Microsoft Windows 64-bit kernel-mode signing using Code Signing Certificate for Microsoft Authenticode and Code Signing Certificate for Microsoft Office and VBA

Solution ID:    SO5820    Updated:    04/13/2016

Solution


64-bit versions of Microsoft Windows enforce kernel-mode code signing: a kernel-mode driver that is not signed with a certificate chaining to a Microsoft-trusted root will not be loaded.

To sign 64-bit kernel-mode software using Code Signing Certificate for Microsoft Authenticode or Code Signing Certificate for Microsoft Office and VBA, you will need to download and install the following:

  1. Windows Driver Kit (WDK). It must be installed because it provides the following required tools:
    • pvk2pfx.exe
    • inf2cat.exe
    • signtool.exe
       
  2. Microsoft cross certificate
    Download the file attached at the bottom of this solution, named MSCV-VSClass3.cer.
     
  3. PVK Import  (This tool is not supported by Symantec)
    If your certificate is not already in the certificate store, use PVK Import to import the certificate into the Personal store.

    Use signtool.exe from the command line to sign your code.
     

To successfully sign driver files, please ensure the following steps are followed:

  1. Ensure the Microsoft Authenticode Signing Certificate is installed in the user's Personal certificate store.  (This may require pvk2pfx.exe and/or pvkimport.exe)
     
  2. Use inf2cat.exe to validate the driver package INF file and create a catalog file.  If successful, a catalog file (*.cat) will be created.

  3. Use signtool.exe to sign the catalog (*.cat) and all driver (*.sys) files as below.

    Note: Replace "C:\CatFileName.cat" with the name of the specific file you are signing. The command must be run against each driver file and against the catalog. The subject name passed to /n must be quoted when it contains a space; otherwise signtool treats the second word as the file to sign.

SHA-1 with Timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "Symantec Corp" /t http://timestamp.verisign.com/scripts/timstamp.dll C:\CatFileName.cat

SHA-256 with RFC 3161 Timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "Symantec Corp" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp C:\CatFileName.cat

  4. Verify that the file was properly cross-signed. Use the following syntax and confirm that the certificate chain printed under the kernel-mode policy ends at the "Microsoft Code Verification Root":

    signtool verify /v /kp "C:\driver.sys"
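The four steps above, carried out end to end for a whole driver package, as an added PowerShell example (this script is not part of the original solution). It assumes a package directory C:\Drivers\MyPkg, that inf2cat.exe and signtool.exe from the WDK are on the PATH, that the cross certificate is at C:\Authenticode\MSCV-VSClass3.cer, that the signing certificate with its private key is in the current user's Personal store under the subject "Symantec Corp", and an inf2cat /os list of 7_X64,8_X64; all of these are assumptions you should change for your own package. It signs the catalog and every .sys file with SHA-256 and an RFC 3161 timestamp, then runs the kernel-mode verification and fails if any file's chain does not reach the Microsoft Code Verification Root.

```powershell
# Added example, not from the Symantec solution. Paths, subject name and
# /os list below are assumptions; adjust them for your driver package.
param(
    [string]$PackageDir  = 'C:\Drivers\MyPkg',
    [string]$CrossCert   = 'C:\Authenticode\MSCV-VSClass3.cer',
    [string]$SubjectName = 'Symantec Corp',
    [string]$TsaUrl      = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp',
    [string]$TargetOs    = '7_X64,8_X64'
)

$ErrorActionPreference = 'Stop'

# Step 1: confirm the signing certificate (with private key) is in the Personal
# store of the current user, which is the store signtool uses for "/s MY".
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey }
if (-not $cert) {
    throw "No certificate with a private key for '$SubjectName' in Cert:\CurrentUser\My"
}

# Step 2: validate the INF and build the catalog. inf2cat names the .cat after
# the CatalogFile directive in the INF and writes it into the package directory.
& inf2cat.exe "/driver:$PackageDir" "/os:$TargetOs"
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed with exit code $LASTEXITCODE" }

# Step 3: sign the catalog and every driver binary. Embedded signatures on the
# .sys files are what the boot loader checks; the catalog covers the package.
$files = Get-ChildItem -Path $PackageDir -Include *.cat, *.sys -Recurse
if (-not $files) { throw "No .cat or .sys files found under $PackageDir" }
foreach ($f in $files) {
    & signtool.exe sign /v /ac $CrossCert /s MY /n $SubjectName /fd sha256 /tr $TsaUrl $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($f.Name)" }
}

# Step 4: verify each file under the kernel-mode driver signing policy (/kp) and
# check that the printed chain reaches the Microsoft Code Verification Root,
# which is what the /ac cross certificate is supposed to provide.
$failed = @()
foreach ($f in $files) {
    $out = & signtool.exe verify /v /kp $f.FullName 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -notmatch 'Microsoft Code Verification Root') {
        $failed += $f.Name
        Write-Warning "Kernel-mode verification failed for $($f.Name)"
    }
}
if ($failed.Count -gt 0) {
    throw "Files not acceptable for kernel-mode loading: $($failed -join ', ')"
}
Write-Host "All $($files.Count) files signed and verified under the kernel-mode policy."
```

Run it from a WDK command prompt or after adding the WDK bin directory to the PATH. The chain check is the security-relevant step: a signature that verifies without /kp, or whose chain does not end at the Microsoft Code Verification Root, means the cross certificate was not attached and the driver will be rejected by the 64-bit kernel.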


Replace C:\CatFileName.cat with the path of the file you want to sign.

These examples use several of the arguments that SignTool supports:

  • Sign: Configures the tool to sign the intended file.
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /ac: Adds the cross-certificate from the CrossCertificateFile file to the digital signature.
  • /c: Specifies the catalog file by name.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported.
  • /fd: Specifies the file digest algorithm to use for creating file signatures, for example /fd SHA256. The default is SHA1.
  • /kp: Specifies that verification should be performed with the kernel-mode driver signing policy.
  • /n: Specifies the subject name of the signing certificate, i.e. the company name as it appears in the "Issued To" field of the certificate. Quote the value if it contains spaces.
  • /p: Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)
  • /s: Specifies a certificate store. If the certificate is imported into the Personal store, the store name is MY.
  • /t: Specifies that the digital signature will be timestamped by the Authenticode Time-Stamp Authority (TSA) indicated by the URL.
  • /tr: Specifies that the digital signature will be timestamped by the RFC 3161 Time-Stamp Authority (TSA) indicated by the URL.
  • /v: Specifies the verbose option for successful execution and warning messages.

Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
            (The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is http://timestamp.geotrust.com/tsa

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp


For more information, refer to the following documents from the Microsoft knowledge base:
Windows Driver Kit (WDK):  http://www.microsoft.com/whdc/driver/64bitguide.mspx
Using SignTool to Sign a File:  http://msdn.microsoft.com/en-us/library/aa388170
Cross-Certificates for Kernel Mode Code Signing:  http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx

Microsoft also supplies the following summarized version of the signing process:

Problem - Problems signing a driver using signtool and cross-certificates.
Environment - Windows 64-bit.
Resolution - Install your certificate by double-clicking it and allow it to install automatically based upon the certificate type. This way you do not have to worry about which certificate store it is placed in.

When cross-signing, use the following syntax:

Note: The Company Cert Name passed to /n should be exactly as shown in the "Issued To" field of your own certificate.

The following syntax signs the file using a certificate supplied as a PFX file (/f) together with its password (/p). Note that a password given on the command line is visible in the process list and in the shell history; on a shared build machine prefer the store-based form above (/s MY), which leaves the private key in the certificate store.

SHA-1 with Timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /f C:\Authenticode\YourCert.pfx /p Password /n "Symantec Corp" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\driver.sys"

SHA-256 with RFC 3161 Timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /f C:\Authenticode\YourCert.pfx /p Password /n "Symantec Corp" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp "C:\driver.sys"


TIPS

  • You should verify the signature for a driver file using the following command:

    signtool verify /v /kp "C:\driver.sys"

  • You should verify that a given driver is "signed" by a given catalog file using the following command:

    signtool verify /v /kp /c "C:\CatFileName.cat" "C:\driver.sys"

  • To significantly decrease boot time, sign all drivers and catalog files.


Attachment

MSCV-VSClass3.cer


Legacy ID

vs41181
