Changes between Version 2 and Version 3 of BuildingTapWindows6
- Timestamp:
- 04/19/16 09:22:38 (8 years ago)
BuildingTapWindows6
v2 v3 7 7 Getting the [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode signatures] right so that all Windows versions detect them can be quite tricky. This seems to be particularly true for kernel-mode driver packages. This section contains miscellaneous notes about signing driver packages. 8 8 9 == Working with certificates and signatures in Powershell==9 == Installing certificates == 10 10 11 To install a PFX files to the CurrentUser certificate store:11 Installing a PFX file to the Currentuser certificate store using Powershell: 12 12 {{{ 13 13 Import-PfxCertificate –FilePath <path-to-pfx> cert:\CurrentUser\My -Password (ConvertTo-SecureString -String "mypassword" -Force –AsPlainText) 14 14 }}} 15 If you're not accustomed to Powershell you can just use ''mmc.exe'' and the certificate snap-ins to install the certificate. 15 16 16 To verify the Authenticode signature of a file: 17 == Querying the certificate store == 18 19 To list all certificates in ''Currentuser\My'' store using Powershell: 20 {{{ 21 Get-ChildItem cert:\CurrentUser\My 22 }}} 23 Or alternatively: 24 {{{ 25 Set-Location cert:\CurrentUser\My 26 dir 27 }}} 28 The ''dir'' command is just an alias for ''Get-!ChildItem'' 29 30 == Creating catalog files with inf2cat == 31 32 To create a catalog file for a 32-bit driver: 33 {{{ 34 Inf2Cat.exe /driver:<full-path-to-driver-directory> /os:Vista_x86,Server2008_X86,7_X86 35 }}} 36 To create a catalog file for a 64-bit driver: 37 {{{ 38 Inf2Cat.exe /driver:<full-path-to-driver-directory> /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64 39 }}} 40 Example: 41 {{{ 42 Inf2Cat.exe /driver:C:\Users\John\tap6\amd64 /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64 43 }}} 44 45 '''NOTE:''' According to Microsoft Inf2Cat requires a full path to the driver directory. 46 47 == Adding signatures using signtool.exe == 48 49 Adding a signature using a (non-EV) certificate stored in a pfx file. 
This bypasses the Windows certificate store entirely, thus simplifying things a bit: 50 51 {{{ 52 signtool.exe sign /v /ac <cross-certificate> /t <timestamp-url> /f <pfx-file> /p <pfx-password> <drivername>.cat 53 }}} 54 Example: 55 {{{ 56 signtool sign /v /ac digicert-cross-cert.crt /t http://timestamp.digicert.com /f kernel-mode.pfx /p <password> tap6/amd64/tap0901.cat 57 }}} 58 59 == Validating signatures == 60 61 Verifying the Authenticode signature of a file using Powershell: 17 62 18 63 {{{ … … 21 66 Note that even if the above command says that the file's certificate is valid, there is absolutely no guarantee that various Windows versions will accept it. It is unclear whether the Cmdlet checks the entire certificate path or not: it does hang for long periods of time occasionally doing ''something''. 22 67 23 == Using Signtool.exe == 24 25 Verifying the signature of a driver package using Signtool.exe: 68 Using signtool.exe to verify a driver's signature probably gives more reliable results than the Get-!AuthenticodeSignature Cmdlet: 26 69 {{{ 27 signtool verify /v /kp /c tap0901.cat tap901.sys70 signtool verify /v /kp /c <drivername>.cat <drivername>.sys 28 71 }}} 29 This command should produce more useful results than the Get-AuthenticodeSignature Cmdlet.
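Review bot: the PFX password is placed on the command line in both new examples of the first hunk: the Import-PfxCertificate line (v3 line 13) wraps a literal "mypassword" in ConvertTo-SecureString -AsPlainText, and the signtool lines (v3 lines 52 and 56) pass it with /p <pfx-password>. A password typed this way can end up in shell history and is visible in the process command line, and here it protects the key that signs a kernel-mode driver. Suggest prompting for it in the PowerShell example, for instance -Password (Read-Host -AsSecureString), and adding a sentence next to "This bypasses the Windows certificate store entirely" that states the trade-off: skipping the store means the password travels on the command line. Minor: "Currentuser" in the new prose at v3 lines 11 and 19 should match the "CurrentUser" spelling used in the commands.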
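Review bot: the new sentence at v3 line 68 in the second hunk says signtool "probably gives more reliable results", but nothing in the hunk says what /kp and /c in the command at v3 line 70 do, so a reader cannot tell why its verdict would differ from Get-AuthenticodeSignature. Suggest one line stating that /c names the catalog file the driver is checked against and that /kp runs the verification under the kernel-mode driver signing policy. Replacing "tap0901.cat tap901.sys" with <drivername> placeholders also removes the only concrete invocation in this section; the other new sections keep an "Example:" block after the template, and a corrected tap0901 example here would be consistent with them.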