n l i t e d

:



Thread Links
next

Driver Signing

📢 PUBLIC Page 1025:56/56 | edit | chip 2018-04-15 12:52:13
Tags: CryptDisk SecureBoot

March 28 2018

With some help from the OSR forum I was able to find and fix a problem in my INF file. I was finally able to load a signed driver on a stock Windows 10 machine on March 21. Like so much of my life, it all looks so simple in retrospect and it is hard to know if I am smart for having accomplished it or just stupid for having so much trouble. The long story is preserved below the fold.

I created a couple bat files to make the process easier. Now I can build and retrieve a signed package easily.

RMakePkg.bat creates a submission package from the release build. DMakePkg.bat does the same thing for the debug build.

RMakePkg.bat: @echo off rmdir /s /q Out\Winx64Release\cat mkdir Out\Winx64Release\cat\64 xcopy /q /y Bin\CryptDisk.inf Out\Winx64Release\cat\ xcopy /q /y Out\Winx64Release\CryptDisk.exe Out\Winx64Release\cat\64\ xcopy /q /y Out\Winx64Release\CryptDriver2.sys Out\Winx64Release\cat\64\ xcopy /q /y Out\Winx64Release\CryptIFS.sys Out\Winx64Release\cat\64\ "%WDKPATH%\bin\x86\inf2cat.exe" /driver:Out\Winx64Release\cat /os:10_x64 /uselocaltime makecab /f Include\Release\MakeCab.txt C:\Bin\7z\7z l Out\Winx64Release\CryptDisk.cab "%WDKPATH%\App Certification Kit\signtool.exe" sign /s my /n nlited /i symantec /t http://timestamp.VeriSign.com/scripts/timstamp.dll Out\Winx64Release\CryptDisk.cab copy /y Out\Winx64Release\CryptDisk.cab %userprofile%\Desktop\ copy /y Out\Winx64Release\CryptDisk.cab Z:\Share start explorer "https://developer.microsoft.com/dashboard/hardware"
CryptDisk.inf: [Version] Signature = "$Windows NT$" Class = Volume ClassGUID = {71a27cdd-812a-11d0-bec7-08002be2092f} Provider = %Mfg% DriverVer = 03/20/2018,3.1.0.1172 CatalogFile = CryptDisk.cat [SourceDisksNames] 3426=Setup [SourceDisksFiles] CryptDisk.exe=3426,\64 CryptDriver2.sys=3426,\64 CryptIFS.sys=3426,\64 [DestinationDirs] xxxx.copy [Manufacturer] %Mfg%=nlited,NTamd64 [nlited] %DeviceDesc% = xxxx, ROOT\FAKE_0001 [nlited.NTamd64] %DeviceDesc% = xxxx, ROOT\FAKE_0001 [xxxx.NT] CopyFiles= xxxx.copy [xxxx.NTamd64] CopyFiles= xxxx.copy [xxxx.copy] CryptDriver2.sys [Strings] Mfg="nlited systems inc."
Bin\MakeCab.txt: .option explicit .set CabinetFileCountThreshold=0 .set FolderFileCountThreshold=0 .set FolderSizeThreshold=0 .set MaxCabinetSize=0 .set MaxDiskFileCount=0 .set MaxDiskSize=0 .set Cabinet=on .set Compress=on .set CabinetNameTemplate=Out\Winx64Release\CryptDisk.cab .set DestinationDir=cat .set DiskDirectoryTemplate=. Out\Winx64Release\cat\CryptDisk.cat Out\Winx64Release\cat\CryptDisk.inf .set DestinationDir=cat\64 Out\Winx64Release\cat\64\CryptDisk.exe Out\Winx64Release\cat\64\CryptDriver2.sys Out\Winx64Release\cat\64\CryptIFS.sys

I make sure the package makes it past the "acceptance" phase, then I go for a coffee break for 20-30 minutes. After downloading the signed driver package I run RUnpack.bat to copy the signed executables into the Out directory.

RUnpack.bat: @echo off move /y %userprofile%\Downloads\Signed_*.zip Out\Winx64Release\Signed.zip cd Out\Winx64Release copy /y Signed.zip Z:\Share\ pkzip -ext -dir -over Signed.zip cd ..\.. explorer Out\Winx64Release\drivers\cat\64

EV vs Class3 Certificates

After the Microsoft Hardware Dashboard account has been created, drivers can be signed with either the EV or Class3 certificate and submitted to be counter-signed. The EV certificate is never needed to sign the drivers. I locked the USB key for my EV certificate in my safe and have never used it since my first driver signing session.

Budget-strapped developers can get by with only a Class3 certificate if they are able to find a kind and friendly developer who already has a Hardware Dashboard account. The budgeteer's Class3 certificate can be added to big daddy's Dashboard account, and since only the developer has the private certificate no one else will be able to use it. Likewise, the EV certificate is not exposed since it requires the USB key. This would be a great service for a developer co-op.

The Rest of the Story...



close comments Comments are closed.

Comments are moderated. Anonymous comments are not visible to other users until approved. The content of comments remains the intellectual property of the poster. Comments may be removed or reused (but not modified) by this site at any time without notice.

  1. [] ok delete


Page rendered by tikope in 263.668ms