
64-bit Driver Kernel Mode Signing with Thawte Code Signing for Microsoft Authenticode (Multi-Purpose)

Solution

NOTE:  At this time (Oct. 2014), kernel mode signing with a SHA-256 certificate is only compatible with Windows 8. Microsoft is working on backporting SHA-256 support to Windows 7 and Vista. For maximum compatibility, it is recommended to use a SHA-1 certificate. A SHA-1 equivalent certificate can be issued for free through your Thawte management portal.

Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules are enforced by the operating system: Windows 10, version 1607 will not load any new kernel mode driver that has not been signed by the Windows Hardware Developer Center Dashboard portal. OS signing enforcement applies only to new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 are not affected by this change. The portal only accepts driver submissions, both kernel mode and user mode, that have been signed with a valid Extended Validation ("EV") Code Signing Certificate.

Note: Thawte does not offer an EV Code Signing certificate at this time. If you need one, enroll through Symantec's EV Code Signing enrollment page.

64-bit versions of Microsoft Windows require kernel mode signing.  To sign 64-bit kernel-mode software using a Thawte Code Signing for Microsoft Authenticode (Multi-Purpose) or Thawte Code Signing for Microsoft Office and VBA certificate, you will need to download and install the following:

  1. Microsoft Windows SDK (contains signtool.exe used for signing)
  2. Thawte Cross Certificate (also attached to the bottom of the page)

NOTE:  While we do our best to provide information for signing, Thawte does not support the code signing software and tools.

Use signtool.exe from a command prompt to sign your code. Two variants are shown below; the SHA-256 command is the one to use unless a legacy platform forces SHA-1.

SHA-1 with Timestamp

signtool sign /v /ac "C:\MSCV-ThawteClass3.cer" /a /s MY /n "YourIssuedToFieldName" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\YourFileName"

SHA-256 with RFC 3161 Timestamp:

signtool sign /v /ac "C:\MSCV-ThawteClass3.cer" /a /s MY /n "YourIssuedToFieldName" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp/ "C:\YourFileName"


NOTE:  Replace YourIssuedToFieldName with the company name the certificate was approved for, and as it appears in the 'Issued to' field of the certificate.  Replace YourFileName with the path and file you want to sign.

This example uses several of the arguments that SignTool supports:

  • Sign: Configures the tool to sign the intended file
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /a: Automatically selects the best signing certificate. SignTool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, SignTool expects to find only one valid signing certificate.
  • /ac: Adds the cross-certificate from the CrossCertificateFile file to the digital signature
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /kp: Performs the verification by using the x64 kernel-mode driver signing policy.
  • /n: Specifies the Common Name of a certificate.  Use this option if you have certificates issued to more than one organization in your certificate store.
  • /p: If the file is in PFX format protected by a password, use the /p option to specify the password
  • /s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is MY)
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
  • /tr: Specifies the URL of the RFC 3161 time stamp server.  This option cannot be used with the /t option.
  • /v: Specifies the verbose option for successful execution and warning messages.
      

Important: Thawte recommends that customers use the SHA-256 timestamping service going forward, and use the SHA-1 service only where a legacy platform constraint prevents the use of SHA-2.

Note:  If you are signing the file with a certificate stored in a password-protected PFX file, use the arguments "/f YourCertFileName.pfx /p pfxpassword" in place of "/a /s MY /n "YourIssuedToFieldName"" in the command.

Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
            (The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp
 

Test Your Signature
 
Method 1: Using signtool

  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, enter the directory where signtool exists
  4. Run the following:
signtool.exe verify /kp /v "C:\YourFileName"


Method 2: Using Windows

  1. Right-click the signed file
  2. Select Properties
  3. Select the Digital Signatures tab.  The signature will be displayed in the Signature list section.  
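The signing and verification steps above combined into one script, as an added example that is not part of the Thawte article. It assumes signtool.exe from the Windows SDK is on the PATH, the cross certificate was saved as C:\MSCV-ThawteClass3.cer, and the signing certificate (with private key) was imported into the Current User Personal (MY) store. Instead of the article's /a /n selection it looks the certificate up by subject name in PowerShell and passes its thumbprint to signtool with /sha1, and it adds /td sha256 so the RFC 3161 timestamp digest matches the file digest; both are standard signtool options not listed in the article. The driver path and subject name are parameters, not real values.

```powershell
# Added example (not from the Thawte article): sign a 64-bit kernel-mode driver
# with the Thawte cross certificate, then verify against the x64 kernel-mode policy.
param(
    [Parameter(Mandatory)] [string] $DriverPath,     # e.g. C:\build\mydriver.sys (hypothetical)
    [Parameter(Mandatory)] [string] $SubjectName,    # the certificate's 'Issued to' name
    [string] $CrossCert = 'C:\MSCV-ThawteClass3.cer',
    [string] $SignTool  = 'signtool.exe',
    [string] $Sha256Tsa = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp',
    [string] $Sha1Tsa   = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [switch] $LegacySha1   # only for platforms that cannot validate a SHA-2 signature
)

$ErrorActionPreference = 'Stop'

# Preflight: catch the two setup mistakes that otherwise surface as opaque signtool errors.
if (-not (Test-Path $CrossCert)) { throw "Cross certificate not found: $CrossCert" }
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for CN=$SubjectName in Cert:\CurrentUser\My"
}
Write-Host "Signing with $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# /ac embeds the cross certificate so the chain reaches the root the kernel trusts;
# /sha1 selects the exact certificate by thumbprint, avoiding ambiguity when the
# store holds several certificates for the same organization.
$signArgs = @('sign', '/v', '/ac', $CrossCert, '/s', 'MY', '/sha1', $cert.Thumbprint)
if ($LegacySha1) {
    # Authenticode timestamp; file digest stays at the SHA-1 default.
    $signArgs += @('/t', $Sha1Tsa)
} else {
    # SHA-256 file digest with an RFC 3161 timestamp whose digest also uses SHA-256.
    $signArgs += @('/fd', 'sha256', '/tr', $Sha256Tsa, '/td', 'sha256')
}
$signArgs += $DriverPath

& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the kernel-mode driver signing policy (/kp), not the default policy:
# a file that passes a plain 'signtool verify' can still be refused by the 64-bit kernel
# if the cross certificate is missing from the signature.
& $SignTool verify /kp /v $DriverPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed with exit code $LASTEXITCODE" }

# Second opinion from PowerShell: overall status, signer, and whether a timestamp is
# present. Without a timestamp the signature stops validating when the certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
[pscustomobject]@{
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
}
```

Run it as `.\Sign-Driver.ps1 -DriverPath C:\build\mydriver.sys -SubjectName "Your Company"` (both values hypothetical), adding `-LegacySha1` only for a platform that cannot validate SHA-2. Note that Get-AuthenticodeSignature reports a generic Valid status and does not apply the kernel-mode policy, which is why the signtool verify /kp step is kept.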

Related Information and Resources

Microsoft's knowledge base on this topic:

Windows Driver Kit (WDK):
http://www.microsoft.com/whdc/driver/64bitguide.mspx
Using SignTool to Sign a File:
http://msdn.microsoft.com/en-us/library/aa388170
Cross-Certificates for Kernel Mode Code Signing:
http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx
