Oct. 2014: At this time, kernel-mode signing with a SHA-256 certificate is only compatible with Windows 8. Microsoft is working on backporting SHA-256 support to Windows 7 and Vista. For maximum compatibility it is recommended to use a SHA1 certificate. A SHA1 equivalent certificate can be issued for free through your Symantec management portal.
64-bit versions of Microsoft Windows require Kernel Mode Signing.
To sign 64-bit kernel-mode software using a Code Signing Certificate for Microsoft Authenticode or a Code Signing Certificate for Microsoft Office and VBA, you will need to download and install the following:
- Windows Driver Kit (WDK). Must be installed to acquire the required tools (inf2cat.exe, signtool.exe and pvk2pfx.exe).
- Microsoft cross certificate. Download the file attached at the bottom of this solution, named MSCV-VSClass3.cer.
- PVK Import (this tool is not supported by Symantec). If your certificate is not already in the certificate store, use PVK Import to import your certificate into the Personal store.
Use signtool.exe, a command-line tool, to sign your code.
To successfully sign driver files, please ensure the following steps are followed:
- Ensure the Microsoft Authenticode Signing Certificate is installed in the user's Personal certificate store. (This may require pvk2pfx.exe and/or pvkimport.exe.)
- Use inf2cat.exe to validate the driver package INF file and create a valid catalog file. If successful, a catalog file (*.cat) will be created.
- Use signtool.exe to sign the catalog (*.cat) and all driver (*.sys) files as shown below.
NOTE: Replace "C:\CatFileName.cat" with the name of the specific file you are signing. The sign command must be run against every driver file and the catalog.
- Verify that the file was properly cross-signed: use the following syntax and look for the "Microsoft Code Verification Root" in the output:
signtool verify /v /kp "C:\driver.sys"
This example uses several of the arguments that SignTool supports:
- sign: Configures the tool to sign the intended file
- verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy
- /ac: Adds the cross-certificate from the CrossCertificateFile file to the digital signature
- /c: Specifies the catalog file by name
- /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
- /fd: Specifies the file digest algorithm to use for creating file signatures. For example, /fd SHA256; the default is SHA1.
- /kp: Specifies that verification should be performed with the kernel-mode driver signing policy
- /n: Refers to the company name in your certificate as it appears in the "ISSUED TO" field of the certificate
- /p: Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)
- /s: Specifies a certificate store. (If the certificate is imported into the Personal store, the SPCCertificateStore is My.)
- /t: Specifies that the digital signature will be timestamped by the Authenticode Time-Stamp Authority (TSA) indicated by the URL
- /tr: Specifies that the digital signature will be timestamped by the RFC 3161 Time-Stamp Authority (TSA) indicated by the URL
- /v: Specifies the verbose option for successful execution and warning messages
Note: The Authenticode timestamping URL for Symantec is http://timestamp.verisign.com/scripts/timstamp.dll (The timstamp.dll filename is required to conform to old MS-DOS naming convention).
The RFC 3161 timestamping URL for Symantec is: http://timestamp.geotrust.com/tsa
For more information, refer to the following documents from the Microsoft knowledge base:
Windows Driver Kit (WDK): http://www.microsoft.com/whdc/driver/64bitguide.mspx
Using SignTool to Sign a File: http://msdn.microsoft.com/en-us/library/aa388170
Cross-Certificates for Kernel Mode Code Signing: http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx
Microsoft also supplies the following summarized version of the signing process:
Problem - Troubles signing driver using signtool and cross-certificates
Environment - Windows 64bit
Resolution - Install your certificate by double-clicking and allow it to install automatically based upon the certificate type. This way you do not have to worry about which certificate store it is placed in.
When cross-signing, use the following syntax:
Note: The Company Cert Name should be exactly as shown in the "ISSUED TO" field of your own certificate.
The following syntax signs the file using a certificate stored in your Personal certificate store
Without the timestamp:
With the timestamp:
The following syntax signs the file using a certificate stored in a password protected PFX file
Without the timestamp:
With the timestamp:
You should verify your signature for a driver file using the following command:
signtool verify /v /kp "C:\driver.sys"
You should verify that a given driver is "signed" by a given catalog file using the following command:
signtool verify /v /kp /c "C:\CatFileName.cat" "C:\driver.sys"
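The catalog, sign and verify steps of this solution collected into one PowerShell script, as an added example (it is not Symantec's or Microsoft's own script). It uses only the signtool.exe arguments listed above plus inf2cat.exe's /driver: and /os: switches; the package folder, cross-certificate path, company name and the /os: list are placeholders to adapt, and the PFX password is prompted for rather than placed in the script. The verify step fails the run unless signtool's output names the "Microsoft Code Verification Root", which is the chain the cross certificate is meant to provide.

```powershell
# Added example, not part of this solution: catalog, cross-sign and verify a 64-bit driver package.
# All paths, the company name and the target OS list are placeholders/assumptions.
param(
    [string]$PackageDir   = 'C:\MyDriverPackage',           # folder holding the .inf and .sys files (assumed)
    [string]$CrossCert    = 'C:\Certs\MSCV-VSClass3.cer',   # the cross certificate attached to this solution
    [string]$SubjectName  = 'Example Company, Inc.',        # must match the "ISSUED TO" field exactly (placeholder)
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string]$TargetOs     = '7_X64,8_X64',                  # inf2cat /os: list, assumed for this example
    [string]$PfxPath      = ''                              # optional: sign from a PFX instead of the Personal store
)

$ErrorActionPreference = 'Stop'

# Step 1: validate the INF and build the catalog. inf2cat exits non-zero on an invalid INF,
# so stop here rather than signing a package that will not install.
& inf2cat.exe "/driver:$PackageDir" "/os:$TargetOs"
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed with exit code $LASTEXITCODE" }

# Choose the certificate source. The Personal store (/n with /s My) keeps the private key and
# its password off the command line; a PFX (/f with /p) is the other form shown in this solution.
$certArgs = @('/n', $SubjectName, '/s', 'My')
if ($PfxPath) {
    $pfxPassword = Read-Host -Prompt 'PFX password'   # prompted so it is never hard-coded or logged
    $certArgs = @('/f', $PfxPath, '/p', $pfxPassword)
}

# Step 2: sign every driver binary and every catalog with the cross certificate and a timestamp.
# No /fd is given, so the default SHA1 digest recommended above for compatibility is used.
$targets = Get-ChildItem -Path $PackageDir -Recurse -Include *.sys, *.cat
foreach ($file in $targets) {
    & signtool.exe sign /v /ac $CrossCert @certArgs /t $TimestampUrl $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($file.FullName)" }
}

# Step 3: verify each driver under the kernel-mode policy against the catalog, and require the
# "Microsoft Code Verification Root" in the output to prove the cross certificate took effect.
$catalog = Get-ChildItem -Path $PackageDir -Filter *.cat | Select-Object -First 1
foreach ($driver in ($targets | Where-Object Extension -eq '.sys')) {
    $output = & signtool.exe verify /v /kp /c $catalog.FullName $driver.FullName 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $output -notmatch 'Microsoft Code Verification Root') {
        throw "Kernel-mode verification failed for $($driver.FullName):`n$output"
    }
    Write-Host "OK: $($driver.Name) verified against $($catalog.Name)"
}
```

Run it from a WDK command prompt (or with the WDK tools on PATH) as `.\Sign-DriverPackage.ps1 -PackageDir C:\MyDriverPackage -SubjectName "Your Company"`; add `-PfxPath C:\Certs\yourcert.pfx` to use the PFX form instead of the store. Treating a verify that does not mention the Microsoft Code Verification Root as a failure catches the common case where the file is Authenticode-signed but not cross-signed, which signtool verify /kp reports as an error only on a system that lacks the publisher's root.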
To significantly decrease boot time, sign all drivers and catalog files.