtd_certificate\PlaneteersLtd.pfx" /p <password> /t http://timestamp.verisign.com/scripts.timstamp.dll "C:\cpdriver\captainplanet.cat"

Posted by: MSIPackager 13 years ago
3rd Degree Black Belt
3
How incredibly useful - nice work cap [:)]
Posted by: timmsie 13 years ago
Fourth Degree Brown Belt
2
awesome work, thanks for posting!



What's the betting in the next couple of days someone posts a question about how to sign drivers [;)]
Posted by: anonymous_9363 13 years ago
Red Belt
2
Sticky, please, Bob. Perhaps this can replace the current sticky which has (mostly) broken links.
Posted by: sethuuraman 11 years ago
White Belt
1
Hi captain,

IS it legal to redistribute my self signed certificate. could you please reply to my email id???
sethuuraman@gmail.com
Posted by: shigbee 12 years ago
2nd Degree Black Belt
1
Good guide for unsigned drivers, I'm sure this will come in handy.

Comments:
Posted by: mac-duff 11 years ago
Second Degree Blue Belt
1

Thanks a lot Captain Planet, again.

And also to Rheuvel for the addional info

Great tut, just a bit tricky to get all the tools together. Dont understand why MS forces one to download all SDK just for a simple exe

Posted by: captain_planet 13 years ago
Black Belt
1
Thanks, Ram.



In response to shh.killer:



To test that the files in your driver package are all signed, first get yourself a copy of SignTool.exe. I think this is part of the .Net framework, the Windows Driver Kit (WDK) and also installed with Installshield (not sure about Wise).



Anyway, ensure you install your certificate to the 'Trusted Root Certification Authorities'. Easiest way to do this is to double click your certificate file, click 'Install Certificate', click 'Next', select 'Place all certificates in the following store', Click 'Browse', select 'Trusted Root Certification Authorities' and click 'Ok', click 'Next', click 'Finish'.



Verify that it has been installed to this location by:



Open Internet Explorer > Tools > Internet Options > 'Content' tab > 'Cetificates' button and check under the 'Trusted Root Certification Authorities' tab for your certificate. (or alternatively at the Certificates MMC Snap-in and do it that way...)



Once you see it's there, you can run the following command line from a DOS prompt (based on the example above):

signtool.exe verify /pa /v /c C:\cpdriver\captainplanet.cat C:\cpdriver\captainplanet.inf...and with any luck, you'll get a similar output to this:

Verifying: C:\cpdriver\captainplanet.inf

File is signed in catalog: C:\cpdriver\captainplanet.cat

Hash of file (sha1): 8AC92B48A213FC158FFAA8EE71B2E8FAE02BE63B



Signing Certificate Chain:

Issued to: Planeteers Ltd

Issued by: Planeteers Ltd

Expires: Sat Dec 31 23:59:59 2039

SHA1 hash: 6579183F3564D2E99B5EEFAE7433ADEE7A712188



The signature is timestamped: Thu Sep 16 14:42:57 2010

Timestamp Verified by:

Issued to: Thawte Timestamping CA

Issued by: Thawte Timestamping CA

Expires: Thu Dec 31 23:59:59 2020

SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656



Issued to: VeriSign Time Stamping Services CA

Issued by: Thawte Timestamping CA

Expires: Tue Dec 03 23:59:59 2013

SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D



Issued to: VeriSign Time Stamping Services Signer - G2

Issued by: VeriSign Time Stamping Services CA

Expires: Thu Jun 14 23:59:59 2012

SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE



Successfully verified: C:\cpdriver\captainplanet.inf



Number of files successfully Verified: 1

Number of warnings: 0

Number of errors: 0
Posted by: captain_planet 13 years ago
Black Belt
1
Looks good that, Rheuvel. I've been meaning to look into that at some point - just never get the time these days! [;)]
Posted by: Rheuvel 13 years ago
Brown Belt
1
Yeah, I know the problem... I actually worked out the above over a month ago, but didn't have the time to post it any sooner.
Posted by: MikeRae1980 13 years ago
Senior Yellow Belt
1
ORIGINAL: captain_planet



I'm sure I only ever received that error when using signcode.exe? Either your timestamp path may be incorrect (Remember it's 'http://timestamp.verisign.com/scripts/timstamp.dll' and NOT 'http://timestamp.verisign.com/scripts/timestamp.dll') or your corporate proxy/firewall may be hindering the process.....





Found this was because i was using IE6! upgraded to IE7 and away it went. Still not got my package to install. Using wisepackage stud 7.



verbose log says something about the .inf file not being signed.



Does the .inf need signed also?
Posted by: captain_planet 13 years ago
Black Belt
1
Do I take it you've actually signed the catalog first using:

signtool.exe sign.....

as opposed to

signtool.exe verify....



which you mention above??
Posted by: Automan 12 years ago
Senior Yellow Belt
1
Great post Captain. I succesfully signed and installed my first device driver that was previously unsigned.



