Tags: digital-signature, windows-7-x64, wdk

Win7 64bit legacy nt4 driver signing issue


It's been since WinXP that I last used the Windows DDK (now WDK), and I've noticed something big has changed.

I'm developing a legacy NT4 filter driver (without .inf and without .cat) with the latest Win7 DDK, my environment is

Windows 7 64bit
Visual Studio 2010
WinDDK v7600.16385.1
VisualDDK plugin for VS (latest version)

I have an issue self-signing this driver; since I'm still developing it, I don't have (and don't know how to get) an appropriate WHQL certificate, so I'm following a procedure I found online.

@echo off

set SIGNTOOL="c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe"
set MAKECERT="c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\makecert.exe"
set PVK2PFX="c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\pvk2pfx.exe"
set CERTPVK="C:\Users\myself\Desktop\testdriver\avtxagent\package\mycompanynametest.pvk"
set CERTPFX="C:\Users\myself\Desktop\testdriver\avtxagent\package\mycompanynametest.pfx"
set CERT="C:\Users\myself\Desktop\testdriver\avtxagent\package\mycompanynametest.cer"
set DRIVER="C:\Users\myself\Desktop\testdriver\avtxagent\package\avtxagent.sys"
set CERTSUBJ="mycompanyname (test)"

del *.cer *.pfx *.pvk
cls
:: self-signed test certificate (private key goes to the .pvk file)
%MAKECERT% -r -n "CN=mycompanyname (test)" -sv %CERTPVK% %CERT%
:: combine private key and certificate into a PFX for signtool
%PVK2PFX% -pvk %CERTPVK% -spc %CERT% -pfx %CERTPFX%
pause
cls
:: embedded-signature signing of the .sys with a timestamp
%SIGNTOOL% sign /v /f %CERTPFX% /t "http://timestamp.verisign.com/scripts/timestamp.dll" %DRIVER%
pause
cls
:: verification
%SIGNTOOL% verify /pa /v %DRIVER%

pause

Basically what I'm doing is generating the certificate each time (I've already tried with a certificate generated only once, same issue), signing my driver and then trying to verify the signature. In this last step, the verification, I get the error:

SignTool Error: A certificate chain processed, but terminated in a
                root certificate which is not trusted by the trust provider.

Obviously when I try to install and then start the legacy driver both programmatically and with sc, I get the error:

[SC] CreateService SUCCESS
[SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

If I follow this guide http://technet.microsoft.com/en-us/library/cc754841.aspx and import the certificate inside the Trusted Certification the verification process goes well, but I get the same error from sc.

What am I doing wrong? And can anyone explain what I have to do to get an appropriate certificate for use in a production environment, since the documentation is kind of lacking?


Solution

  • You don't need a WHQL signature to sign a kernel-mode driver. What you do need is a code signing certificate purchased from GlobalSign or Verisign (others won't work). When you have one, use this code signing certificate to sign your driver. NOTE: you also need to include a cross-certificate from Microsoft.

    Alternatively (solely for debugging purposes) you can load the system in test mode, in which the signature is not checked. To do this you need to press F8 during system boot and choose the corresponding option in the menu.
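The two routes the answer describes, as an added example script that is not part of the question or answer: a release branch that signs with a CA-issued certificate plus the Microsoft cross-certificate, and a test branch that uses a self-signed certificate with test signing enabled. The SDK path and driver path are taken from the question; the PFX, cross-certificate and PFXPASS names are assumptions, and the verify step uses the kernel-mode policy (/kp) rather than /pa, because that is the policy the loader actually applies.

```batch
@echo off
:: Added example, not the poster's script. Paths marked "assumed" must be
:: adjusted to your environment.
setlocal
set SDKBIN=c:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin
set SIGNTOOL="%SDKBIN%\signtool.exe"
set MAKECERT="%SDKBIN%\makecert.exe"
set CERTMGR="%SDKBIN%\certmgr.exe"
set DRIVER="C:\Users\myself\Desktop\testdriver\avtxagent\package\avtxagent.sys"
set TSURL="http://timestamp.verisign.com/scripts/timestamp.dll"

if "%1"=="release" goto release
if "%1"=="test" goto test
echo usage: %~nx0 release ^| test
exit /b 1

:release
:: CA-issued code-signing certificate (assumed path) and the Microsoft
:: cross-certificate for that CA (assumed path). /ac adds the cross-cert,
:: which is what chains the CA root to the Microsoft root the kernel
:: trusts; without it /pa verification passes but the kernel policy fails.
set RELEASEPFX="C:\secure\company-codesign.pfx"
set CROSSCERT="C:\secure\microsoft-cross-cert-for-your-ca.cer"
if not defined PFXPASS (echo set PFXPASS to the PFX password first & exit /b 1)
%SIGNTOOL% sign /v /ac %CROSSCERT% /f %RELEASEPFX% /p %PFXPASS% /t %TSURL% %DRIVER%
goto verify

:test
:: Self-signed test certificate with the code-signing EKU, generated into
:: the PrivateCertStore store so no .pvk private key file lands on disk.
%MAKECERT% -r -pe -ss PrivateCertStore -n "CN=mycompanyname (test)" -eku 1.3.6.1.5.5.7.3.3 testcert.cer
%SIGNTOOL% sign /v /s PrivateCertStore /n "mycompanyname (test)" /t %TSURL% %DRIVER%
:: Trusting the test cert on this machine lets signtool verify the chain;
:: it does not make the kernel accept the driver, only test signing does.
%CERTMGR% /add testcert.cer /s /r localMachine root
:: Persistent alternative to the per-boot F8 option from the answer.
bcdedit /set testsigning on
echo Reboot before starting the driver; test signing applies after restart.
goto verify

:verify
:: /kp = kernel-mode driver signing policy; /pa only checks Authenticode.
%SIGNTOOL% verify /kp /v %DRIVER%
endlocal
```

Running `verify /kp` against the original self-signed build reproduces the "terminated in a root certificate which is not trusted" error, which is the same check the loader applies when sc reports error 577.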