Steps for Signing a Device Driver Package
Applies To: Windows 7, Windows Server 2008 R2
To sign a device driver package, you must have a code signing certificate. For more details about the various types of certificates that are available and how to acquire one, see the Additional Resources section at the end of this guide. This guide shows you how to create a certificate that you can use for testing purposes.
Important
The certificate created and used in this section can be used only with 32-bit drivers on 32-bit versions of Windows. For more information about using device drivers for 64-bit versions of Windows, see the “Important Note” at the beginning of the section Requirements for Device Driver Signing and Staging, earlier in this guide.
Steps outline: Signing a device driver package
The following steps illustrate the basic process for signing a device driver package.
Step 1: Create a digital certificate for signing
Step 2: Add the certificate to the Trusted Root Certification Authorities store
Step 3: Add the certificate to the per machine Trusted Publishers store
Step 4: Sign the device driver package with the certificate
Step 1: Create a digital certificate for signing
In this step you create a certificate that can be used to sign the sample Toaster driver package.
First, open the Certificates MMC snap-in to see the current certificates.
Important
Do not run certmgr.msc to open the snap-in. By default, that opens the Current User version of the certificate stores. This procedure requires the certificates to be placed in the stores for the Computer Account instead.
To open the Certificates MMC snap-in
Click Start, click Run, and then in the Run box, type: mmc
In Console1 – [Console Root], click File, and then click Add/Remove Snap-in.
In Add or Remove Snap-ins, in the Available snap-ins list, select Certificates, and then click Add.
In Certificates snap-in, select Computer Account, and then click Next.
On the Select Computer dialog box, select Local computer: (the computer this console is running on), and then click Finish.
Click OK to close the Add or Remove Snap-ins page.
The Certificates snap-in appears in the console.
Now you can create the certificate.
Note
You cannot use the previous x86 Free Build Environment command prompt window, because it was not running with the administrator permissions required by the MakeCert tool. If you attempt to run MakeCert without administrator permissions, it will fail with error code 0x5 (Access Denied).
To create a digital certificate by using the MakeCert tool
Open an x86 Free Build Environment command prompt with administrator permissions, by right-clicking x86 Free Build Environment on the Start menu, and then selecting Run as administrator.
At the x86 Free Build Environment command prompt, type the following command on a single line:
makecert -r -n "CN=MyCompany - for test use only" -ss MyCompanyCertStore -sr LocalMachine
The meaning of each parameter is as follows:
-r
Specifies that the certificate is to be "self-signed," rather than signed by a CA. Also called a "root" certificate.
-n "CN=MyCompany - for test use only"
Specifies the name associated with this new certificate. It is recommended that you use a certificate name that clearly identifies the certificate and its purpose.
-ss MyCompanyCertStore
Specifies the name of certificate store in which the new certificate is placed.
-sr LocalMachine
Specifies that the certificate store created by the -ss option is in the per computer store, instead of the default per user store.
The command returns the message "Succeeded" when the store and certificate are created.
Verify that your new certificate was created correctly. In the Certificates MMC snap-in that you opened earlier, open the node Certificates (Local Computer), then MyCompanyCertStore, and then Certificates.
In the right-hand pane, double-click MyCompany - for test use only.
The certificate dialog appears showing your new certificate.
Click OK to close the Certificate page.
Step 2: Add the certificate to the Trusted Root Certification Authorities store
This step is required for locally created certificates, such as those created by using MakeCert, which are not directly traceable to a Trusted Root Certification Authority certificate. Be aware that a certificate placed in this store makes the computer trust anything signed with its private key, not only driver packages, so do this only on test computers and remove the certificate from the store when testing is finished.
By default, your new certificate is marked "Not trusted" because Windows cannot validate the certificate against any of the trusted certificates in the per computer Trusted Root Certification Authorities store. In Windows, all certificates must be traceable to a certificate in this store to be considered valid.
This step is not required for commercial certificates created for you by a third-party certification authority because the root certificate for the CA is already present in the per computer Trusted Root Certification Authorities store.
Note
Certificates that are placed in the per user Trusted Root Certification Authorities store will not validate signatures of device driver packages.
To add the test certificate to the Trusted Root CA certificate store
In the Certificates snap-in, right-click MyCompany - for test use only, and then click Copy.
Right-click Trusted Root Certification Authorities, and then click Paste.
Open Trusted Root Certification Authorities and Certificates, and then double-click your certificate.
Confirm that the "Not trusted" message no longer appears, and then click OK to close the certificate.
Step 3: Add the certificate to the per machine Trusted Publishers store
To use your new certificate to confirm the valid signing of device drivers, it must also be installed in the per computer Trusted Publishers store.
Note
Certificates that are placed in the per user Trusted Publishers store cannot validate signatures of device driver packages.
To add the test certificate to the Trusted Publishers certificate store
In the Certificates snap-in, right-click your certificate, and then click Copy.
Right-click Trusted Publishers, and then click Paste.
Open Trusted Publishers and Certificates, and then confirm that a copy of your certificate is in the folder.
Click OK to close the certificate.
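Steps 1 through 3 above can be scripted instead of done by copy and paste in the MMC snap-in. The following PowerShell script is an added example and is not part of this guide. It assumes an elevated PowerShell prompt on the test computer, makecert.exe on the PATH (the WDK build environment provides it), and the store and subject names the guide uses; the -Remove switch, the Open-Store and Get-TestCert helper names, and the chain check with X509Certificate2.Verify() are additions of this example.

```powershell
# Added example, not from the guide: create the test certificate and install it
# in the per-computer Root and TrustedPublisher stores, then verify the result.
# Assumptions: elevated PowerShell, makecert.exe on PATH, guide's names as defaults.
param(
    [string]$StoreName = "MyCompanyCertStore",
    [string]$Subject   = "CN=MyCompany - for test use only",
    [switch]$Remove     # tear the test certificate out of all three stores again
)
$ErrorActionPreference = "Stop"
$Location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine

function Open-Store([string]$Name, [string]$Mode) {
    # Mode is "ReadOnly" or "ReadWrite"; ReadWrite on LocalMachine needs an elevated prompt.
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, $Location)
    $s.Open($Mode)
    return $s
}

function Get-TestCert {
    $s = Open-Store $StoreName "ReadOnly"
    try { $c = $s.Certificates | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1 }
    finally { $s.Close() }
    return $c
}

if ($Remove) {
    $cert = Get-TestCert
    if ($cert -eq $null) { throw "No certificate with subject '$Subject' in LocalMachine\$StoreName" }
    foreach ($name in "Root", "TrustedPublisher", $StoreName) {
        $s = Open-Store $name "ReadWrite"
        try { $s.Remove($cert) } finally { $s.Close() }
    }
    Write-Host "Removed $($cert.Thumbprint) from Root, TrustedPublisher and $StoreName"
    return
}

# Step 1: makecert creates the self-signed certificate and its private key
# directly in the per-computer store, exactly as the guide's command does.
if ((Get-TestCert) -eq $null) {
    & makecert -r -n $Subject -ss $StoreName -sr LocalMachine
    if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }
}
$cert = Get-TestCert
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; SignTool could not sign with it" }

# Steps 2 and 3: what the guide does with Copy/Paste in the MMC snap-in.
# Adding a certificate that is already present is harmless.
foreach ($name in "Root", "TrustedPublisher") {
    $s = Open-Store $name "ReadWrite"
    try { $s.Add($cert) } finally { $s.Close() }
}

# Check: the chain must now build against the per-computer Root store, and the
# thumbprint must show up in both target stores (the Cert: drive view of them).
if (-not $cert.Verify()) { throw "Chain does not validate; is the certificate in LocalMachine\Root?" }
foreach ($name in "Root", "TrustedPublisher") {
    $hit = Get-ChildItem "Cert:\LocalMachine\$name" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($hit -eq $null) { throw "Certificate missing from LocalMachine\$name" }
}
Write-Host "Test certificate $($cert.Thumbprint) is trusted as root and publisher on this computer"
```

Run the script once without parameters to perform Steps 1 through 3, and with -Remove when the test computer should stop trusting the certificate. The script deliberately uses the LocalMachine store location throughout: as the notes in Steps 2 and 3 say, copies placed in the per user stores do not validate driver package signatures.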
Step 4: Sign the device driver package with the certificate
If you are using the sample Toaster device and driver -- or if your organization wants to implement a policy where all device drivers must be signed by your organization's own certificate -- then follow these steps to replace the existing signature with your own.
Note
If you are using a driver package that has already been signed by the vendor, then your driver package already has a useful catalog file that is referenced by the .inf file. In this case, you can skip the first two steps below, and begin with Sign the catalog file by using SignTool.
To sign the device driver, you need to do the following:
Prepare the driver package .inf file
Create a catalog file for the driver package
Sign the catalog file by using SignTool
Prepare the driver package .inf file
The .inf file controls the installation of the driver package. The digital signature for a device driver package resides in a catalog file, with a .cat file name extension. The .inf file used to install the driver package must include a reference to the .cat file.
In addition, for the sample Toaster device driver used in this guide, you must also change the DriverVer date and version number of the device driver.
A co-installer is code provided by the device driver manufacturer that can be invoked during the driver package installation process. It gives the installation program more flexibility in what can be done during the installation process. In the sample Toaster device driver, the co-installer displays optional programs that the user can install. You do not need the Toaster co-installer for these scenarios, so in this procedure you delete it from the .inf file.
Note
If your driver package has already been signed by the vendor, then the .inf file already has a reference to a valid catalog file, and you can skip this procedure.
To prepare the driver package .inf file
At the x86 Free Build Environment command prompt with administrator permissions, change to the folder that contains your driver package. Type the following command:
cd c:\toaster\device
Then type the command:
Notepad toastpkg.inf
Notepad opens with the .inf file displayed.
Find the [Version] section. The original file includes the lines:
CatalogFile.NTx86 = tostx86.cat
CatalogFile.NTIA64 = tostia64.cat
CatalogFile.NTAMD64 = tstamd64.cat
Delete those three lines, and replace them with following single line:
CatalogFile=toaster.cat
In the [Version] section, find the line that begins with DriverVer=. Replace the date and version number so that the line appears as follows:
DriverVer=05/01/2009,9.9.9.9
In the [Toaster_Device.NT.CoInstallers] section, find and delete these three lines:
[Toaster_Device.NT.CoInstallers]
AddReg=CoInstaller_AddReg
CopyFiles=CoInstaller_CopyFiles
Save your changes, and then close Notepad.
Create a catalog file for the driver package
Next, run the Inf2Cat tool to create an unsigned catalog file for the sample Toaster driver package. Inf2Cat parses the driver package .inf file, and then generates unique hashes for every file referenced in the .inf file. The recipient of the package uses the hashes to confirm that the files received are exactly the same as those that were signed.
Note
In previous versions of the WDK, you used a tool called Signability. This tool has been deprecated, and replaced with Inf2Cat.
If the driver package you are using was signed by the vendor, then a catalog file already exists, and you do not need to create a new one. Skip this procedure, and go to the next procedure Sign the catalog file by using SignTool to replace the vendor's signature with your own.
Note
The Inf2Cat tool must be run at a command prompt with administrator permissions.
To create a catalog file for the driver package
At the x86 Free Build Environment command prompt with administrator permissions, type the following command:
inf2cat /driver:c:\toaster\device /os:7_x86
The meaning of each parameter is as follows:
/driver:c:\toaster\device
Specifies the location of the .inf file for the driver package. You must specify the complete folder path. A '.' character does not work here to represent the current folder.
/os:7_x86
Identifies the 32-bit version of Windows 7 as the target operating system. Run the command inf2cat /? for a complete list of supported operating systems and their codes.
Review the output of the inf2cat tool.
Signability test complete ......................
Errors: None
Warnings: None
Catalog generation complete.
C:\toaster\device\toaster.cat
Review the completed .cat file. At the command prompt, type:
start toaster.cat
The Security Catalog dialog box appears, indicating that the catalog is not digitally signed. Because the .cat file is not signed, the View Signature button is disabled.
Click the Security Catalog tab. There are three entries in the Catalog entries section, one each for the .inf file, the .sys file, and the .dll file of the driver package. Click each entry, and note in the Entry Details section that each file in the package has an entry, along with a "thumbprint" (the hash) that can be used to confirm the integrity of the file.
Click OK to close the Security Catalog dialog box.
Sign the catalog file by using SignTool
Now that you have a catalog file, you can sign it by using the SignTool program.
Use this procedure whether you are using the sample Toaster device driver or not.
Important
When signing a driver package, you must include the option to timestamp the signature. The timestamp records when the signature was created. If a certificate expires or is revoked for security reasons, only signatures created before the expiration or revocation remain valid. Without a timestamp, Windows cannot determine whether the package was signed before or after that point, and rejects the signature once the certificate has expired or been revoked.
To sign a catalog file using SignTool
At the x86 Free Build Environment command prompt with administrator permissions, type the following command all on one line:
SignTool sign /s MyCompanyCertStore /n "MyCompany - for test use only" /t https://timestamp.verisign.com/scripts/timestamp.dll toaster.cat
The meaning of each parameter is as follows:
/s MyCompanyCertStore
Specifies the name of the certificate store in which SignTool searches for the certificate specified by the /n parameter. MakeCert created this store in the per computer location (-sr LocalMachine); if SignTool reports that no certificate met the given criteria, add the /sm option so that it searches the machine store instead of the user store.
/n "MyCompany - for test use only"
Specifies the name of the certificate to be used to sign the package. You must include enough of the name to allow SignTool to distinguish it from others in the store. If this name includes spaces, then you must surround the name with double quotes.
/t URL of a time stamping service
Specifies the URL of a time stamping service operated by an approved certification authority. If you purchase your certificate from a commercial vendor, they should provide you with the URL of their service.
toaster.cat
Specifies the path and file name of the catalog file to be signed.
Signtool indicates completion with the following message:
Successfully signed and timestamped: C:\toaster\device\toaster.cat
To view and verify your signed catalog file, at the command prompt, type:
start toaster.cat
Make sure that the header of the Security Catalog property page now states that the security catalog is "valid", and that the View Signature button is enabled.
Click View Signature, and then confirm the details of the signature you added to the package. No other details of the catalog file have changed.
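The three procedures of Step 4, from editing the .inf file through verifying the signed catalog, as one added PowerShell script. This is example code, not part of this guide. It assumes an elevated PowerShell prompt in which inf2cat.exe and signtool.exe are on the PATH (the WDK build environment sets that up), uses the guide's paths, names and DriverVer value as defaults, and makes the same .inf edits the guide makes by hand in toastpkg.inf. The -VendorSigned switch, the /v and /sm options on SignTool, and the closing signtool verify /pa check are additions of this example beyond the guide's command.

```powershell
# Added example, not part of the guide: Step 4 end to end for the Toaster package.
# Assumptions: elevated PowerShell, inf2cat.exe and signtool.exe on PATH,
# guide's paths, store and certificate names as defaults.
param(
    [string]$Driver    = "c:\toaster\device",
    [string]$Inf       = "toastpkg.inf",
    [string]$Catalog   = "toaster.cat",
    [string]$DriverVer = "05/01/2009,9.9.9.9",
    [string]$Store     = "MyCompanyCertStore",
    [string]$CertName  = "MyCompany - for test use only",
    [string]$TsUrl     = "https://timestamp.verisign.com/scripts/timestamp.dll",
    [switch]$VendorSigned   # .inf already references a valid .cat: skip the edit and inf2cat
)
$ErrorActionPreference = "Stop"
Set-Location $Driver

if (-not $VendorSigned) {
    # Prepare the .inf: one CatalogFile= line, a new DriverVer, no CoInstallers section.
    Copy-Item $Inf "$Inf.orig" -Force          # keep the original for comparison
    $out = New-Object System.Collections.ArrayList
    $skipSection = $false
    $catalogDone = $false
    foreach ($line in (Get-Content $Inf)) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Section header: drop the whole [Toaster_Device.NT.CoInstallers] section.
            $skipSection = ($matches[1] -eq 'Toaster_Device.NT.CoInstallers')
        }
        if ($skipSection) { continue }
        if ($line -match '^\s*CatalogFile(\.\w+)?\s*=') {
            # Replace the per-architecture CatalogFile.NTxxx lines with a single CatalogFile line.
            if (-not $catalogDone) { [void]$out.Add("CatalogFile=$Catalog"); $catalogDone = $true }
            continue
        }
        if ($line -match '^\s*DriverVer\s*=') { [void]$out.Add("DriverVer=$DriverVer"); continue }
        [void]$out.Add($line)
    }
    if (-not $catalogDone) { throw "No CatalogFile line found in $Inf; is this the right .inf?" }
    $out | Set-Content -Path $Inf -Encoding ASCII

    # Create the unsigned catalog; inf2cat needs the full folder path, not '.'.
    & inf2cat "/driver:$Driver" /os:7_x86
    if ($LASTEXITCODE -ne 0) { throw "inf2cat failed with exit code $LASTEXITCODE" }
}
if (-not (Test-Path $Catalog)) { throw "Catalog $Catalog not found in $Driver" }

# Sign the catalog. /sm makes SignTool search the per-computer store, which is
# where makecert -sr LocalMachine put the certificate. /t is mandatory here:
# an untimestamped signature stops validating once the certificate expires.
& signtool sign /v /sm /s $Store /n $CertName /t $TsUrl $Catalog
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Check: verify under the default Authenticode policy (/pa), which accepts a root
# from the per-computer Trusted Root store. Without /pa, SignTool applies the
# Windows Driver Verification Policy, which a self-signed test root will not pass.
& signtool verify /v /pa $Catalog
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
Write-Host "Signed and verified $Driver\$Catalog with '$CertName'"
```

For a package that the vendor already signed, run the script with -VendorSigned so that it keeps the vendor's .inf and .cat and only replaces the signature. The verbose output of signtool verify states whether the signature is timestamped; if it is not, the /t option did not take effect and the signature will stop validating when the certificate expires.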