Trustzone

EV Code Signing Kernel Mode Driver Signing Windows 7 & 8

Code Signing issues or questions? Just call +45 88 33 10 00 or send an email to support@trustzone.com - we're here to help you!

EV Code Signing installation guide. Kernel Mode Driver Signing Windows 7 & 8

Note: Windows 7 has recently been patched by Microsoft to support SHA-256 signatures; a Windows 7 machine without that update cannot validate a SHA-256-signed driver. This guide is for customers using the legacy Code Signing Certificates. New customers should follow the new guide instead.
 

PREREQUISITES

March 31, 2014 and after: the R1-R3 Cross Certificate will need to be installed on the signing computer, but it is not specified as an additional certificate (/ac) during the signing procedure.

IMPORTANT SIGNTOOL OPTIONS

/ac Specify an Additional Certificate.

/f  Specify the signing certificate in a file.

/p  Specify the password for the signing certificate.

/fd Specify the file digest algorithm used in creating file signatures.

E.g. /fd sha256 to place a SHA-256 signature (SHA-1 is the default).

/t  Specify a Microsoft Authenticode compatible time stamp server.

/tr Specify an RFC 3161 compliant trusted time stamp server. Pair it with /td sha256 if the timestamp digest should also be SHA-256 (otherwise it defaults to SHA-1).

PROCEDURE

  • In order for your driver to install successfully, the following file types in your project must be signed:

.sys

.cat
 

  • You can either sign these files out of a working directory, or you can place them in your Windows SDK\bin folder.
     
  • Acquire the Microsoft Code Signing Cross certificate for GlobalSign and place it into your working directory.
     
  • Use the following signtool command to sign the code:

signtool sign /ac MSCrossCert.crt /f CodeSign.pfx /p password1234 /tr http://timestamp.globalsign.com/scripts/timestamp.dll filter.sys

This command places a signature that includes the cross certificate and is timestamped in compliance with RFC 3161. As written it uses the default SHA-1 file digest; add /fd sha256 (and /td sha256) for a SHA-256 signature. Note that the PFX password is passed in clear text on the command line, so it will be recorded in the shell history and is visible in process listings while signtool runs.
 

  • Next verify your signature using the following signtool command (filter.sys is the file signed above):

signtool verify /v /kp filter.sys

/v gives verbose output and /kp validates the signature according to the kernel mode driver signing policy.
 

The output should look like this

  • Repeat the same process with the .cat file.
     
  • Once the driver has been signed, you can install the properly signed driver.
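The whole procedure (sign the .sys and the .cat with the cross certificate and an RFC 3161 timestamp, then verify each against the kernel mode policy) can be run as one script. The following PowerShell is an added example and is not part of the original guide; signtool on the PATH, the file names, and the interactive password prompt are assumptions, while the signtool options are the ones listed above. It goes beyond the command in the guide by using SHA-256 for both the file and timestamp digest and by not placing the password in the script or shell history.

```powershell
# Added example (not from the guide): sign and verify a driver package.
# Assumptions: signtool.exe is on the PATH (Windows SDK\bin), the cross
# certificate and PFX are in the working directory, and the driver package
# consists of filter.sys and filter.cat.
param(
    [string]$SignTool  = "signtool.exe",
    [string]$CrossCert = ".\MSCrossCert.crt",   # Microsoft cross certificate for GlobalSign
    [string]$Pfx       = ".\CodeSign.pfx",      # legacy code signing certificate
    [string]$TimeStamp = "http://timestamp.globalsign.com/scripts/timestamp.dll",
    [string[]]$Files   = @(".\filter.sys", ".\filter.cat")  # assumed package files
)

# Prompt for the PFX password instead of hard-coding it or typing it on the
# command line, so it does not end up in the shell history.
$secure = Read-Host -Prompt "PFX password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

foreach ($file in $Files) {
    if (-not (Test-Path $file)) { throw "Missing file: $file" }

    # /ac    include the cross certificate in the signature
    # /f /p  legacy PFX certificate and its password
    # /fd    SHA-256 file digest (SHA-1 is the default)
    # /tr    RFC 3161 timestamp server; /td makes the timestamp digest SHA-256 too
    & $SignTool sign /ac $CrossCert /f $Pfx /p $password /fd sha256 `
        /tr $TimeStamp /td sha256 $file
    if ($LASTEXITCODE -ne 0) {
        throw "Signing failed for $file (signtool exit code $LASTEXITCODE)"
    }

    # /kp verifies against the kernel mode driver signing policy; /v prints the chain.
    & $SignTool verify /v /kp $file
    if ($LASTEXITCODE -ne 0) {
        throw "Kernel mode verification failed for $file (signtool exit code $LASTEXITCODE)"
    }
}

Write-Host "All files signed and verified for kernel mode."
```

Run it from the working directory that holds the driver files and certificates; a non-zero signtool exit code on either step stops the script, so a partially signed package is never reported as good. On Windows 7 the SHA-256 update mentioned in the note at the top must be present on the target machine for the /fd sha256 signature to validate.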

If the driver is signed properly the install screen will look like this (Windows 7)

ADDITIONAL RESOURCES

Full list of SignTool commands
http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.110%29.aspx

Kernel-Mode Code Signing Walkthrough
https://msdn.microsoft.com/en-us/library/windows/hardware/dn653569(v=vs.85).aspx

Digital Signatures for Kernel Modules on Windows
https://msdn.microsoft.com/en-us/library/windows/hardware/dn653559(v=vs.85).aspx

Last Updated March 03, 2017