Changes between Version 2 and Version 3 of BuildingTapWindows6


Timestamp:
04/19/16 09:22:38 (8 years ago)
Author:
Samuli Seppänen
Comment:

--

  • BuildingTapWindows6

    v2 v3  
    77Getting the [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode signatures] right so that all Windows versions detect them can be quite tricky. This seems to be particularly true for kernel-mode driver packages. This section contains miscellaneous notes about signing driver packages.
    88
    9 == Working with certificates and signatures in Powershell ==
     9== Installing certificates ==
    1010
    11 To install a PFX files to the CurrentUser certificate store:
     11Installing a PFX file to the Currentuser certificate store using Powershell:
    1212{{{
    1313Import-PfxCertificate –FilePath <path-to-pfx> cert:\CurrentUser\My -Password (ConvertTo-SecureString -String "mypassword" -Force –AsPlainText)
    1414}}}
     15If you're not accustomed to Powershell you can just use ''mmc.exe'' and the certificate snap-ins to install the certificate.
    1516
    16 To verify the Authenticode signature of a file:
     17== Querying the certificate store ==
     18
     19To list all certificates in ''Currentuser\My'' store using Powershell:
     20{{{
     21Get-ChildItem cert:\CurrentUser\My
     22}}}
     23Or alternatively:
     24{{{
     25Set-Location cert:\CurrentUser\My
     26dir
     27}}}
     28The ''dir'' command is just an alias for ''Get-!ChildItem''
     29
     30== Creating catalog files with inf2cat ==
     31
     32To create a catalog file for a 32-bit driver:
     33{{{
     34Inf2Cat.exe /driver:<full-path-to-driver-directory> /os:Vista_x86,Server2008_X86,7_X86
     35}}}
     36To create a catalog file for a 64-bit driver:
     37{{{
     38Inf2Cat.exe /driver:<full-path-to-driver-directory> /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64
     39}}}
     40Example:
     41{{{
     42Inf2Cat.exe /driver:C:\Users\John\tap6\amd64 /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64
     43}}}
     44
     45'''NOTE:''' According to Microsoft Inf2Cat requires a full path to the driver directory.
     46
     47== Adding signatures using signtool.exe ==
     48
     49Adding a signature using a (non-EV) certificate stored in a pfx file. This bypasses the Windows certificate store entirely, thus simplifying things a bit:
     50
     51{{{
     52signtool.exe sign /v /ac <cross-certificate> /t <timestamp-url> /f <pfx-file> /p <pfx-password> <drivername>.cat
     53}}}
     54Example:
     55{{{
     56signtool sign /v /ac digicert-cross-cert.crt /t http://timestamp.digicert.com /f kernel-mode.pfx /p <password> tap6/amd64/tap0901.cat
     57}}}
     58
     59== Validating signatures ==
     60
     61Verifying the Authenticode signature of a file using Powershell:
    1762
    1863{{{
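Review bot: The added signtool.exe section (v3 lines 49-56) passes the PFX password on the command line with /p <pfx-password>, where it is visible in the process command line and can end up in shell history and build logs. The text should say so and point to the alternative this page already sets up: import the PFX with Import-PfxCertificate, then let signtool select the certificate from the store (its /n or /sha1 selectors) so that no password appears in the signing command. Minor: the new prose writes "Currentuser" while the commands use "CurrentUser"; use one spelling.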
     
    2166Note that even if the above command says that the file's certificate is valid, there is absolutely no guarantee that various Windows versions will accept it. It is unclear whether the Cmdlet checks the entire certificate path or not: it does hang for long periods of time occasionally doing ''something''.
    2267
    23 == Using Signtool.exe ==
    24 
    25 Verifying the signature of a driver package using Signtool.exe:
     68Using signtool.exe to verify a driver's signature probably gives more reliable results than the Get-!AuthenticodeSignature Cmdlet:
    2669{{{
    27 signtool verify /v /kp /c tap0901.cat tap901.sys
     70signtool verify /v /kp /c <drivername>.cat <drivername>.sys
    2871}}}
    29 This command should produce more useful results than the Get-AuthenticodeSignature Cmdlet.
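Review bot: The new sentence at v3 line 68 says signtool "probably gives more reliable results" without saying why, and the command at v3 line 70 leaves /kp and /c unexplained. State that /kp verifies against the kernel-mode driver signing policy and that /c names the catalog file the driver is checked against, since that is the difference from Get-AuthenticodeSignature a reader needs. Replacing "tap0901.cat tap901.sys" with placeholders also drops the only concrete example in this section; the other new sections pair a placeholder form with an example, so add one here with matching file names.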