Some notes on signing

We had some extended discussion at the MVP summit on the topic of driver signing. Jennifer Stepler from the WDK team spent a couple of hours talking through the various kinds of signing and clearing up the confusion.

To recap, there are two kinds of signing used in the [Windows] world today: code signing and device installation signing. Code signing means embedding a digital signature in your compiled binary, such as a .sys file. These signatures are checked by the loader and (on x64) your driver will not load if it’s not signed in this way. Notice that this happens at load time, which is every time PnP decides to fire up your driver (i.e. every boot, plus immediately after install time).

The other type of signing is device installation signing. The device manager checks for signatures in .cat files that go with your driver package. To sign a .cat file, you first have to generate one, and then sign it with signtool. This signature allows the device to be installed without the big nasty unsigned driver warning. There are two kinds of signatures that you can put on a driver package: you can get your driver signed by WHQL, or you can sign your driver package with your own code signing certificate, similar to other code (called an Authenticode signature). If you use an Authenticode signature, the user will get a friendly “Do you want to install software from XYZ Corp?” prompt, with an option to always trust this publisher from now on. If you use a WHQL signature, the installation is totally silent.

It is Microsoft’s recommendation to use both kinds of signatures on all drivers, x86 or x64.
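As an added example (not from the original post), the following PowerShell sequence applies both kinds of signature to a small driver package and then checks each one separately, since the kernel loader and the device installer look in different places. It assumes the WDK tools SignTool.exe and Inf2Cat.exe are on the PATH (the post says only "generate one" for the catalog; using Inf2Cat for that step is my assumption), that the publisher certificate lives in the current user's "My" store, and that the file names, publisher name, cross-certificate path and timestamp URL are placeholders to be replaced.

```powershell
# Added example, not code from the original post. Assumed layout: .\pkg holds
# mydriver.sys and mydriver.inf (constructed names); "XYZ Corp" is a hypothetical
# certificate subject; the cross-cert path and timestamp URL are placeholders.
$PackageDir = ".\pkg"
$Publisher  = "XYZ Corp"
$CrossCert  = ".\cross-cert-placeholder.cer"          # Microsoft cross-certificate for your CA
$Timestamp  = "http://timestamp.example/placeholder"  # replace with your CA's timestamp service

# 1. Code signing: embed the signature in the .sys itself. The cross-certificate
#    (/ac) is what lets the x64 loader chain your publisher cert to a trusted root.
signtool sign /v /ac $CrossCert /s my /n $Publisher /t $Timestamp "$PackageDir\mydriver.sys"

# 2. Device installation signing: build the catalog from the INF, then sign it.
#    Inf2Cat hashes every file the INF references, so the .inf is covered too.
inf2cat /driver:$PackageDir /os:Vista_X64,Vista_X86 /verbose
signtool sign /v /ac $CrossCert /s my /n $Publisher /t $Timestamp "$PackageDir\mydriver.cat"

# 3. Verify both views: what the loader sees (embedded signature on the binary)
#    and what the device installer sees (signed catalog that covers the package).
function Test-DriverPackageSignatures {
    param([string]$Dir)
    $result = @{}

    # Authenticode status of each signed artifact: 'Valid', 'NotSigned', 'HashMismatch', ...
    foreach ($f in Get-ChildItem -Path $Dir -Include *.sys, *.cat -Recurse) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $result[$f.Name] = $sig.Status
    }

    # Is the INF actually listed in the catalog? A catalog that omits the INF
    # still signs fine but the installer will not accept it for the package.
    signtool verify /v /c "$Dir\mydriver.cat" "$Dir\mydriver.inf" | Out-Null
    $result['inf_in_catalog'] = ($LASTEXITCODE -eq 0)

    # Kernel-mode driver policy (/kp): the check the x64 loader's requirement corresponds to.
    signtool verify /kp /v /c "$Dir\mydriver.cat" "$Dir\mydriver.sys" | Out-Null
    $result['sys_kernel_policy'] = ($LASTEXITCODE -eq 0)

    return $result
}

Test-DriverPackageSignatures -Dir $PackageDir
```

Running the last function on a package that is missing either signature shows which side will complain: a `NotSigned` status on the .sys means the loader will refuse it on x64, while a `NotSigned` catalog or a failed `inf_in_catalog` check means the installer will show the unsigned-driver warning even though the binary itself is signed.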

7 Responses to “Some notes on signing”

  • Anonymous Says:
    March 23rd, 2007 at 12:12 am

    re: Authenticode
    if the cert is pre-installed to trusted publisher store (either manually or through group policy in a corporation environment), the installation will go through silently. right?

    re: load time check
    will it simply check the presence of a valid signature, or will it go further to check the issuer is indeed in trusted store?

  • John Says:
    March 23rd, 2007 at 6:57 am

    These signatures are checked by the loader and (on x64) your driver will not load if it’s not signed in this way. Notice that this happens at load time, which is every time PnP decides to fire up your driver (i.e. every boot, plus immediately after install time).
    I believe this is incorrect. Embedded signatures are only required by the loader, which means they’re only needed for Boot Start drivers. Drivers loaded by the OS (e.g. most PNP drivers) require a signed catalog.

  • dispensa Says:
    March 23rd, 2007 at 9:51 am

    Anonymous: yes, if you pre-install the cert, the installation will proceed silently. Obviously, you shouldn’t do that without user consent.

    Re: the load time check, it will indeed validate that the signature is valid, using a cross-signature. I’ll try to write more about that in a future post.

    John: You can use an embedded signature on any driver; you don’t need a .cat file. If you don’t have an embedded signature, the OS will look for a signed .cat file.

  • dispensa Says:
    March 23rd, 2007 at 10:04 am

    Further clarification: by “load time” in my article, I meant when the OS loads the driver, not specifically when the OS is being loaded by the boot loader.

  • martona Says:
    March 25th, 2007 at 10:26 am

    Are you sure about that nice, friendly dialog that has an “always trust” option? On Vista x64? What we found was that by Authenticode-signing our drivers we get a big red (very unfriendly) dialog that rambles on about unsigned code, and clicking through the dialog will allow the driver to be installed. There’s no “Always trust” option, only a misleading, outright incorrect message.

  • dispensa Says:
    March 26th, 2007 at 8:37 am

    Yeah. You need to sign both the binary *and* the .cat file to get rid of the big red box. The binary signature merely lets the OS *load* the driver.

    Signing the .cat file lets the device installer see the signature too. It doesn’t look at the binary for a sig during device install, so that won’t be seen, hence the warning box.

  • martona Says:
    March 27th, 2007 at 4:27 am

    Argh - you’re right of course. I was using a .cat but forgot to include the .inf in the catalog def file. Easy to fix, and the dialog is a lot friendlier now.
