Tuesday, 5 July 2011

Driver Signing

Disclaimer: the following information has been reproduced as a step-by-step process that I have followed to create the required package, along with any extra information I found was required. I don't know the original author of the process but am happy to add credit if the person can be identified; contact me with a link.

Unsigned drivers within a package that need to be installed onto multiple machines without any prompts will appear from time to time, and there are a couple of methods to resolve this issue depending on your environment and how much control you have over it.

Both solutions require the same thing: the drivers need to be signed, and the signing certificate needs to be published to the client machine.

There are a couple of approaches to publishing the signing certificate. Firstly, if your environment is tightly controlled and you are already using Group Policy (GPOs), you can distribute the certificate to all machines via the relevant GPO; you then just need to ensure that the drivers are signed with the same central certificate each time. This is the preferred method due to its centralised control and clean approach, and you will only ever need one certificate. The second method (and the one shown in full below) is to create a certificate, sign the drivers with it, and distribute and install the certificate with the MSI package via a custom action. The second approach is a viable solution for environments where there is not such tight control over the desktops, or where the application packaging is completed off-site by another team.

Before we can start the process the following tools are required:

Download the following from Microsoft; both are freely available, although very large (typical, as we only need a few small files from them):

· Windows Server 2003 SP1 Platform SDK

· Windows Driver Kit

Once the above two packages have been downloaded and installed, we need the following files, which can be found under C:\Program Files\Microsoft Platform SDK\Bin:

  • makecert.exe
  • cert2spc.exe
  • pvk2pfx.exe
  • certmgr.exe
  • signtool.exe

You also need:

  • inf2cat.exe (C:\winDDK\7600.16385.0\bin\selfsign)
  • dpinst.exe (C:\winDDK\7600.16385.0\redist\DIFx\dpinst\EngMui\x86)

Once you have these files I recommend that you keep a copy of them safe for use at a future date (maybe in your central packaging `tools` directory).

Create your Certificate

OK, the first step is to create the certificate that you will be using.

On your development machine create a directory called "C:\DriverSigning" and copy the makecert.exe file across to this directory:

Open up a CMD prompt and navigate to the "C:\DriverSigning" directory, then enter the following command (change any reference to BovisTech to your own company name or valid identifier):

Makecert.exe -r -sv BovisTech.pvk -n "CN=BovisTech" BovisTech.cer

The following GUI will appear; enter a password and click OK to continue. In this example I have used the password "password", all lower case.

Enter the same password in the Shared Key field when the window below appears and click OK to continue.

You have now created the required certificate, but we still need to create the Software Publisher Certificate (.spc) and combine the private key and certificate into a .pfx file.

Copy cert2spc.exe into the "C:\DriverSigning" folder and run the following command:

Cert2spc.exe BovisTech.cer BovisTech.spc

Now copy the pvk2pfx.exe file across to the "C:\driverSigning" folder and run the following command:

Pvk2pfx.exe -pvk BovisTech.pvk -pi password -spc BovisTech.spc -pfx BovisTech.pfx -po password

You can also use the GUI for the export by typing the following cut-down command (I initially had issues with the full command, which is why I have included the cut-down command and the GUI steps):

Pvk2pfx.exe -pvk BovisTech.pvk -pi password -spc BovisTech.spc

The GUI will then appear as follows.

Click Next on the welcome screen.

At the next screen make sure that you select the option "Yes, export the private key" and click Next.

Click Next on the "Export File Format" screen shown below.

Enter the password in the required boxes; this is the same password that we used in the MakeCert step of the process.

Then select the location and filename to save the file to, "C:\DriverSigning\BovisTech.pfx", and click Next to continue.

Finally, click Finish to close the wizard.

This completes the certificate creation process.

Identify your drivers

Now we need to identify the driver files that are required for the install.

The drivers I am using in this example are from the Lego RoboLab software (these happen to be the ones I have handy, and they are also a good example).

Transfer your driver files to the "C:\DriverSigning\Drivers" directory on your development machine. This is where we are going to create and test our driver signing package.

My drivers contained a .cat file, but we are going to re-create this file, so we can just delete it from our drivers directory. You may not have a .cat file included in your drivers; either way we need to re-create it, so just delete the supplied one.

Create your .Cat file

Firstly there are a couple of things to check in the .inf file.

Edit the .inf file with Notepad.

The contents of my file are (I've only included the lines of interest):

DriverVer=01/21/2004, 1.0.50.0164

Class=LEGODevices

ClassGUID={03B3FAA0-00BE-11d4-B2F7-00C04FA4CB5A}

;CatalogFile=LTower.cat

Two things to notice about the extract of the .inf file: the "DriverVer=" date must be set to after 04/01/2006, which is a requirement for Windows Vista and above (I am currently testing on Windows 7 32-bit). The second thing to note with this .inf file is that the "CatalogFile=" line has been commented out and needs to be added back in.

The new .inf file section now looks like this:

DriverVer=01/01/2011, 1.0.50.0164

Class=LEGODevices

ClassGUID={03B3FAA0-00BE-11d4-B2F7-00C04FA4CB5A}

CatalogFile=LTower.cat
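
The following pre-flight check is an added example, not part of the original post: it reads the .inf before inf2cat runs and reports the two problems described above (a DriverVer date that is not after 04/01/2006, or in the future, and a CatalogFile= line that is missing or commented out). The INF path is a placeholder.

```powershell
# Added example, not from the original post: pre-flight check of a driver .inf
# before running inf2cat. Checks the DriverVer date and the CatalogFile= line.
# The INF path and the cutoff date are taken from the post; adjust as needed.
param(
    [string]$InfPath = "C:\DriverSigning\Drivers\LTower.inf",
    [datetime]$MinDriverDate = [datetime]"2006-04-01"
)
$lines    = Get-Content -Path $InfPath
$problems = @()

# DriverVer=mm/dd/yyyy,version (the INF date is always written in US format)
$verLine = $lines | Where-Object { $_ -match '^\s*DriverVer\s*=' } | Select-Object -First 1
if (-not $verLine) {
    $problems += "DriverVer= line is missing"
} elseif ($verLine -match '^\s*DriverVer\s*=\s*(\d{1,2}/\d{1,2}/\d{4})\s*,\s*[\d.]+') {
    $date = [datetime]::ParseExact($Matches[1], "M/d/yyyy", [cultureinfo]::InvariantCulture)
    if ($date -le $MinDriverDate) { $problems += "DriverVer date $($Matches[1]) is not after $($MinDriverDate.ToString('MM/dd/yyyy'))" }
    if ($date -gt (Get-Date))     { $problems += "DriverVer date $($Matches[1]) is in the future" }
} else {
    $problems += "DriverVer line is malformed: $verLine"
}

# CatalogFile= tells inf2cat which .cat to create; a leading ';' comments it out
$active    = $lines | Where-Object { $_ -match '^\s*CatalogFile\s*=\s*\S' }  | Select-Object -First 1
$commented = $lines | Where-Object { $_ -match '^\s*;\s*CatalogFile\s*=' } | Select-Object -First 1
if (-not $active) {
    if ($commented) { $problems += "CatalogFile= is commented out: $($commented.Trim())" }
    else            { $problems += "CatalogFile= line is missing" }
}

if ($problems.Count -eq 0) { Write-Host "OK: $InfPath is ready for inf2cat"; exit 0 }
$problems | ForEach-Object { Write-Host "FAIL: $_" }
exit 1
```

Run it against the original .inf shown above and it reports both problems; run it against the corrected section and it reports OK.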

To create the .cat file we need the utility inf2cat.exe; if not already done, transfer this to the "C:\driverSigning" directory and run the following command:

Inf2cat /driver:"C:\DriverSigning\Drivers" /os:7_x86 /verbose

Ensure the driver directory is set correctly to point to the folder that contains all the driver files.

The desktop OS version flags are (a full list is available from Microsoft's website):

· Windows 7 x64 Edition - 7_X64

· Windows 7 x86 Edition - 7_X86

· Windows Vista x64 Edition - Vista_X64

· Windows Vista x86 Edition - Vista_X86

· Windows XP x64 Edition - XP_X64

· Windows XP x86 Edition - XP_X86

· Windows 2000 - 2000

Signing the Cat file

Now that we have created the .cat file and the certificates, we need to sign the .cat file with the .pfx file we created earlier, using signtool.exe.

Copy signtool.exe to the "C:\DriverSigning" folder and enter the following command:

Signtool sign /f bovistech.pfx /p password /t http://timestamp.verisign.com/scripts/timestamp.dll /v C:\driversigning\drivers\ltower.cat

This should result in the .cat file being signed and time stamped.

Testing the Signed driver

So now you have a collection of files: the driver files themselves, the all-important certificate file, and the .cat file that has been signed with our newly created certificate. We can test the result with the following process.

Copy the CertMgr.exe to the "C:\DriverSigning" folder and run the following commands:

certMgr -add BovisTech.cer -s -r LocalMachine TRUSTEDPUBLISHER

certMgr -add BovisTech.cer -s -r LocalMachine ROOT

These should both result in the output "CertMgr Succeeded". If you get an error, double-check the command line and also ensure you are using plain hyphen-minus characters (-) and not typographic dashes, which web pages and word processors often substitute.

The certMgr commands above will become our custom actions when we create the MSI package.

Finally, test the driver install:

Copy the dpinst.exe utility across to the "C:\driverSigning" directory and run the following command:

dpinst /PATH C:\DriverSigning\Drivers\. /A /F /SA /S

This should install the drivers silently and you should be able to plug in your hardware to fully test.
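The whole procedure above as one repeatable script is an added example, not part of the original post. It stops at the first failing tool, verifies the catalog signature after the certificate has been trusted, and decodes dpinst's bit-packed exit code, which is non-zero even on success. It assumes an elevated prompt and the tools copied to C:\DriverSigning; the company name, password and LTower.cat file name are placeholders.

```powershell
# Added example, not from the original post: the driver-signing procedure as one script.
# Assumes an elevated prompt and the tools copied to C:\DriverSigning.
# $Name, $Password and the .cat file name are placeholders.
$ErrorActionPreference = "Stop"
$Work     = "C:\DriverSigning"
$Drivers  = Join-Path $Work "Drivers"
$Name     = "BovisTech"   # placeholder: your own company name / CN
$Password = "password"    # placeholder; the .pvk/.pfx becomes a trust root on every client, keep it out of the package
$Cat      = Join-Path $Drivers "LTower.cat"
Set-Location $Work

function Invoke-Step([string]$What, [scriptblock]$Cmd) {
    Write-Host "==> $What"
    & $Cmd
    if ($LASTEXITCODE -ne 0) { throw "$What failed (exit code $LASTEXITCODE)" }
}

# 1. Certificate: create it once and reuse it, so every client only needs this one cert.
#    makecert prompts for the private-key password in a dialog, as described above.
if (-not (Test-Path "$Name.pfx")) {
    Invoke-Step "makecert" { .\makecert.exe -r -sv "$Name.pvk" -n "CN=$Name" "$Name.cer" }
    Invoke-Step "cert2spc" { .\cert2spc.exe "$Name.cer" "$Name.spc" }
    Invoke-Step "pvk2pfx"  { .\pvk2pfx.exe -pvk "$Name.pvk" -pi $Password -spc "$Name.spc" -pfx "$Name.pfx" -po $Password }
}

# 2. Catalog: delete any vendor-supplied .cat first, then rebuild it from the .inf.
Remove-Item $Cat -ErrorAction SilentlyContinue
Invoke-Step "inf2cat" { .\inf2cat.exe "/driver:$Drivers" /os:7_X86 /verbose }

# 3. Sign and timestamp the catalog.
Invoke-Step "signtool sign" { .\signtool.exe sign /f "$Name.pfx" /p $Password /t http://timestamp.verisign.com/scripts/timestamp.dll /v $Cat }

# 4. Trust the certificate on this machine (the two commands that become the MSI custom action).
Invoke-Step "certmgr TrustedPublisher" { .\certmgr.exe -add "$Name.cer" -s -r localMachine TrustedPublisher }
Invoke-Step "certmgr Root"             { .\certmgr.exe -add "$Name.cer" -s -r localMachine Root }

# 5. Verify the signature chains to a trusted store before touching the driver store.
Invoke-Step "signtool verify" { .\signtool.exe verify /pa /v $Cat }

# 6. Silent install. dpinst packs its result into the exit code, so non-zero is not an error:
#    bits 0-7 = installed, 8-15 = copied to store only, 16-23 = failed, bit 31 = reboot needed.
Write-Host "==> dpinst"
.\dpinst.exe /PATH $Drivers /A /F /SA /S
$rc        = $LASTEXITCODE
$installed = $rc -band 0xFF
$failed    = ($rc -shr 16) -band 0xFF
$reboot    = $rc -lt 0        # bit 31 set makes the Int32 negative
if ($failed -ne 0) { throw "dpinst: $failed driver package(s) failed to install (code $rc)" }
Write-Host "dpinst: $installed package(s) installed; reboot required: $reboot"
```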

1 comment:

  1. Thanks for this work. All of the other information I found on the interwebz is outdated or doesn't work. This worked great.
