How to sign WinpkFilter drivers


    Author: Vadim Smirnov

      How to sign the WinpkFilter driver (standard build) using a VeriSign certificate:

      1. Convert the certificate into a PFX file

      Pvk2Pfx -pvk myprivatekey.pvk -pi pvk_password -spc mycredentials.spc -pfx mypfx.pfx -po pfx_file_password -f

      2. Install pfx into the system you use for driver signing.

      Double-click on mypfx.pfx, follow the wizard

      3. Download the VeriSign cross-certificate from the Microsoft web site

      MSCV-VSClass3.cer

      4. Sign driver binary

      Signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n "Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll binary_name.sys

      5. Since the WinpkFilter driver is installed using an INF, you also need to create CAT files

      a. Add CAT references into the INF files

      CatalogFile.NTx86 = ndisrd86.cat

      CatalogFile.NTAMD64 = ndisrd64.cat

      b. Generate CAT files

      Inf2Cat /driver:path_to_directory_with_driver_and_inf /os:XP_X86,Server2003_X86,Vista_X86,Server2008_X86,7_X86

      Inf2Cat /driver:path_to_directory_with_driver_and_inf /os:XP_X64,Server2003_X64,Vista_X64,Server2008_X64,7_X64,Server2008R2_X64

      c. Sign CAT file

      Signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n "Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll cat_file_name.cat

      d. If you want to remove the publisher warning, you have to pre-install (install before the WinpkFilter driver installation) your public certificate (with public key only) on the client system.

      You can export this certificate from the system store where it was installed in step 2.

      – certmgr.msc

      – personal

      – double click on Company Name

      – select details

      – click “copy to file”

      – select “base-64 encoded X.509”

      To install the certificate you can use the following Inno Setup code:

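      // Crypt32 declarations the procedure needs in the [Code] section
      // (constant values as defined in wincrypt.h).
      const
        CERT_STORE_PROV_FILENAME_A = 7;
        CERT_STORE_PROV_SYSTEM_A = 9;
        X509_ASN_ENCODING = $00000001;
        PKCS_7_ASN_ENCODING = $00010000;
        CERT_STORE_OPEN_EXISTING_FLAG = $00004000;
        CERT_STORE_READONLY_FLAG = $00008000;
        CERT_SYSTEM_STORE_LOCAL_MACHINE = $00020000;
        CERT_STORE_ADD_REPLACE_EXISTING = 3;
        CERT_CLOSE_STORE_CHECK_FLAG = 2;

      function CertOpenStore(lpszStoreProvider, dwEncodingType, hCryptProv, dwFlags: Integer; pvPara: AnsiString): Integer;
        external 'CertOpenStore@crypt32.dll stdcall';
      function CertEnumCertificatesInStore(hCertStore, pPrevCertContext: Integer): Integer;
        external 'CertEnumCertificatesInStore@crypt32.dll stdcall';
      function CertAddCertificateContextToStore(hCertStore, pCertContext, dwAddDisposition, ppStoreContext: Integer): Boolean;
        external 'CertAddCertificateContextToStore@crypt32.dll stdcall';
      function CertFreeCertificateContext(pCertContext: Integer): Boolean;
        external 'CertFreeCertificateContext@crypt32.dll stdcall';
      function CertCloseStore(hCertStore, dwFlags: Integer): Boolean;
        external 'CertCloseStore@crypt32.dll stdcall';

      // Copies the first certificate from the .cer file into the
      // local machine TrustedPublisher store.
      procedure InstallDriverCertificate();
      var
        fbResult : Boolean;
        hStore, hSysStore, hCert : Integer;
        strMessage : String;
      begin
        fbResult := False;
        // Open the exported certificate file as a read-only store.
        // {app} has no trailing backslash; adjust the file name to the .cer your installer ships.
        hStore :=
          CertOpenStore(
            CERT_STORE_PROV_FILENAME_A,
            X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
            0,
            CERT_STORE_OPEN_EXISTING_FLAG or CERT_STORE_READONLY_FLAG,
            ExpandConstant('{app}') + '\Setupmainline.cer'
          );
        if hStore <> 0 then begin
          // Open the machine-wide TrustedPublisher store.
          hSysStore :=
            CertOpenStore(
              CERT_STORE_PROV_SYSTEM_A,
              X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,
              0,
              CERT_SYSTEM_STORE_LOCAL_MACHINE,
              'TrustedPublisher');
          if hSysStore <> 0 then begin
            hCert := CertEnumCertificatesInStore(hStore, 0);
            if hCert <> 0 then begin
              fbResult :=
                CertAddCertificateContextToStore(
                  hSysStore,
                  hCert,
                  CERT_STORE_ADD_REPLACE_EXISTING,
                  0
                );
              CertFreeCertificateContext(hCert);
            end;
            CertCloseStore(hSysStore, CERT_CLOSE_STORE_CHECK_FLAG);
          end;
          CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG);
        end;
      end;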
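A post-signing check for the package produced by steps 4 and 5, added here as an example and not part of the original post or of WinpkFilter. It assumes the INF, .sys and .cat files sit in one folder (the `$PackageDir` parameter is hypothetical) and uses the catalog names from step 5a.

```powershell
# Added example: post-signing checks for a package built with steps 4-5.
param(
    [string]$PackageDir = '.',   # assumption: folder holding the .inf, .sys and .cat files
    [string[]]$Catalogs = @('ndisrd86.cat', 'ndisrd64.cat')   # names from step 5a
)
$failed = $false

# 1. Each catalog must be referenced by a CatalogFile entry in an INF (step 5a).
$infText = Get-ChildItem -Path $PackageDir -Filter *.inf | Get-Content | Out-String
foreach ($cat in $Catalogs) {
    $pattern = '(?im)^\s*CatalogFile(\.\w+)?\s*=\s*' + [regex]::Escape($cat)
    if ($infText -notmatch $pattern) {
        Write-Warning "No CatalogFile entry for $cat in any INF"
        $failed = $true
    }
}

# 2. Every .sys and .cat must have a valid, timestamped signature (steps 4 and 5c).
$files = Get-ChildItem -Path $PackageDir -File | Where-Object Extension -in '.sys', '.cat'
$signers = @{}
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$($f.Name): signature status is $($sig.Status)"
        $failed = $true
        continue
    }
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "$($f.Name): signed without a timestamp"
        $failed = $true
    }
    $signers[$sig.SignerCertificate.Thumbprint] = $sig.SignerCertificate.Subject
}

# 3. Kernel-mode policy check (cross-certificate chain from /ac), if signtool is on PATH.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    foreach ($f in ($files | Where-Object Extension -eq '.sys')) {
        & signtool.exe verify /kp $f.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$($f.Name): signtool verify /kp failed"
            $failed = $true
        }
    }
}

# 4. Step 5d: report signers missing from the machine TrustedPublisher store.
foreach ($thumb in $signers.Keys) {
    if (-not (Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb")) {
        Write-Warning "$($signers[$thumb]) is not in LocalMachine\TrustedPublisher"
    }
}
if ($failed) { exit 1 }
```

Check 4 only warns, since the TrustedPublisher entry matters on the client system where the driver is installed, not on the signing machine.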