I have a quick question regarding the Authenticode Certificate. I rang Comodo and asked them about providing me with a live version of the certificate and they had never heard of such a thing. They only provide SSL Certs and Code Signing certificates. Any Idea how much one of these certs would cost?
Posted by: valens 12 years ago
Yellow Belt
1
To maintain and safeguard the stability of the operating system, only administrators can install unsigned device drivers. An organization's administrator can use the procedures in this guide to sign packages that are not previously signed by the vendor to make the packages usable in the organization. The administrator can also use this procedure to replace the vendor's signature with one created by the organization's certificate. If all packages are signed with the organization's certificate, then only that one certificate needs to be deployed. If a standard user attempts to install a device whose driver package is not yet in the store, Windows attempts to stage the driver package. Staging succeeds if the user can supply administrator credentials, or the package is for a device with a setup class identifier that is permitted via device installation policy on the computer. If the user cannot complete staging, then the user cannot install that device.
Posted by: kopuz 11 years ago
Orange Senior Belt
1

Thank you very much for this information, just yesterday in a meeting I discovered I would need to start doing this.

Posted by: dan@kace.com 12 years ago
Orange Belt
0
Nice Work
Posted by: WGM_Jeff 12 years ago
4th Degree Black Belt
0
Great information! Thanks!
Posted by: akki 12 years ago
4th Degree Black Belt
0
That was indeed very helpful....its gonna save me lot of trouble next time around :)
Posted by: AngelD 13 years ago
Red Belt
0
Nice guide Captain!



Ian,

I've made this thread a sticky



How about adding the tip to check the [SourceDisksFiles] section to find out the required files earlier in the guide as you did with the troubleshooting tip?
Posted by: captain_planet 13 years ago
Black Belt
0
Thanks everybody for your comments and rates....



AngelD - Good suggestion, thanks. I did think about adding a bit more detail re: [SourceDisksFiles] but I didn't want to dilute the guide too much and make it too long. Maybe when I get a second I can add another, separate post in this thread which explains a bit about INF files and how they work? In honesty, before I do that I'll have to brush up a bit on them myself.... [;)]

Comments:
  • Hi captain,

    IS it legal to redistribute my self signed certificate. could you please reply to my email id???
    sethuuraman@gmail.com - sethuuraman 11 years ago
Posted by: MikeRae1980 13 years ago
Senior Yellow Belt
0
First of all, really nice guide Captain planet. Must have taken up a fair bit of your time but im sure lots of poeple will appreciate it. Maybe someone can help with the issue i had when attempting this a few months ago.



I can't seen to get past the stage of signing the cat file :(



Error: Invalid timestamp http address

Error: TimeStamping Failed. Result = 80070001, (-2147024895)



when creating authenticode cert and running the bellow command with all my details



MakeCert.Exe -r -pe <path to .cer file you want to generate> -n CN=<certificate name> -sv <path to .pvk file you want to generate> -len 2048



The only way this comand would work for me was to remove -pe and -len 2048



My makecert didn't seem to recognise these commands. Have i got a old makecert.exe?



Im guessing me removing these commands is whats stopping the cert from getting the time stamp.
Posted by: captain_planet 13 years ago
Black Belt
0
I'm sure I only ever received that error when using signcode.exe? Either your timestamp path may be incorrect (Remember it's 'http://timestamp.verisign.com/scripts/timstamp.dll' and NOT 'http://timestamp.verisign.com/scripts/timestamp.dll') or your corporate proxy/firewall may be hindering the process.....
Posted by: shh.killer 13 years ago
Yellow Belt
0
Nice Tutorial/ Notes.



How can we find out whether our drivers are signed or not?
Posted by: Ram 13 years ago
Senior Purple Belt
0
Job well done.[:)]
Posted by: osman33 13 years ago
Yellow Belt
0
hi,

i have a problem about signing;

i created .cer, .pfx, .cat and .pvk. The last step of signing is use signtool.exe. I entered the parameters like ur writing but the result is;



C:\WinDDK\7600.16385.1\bin\amd64>signtool verify /pa /v /c C:\Users\nnn\Desktop
osss\apco25vpcc.cat C:\Users\nnn\Desktop\osss\apco25_vpcc_device_driver.inf



Verifying: C:\Users\nnn\Desktop\osss\apco25_vpcc_device_driver.inf

File is signed in catalog: C:\Users\nnn\Desktop\osss\apco25vpcc.cat

Hash of file (sha1): 0A7522B6BD7A3A2EC7635E920C23C22BA6070809

SignTool Error: No signature found.



Number of files successfully Verified: 0

Number of warnings: 0

Number of errors: 1



C:\WinDDK\7600.16385.1\bin\amd64>



Where did i wrong?
Posted by: hotboy18 12 years ago
Yellow Belt
0
Thanks for the useful information. I'm glad that you enjoy this forum.
Posted by: madieson.smith 12 years ago
Yellow Belt
0
Great blog! You have assembled a tremendous amount of useful information here. I will keenly look further to your future updates.
Posted by: TrinityHu 12 years ago
Senior Yellow Belt
0
Thanks for share
Posted by: AngelD 12 years ago
Red Belt
0
Could you really trust Comodo whom "lost" a bunch of SSL certificates during a hack on their site? [&:]



You only need a Code Signing certificate to sign a driver, but is not enuf if you want to create a certificate though.
Posted by: rickrherbert 12 years ago
Yellow Belt
0
We have to be more alert while signing into any account.
Posted by: gp24.aps 12 years ago
Yellow Belt
0
Hi,

let me know how to deploy the package to end user using SCCM server[&:]
Posted by: pratikpawar 12 years ago
Senior Yellow Belt
0
Where is my post of TRUSTED PUBLISHER[:(]
Posted by: bkelly 12 years ago
Red Belt
0
Looking into it Pratik [&:]
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