
Kernel mode code signing

Developer https://www.devze.com 2023-01-18 21:35 Source: Internet

I made a driver, and now I need to sign it. It runs in kernel mode.

From what I've read in Microsoft's Kernel Mode Code Signing Walkthrough, I have to buy a software publisher certificate from a commercial CA. In that document, they say to look at the end, and follow this link for a list of CAs from which I can buy that certificate. I find the link very confusing somehow because I can't figure out exactly what certificate I need to buy. I need to sign the driver so that it will install on 64-bit Windows systems. A direct link would be very welcome (I would like to buy it from GlobalSign).

Is it the Microsoft Authenticode from here?


I asked a similar question in Microsoft Drivers Developers Forum some time ago. This is their answer:

You need to have your company get a code signing certificate from either GlobalSign or VeriSign (the others listed in that link are no longer offered). GlobalSign is cheaper, but VeriSign has the advantage of providing access to WHQL if that is of interest to your firm. These are not cheap; the VeriSign certificate costs $499 per year. Once you have the cert you can use it instead of the test cert to sign the driver.

Your link contains this information in Supported Platforms: Digitally sign Windows ActiveX controls via Authenticode (32 bit and 64 bit .exe, .ocx, .dll or other) and kernel software for Windows. Windows 7 compatible.

It looks like you are in the right place.

Just to be precise: I have not used the code certification yet; I just learned it. I recommend that you verify this answer on osronline or the Microsoft Drivers Developers Forum.


Check out https://www.startssl.com/?app=40 - StartSSL offers such certificates for US$ 199.00

The cross-signed CA certificate is at https://www.startssl.com/certs/ named microsoft.kernel.mode.pem or microsoft.kernel.mode.crt


You can buy a signature from Digicert.

Digicert will issue a cross signing certificate in a zip file. Unzip it: DigiCert High Assurance EV Root CA.crt

Double click it and add it to your IE personal store

Using IE, export the cert, with password to a .pfx file

The command to sign the driver is

signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .cat file"

You can use this same command to sign .exe files

signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .exe file"

Ensure this machine has internet access otherwise the signing process will fail.
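
A post-signing check for the procedure above, as an added example that is not part of any of the answers: it confirms the signature is valid, that the timestamp from the /t option was applied, and that the file passes the x64 kernel-mode signing policy. It assumes signtool.exe from the Windows SDK/WDK is on PATH; the file path and the function name Test-DriverSignature are placeholders.

```powershell
# Added example: verify a signed driver catalog after running "signtool sign".
# Assumption: signtool.exe is on PATH. The default path below is a placeholder.
param(
    [string[]]$Files = @('C:\build\mydriver.cat')   # placeholder path
)

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path         = $Path
        Status       = $sig.Status      # 'Valid' = hash matches and the chain is trusted
        Signer       = $null
        NotAfter     = $null
        Timestamped  = $false
        KernelPolicy = $false
    }

    if ($sig.SignerCertificate) {
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.NotAfter = $sig.SignerCertificate.NotAfter
    }

    # Without a timestamp the signature stops validating once the
    # signing certificate expires, so treat a missing one as a failure.
    $result.Timestamped = [bool]$sig.TimeStamperCertificate

    # /kp applies the x64 kernel-mode driver signing policy; exit code 0 = pass.
    & signtool.exe verify /kp /v $Path | Out-Null
    $result.KernelPolicy = ($LASTEXITCODE -eq 0)

    [pscustomobject]$result
}

$report = $Files | ForEach-Object { Test-DriverSignature -Path $_ }
$report | Format-Table -AutoSize

$failed = $report | Where-Object {
    $_.Status -ne 'Valid' -or -not $_.Timestamped -or -not $_.KernelPolicy
}
if ($failed) {
    Write-Error 'One or more files failed the signature checks.'
    exit 1
}
```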
