Signed INF driver works on the computer where it was signed, not others

筅森魡賤 submitted on 2019-11-29 20:29:47

As of 9/27/2012, the GoDaddy Driver Signing Certificate will not work with Windows Vista or Windows 7. It will only work with Windows 8. The GoDaddy certificate is only available with SHA256.

We ended up getting one from GlobalSign (MS Authenticode).

From http://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx :

Signing a driver package with two signatures

In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.

2012-09-28 Update: The GlobalSign worked. I let Firefox 15 download the GlobalSign provided link (protected by a Pickup Password). Ended up with Firefox holding the signed certificate, and downloading 3 other GlobalSign certs. The signed certificate was exported from Firefox into a .p12 file. All four files were then double clicked to import them into the MS Certificate Store using automatic defaults. Driver and package were signed and tested in a Windows 7 Ultimate x64 without any driver signing errors. The driver BSoD'd but that's a different issue. ;)

GoDaddy will only give you website credit minus $15 and only if you revoke within 30 days of purchase.

2016-01-13 Update: https://technet.microsoft.com/en-us/library/security/3033929 Microsoft Security Advisory 3033929 Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2 Published: March 10, 2015 ... Basically, you need to install the security update in the links provided by Microsoft which is usually done automatically by Windows Update.

We are now using EV Code Signing Certificates from GlobalSign. Warning: SafeSign does not work with Windows services (e.g., buildbot slave).

Due to lack of reputation I cannot up-vote rcpao's answer, but I wanted to post in agreement. I recently went through a similar process attempting to sign a Windows 7 driver package with a driver signing certificate from GoDaddy. In short, Win7 x64 would not take the drivers--most certainly due to the SHA-2 hashing used in the GoDaddy certificate.

While there are articles stating that Windows 7 is compatible with SHA-2 signing I don't think that applies to driver signatures. Definitely there are some ambiguous texts available that make the issue less clear.

My company ended up purchasing a DigiCert code signing certificate that includes kernel-mode signing for drivers. It worked as expected, and the cost was comparable to GoDaddy.

David Grayson

Answering my own question:

I ended up getting a Code Signing Certificate from Go Daddy and keying it to be SHA-2 (the other option is SHA-1), because I wanted the possibility of some day signing driver packages that contain .sys files and GoDaddy's SHA-2 option lets you do that. Now I sign our .cat files using that certificate along with the Go Daddy G1 to G2 Cross Certificate (gdroot-g2_cross.crt), so the chain of trust looks like:

  1. Go Daddy Class 2 Certification Authority ( 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4 ) (will be a trusted root CA on your user's computer)
  2. Go Daddy Root Certificate Authority - G2 ( 84 1d 4a 9f c9 d3 b2 f0 ca 5f ab 95 52 5a b2 06 6a cf 83 22 ) (supposed to be a trusted root CA, but it depends on Windows Update working reliably)
  3. Go Daddy Secure Certificate Authority - G2 ( 27 ac 93 69 fa f2 52 07 bb 26 27 ce fa cc be 4e f9 c3 19 b8 )
  4. Our company

This has been working great for our needs, but unfortunately, that plan does not allow us to sign driver packages that contain Kernel-Mode .sys files, because the chain of trust is not rooted in the Microsoft Code Verification Root. Based on my reading of kmsigning.doc, the correct way to sign your .cat file if you have kernel-mode driver files is to use the Microsoft to Go Daddy G2 Cross Certificate (mscvr-cross-gdroot-g2.crt). I haven't actually gotten that to work yet, but that will be another discussion.

SHA 2

I have to respectfully disagree with rcpao and kris. As far as I can tell, there is no problem with SHA256 on Windows Vista or Windows 7, at least for the purpose of driver package installation. For loading a .sys file into the kernel, there might be a different story, and especially because I'm having trouble with .sys signing now I will have to look into that.

DefaultInstall

The MSDN documentation of the INF DefaultInstall Section is just wrong. There seems to be no incompatibility between DefaultInstall and driver signing and I see no reason why there should be.
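The two procedures discussed in this thread, the dual SHA-1/SHA-256 signing from the MSDN excerpt in rcpao's answer and the cross-certificate chain to the Microsoft Code Verification Root from the answer above, fit in one build script. The following is an added example, not code from any of the answers; it assumes the Windows 8 (or later) WDK's inf2cat.exe and signtool.exe on PATH, a signing certificate already imported into the current user's store, and placeholder paths, thumbprint and timestamp URL that you must replace with your own.

```powershell
# Added example, not code from any of the answers above: dual-sign a driver
# package catalog (SHA-1 signature for Windows 7, SHA-256 signature for
# Windows 8) with a CA-issued code signing certificate plus the Microsoft
# cross-certificate, then verify the result under both policies.
# Assumptions: WDK 8+ signtool.exe/inf2cat.exe on PATH, signing cert in the
# CurrentUser\My store, and the placeholder values below.
$ErrorActionPreference = 'Stop'

$DriverDir  = 'C:\build\mydriver'                    # assumed: folder with the .inf and .sys files
$Catalog    = Join-Path $DriverDir 'mydriver.cat'    # assumed: must match CatalogFile= in the .inf
$CrossCert  = 'C:\keys\mscvr-cross-gdroot-g2.crt'    # Microsoft-to-CA cross cert (file name from the answer above)
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed: SHA-1 thumbprint of your signing cert
$Tsa        = 'http://timestamp.digicert.com'        # assumed: a TSA answering both Authenticode and RFC 3161 requests

function Invoke-Tool {
    # Run a native tool and fail the script on a non-zero exit code; PowerShell
    # does not do that by itself for external executables.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Build the catalog for every target OS/arch you ship. inf2cat hashes the
#    files listed in the .inf; the resulting .cat carries no signature yet.
Invoke-Tool 'inf2cat.exe' @("/driver:$DriverDir", '/os:7_X64,8_X64', '/verbose')

function Add-DualSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Primary signature: SHA-1 file digest plus a legacy Authenticode timestamp
    # (/t). This is the one Windows 7 without the SHA-2 update can validate.
    # /ac embeds the cross-certificate so the chain reaches the Microsoft Code
    # Verification Root, which the kernel-mode policy requires.
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint,
                                 '/fd', 'sha1', '/t', $Tsa, $Path)

    # Second signature appended with /as: SHA-256 file digest and an RFC 3161
    # timestamp (/tr, /td). Windows 8 picks this one; Windows 7 ignores it.
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint,
                                 '/fd', 'sha256', '/tr', $Tsa, '/td', 'sha256', '/as', $Path)
}

# 2. Sign the catalog, and embed signatures in each .sys as well (required for
#    boot-start drivers, harmless otherwise).
Add-DualSignature -Path $Catalog
Get-ChildItem -Path $DriverDir -Filter '*.sys' | ForEach-Object { Add-DualSignature -Path $_.FullName }

# 3. Verify. /kp applies the kernel-mode code signing policy: it only passes
#    when the chain ends at the Microsoft Code Verification Root through the
#    embedded cross-certificate. /pa applies the plain Authenticode policy;
#    /all checks every signature present, not just the primary one. The /v
#    output prints the full chain so you can compare it with the list above.
Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', $Catalog)
Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', '/all', $Catalog)

# 4. On a Windows 7 / Server 2008 R2 test machine, confirm the SHA-2 code
#    signing support update from Microsoft Security Advisory 3033929 is
#    installed; without it only the SHA-1 signature is usable there.
function Test-Sha2Support {
    $null -ne (Get-HotFix -Id 'KB3033929' -ErrorAction SilentlyContinue)
}
```

Run this on the build machine after importing the certificate and the cross-certificate; the first signtool verify line is the check that distinguishes a chain ending at the CA's public root (fine for package installation, not for loading a .sys) from one that the kernel will accept. Test-Sha2Support is meant to be run on the Windows 7 target, not the build machine.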

Sounds like you need to get your driver certified and signed by Microsoft, which can be achieved by using the Hardware Certification Kit (HCK). But for Windows 10 and up they are using Hardware Lab Kit (HLK). This is how I've signed kernel-mode drivers, which is done after passing the testing and having Microsoft certify and sign the .sys files and .cat files.
