From: Alex F on
Following the "Kernel-Mode Code Signing Walkthrough" document
(http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx),
I managed to test-sign my driver. Now I want to release-sign it. From the
document:

Step 2: Obtain an SPC
Release-signing requires a code-signing certificate, also referred to as a
Software Publisher Certificate (SPC) from a commercial CA. Follow the CA's
instructions for how to acquire the code-signing certificate and install the
private key on the signing computer. For a list of SPC CAs, see "Resources"
at the end of this paper.

Here I am completely stuck. I also found this page:
http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx but it
doesn't help. Please, give me some explanations, what should I do now.
Thanks.
From: Don Burn on
You need to have your company get a code signing certificate from either
GlobalSign or VeriSign (the others listed in that link are no longer
offered). GlobalSign is cheaper, but Verisign has the advantage of
providing access to WHQL if that is of interest to your firm. These are
not cheap, the Verisign certificate costs $499 per year. Once you have
the cert you can use it instead of the test cert to sign the driver.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

From: Alex F on
Thank you! If it is possible, please give me some more details.
Let's say my company decides to buy VeriSign certificate, I guess, this is
possible from here:
http://www.verisign.com/code-signing/content-signing-certificates/microsoft-authenticode/index.html.
I understand that this gives me some .cer file, which I can use instead of
home-made .cer file. My questions:
1) How is it related to the Verisign MSCV-VSClass3.cer file that I can download
from the "Microsoft Cross-Certificates" web page?
2) Does this mean, that having such certificate, I can sign my driver, and
it can be installed in Win7 x64? Or some additional driver testing is
required?
3) From your reply: "Verisign has the advantage of providing access to WHQL
if that is of interest to your firm". Actually, I have no idea, should I be
interested in this? We have kernel-mode driver which is shipped with our
product, and I need to ensure that it can be installed in Win7 x64.
From: Don Burn on
I am not the best signing expert, but for some of the answers: first, once
you sign your driver with the cert it will be loadable in a 64-bit
environment, but it will still pop up a question of whether you trust the
vendor. If you go through WHQL, which is an additional expense and requires
passing the tests from the Windows Logo Kit (WLK), your driver will
install without the popup.

IIRC you use the cross certificate with the verisign or globalsign
certificate to sign the driver so that Microsoft has the root authority.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
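
An added example (not part of the original thread, and not the posters' or Microsoft's own script) of the release-signing step described above: sign with the SPC from the certificate store plus the cross-certificate, then verify against the kernel-mode signing policy. The driver path, subject name and timestamp URL are placeholders, and the check for "Microsoft Code Verification Root" in the verbose output assumes signtool lists the cross-certificate chain there.

```powershell
# Added example: release-sign a kernel driver and verify the resulting chain.
# Every default value below is a placeholder; replace it with your own.
param(
    [string]$Driver       = '.\mydriver.sys',          # hypothetical driver binary
    [string]$CrossCert    = '.\MSCV-VSClass3.cer',     # cross-certificate named in the thread
    [string]$SubjectName  = 'Example Company, Inc.',   # placeholder: subject of your SPC
    [string]$TimestampUrl = 'http://timestamp.example.invalid/'  # placeholder: your CA's timestamp service
)

foreach ($path in $Driver, $CrossCert) {
    if (-not (Test-Path -LiteralPath $path)) { throw "File not found: $path" }
}

# /s My + /n : pick the SPC (with its private key) from the personal store by subject name.
# /ac        : add the cross-certificate so the chain can end at Microsoft's
#              kernel-mode root instead of the commercial CA's own root.
# /t         : timestamp, so the signature stays valid after the SPC expires.
& signtool.exe sign /v /ac $CrossCert /s My /n $SubjectName /t $TimestampUrl $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /kp verifies with the kernel-mode driver signing policy, which is what
# 64-bit Windows applies at load time. A plain 'verify /pa' can succeed
# even when the cross-certificate is missing, so it is not a sufficient check.
$report = & signtool.exe verify /kp /v $Driver
if ($LASTEXITCODE -ne 0) {
    $report | Write-Output
    throw "Kernel-mode policy verification failed with exit code $LASTEXITCODE"
}

# Assumption: the verbose report lists the cross-certificate chain and names
# its root. If the root is absent, /ac was omitted or the wrong cross-cert was used.
if (-not ($report | Select-String -SimpleMatch 'Microsoft Code Verification Root')) {
    throw 'Signature verified, but the chain does not show Microsoft Code Verification Root.'
}

Write-Output "OK: $Driver is release-signed and chains to the kernel-mode root."
```

Run it on the signing computer where the SPC's private key is installed; a driver that passes this check still shows the vendor-trust prompt at install time unless it has also gone through WHQL.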

From: Alex F on
Thank you for your help.