Guide to signing unsigned drivers

Click here to associate this thread with a Package KB article.

Logged in as: Guest

Users viewing this topic: none

Tree Style

Printable Version

All Forums >> [AppDeploy Forums] >> Package Development >> Guide to signing unsigned drivers

Page: [1]

Message

<< Older Topic Newer Topic >>

Guide to signing unsigned drivers - 9/20/2010 9:50:24 AM

captain_planet
Super Member

Posts: 255
Score: 36
Joined: 5/23/2008
Status: offline

I thought I'd write this post to give something back to the community, as it took me ages to find out for myself and get working so hopefully it will assist others. Some of the info in this post was extracted from some great posts from AngelD, so kudos to him for that. It's only been tested in an XP environment, but here goes...

Tools you need: (most are from the Windows Driver Kit):
Inf2Cat.exe (To generate the unsigned catalog file from our INF)

In the same folder as Inf2Cat.exe I have the following DLLs:
Microsoft.Whos.Shared.IO.Cabinets.dll
Microsoft.Whos.Shared.IO.Catalogs.dll
Microsoft.Whos.Shared.Xml.InfReader.dll
Microsoft.Whos.Winqual.Submissions.SubmissionBuilder.dll
Microsoft.Whos.Xml.NonXmlDataReader.dll

Makecert.exe (Used to create our certificate)
Cert2spc.exe (Create Software Publisher's Certificate (SPC) from our certificate)
Signcode.Exe (Sign our catalog file with an Authenticode digital signature)
Certmgr.exe (Used to add and delete our certificate to the system root)
DifxApp.msm (Difx Merge Module to install the driver)

**********************************************
*****INTRODUCTION******************************
**********************************************

Now we have our toolset in place, let's package the unsigned Captain Planet printer driver. We're packaging this driver for a customer called 'Planeteers Ltd'.

Let's assume we've captured the Captain Planet printer driver using a snapshot tool. We can see from the resultant snapshot that there is a file in [WindowsFolder]\inf called 'captainplanet.inf'. There are also files called 'captainplanet.sys' and 'captainplanet.dll' in [SystemFolder]spool\drivers\w32x86.

All of these files make up the Captain Planet printer driver so let's create a folder anywhere on your work machine
(say, "c:\cpdriver") and copy the three files to it.

We should now have our unsigned driver in a temporary folder called "C:\cpdriver" which contains:
captainplanet.inf
captainplanet.sys
captainplanet.dll

Now let's generate a customer certificate, so we can sign this (and many more) driver(s).

**********************************************
*****SIGNING THE DRIVER*************************
**********************************************

1. Create .cat (catalog) file for driver.

We notice that the Captain Planet driver doesn't contain a cat file, so we'll need to generate one.
Open the .INF file in a text editor. Ensure that under the [version] section that you have an entry specifying a .cat file. If it's not there, add the line
at the end of the section. For example:

[version]Signature=xxxxxxProvider=xxxxxxCatalogFile.NTx86=captainplanet.cat

"captainplanet.cat" is the name of the cat file that we want to generate. Not having a line specifying this will result in an "error 22.9.4 - Missing 32-bit catalog file entry" when we run Inf2Cat.exe. "NTx86" represents the Windows 2000 x86-based platforms.

Command line:

Inf2Cat.exe /driver:"<Path to folder containing driver files>" /os:XP_X86

Example:

Inf2Cat.exe /driver:"C:\cpdriver" /os:XP_X86

Running this successfully will generate captainplanet.cat in the 'C:\cpdriver' folder.

2. Create authenticode certificate and set private key

Create another folder called 'c:\PlaneteersLtd_certificate'. It is here where we'll create our customer-specific certificate and private key. Remember that this certificate can be reused multiple times for the customer (Planeteers Ltd) to sign different drivers, so keep naming conventions generic to your customer.

Command line:

MakeCert.Exe -r -pe <path to .cer file you want to generate> -n CN=<certificate name> -sv <path to .pvk file you want to generate> -len 2048

Example:

makecert.exe -r -pe "c:\PlaneteersLtd_certificate\PlaneteersLtd.cer" -n CN="Planeteers Ltd" -sv "c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk" -len 2048

Running this will ask you to set a private key. Make a note of this key! Running this command will generate:
c:\PlaneteersLtd_certificate\PlaneteersLtd.cer and c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk

(I think certificates of this kind are actually supposed to be used for development/testing as opposed to a live environment. It's probably advisable to purchase a certificate from Verisign/Comodo/whoever if you have the budget.)

3. Create Software Publisher's Certificate (SPC) from our certificate
Command Line:

Cert2Spc.Exe <path to .cer file> <path to .spc file>

Example:

cert2spc.exe "c:\PlaneteersLtd_certificate\PlaneteersLtd.cer" "c:\PlaneteersLtd_certificate\PlaneteersLtd.spc"

This will generate c:\PlaneteersLtd_certificate\PlaneteersLtd.spc

4. Sign the catalog file
Command line:

signcode.exe -spc <path to .spc file> -v <path to .pvk file> -t http://timestamp.verisign.com/scripts/timstamp.dll <Path to catalogfile>

(Yes....I know it says 'timstamp.dll' but that is correct) This will prompt you for the private key you set earlier. Enter it when prompted.

