Code Signing: Vista 64 Bit


Please note that the following resources are recommended reading:

http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx - The majority of questions are answered by following the signing steps identified in this document.

http://connect.microsoft.com/ - Microsoft Connect offers a full range of driver development tools including Signtool, the command line application used to perform the signing operations. The Connection to choose is the Windows Driver Kit (WDK), Windows Logo Kit (WLK) and Windows Driver Framework (WDF).

A summary of the prerequisites for success, each of which is discussed in more detail below:-

  1. Please use a 32-bit Windows XP machine to perform the signing operation. At the time of writing (September 17th 2007) Vista 64-bit machines do not yield a successful signing result.
  2. Ensure the GlobalSign Root CA certificate is removed from the certificate store on the local machine. If the GlobalSign Root CA is present, Signtool will fail to embed the cross certificate.
  3. Ensure the cross certificate is available to the Signtool application.
  4. Ensure the GlobalSign ObjectSign end entity certificate is available in the local certificate store.

Why 32-bit Windows XP?
One of the requirements for cross certificates to be used is that the GlobalSign Root CA is removed from the Root certificate store on the signing machine. (If the root is present, Signtool builds the chain up to the root certificate instead of the cross certificate, which is incorrect for Vista kernel drivers.) Vista has a fully automated root certificate update capability that ensures the GlobalSign root certificate is always re-installed. In XP the automatic update capability can be turned off from the control panel as follows:-

Control Panel > Add/Remove Programs > Add/Remove Windows Components > uncheck "Update Root Certificates"

Note:- disconnecting a Vista system from the internet to prevent the automated download is not an ideal workaround, as it does not easily allow timestamping to be used during the final signing process.

How to remove the GlobalSign Root Certificate
At the command prompt open the certificate manager console by typing certmgr.msc and ensure the GlobalSign Root CA is removed, i.e. the self-signed certificate whose ‘Issued To’ and ‘Issued By’ fields both read GlobalSign Root CA.


Ideally, also remove any instances of the GlobalSign Root CA that may be in the Personal and Intermediate certificate stores, as shown below. Intermediate GlobalSign certificates (such as the issuing CA) can be left in place.

Removing the GlobalSign Root CA 2014 certificate

Note:- The Root certificate can be added back to the store by clicking on this link:- https://secure.globalsign.net/cacert/root.crt

Where do I get the Cross Certificate?
The Cross certificate is located here:- http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx#EMG

Download and run the application and copy the cross certificate to the directory where Signtool is to be run.


Where do I get the latest Signtool?
The WDK (Windows Driver Kit) and Windows Logo Kit are available at http://www.microsoft.com/whdc/devtools/WDK/AboutWDK.mspx


How do I know that Signtool supports Cross certificates?
Run signtool sign with no further arguments and check that the /ac option is listed in the usage output; older builds of Signtool do not support cross certificates.


How do I sign my file?
For options outside of this example please refer to the Microsoft Signtool documentation.

In the signing example below:-

  • Signtool.exe has been renamed to Signtoolac.exe to differentiate it from any other signtool.exe programs that may be on the system.
  • Timestamping options have not been selected.
  • The example toaster.sys file is from the WDK. Below, it has been signed and verified with suitable options.
  • Important Signtool options:-
      • /ac = use the cross certificate MSCV-GlobalSign.cer.
      • /sha1 = select a particular certificate from the local certificate store by its SHA-1 thumbprint.

Important Signtool options
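The following script is an added example; it is not part of this GlobalSign article and is not a Microsoft or GlobalSign tool. It ties the four prerequisites above to the signing command: it refuses to sign while a self-signed GlobalSign Root CA is in any local store, checks that the cross certificate file is next to Signtool, picks the GlobalSign end-entity certificate out of the Personal store by thumbprint for /sha1, confirms the Signtool build lists /ac, signs with /ac, and then verifies the result against the kernel-mode driver signing policy with Signtool's /kp switch (the verify options are not shown on this page). It assumes PowerShell is installed on the 32-bit XP signing machine, that Signtool has been renamed signtoolac.exe as above, that the cross certificate is saved as MSCV-GlobalSign.cer in the current directory, and that the end-entity certificate's issuer name contains "GlobalSign". The timestamp parameter is empty by default because the page's example does not timestamp.

```powershell
# Added example: prerequisite checks plus cross-certificate signing and
# kernel-mode verification of a driver. Not GlobalSign's or Microsoft's script.
param(
    [string]$Driver       = 'toaster.sys',          # WDK sample driver, as on this page
    [string]$CrossCert    = 'MSCV-GlobalSign.cer',  # Microsoft cross certificate (assumed file name)
    [string]$SignTool     = '.\signtoolac.exe',     # renamed Signtool, as on this page
    [string]$TimestampUrl = ''                      # optional /t URL; empty = no timestamp
)

$ErrorActionPreference = 'Stop'

# Prerequisite 2: no self-signed GlobalSign Root CA in the Root, Intermediate (CA)
# or Personal (My) stores, otherwise Signtool chains to the root and the cross
# certificate is never embedded.
$storesToCheck = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA',
    'Cert:\LocalMachine\My',   'Cert:\CurrentUser\My'
)
foreach ($store in $storesToCheck) {
    $root = Get-ChildItem $store |
        Where-Object { $_.Subject -match 'GlobalSign Root CA' -and $_.Subject -eq $_.Issuer }
    if ($root) {
        throw "GlobalSign Root CA still present in $store - remove it with certmgr.msc before signing."
    }
}

# Prerequisite 3: the cross certificate must be on disk where Signtool runs.
if (-not (Test-Path $CrossCert)) {
    throw "Cross certificate '$CrossCert' not found in the Signtool directory."
}

# Prerequisite 4: the GlobalSign end-entity (ObjectSign) certificate with its
# private key must be in the Personal store; its thumbprint feeds /sha1.
# Assumption: the issuer name of that certificate contains 'GlobalSign'.
$signer = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match 'GlobalSign' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $signer) {
    throw 'No GlobalSign end-entity certificate with a private key found in the Personal store.'
}

# Does this Signtool build support cross certificates? The usage text must list /ac.
$usage = & $SignTool sign 2>&1 | Out-String
if ($usage -notmatch '/ac') {
    throw 'This Signtool does not list /ac; install the Signtool from the current WDK.'
}

# Sign: /ac embeds the cross certificate, /sha1 selects the end-entity certificate.
$signArgs = @('sign', '/v', '/ac', $CrossCert, '/sha1', $signer.Thumbprint)
if ($TimestampUrl) { $signArgs += @('/t', $TimestampUrl) }
$signArgs += $Driver
& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "Signing failed (exit code $LASTEXITCODE)." }

# Verify with the kernel-mode driver signing policy (/kp). This is the check
# that fails when the chain was built to the GlobalSign root instead of the
# Microsoft cross certificate.
& $SignTool verify '/kp' '/v' $Driver
if ($LASTEXITCODE -ne 0) { throw "Kernel-mode verification failed (exit code $LASTEXITCODE)." }

Write-Host "Signed and verified $Driver with certificate $($signer.Thumbprint)."
```

Run it from the directory containing signtoolac.exe and MSCV-GlobalSign.cer, for example `.\sign-driver.ps1 -Driver toaster.sys`. If a timestamp is wanted, pass `-TimestampUrl` with your timestamp server URL; the verify step is the one worth keeping in any build script, because a signature that chains to the GlobalSign root looks valid to signtool verify without /kp but is rejected by the Vista 64-bit kernel.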