
Solution ID : SO20529

Last Modified : 06/25/2018

How to sign Microsoft Windows 64-bit kernel-mode drivers using Extended Validation (EV) Code Signing

Solution

64-bit versions of Microsoft Windows require kernel-mode drivers to be signed (kernel-mode code signing).

To sign 64-bit kernel-mode drivers using an Extended Validation (EV) Code Signing certificate, you will need to download and install the following:

  1. Windows Driver Kit (WDK), which must be installed to obtain the following required tools:
    • inf2cat.exe
    • signtool.exe
       
  2. Microsoft cross certificate (MSCV-VSClass3.cer, attached at the bottom of this page)
  3. SafeNet eToken drivers
     

The below signtool examples use several of the arguments that SignTool supports:

  • Sign: Configures the tool to sign the intended file
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /ac: Adds the cross-certificate from the CrossCertificateFile file to the digital signature
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /kp: Performs the verification by using the x64 kernel-mode driver signing policy.
  • /n: Specifies the Common Name (CN) of the signing certificate.  Use this option if you have certificates issued to more than one organization in your certificate store.
  • /s: Specifies the certificate store to search (if the certificate is in the Personal store, the store name is MY)
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
  • /tr: Specifies the URL of the RFC 3161 time stamp server.  This option cannot be used with the /t option.
  • /v: Specifies the verbose option for successful execution and warning messages.
     

Important: Symantec recommends that customers use the SHA-256 timestamping service going forward, and not use the SHA-1 service unless a legacy platform constraint prevents the use of SHA-2.

Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
            (The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp


To successfully sign driver files, please follow these steps:

  1. Insert the Safenet USB token into the computer. 
     
  2. Use inf2cat.exe to validate the driver package INF file and generate the catalog file.  If validation succeeds, a catalog file (*.cat) is created in the package directory.
     
  3. Use signtool.exe to sign the catalog (*.cat) and every driver (*.sys) file, as shown below.

    NOTE: Replace "C:\driver.sys" with the path of the specific file you are signing.  The command must be run against every driver file and the catalog.
    NOTE: SignTool uses SHA-1 as the default file digest algorithm, even if you are signing with a SHA-256 certificate.  Add the /fd option (for example, /fd sha256) to select the digest algorithm explicitly.

    SHA-1 with Timestamp:
     
    signtool sign /v /ac "C:\Authenticode\After_10-10-10_MSCV-VSClass3.cer" /s MY /n "Company Name" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\driver.sys"


    SHA-256 with RFC 3161 Timestamp:
     
    signtool sign /v /ac "C:\Authenticode\After_10-10-10_MSCV-VSClass3.cer" /s MY /n "Company Name" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp "C:\driver.sys"


    NOTE: If there are multiple certificates in your Personal certificate store, use the /sha1 option to select the EV Code Signing Certificate by its SHA-1 thumbprint.  Copy the thumbprint value from the certificate and remove all spaces from it.
    For example:

     
    signtool sign /v /ac "C:\Authenticode\After_10-10-10_MSCV-VSClass3.cer" /s MY /sha1 sha1_thumbprint_value /n "Company Name" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\driver.sys"

     
  4. After running one of the above commands, you will be prompted to enter your Token Password:



    Note: If you want to batch sign your files, you will need to enable single logon for the SafeNet Token.  Please refer to the related solution on enabling single logon.  Once you have enabled single logon and have logged into the Token, you will be able to batch sign your files without being prompted for the Token Password every time.

     
  5. You will receive a message that the file has been successfully signed.
     
  6. To verify that the file was properly cross-signed under the kernel-mode driver signing policy, use the following syntax:
     
    signtool verify /v /kp "C:\driver.sys"

     
  7. In the verbose verify output, check the cross-certificate chain and confirm that it chains to the Microsoft Code Verification Root.



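The complete procedure above (catalog generation, signing every .sys and the .cat, verification under the kernel-mode policy, and the catalog check from the TIPS section) as one PowerShell script. This is an added example, not code from the Symantec article; the package directory C:\Build\MyDriver, the target platform 10_X64, the subject "Company Name" and the helper function names are assumptions. It uses only documented inf2cat and signtool options; the /td sha256 option (digest algorithm requested from the RFC 3161 timestamp server) goes slightly beyond what the article lists.

```powershell
# Added example (not from the original article): end-to-end EV kernel-mode driver signing
# with the WDK tools. Assumes the SafeNet token is inserted with single logon enabled
# (otherwise every signtool call prompts for the token password) and that inf2cat.exe
# and signtool.exe are on PATH. All paths and names below are assumptions.
param(
    [string]$PackageDir = "C:\Build\MyDriver",                      # assumed: folder with the .inf and .sys files
    [string]$TargetOs   = "10_X64",                                 # assumed: platform the INF supports
    [string]$CrossCert  = "C:\Authenticode\After_10-10-10_MSCV-VSClass3.cer",
    [string]$Subject    = "Company Name",                           # CN on the EV code signing certificate
    [string]$Tsa        = "http://sha256timestamp.ws.symantec.com/sha256/timestamp"
)

$ErrorActionPreference = "Stop"

function Get-EvSigningThumbprint {
    # Select the EV certificate by subject from the Personal (MY) store and return its
    # thumbprint without spaces, which is the form the signtool /sha1 option expects.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "CN=$Subject*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for '$Subject' in Cert:\CurrentUser\My" }
    return ($cert.Thumbprint -replace '\s', '')
}

function Invoke-Tool {
    # Run an external tool and fail the script on a non-zero exit code, so a signing or
    # verification failure is never silently skipped in a batch run.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 2: validate the INF and generate the catalog for the target platform.
Invoke-Tool "inf2cat.exe" @("/driver:$PackageDir", "/os:$TargetOs", "/verbose")

# Step 3: sign every driver file and the catalog with a SHA-256 file digest and an RFC 3161
# timestamp. /sha1 selects the certificate unambiguously even if the store holds several.
$thumb   = Get-EvSigningThumbprint
$targets = Get-ChildItem -Path (Join-Path $PackageDir '*') -Include *.sys, *.cat
foreach ($f in $targets) {
    Invoke-Tool "signtool.exe" @(
        "sign", "/v",
        "/ac", $CrossCert,            # cross-certificate so the chain reaches Microsoft Code Verification Root
        "/s", "MY",
        "/sha1", $thumb,
        "/n", $Subject,
        "/fd", "sha256",              # override the SHA-1 default file digest
        "/tr", $Tsa, "/td", "sha256", # RFC 3161 timestamp with a SHA-256 digest
        $f.FullName
    )
}

# Step 6: verify each signed file against the x64 kernel-mode driver signing policy.
foreach ($f in $targets) {
    Invoke-Tool "signtool.exe" @("verify", "/v", "/kp", $f.FullName)
}

# TIP: confirm each .sys is also covered by the signed catalog, not only by its embedded signature.
$cat = $targets | Where-Object Extension -eq ".cat" | Select-Object -First 1
foreach ($sys in ($targets | Where-Object Extension -eq ".sys")) {
    Invoke-Tool "signtool.exe" @("verify", "/v", "/kp", "/c", $cat.FullName, $sys.FullName)
}
```

Run it from the WDK build environment (or any prompt where inf2cat.exe and signtool.exe resolve) after logging into the token; the verify loop prints the signing and cross-certificate chains, and the last entry in the cross chain is where the Microsoft Code Verification Root should appear.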
For more information, refer to the following documents from the Microsoft knowledge base:
http://www.microsoft.com/whdc/driver/64bitguide.mspx

http://msdn.microsoft.com/en-us/library/aa388170

TIPS

  • To verify that a given driver file is covered by a given catalog file, use the following command:
    signtool verify /v /kp /c "C:\CatFileName.cat" "C:\driver.sys"
  • To significantly decrease boot time, sign all drivers and catalog files.