Example:

SignCode.Exe -spc "c:\PlaneteersLtd_certificate\PlaneteersLtd.spc" -v "c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk" -t [link=http://timestamp.verisign.com/scripts/timstamp.dll]http://timestamp.verisign.com/scripts/timstamp.dll[/link] "C:\cpdriver\captainplanet.cat"

**********************************************
*****ADDING THE CUSTOMER CERTIFICATE**********
**********************************************

The catalog for our driver is now signed. Every time we install this driver using DifxApp, we need to ensure the customer certificate is installed on the machine before DifxApp installs the driver. To do this, we use CertMgr.exe in two Custom Actions (CA) - one to add the certificate on install, and one to remove it on uninstall. We can do this in two ways:

a) Create the two CAs in every single driver package you do
b) Create a merge module which can easily be incorporated in every driver package you do

In my opinion option b) would provide less hassle for me because after all, we want our certificate to be easily re-usable for multiple driver packages. So for now, we'll do option b).

1. Create a new merge module and add captainplanet.cer to the SystemFolder of the MSM (or wherever you deem appropriate)

2. Go to the Custom Action (CA) table and create 2 CAs, both are an 'Exe stored in binary table' and 'Deferred in a System Context'.
If you use the CA wizard, you should stream 'certmgr.exe' into your binary table. Here's what (roughly) your CustomAction table should look like after you've made them:

Name: addCertificate
Type: 3074
Source: certmgr
Target: -add "[SystemFolder]PlaneteersLtd.cer" -s -r localMachine ROOT

Name: removeCertificate
Type: 3074
Source: certmgr
Target: -del "[SystemFolder]PlaneteersLtd.cer" -s -r localMachine ROOT

And here is the Binary table:

Name: certmgr
Data: <Binary Data of certmgr.exe>

Of course, using the wizard to do both CAs may result in two entries in your binary table containing the same exe (certmgr.exe). Obviously this is a waste, so remove one of them and set the 'Source' column in your CustomAction table appropriately.

3. Go to the ModuleInstallExecuteSequence table (Where <null> is obviously empty/nothing, and not the string literal "<null>") and add the following:

Action: addCertificate
Sequence: <null>
BaseAction: InstallFiles
After: 1
Condition: Not Installed

Action: removeCertificate
Sequence: <null>
BaseAction: InstallInitialize
After: 1
Condition: REMOVE~="ALL"

Action: InstallFiles
Sequence: 4000
BaseAction: <null>
After: <null>
Condition: <null>

Action: InstallInitialize
Sequence: 1500
BaseAction: <null>
After: <null>
Condition: <null>

The sequencing above is important as the addCertificate CA needs to run after the certificate is put down on the machine (after InstallFiles) and the removeCertificate CA needs to run before the certificate is removed from the machine. It also needs to run before DifxApp installs the driver.

**********************************************
*****CREATE DRIVER PACKAGE********************
**********************************************

Great. At this point we should now have a signed driver, and a merge module which installs our customer certificate. Now we can create the MSI package
which installs our signed driver:

1. Create a new ISM/WSI project and make a folder somewhere for your driver (one folder per driver remember).
Let's say:
"[ProgramFilesFolder]CaptainPlanetDriver" for this example. This folder will contain all the files in 'c:\cpdriver' on our work machine:
captainplanet.inf
captainplanet.sys
captainplanet.dll
captainplanet.cat (the one we've just generated!)

Remember that all these files should be in the SAME COMPONENT as well as the same folder (one .inf per folder), and the keypath of the component needs to be the .inf file!
Let's call the component: "CaptainPlanet_DRIVER"

2. Install the driver using DifxApp.
When we add the latest version of the DifxApp.msm merge module, it will create a table in the project called "MsiDriverPackages". Installshield and Wise have slightly
different wizards to install a driver, so I'll just show you roughly how the MsiDriverPackages table should be populated:

Component: CaptainPlanet_DRIVER
Flags: 7
Sequence: 1
ReferenceComponents: <null>

Once this is done, compile your .MSI. Ensure in your .MSI that your 'addCertificate' CA runs after 'installFiles' and before 'MsiProcessDrivers' in the installExecuteSequence.

At last, we're done!

Now I'd highly recommend testing your MSI install with verbose logging enabled, as the DifX merge module does write some half-decent logging which can assist you. For example, just recently DifxApp verbose logging warned me that some DLLs (part of the driver) were not being copied to the driver store. This was the reason why my driver wasn't working, and so I had to edit the .INF file [SourceDisksFiles] section (Add the relevant files which weren't being copied to the driver store), re-generate the cat file, re-sign it and then re-add these updated files to my MSI (Note there was obviously no need to go fiddling with my MSM as the certificate remains the same).

It's also always best to test your driver with the appropriate hardware.

Anyway. I hope this guide can be of some help to others. If you break your machine, or yourself, during implementing this guide then don't blame myself. It's only meant as a guide. Please feel free to comment/correct/bug fix.

Captain Planet.

本站仅提供存储服务，所有内容均由用户发布，如发现有害或侵权内容，请点击举报。