Tags: windows, 64-bit, makecert, driver-signing

Driver signing: how to get MakeCert test certificates to work on x64


I'm trying to load a kernel driver that's been signed with a certificate generated by MakeCert.exe.

I followed the instructions given in the Windows Driver Kit documentation:

  1. Sign the driver with MakeCert.exe
  2. Verify the signature with SignTool verify /v /pa DriverFileName.sys
  3. Install the cert into the test computer's Trusted Root Certification Authorities store and Trusted Publishers store, using CertMgr.exe

When I verify the signature with SignTool verify /v /pa DriverFileName.sys as described in WDK Microsoft Docs, SignTool reports that the signature is ok. I've done this on both the development computer and the test machine that is supposed to load the driver.

However, the driver doesn't actually load. The Windows CodeIntegrity log says 3004: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\path\DriverFileName.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

I looked at this similar question. I get the same results as in that question, when I run SignTool verify /v /kp DriverFileName.sys. It says: SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.

The linked question's resolution involved using a real, non-test certificate, and changing the signing setup so that it correctly chained to the Microsoft Root Certificate. I'm not yet at that stage; I just want to get my test infrastructure working "properly".

I'm interested in having the kernel load my driver, and verify the signature using the certificates that I've manually installed on the test machine. I know I can use bcdedit -set testsigning yes to disable signature validation entirely, but that seems like overkill - it will allow any signed driver to run, even if it wasn't signed with the test certificate I've installed on the machines. Is it possible to leave "testsigning" mode turned off (so the driver signature is still actually validated against an installed cert), but still use my internal self-generated MakeCert.exe test certificate?
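The following PowerShell script is an added diagnostic, not code from the question or the answer. It checks on the test machine the three things that together explain the behaviour described above: whether testsigning is on in the current boot entry, whether the driver's signature passes signtool's default Authenticode policy (/pa) as opposed to the kernel-mode policy (/kp), and whether Code Integrity has logged event 3004 for that file. It assumes signtool.exe is on PATH and that the driver path is supplied as a parameter (the path in the comment is a placeholder).

```powershell
# Added diagnostic (not from the original post): why does x64 Code Integrity reject this driver?
# Assumes signtool.exe (from the WDK) is on PATH. Run in an elevated PowerShell on the test machine.
param(
    [Parameter(Mandatory = $true)]
    [string]$DriverPath   # placeholder, e.g. C:\path\DriverFileName.sys
)

# 1. Is TESTSIGNING enabled? bcdedit lists "testsigning  Yes" for the current boot entry when it is.
$bcd = bcdedit /enum '{current}' 2>&1 | Out-String
$testSigning = $bcd -match 'testsigning\s+Yes'
Write-Host "testsigning enabled : $testSigning"

# 2. What does the embedded signature look like, and which signtool policy does it satisfy?
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
Write-Host "Authenticode status : $($sig.Status)"
Write-Host "Signer subject      : $($sig.SignerCertificate.Subject)"

# /pa = default Authenticode verification policy (the check in the question's step 2).
& signtool.exe verify /v /pa $DriverPath | Out-Null
$paOk = ($LASTEXITCODE -eq 0)
# /kp = kernel-mode driver policy (requires a chain to a Microsoft root, as the question observes).
& signtool.exe verify /v /kp $DriverPath | Out-Null
$kpOk = ($LASTEXITCODE -eq 0)
Write-Host "signtool /pa passes : $paOk"
Write-Host "signtool /kp passes : $kpOk"

# 3. Recent Code Integrity 3004 events naming this driver (the error quoted in the question).
$name = [System.IO.Path]::GetFileName($DriverPath)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3004 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$name*" } |
    Select-Object TimeCreated, Message |
    Format-List

# Summarise the combination the question describes: /pa passes, /kp fails, testsigning off.
if (-not $testSigning -and $paOk -and -not $kpOk) {
    Write-Host "Signature passes the Authenticode policy but not the kernel-mode policy; with testsigning off, x64 Code Integrity will not load it, whichever stores the test certificate was imported into."
}
```

Running it against the driver from the question is expected to print /pa as passing and /kp as failing, matching the two SignTool results quoted above; the 3004 events confirm that the kernel's verdict, not the user-mode certificate stores, is what decides whether the driver loads.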


Solution

  • It looks like the answer is no, it's not possible.

    Can I install self-signed drivers on 64-bit Windows without test mode if the self-signed CA root certificate is imported to the machine store?

    The WDK documentation seems quite misleading. Installing the certificate generated by MakeCert.exe on x64 test machines seems to be entirely pointless, since the kernel never pays any attention to it.

    If TESTSIGNING mode is on, the signature isn't validated, so the cert doesn't need to be installed.

    If TESTSIGNING mode is off, the self-signed certificate isn't cross-signed by anything the kernel trusts, so it's not considered valid, so installing the cert doesn't help.

    I'm happy to accept corrections.