Signing the driver for Vista x64 by commercial CA certificate


  • We purchased a VeriSign Code Signing certificate (Microsoft Authenticode ID) to sign a driver for Vista x64, since Microsoft policy ( http://msdn2.microsoft.com/en-us/library/aa906341.aspx ) clearly requires that the driver be signed either by Microsoft or by a commercial certificate authority that takes part in the Microsoft Root Certification Program ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp ). But we are unable to use that certificate, so we need technical assistance.

    The problem is that Vista x64 does not accept the certificate when it tries to load the driver, while MSDN clearly states that commercial certificates are accepted.

    We are using the latest build (6000) of the WDK, specifically signtool.exe. We also use the Inf2Cat.exe tool from the latest version (1.3.0.0) of the Winqual Submission Tool to create the catalog file. As instructed on your web site ( http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx ), we downloaded the cross-certificate for VeriSign Class 3 Public Primary Certification Authority. We sign the *.sys file with the following options:
    1) All certificates in the certification path, including the root certificate.
    2) Adding an optional certificate from file: the downloaded cross-certificate.
    3) Timestamping using the VeriSign timestamping service.
    AFTER signing the *.sys file we create the catalog with Inf2cat, using the option tag that says the catalog is created for Vista x64, and sign the catalog with the same options. After signing we look at the properties of both files, *.sys and *.cat, and see that they are signed and timestamped.
    But the driver is not loaded by the OS. If we turn off the code signing check at the OS boot stage, the driver works perfectly. Moreover, if we open Device Manager and look at the properties of our device, the "Driver" tab states that the driver is signed (but for some reason spells all characters in the signer name in lowercase). But in the driver file details we see that our files are not signed.

    We tried the following:
    1) Not signing the *.sys file.
    2) Not including the OS version tag when creating the catalog file.
    3) Including all OS versions when creating the catalog.
    4) Simplifying the driver to a minimum of 3 files only: sys, inf and cat (and, of course, correcting the inf for that minimal set).
    5) Trying to create the catalog with the MakeCat utility.
    All file names are in lowercase 8.3 naming convention format.
    Nothing changes the situation. Please advise: what are we doing wrong?

    Friday, February 2, 2007 3:38 PM
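The signing procedure the poster describes (embedded-sign the .sys with the cross-certificate and a timestamp, build the Vista x64 catalog with Inf2Cat, sign the catalog the same way), written out as a PowerShell script. This is an added example, not code from the original post or from Microsoft; it assumes a driver directory `.\mydrv` containing `mydrv.sys` and `mydrv.inf`, a publisher certificate in the current user's `My` store whose subject contains `Example Corp`, and the VeriSign Class 3 cross-certificate saved as `MSCV-VSClass3.cer` (all of these names are assumptions). The check a practitioner wants at the end is `signtool verify /kp`: the file-properties dialog and Device Manager only verify against the normal user-mode trust stores, whereas `/kp` applies the kernel-mode driver signing policy, which requires the chain to end at the Microsoft Code Verification Root through the cross-certificate. If the verbose chain output stops at the CA's own root and never reaches the Microsoft Code Verification Root, the cross-certificate was not actually embedded in the signature, even though the file still shows as "signed".

```powershell
# Added example (not from the original post): cross-sign a kernel-mode driver
# package for Vista x64 and verify it under kernel-mode signing policy.
# Assumed names (not stated in the post): .\mydrv, mydrv.sys, mydrv.inf,
# "Example Corp" as the certificate subject, MSCV-VSClass3.cer as the
# cross-certificate file. signtool.exe and inf2cat.exe must be on PATH.
$ErrorActionPreference = 'Stop'

$drv       = '.\mydrv'
$sys       = Join-Path $drv 'mydrv.sys'
$cat       = Join-Path $drv 'mydrv.cat'
$crossCert = '.\MSCV-VSClass3.cer'           # assumed file name
$subject   = 'Example Corp'                  # assumed certificate subject
$tsUrl     = 'http://timestamp.verisign.com/scripts/timestamp.dll'

# Run a native tool and fail the script if it returns a non-zero exit code;
# $ErrorActionPreference alone does not stop on native tool failures.
function Invoke-Step([string]$Description, [string]$Exe, [string[]]$Args) {
    Write-Host "==> $Description"
    & $Exe @Args
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code $LASTEXITCODE during: $Description"
    }
}

# Signing options shared by the .sys and the .cat:
#   /ac  adds the cross-certificate to the signature (this is what links the
#        commercial CA's chain to the Microsoft Code Verification Root)
#   /s   certificate store, /n substring of the subject name to select the cert
#   /t   RFC 3161-style Authenticode timestamp so the signature outlives the cert
$signArgs = @('sign', '/v', '/ac', $crossCert, '/s', 'My', '/n', $subject, '/t', $tsUrl)

# 1. Embedded-sign the driver binary (same order as in the post: .sys first).
Invoke-Step 'Embedded-sign mydrv.sys' 'signtool.exe' ($signArgs + $sys)

# 2. Build the catalog for Vista x64 only; Inf2Cat hashes every file the INF
#    references into mydrv.cat.
Invoke-Step 'Create catalog with Inf2Cat' 'inf2cat.exe' @("/driver:$drv", '/os:Vista_X64')

# 3. Sign the catalog with exactly the same options.
Invoke-Step 'Sign mydrv.cat' 'signtool.exe' ($signArgs + $cat)

# 4. Verify under the kernel-mode driver signing policy, not the default
#    user-mode policy that Explorer and Device Manager use. The verbose chain
#    must end at "Microsoft Code Verification Root"; if it ends at the CA's
#    own root, the cross-certificate is missing from the signature.
Invoke-Step 'Verify embedded signature (kernel-mode policy)' 'signtool.exe' @('verify', '/kp', '/v', $sys)
Invoke-Step 'Verify catalog signature (kernel-mode policy)' 'signtool.exe' @('verify', '/kp', '/v', '/c', $cat, $sys)

Write-Host 'Both signatures verified under kernel-mode driver signing policy.'
```

Run the script from the directory containing the `mydrv` folder and the cross-certificate. The two `verify /kp` steps are the part worth keeping in any build pipeline: a signature that passes the ordinary `signtool verify` or looks fine in the file-properties dialog can still be rejected by the Vista x64 kernel loader, and `/kp` reproduces the loader's chain check before the driver is shipped.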