Steps for Signing a Device Driver Package

INTRODUCTION

Because device drivers run with system-level privileges and can access anything on your computer, it is critical that you trust the device drivers that you install. Trust, in this context, includes two main principles:

  • Authenticity is an assurance that the driver package came from its claimed source. It cannot be malicious code masquerading as something legitimate.
  • Integrity is an assurance that the package is 100 percent intact, and has not been modified by anyone after it was released.

Windows uses digital certificates and digital signatures to provide support for these principles. A digital certificate identifies an organization, and it is trustworthy because it can be checked electronically by a certification authority (CA). A digital signature uses information in the organization’s digital certificate to encrypt specific details about the package.

The encrypted information in a digital signature includes a thumbprint, or hash, for each file included with the package. The thumbprint is generated by a special cryptographic algorithm referred to as a hashing algorithm. The algorithm generates a thumbprint that can only be recreated by using that file’s contents. Changing a single bit in the file changes the thumbprint. After the thumbprints are generated, they are combined into a catalog, and then encrypted.

The following figure shows the process used to sign a driver package.

In this process the following steps take place:

The original driver package has no signature, and no .cat file in which a signature can be placed. In Step 1 of the diagram the Inf2Cat tool is run to create the .cat file, in which it places a thumbprint for each file identified as part of the driver package, as specified in the .inf file. In Step 2, the SignTool tool is run, specifying a digital certificate to encrypt, and thus sign, the .cat file. In Step 3, the digitally signed .cat file is included with the driver package and deployed to client computers.

The recipient computer confirms the identity of the package originator by using a copy of the certificate to decrypt the signature on the package. A successful decryption proves that the owner of the certificate is the signer of the package.

The same hashing algorithm used to create the thumbprints is used again during the confirmation process. Windows generates a thumbprint for each file received in the package. If the thumbprints generated by the receiving computer are identical to the ones found encrypted in the signature, then the recipient can be sure that the received package is identical to the original. If the thumbprints do not match, then the files were altered in some way after they were signed, and should not be trusted.

On each computer, Windows maintains a store for digital certificates. As the computer administrator, you can add certificates from publishers that you trust. If a package is received for which a matching certificate cannot be found in the certificate store, then Windows presents a page asking the user to confirm that the publisher is trusted. By placing a certificate in the certificate store on all of your client computers, you are telling Windows that all packages signed by that certificate are trusted.

Create a digital certificate for signing

Method 1: Certificates MMC

  1. Click Start, click Run, and then in the Run box, type: mmc
  2. In Console1 – [Console Root], click File, and then click Add/Remove Snap-in.
  3. In Add or Remove Snap-ins, in the Available snap-ins list, select Certificates, and then click Add.
  4. In the Certificates snap-in, select Computer Account, and then click Next.
  5. On the Select Computer dialog box, select Local computer: (the computer this console is running on), and then click Finish.
  6. Click OK to close the Add or Remove Snap-ins page.

Method 2: The MakeCert tool

  1. Open an x86 Free Build Environment command prompt with administrator permissions, by right-clicking x86 Free Build Environment on the Start menu, and then selecting Run as administrator.
  2. At the x86 Free Build Environment command prompt, type the following command on a single line (it appears here on multiple lines for clarity and to fit space limitations):
    makecert -r -n "CN=MyCompany - for test use only"
             -ss MyCompanyCertStore
             -sr LocalMachine

    The meaning of each parameter is as follows:

    • -r
      Specifies that the certificate is to be “self-signed,” rather than signed by a CA. Also called a “root” certificate.
    • -n "CN=MyCompany - for test use only"
      Specifies the name associated with this new certificate. It is recommended that you use a certificate name that clearly identifies the certificate and its purpose.
    • -ss MyCompanyCertStore
      Specifies the name of the certificate store in which the new certificate is placed.
    • -sr LocalMachine
      Specifies that the certificate store created by the -ss option is in the per-computer store, instead of the default per-user store.

    The command returns the message “Succeeded” when the store and certificate are created.

  3. Verify that your new certificate was created correctly. In the Certificates MMC snap-in that you opened earlier, open the node Certificates (Local Computer), then MyCompanyCertStore, and then Certificates.
  4. In the right-hand pane, double-click MyCompany - for test use only. The certificate dialog appears showing your new certificate.
  5. Click OK to close the Certificate page.

Add the certificate to the Trusted Root Certification Authorities store

  1. In the Certificates snap-in, right-click MyCompany - for test use only, and then click Copy.
  2. Right-click Trusted Root Certification Authorities, and then click Paste.
  3. Open Trusted Root Certification Authorities and Certificates, and then double-click your certificate.
  4. Confirm that the “Not trusted” message no longer appears, and then click OK to close the certificate.

Add the certificate to the per machine Trusted Publishers store

  1. In the Certificates snap-in, right-click your certificate, and then click Copy.
  2. Right-click Trusted Publishers, and then click Paste.
  3. Open Trusted Publishers and Certificates, and then confirm that a copy of your certificate is in the folder.
  4. Click OK to close the certificate.

Sign the device driver package with the certificate

Prepare the driver package .inf file

  1. At the x86 Free Build Environment command prompt with administrator permissions, change to the folder that contains your driver package. Type the following command:
    cd c:\toaster\device

  2. Then type the command:
    Notepad toastpkg.inf

    Notepad opens with the .inf file displayed.

  3. Find the [Version] section. The original file includes the lines:
    CatalogFile.NTx86 = tostx86.cat
    CatalogFile.NTIA64 = tostia64.cat
    CatalogFile.NTAMD64 = tstamd64.cat
    
  4. Delete those three lines, and replace them with following single line:
    CatalogFile=toaster.cat
    
  5. In the [Version] section, find the line that begins with DriverVer=. Replace the date and version number so that the line appears as follows:
    DriverVer=05/01/2009,9.9.9.9
    
  6. In the [Toaster_Device.NT.CoInstallers] section, find and delete these three lines:
    [Toaster_Device.NT.CoInstallers]
    AddReg=CoInstaller_AddReg
    CopyFiles=CoInstaller_CopyFiles
    
  7. Save your changes, and then close Notepad.

Create a catalog file for the driver package

  1. At the x86 Free Build Environment command prompt with administrator permissions, type the following command:

    inf2cat /driver:c:\toaster\device /os:7_x86

    The meaning of each parameter is as follows:

    • /driver:c:\toaster\device
      Specifies the location of the .inf file for the driver package. You must specify the complete folder path. A '.' character does not work here to represent the current folder.
    • /os:7_x86
      Identifies the 32-bit version of Windows 7 as the operating system. Run the command inf2cat /? for a complete list of supported operating systems and their codes.
  2. Review the output of the inf2cat tool.
    Signability test complete
    ......................
    Errors:
    None
    
    Warnings:
    None
    
    Catalog generation complete.
    C:\toaster\device\toaster.cat
    
  3. Review the completed .cat file. At the command prompt, type
    start toaster.cat
    

    The Security Catalog dialog box appears, indicating that the catalog is not digitally signed. Because the .cat file is not signed, the View Signature button is disabled.

  4. Click the Security Catalog tab. There are three entries in the Catalog entries section, one each for the .inf file, the .sys file, and the .dll file of the driver package. Click each entry, and note in the Entry Details section that each file in the package has an entry, along with a “thumbprint” (the hash) that can be used to confirm the integrity of the file.
  5. Click OK to close the Security Catalog dialog box.

Sign the catalog file by using SignTool

  1. At the x86 Free Build Environment command prompt with administrator permissions, type the following command all on one line. It appears here on multiple lines for clarity and to fit space limitations:
    SignTool sign /s MyCompanyCertStore /n "MyCompany - for test use only"
             /t http://timestamp.verisign.com/scripts/timestamp.dll
             toaster.cat


    The meaning of each parameter is as follows:

    • /s MyCompanyCertStore
      Specifies the name of the certificate store in which SignTool searches for the certificate specified by the parameter /n.
    • /n "MyCompany - for test use only"
      Specifies the name of the certificate to be used to sign the package. You must include enough of the name to allow SignTool to distinguish it from others in the store. If this name includes spaces, then you must surround the name with double quotes.
    • /t path to time stamping service
      Specifies the path to a time stamping service at an approved certification authority. If you purchase your certificate from a commercial vendor, they should provide you with the appropriate path to their service.
    • toaster.cat
      Specifies the path and file name of the catalog file to be signed.

    SignTool indicates completion with the following message:

    Successfully signed and timestamped: C:\toaster\device\toaster.cat
    
  2. To view and verify your signed catalog file, at the command prompt, type:
    start toaster.cat
    
  3. Make sure that the header of the Security Catalog property page now states that the security catalog is “valid”, and that the View Signature button is enabled.
  4. Click View Signature, and then confirm the details of the signature you added to the package. No other details of the catalog file have changed.
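The checks in steps 2 to 4 above, plus the per-file thumbprint comparison described in the introduction, can be scripted so that a client computer does not rely on the Security Catalog dialog. The following PowerShell script is an added example, not part of the original article; it assumes the package folder, catalog name and certificate name used in this walkthrough, that every .inf, .sys and .dll file in the folder belongs to the package, and that signtool.exe from the WDK is on the PATH (signtool verify /c names the catalog to check against, /kp applies the kernel-mode driver policy).

```powershell
# Added example: verify a signed driver catalog and the files it covers.
$ErrorActionPreference = 'Stop'
$PackageDir      = 'C:\toaster\device'                      # package folder from the walkthrough
$CatalogPath     = Join-Path $PackageDir 'toaster.cat'
$ExpectedSubject = 'CN=MyCompany - for test use only'       # signer we expect on the catalog

# 1. Authenticity: inspect the signature on the catalog itself.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
if ($sig.Status -eq 'NotSigned') {
    throw "$CatalogPath carries no signature; run the SignTool step first."
}
$signer = $sig.SignerCertificate
$inTrustedPublishers = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
                              Where-Object { $_.Thumbprint -eq $signer.Thumbprint })
$checks = [ordered]@{
    'Catalog signature status is Valid'  = ($sig.Status -eq 'Valid')
    'Signer subject matches expectation' = ($signer.Subject -like "$ExpectedSubject*")
    # Verify() builds a chain to the Trusted Root Certification Authorities store.
    'Signer chains to a trusted root'    = $signer.Verify()
    # A timestamp keeps the signature verifiable after the certificate expires.
    'Signature is timestamped'           = ($null -ne $sig.TimeStamperCertificate)
    # Without this entry Windows prompts the user instead of trusting the package silently.
    'Signer is in Trusted Publishers'    = $inTrustedPublishers
}

# 2. Integrity: recompute each file's thumbprint and compare it with the catalog entry.
#    Assumption: all .inf/.sys/.dll files in the folder are the package files.
$files = Get-ChildItem -Path $PackageDir -File |
         Where-Object { $_.Extension -in @('.inf', '.sys', '.dll') }
foreach ($f in $files) {
    & signtool verify /kp /c $CatalogPath $f.FullName *> $null
    $checks["File matches catalog entry: $($f.Name)"] = ($LASTEXITCODE -eq 0)
}

# 3. Report; any failure means the package must not be deployed.
$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    if ($c.Value) { "PASS  $($c.Key)" } else { "FAIL  $($c.Key)"; $failed++ }
}
if ($failed -gt 0) { throw "$failed check(s) failed; do not deploy this package." }
```

A catalog whose files were modified after signing still shows a valid catalog signature in step 1; only the per-file comparison in step 2 reveals the change, which is why both parts are needed.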
