Signing a device driver package
Source: 百度文库 (Baidu Wenku) | 西红门黑老大 | Editor: 偶看新闻 | Date: 2024/06/02 23:15:53
Applies To: Windows 7, Windows Server 2008 R2
To sign a device driver package, you must have a code signing certificate. For more details about the various types of certificates that are available and how to acquire one, see the Additional Resources section at the end of this guide. This guide shows you how to create a certificate that you can use for testing purposes.
Steps outline: Signing a device driver package
The following steps illustrate the basic process for signing a device driver package.
- Create a digital certificate for signing
- Add the certificate to the Trusted Root Certification Authorities store
- Add the certificate to the Trusted Publishers store
- Sign the device driver package with the certificate
Step 1: Create a digital certificate for signing
In this step you create a certificate that can be used to sign the sample Toaster driver package.
First, open the Certificates MMC snap-in to see the current certificates.
To open the Certificates MMC snap-in
- Click Start, click Run, and then in the Run box, type: mmc
- In Console1 – [Console Root], click File, and then click Add/Remove Snap-in.
- In Add or Remove Snap-ins, in the Available snap-ins list, select Certificates, and then click Add.
- In Certificates snap-in, select Computer Account, and then click Next.
- On the Select Computer dialog box, select Local computer: (the computer this console is running on), and then click Finish.
- Click OK to close the Add or Remove Snap-ins page.
The Certificates snap-in appears in the console.
Now you can create the certificate.
To create a digital certificate by using the MakeCert tool
- Open an x86 Free Build Environment command prompt with administrator permissions: right-click x86 Free Build Environment on the Start menu, and then select Run as administrator.
- At the x86 Free Build Environment command prompt, type the following command on a single line:
makecert -r -n "CN=MyCompany - for test use only" -ss MyCompanyCertStore -sr LocalMachine
The meaning of each parameter is as follows:
- -r
Specifies that the certificate is self-signed rather than signed by a CA. Such a certificate is also called a "root" certificate.
- -n "CN=MyCompany - for test use only"
Specifies the subject name of the new certificate. Use a name that clearly identifies the certificate and its purpose; SignTool later selects the certificate by this name.
- -ss MyCompanyCertStore
Specifies the name of the certificate store in which the new certificate is placed.
- -sr LocalMachine
Specifies that the store named by -ss is a per-computer store, instead of the default per-user store.
As written, the command places no restriction on what the key may be used for. Adding -eku 1.3.6.1.5.5.7.3.3 (the code signing enhanced key usage) limits the certificate to code signing, which is the only purpose this guide needs and reduces what a leaked test key can be used for.
The command returns the message "Succeeded" when the store and certificate are created.
- Verify that your new certificate was created correctly. In the Certificates MMC snap-in that you opened earlier, expand Certificates (Local Computer), then MyCompanyCertStore, and then Certificates.
- In the right-hand pane, double-click MyCompany - for test use only. The Certificate dialog box appears, showing your new certificate.
- Click OK to close the Certificate dialog box.
Step 2: Add the certificate to the Trusted Root Certification Authorities store
This step is required for locally created certificates, such as those created with MakeCert, which do not chain to a certificate already present in the Trusted Root Certification Authorities store.
By default, your new certificate is shown as "Not trusted" because Windows cannot build a chain from it to any certificate in the per-computer Trusted Root Certification Authorities store. Windows considers a certificate valid only if it chains to a certificate in that store.
This step is not required for a commercial certificate issued by a third-party certification authority, because the CA's root certificate is already present in the per-computer Trusted Root Certification Authorities store.
Be aware of what this step does: a self-signed certificate placed in this store becomes a root of trust for the whole computer, so anything signed with its private key, not only your driver packages, will be trusted. Do this only on test machines, keep the private key off production systems, and remove the certificate from the store when testing is finished. Note also that this trust covers driver package installation; on 64-bit Windows 7 the kernel-mode code signing policy additionally requires the driver binary to be signed with a certificate that chains to a Microsoft-trusted root unless the computer is booted with test signing enabled (bcdedit /set testsigning on). The procedure in this guide targets 32-bit Windows 7.
To add the test certificate to the Trusted Root CA certificate store
- In the Certificates snap-in, right-click MyCompany - for test use only, and then click Copy.
- Right-click Trusted Root Certification Authorities, and then click Paste.
- Expand Trusted Root Certification Authorities and Certificates, and then double-click your certificate.
- Confirm that the "Not trusted" message no longer appears, and then click OK to close the certificate.
Step 3: Add the certificate to the per machine Trusted Publishers store
To use your new certificate to confirm the valid signing of device drivers, it must also be installed in the per-computer Trusted Publishers store. Windows consults this store when a driver package is installed: a package whose catalog is signed by a certificate in Trusted Publishers installs without a publisher warning, while a package with any other valid signature still produces a prompt asking whether the publisher should be trusted.
To add the test certificate to the Trusted Publishers certificate store
- In the Certificates snap-in, right-click your certificate, and then click Copy.
- Right-click Trusted Publishers, and then click Paste.
- Expand Trusted Publishers and Certificates, double-click your certificate to confirm that a copy is in the folder, and then click OK to close it.
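Steps 1 to 3 as a PowerShell script, added here as an example; it is not part of the original guide. It keeps the guide's names (MyCompanyCertStore, "MyCompany - for test use only") and assumes an elevated prompt on a test machine with the WDK's makecert.exe on PATH. The -eku flag is an addition to the guide's makecert command, and the script copies only the public certificate into the trust stores, where the MMC copy/paste in the guide also carries the private key link.

```powershell
# Added example, not part of the original guide: Steps 1 to 3 scripted.
# Assumes an elevated prompt on a test machine with makecert.exe (WDK/SDK) on PATH.
$subject   = 'CN=MyCompany - for test use only'
$storeName = 'MyCompanyCertStore'

# Step 1: self-signed test certificate in a per-computer store.
# -eku 1.3.6.1.5.5.7.3.3 is an addition to the guide's command: it limits the key to
# code signing, so the test root cannot issue TLS or other certificates if the key leaks.
& makecert -r -n $subject -ss $storeName -sr LocalMachine -eku 1.3.6.1.5.5.7.3.3
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Locate the certificate that makecert just created.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "certificate '$subject' not found in LocalMachine\$storeName" }

# Rebuild the object from a DER export so that only the public certificate is copied;
# the private key stays in MyCompanyCertStore.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$cert.Export('Cert'))

# Steps 2 and 3: Trusted Root Certification Authorities and Trusted Publishers.
foreach ($name in 'Root', 'TrustedPublisher') {
    $dst = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    $dst.Open('ReadWrite')
    $dst.Add($public)          # no-op if an identical certificate is already present
    $dst.Close()
}

# Check 1: the chain must now build to a trusted root (this is what removes the
# "Not trusted" banner in the MMC). A self-signed test root publishes no CRL, so
# revocation checking is skipped.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($public)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "certificate still does not chain to a trusted root: $why"
}

# Check 2: Trusted Publishers holds the same certificate. Compare thumbprints, not
# subject names; two different keys can carry the same name.
$tp = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $tp) { throw 'certificate is not in Trusted Publishers' }

"Trusted test certificate installed, thumbprint $($cert.Thumbprint)"
# To undo when testing is finished: open Root and TrustedPublisher with 'ReadWrite'
# and call .Remove($public) on each; while the certificate is there, anything signed
# with this key is trusted on this computer.
```

The two checks at the end are the scripted equivalents of the MMC inspections in Steps 2 and 3; if either throws, do not continue to Step 4, because SignTool will sign happily with a certificate that Windows does not trust and the failure will only surface at installation time.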
Step 4: Sign the device driver package with the certificate
If you are using the sample Toaster device and driver -- or if your organization wants to implement a policy where all device drivers must be signed by your organization's own certificate -- then follow these steps to replace the existing signature with your own.
To sign the device driver, you need to do the following:
- Prepare the driver package .inf file
- Create a catalog file for the driver package
- Sign the catalog file by using Signtool
Prepare the driver package .inf file
The .inf file controls the installation of the driver package. The digital signature for a device driver package resides in a catalog file, with a .cat file name extension. The .inf file used to install the driver package must include a reference to the .cat file.
In addition, for the sample Toaster device driver used in this guide, you also change the DriverVer date and version number of the driver package (Windows uses these values to rank driver packages that otherwise match a device equally well).
A co-installer is code provided by the device driver manufacturer that can be invoked during the driver package installation process. It gives the installation program more flexibility in what can be done during the installation process. In the sample Toaster device driver, the co-installer displays optional programs that the user can install. You do not need the Toaster co-installer for these scenarios, so in this procedure you delete it from the .inf file.
To prepare the driver package .inf file
- At the x86 Free Build Environment command prompt with administrator permissions, change to the folder that contains your driver package:
cd c:\toaster\device
- Open the .inf file in Notepad:
notepad toastpkg.inf
- Find the [Version] section. The original file includes the lines:
CatalogFile.NTx86 = tostx86.cat
CatalogFile.NTIA64 = tostia64.cat
CatalogFile.NTAMD64 = tstamd64.cat
- Delete those three lines, and replace them with the following single line:
CatalogFile=toaster.cat
- In the [Version] section, find the line that begins with DriverVer=. Replace the date and version number so that the line reads:
DriverVer=05/01/2009,9.9.9.9
- Find and delete the [Toaster_Device.NT.CoInstallers] section, which consists of these three lines:
[Toaster_Device.NT.CoInstallers]
AddReg=CoInstaller_AddReg
CopyFiles=CoInstaller_CopyFiles
- Save your changes, and then close Notepad.
Create a catalog file for the driver package
Next, run the Inf2Cat tool to create an unsigned catalog file for the sample Toaster driver package. Inf2Cat parses the driver package .inf file, and then generates unique hashes for every file referenced in the .inf file. The recipient of the package uses the hashes to confirm that the files received are exactly the same as those that were signed.
If the driver package you are using was signed by the vendor, then a catalog file already exists, and you do not need to create a new one. Skip this procedure, and go to the next procedure, Sign the catalog file by using SignTool, to replace the vendor's signature with your own. Two cautions apply: re-signing replaces the vendor's signature and its timestamp, so keep a copy of the original .cat file; and SignTool does not recompute the hashes inside the catalog, so if you changed any file in the package (including the .inf), the existing catalog no longer matches the files and you must run Inf2Cat to generate a new one.
To create a catalog file for the driver package
- At the x86 Free Build Environment command prompt with administrator permissions, type the following command:
inf2cat /driver:c:\toaster\device /os:7_x86
The meaning of each parameter is as follows:
- /driver:c:\toaster\device
Specifies the folder that contains the .inf file for the driver package. You must specify the complete folder path; a '.' character does not work here to represent the current folder.
- /os:7_x86
Identifies the 32-bit version of Windows 7 as the target operating system. Run inf2cat /? for a complete list of supported operating systems and their codes.
- Review the output of the Inf2Cat tool:
Signability test complete.
Errors:
None
Warnings:
None
Catalog generation complete.
C:\toaster\device\toaster.cat
- Review the completed .cat file. At the command prompt, type:
start toaster.cat
The Security Catalog dialog box appears, indicating that the catalog is not digitally signed. Because the .cat file is not signed, the View Signature button is disabled.
- Click the Security Catalog tab. There are three entries in the Catalog entries section, one each for the .inf file, the .sys file, and the .dll file of the driver package. Click each entry, and note in the Entry Details section that each file in the package has an entry, along with a "thumbprint" (the hash) that can be used to confirm the integrity of the file.
- Click OK to close the Security Catalog dialog box.
Sign the catalog file by using SignTool
Now that you have a catalog file, you can sign it by using the SignTool program.
Use this procedure whether you are using the sample Toaster device driver or not.
To sign a catalog file using SignTool
- At the x86 Free Build Environment command prompt with administrator permissions, type the following command on a single line:
SignTool sign /s MyCompanyCertStore /n "MyCompany - for test use only" /t http://timestamp.verisign.com/scripts/timestamp.dll toaster.cat
Use straight double quotes and a plain hyphen in the name. The /n value is matched against the certificate's subject, so "smart" quotes or an en dash copied from a document cause SignTool to report that no certificate met the given criteria.
The meaning of each parameter is as follows:
- /s MyCompanyCertStore
Specifies the name of the certificate store in which SignTool searches for the certificate specified by /n. By default SignTool opens the named store in the current user's profile; if it reports that no certificates were found, add /sm so that it searches the per-computer store, which is where makecert -sr LocalMachine created MyCompanyCertStore.
- /n "MyCompany - for test use only"
Specifies the subject name of the certificate to be used to sign the package. You must include enough of the name for SignTool to distinguish it from the other certificates in the store. If the name includes spaces, surround it with double quotes.
- /t path to time stamping service
Specifies the URL of a timestamping service. A timestamp lets the signature remain valid after the signing certificate expires. If you purchase your certificate from a commercial vendor, they should provide the URL of their service; the VeriSign URL shown here is the one in the original guide. Newer versions of SignTool also accept an RFC 3161 timestamp service with /tr (together with /td sha256); use that form if your CA offers it.
- toaster.cat
Specifies the path and file name of the catalog file to be signed.
SignTool indicates completion with the following message:
Successfully signed and timestamped: C:\toaster\device\toaster.cat
- To view and verify your signed catalog file, at the command prompt, type:
start toaster.cat
- Make sure that the header of the Security Catalog property page now states that the security catalog is valid, and that the View Signature button is enabled.
- Click View Signature, and then confirm the details of the signature you added to the package. No other details of the catalog file have changed.
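Step 4 as a PowerShell script, added here as an example rather than taken from the guide. It performs the .inf edits, runs Inf2Cat and SignTool, and then verifies the result from the command line, which the Security Catalog dialog does not let you script. It assumes inf2cat.exe and signtool.exe from the WDK are on PATH, that the package is in c:\toaster\device as in the guide, that toastpkg.inf is ANSI text, and that the certificate from Step 1 exists in LocalMachine\MyCompanyCertStore. The /sm switch on the sign command and the /pa switch on the verify command are additions, explained in the comments.

```powershell
# Added example, not part of the original guide: Step 4 scripted, plus verification.
# Assumes inf2cat.exe and signtool.exe (WDK) on PATH, the Toaster package in
# c:\toaster\device, an ANSI .inf, and the Step 1 certificate in the machine store.
$pkg     = 'c:\toaster\device'
$inf     = Join-Path $pkg 'toastpkg.inf'
$cat     = Join-Path $pkg 'toaster.cat'
$subject = 'MyCompany - for test use only'
$tsUrl   = 'http://timestamp.verisign.com/scripts/timestamp.dll'   # URL as printed in the guide; confirm a current one with your CA

# 1. Prepare the .inf: one CatalogFile line, the new DriverVer, no co-installer section.
$catWritten = $false
$skip = $false
$out = foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*\[(.+?)\]\s*$') {
        # Entering the co-installer section starts skipping; any other header ends it.
        $skip = ($matches[1] -eq 'Toaster_Device.NT.CoInstallers')
    }
    if ($skip) { continue }
    if ($line -match '^\s*CatalogFile(\.\w+)?\s*=') {
        if (-not $catWritten) { 'CatalogFile=toaster.cat'; $catWritten = $true }
        continue
    }
    if ($line -match '^\s*DriverVer\s*=') { 'DriverVer=05/01/2009,9.9.9.9'; continue }
    $line
}
Copy-Item $inf "$inf.orig"            # keep the original for diffing
Set-Content -Path $inf -Value $out    # add -Encoding Unicode if the .inf is UTF-16

# 2. Catalog: Inf2Cat hashes every file the .inf references. A full path is required.
& inf2cat "/driver:$pkg" /os:7_x86
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed ($LASTEXITCODE); fix the errors it printed before signing" }

# 3. Sign. /sm makes SignTool search the per-computer store, which is where
#    makecert -sr LocalMachine created MyCompanyCertStore; without it SignTool
#    looks in the current user's stores and finds nothing.
& signtool sign /v /sm /s MyCompanyCertStore /n $subject /t $tsUrl $cat
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }

# 4. Verify under the default Authenticode policy (/pa), which honours the test
#    root installed in Step 2. Without /pa, signtool verify applies the Windows
#    driver signing policy, which a test certificate never satisfies.
& signtool verify /v /pa $cat
if ($LASTEXITCODE -ne 0) { throw "signature on $cat does not verify under the Authenticode policy" }

# Same check from PowerShell, with signer and timestamp authority made explicit.
$sig = Get-AuthenticodeSignature $cat
if ($sig.Status -ne 'Valid') { throw "catalog signature status: $($sig.Status)" }
"Signer:    $($sig.SignerCertificate.Subject) [$($sig.SignerCertificate.Thumbprint)]"
"Timestamp: $($sig.TimeStamperCertificate.Subject)"
```

Run it once per package from an elevated WDK prompt. The two verification steps at the end are the ones worth keeping in any build pipeline: they fail when the catalog was signed with the wrong certificate, when the test root has been removed from the machine, or when a file in the package was changed after Inf2Cat ran.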