Test Signing the Drivers
------------------------

Signing the drivers requires Windows Device Driver Kit version 7600.16385.1
or later.  The following commands should be executed in a tree containing the
INF files you want to sign.  Note that Windows 2000 INF file syntax is not
understood by inf2cat.  Since inf2cat operates recursively on all directories
below the one it is executed in, it is important to ensure that no Windows 2000
INF files exist in the subtree.

This information is derived from a Microsoft document named "Code Signing Best
Practices" which can be found at http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/best_practices.doc

This file contains instructions on test signing drivers using a certificate
that you create yourself and also on production signing drivers using a
certificate issued by a trusted commercial certificate authority.

Creating a test certificate
---------------------------

Prior to running the signtool command, you must create a test certificate for
use in signing your drivers and install this certificate on your machine.  This
need only be done once using the following commands from a Windows Device
Driver Kit build environment command prompt:

1. makecert.exe -$ individual -r -pe -ss TestCertStore -n "CN=<YourTestCertificateName>" TestCertificate.cer

where you replace <YourTestCertificateName> with a string identifying the
certificate source and the fact that it is a test certificate. An example may
be "Company XYZ Software Test Certificate".

2. CertMgr -add TestCertificate.cer -s -r localMachine root

to add the newly created certificate to your machine's local store.

Test Signing the Drivers
------------------------

In a directory containing all the INF files for drivers you wish to sign,
execute the following commands:

1. Build catalog files for each driver with the command:

inf2cat /driver:. /os:7_X64,7_X86,Vista_X64,Vista_X86,XP_X86,XP_X64

2. Sign the catalog files with your software test certificate:

signtool sign /v /s TestCertStore /n "<YourTestCertificateName>" /t http://timestamp.verisign.com/scripts/timestamp.dll XXX.cat

calling this tool once for each of the .cat files generated by inf2cat. This
assumes that the "<YourTestCertificateName>" certificate has been installed
on your build machine in the TestCertStore certificate store.

Release Signing Drivers
-----------------------

Release signing drivers involves the use of a Software Publisher Certificate
(SPC) issued by a commercial certificate authority (CA). See

http://msdn.microsoft.com/en-us/library/ff549391%28v=VS.85%29.aspx

for information on obtaining such a certificate.

To set up your build machine with the correct certificates, do the 
following. This only needs to be done once (or whenever your signing
certificate expires and needs to be updated).

1. Obtain a Software Publisher Certificate. This may be provided in the form
of a Personal Information Exchange (.pfx) file or as an .spc file containing
the certificate and a separate .pvk file containing the private key.

2. If you received a .spc file and a .pvk file, convert them to a .pfx
file as described in

  http://msdn.microsoft.com/en-us/library/ff549703%28v=VS.85%29.aspx

The required command will look something along the lines of the
following, with filenames and passwords replaced with customer-specific
values:

  Pvk2Pfx -pvk abc.pvk -pi pvkpassword -spc abc.spc -pfx abc.pfx -po pfxpassword -f

3. Import the PFX file into the Windows Certificate Store using:

  certutil -user -p pfxpassword -importPFX abc.pfx

where "pfxpassword" is the password for the PFX file as provided either
to the issuing CA or in the pvk2pfx step above.

If you don't have "certutil.exe" (which is likely if you're not running
Windows Server), you can also use the CertMgr tool that is included in
the DDK. Run this in GUI mode (start using "certmgr" with no command line
parameters) and choose "Import". Add the .pfx file to your Personal
certificate store.

4. Obtain the Microsoft cross certificate associated with your CA by
following the instructions found at:

  http://msdn.microsoft.com/en-us/library/ff541084%28v=VS.85%29.aspx

If you find that the thumbprint of the root authority certificate in
your certificate chain doesn't match the one in this document and you
used Verisign, get the closest matching cross certificate, then perform
some additional certificate juggling to install two intermediate
certificates as described here:

  http://www.64k-tec.de/2011/02/kernel-driver-code-signing-with-the-verisign-class-3-primary-ca-g5-certificate/

Make sure you install the intermediate certificates into the
"Trusted Root Certification Authorities" store rather than the default
that is offered when you double-click the .der files.

5. Copy the Microsoft cross-certificate into a known location on the
build system hard disk since you will need to reference it directly
during future signing operations.

Each time you want to sign a driver, do the following from within the
driver directory (the directory containing the driver INF file(s)):

1. Create your driver CAT files as usual using inf2cat:

inf2cat /driver:. /os:7_X64,7_X86,Vista_X64,Vista_X86,XP_X86,XP_X64

2. Sign the catalog files with your release certificate:

signtool sign /v /n "<YourCertificateName>" /ac "<FullPathToCrossCertificate>.cer" /t http://timestamp.verisign.com/scripts/timestamp.dll <YourCATFile>.cat

calling this tool once for each of the cat files generated by inf2cat. This
assumes that the "<YourCertificateName>" certificate has been installed
on your build machine in the Personal certificate store for the current user.
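
As an added example (not part of the original instructions) that covers both the test-signing and the release-signing procedures above, the following batch script runs inf2cat, signs every catalog it produced and then verifies each signature with signtool, so that a bad store, name or cross-certificate path is caught on the build machine rather than at install time. It assumes a DDK build-environment prompt in the driver directory, the certificate store, names and cross-certificate path described earlier in this file, and a script name of signdrivers.cmd (chosen here).

```batch
@echo off
setlocal
rem Added example, not from the original document: build, sign and verify
rem every driver catalog below the current directory in one pass.
rem   signdrivers.cmd test
rem   signdrivers.cmd release "<YourCertificateName>" "<FullPathToCrossCertificate>.cer"
rem Assumes a DDK build-environment prompt in the driver directory and the
rem certificate store and names set up earlier in this file.

set "MODE=%~1"
set "TIMESTAMP=http://timestamp.verisign.com/scripts/timestamp.dll"
set "OSLIST=7_X64,7_X86,Vista_X64,Vista_X86,XP_X86,XP_X64"
rem Name given to makecert -n; replace with your own test certificate name.
set "TESTCERTNAME=<YourTestCertificateName>"

if /i "%MODE%"=="release" (
    if "%~3"=="" (echo usage: %~nx0 release CertName CrossCert.cer & exit /b 1)
    set "CERTNAME=%~2"
    set "CROSSCERT=%~3"
) else if /i not "%MODE%"=="test" (
    echo usage: %~nx0 test  -or-  %~nx0 release CertName CrossCert.cer
    exit /b 1
)

rem 1. Build the catalogs. inf2cat recurses into subdirectories, so the tree
rem    must not contain Windows 2000 INF files.
inf2cat /driver:. /os:%OSLIST% || exit /b 1

rem 2. Sign each catalog, then verify it. /pa checks the default Authenticode
rem    policy, so the test certificate must be in the Trusted Root store as in
rem    step 2 of "Creating a test certificate". /kp checks the kernel-mode
rem    driver signing policy: the chain must reach the Microsoft Code
rem    Verification Root through the cross-certificate given with /ac.
rem    Test-signed drivers load on 64-bit Vista and later only when the
rem    target machine has test-signing mode enabled.
for /r %%C in (*.cat) do (
    echo Signing %%C
    if /i "%MODE%"=="test" (
        signtool sign /v /s TestCertStore /n "%TESTCERTNAME%" /t %TIMESTAMP% "%%C" || exit /b 1
        signtool verify /v /pa "%%C" || exit /b 1
    ) else (
        signtool sign /v /n "%CERTNAME%" /ac "%CROSSCERT%" /t %TIMESTAMP% "%%C" || exit /b 1
        signtool verify /v /kp "%%C" || exit /b 1
    )
)
echo All catalogs signed and verified.
endlocal
```

The script stops at the first failing command and returns a non-zero exit code, so it can be called from a build script without silently producing unsigned or mis-signed catalogs.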

