Tags: windows, code-signing, signtool

Can I self-sign user-mode USB drivers, or do I need to go through Microsoft's Hardware Program?


Microsoft has deprecated their support for cross-signed root certificates for kernel-mode drivers: https://knowledge.digicert.com/alerts/Kernel-Mode.html

I occasionally release software with USB drivers (as a pair of .inf and .cat files). Until now, I have been signing them with signtool, using:

signtool.exe sign /a /ac $ROOT_CA_CERTIFICATE /tr $TIMESTAMP_SERVICE_URL /td SHA256 $MY_CAT_FILE

and verifying by:

signtool.exe verify /v /kp $MY_SIGNED_CAT_FILE

Under the recent deprecation, this no longer works (details below). The apparent alternative seems to be treating my driver as though it were kernel-mode, and going through Microsoft's full qualification route -- which is cumbersome and prohibitive in several ways.

Is there an easier way to self-sign my driver, given that it does not require kernel-mode?

(I am not well-versed in signtool and code-signing, so don't hesitate to tell me if I'm missing something obvious!)


Details on the signature/verification failures I'm receiving:

  • If I continue to sign using /ac $ROOT_CA_CERTIFICATE, I get the following error, which seems due to the expiration of the cross-certificate:
    Signtool Error: The provided cross certificate would not be present in the certificate chain.

  • If I leave that out, I can successfully sign, but verification with /kp fails:
    SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
    Whereas with the /kp argument, I get this failure:
    SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


Solution

  • Yes, you can sign your user-mode driver despite the Microsoft change.

    If the verification fails, it could be that the signature used a code-signing certificate and, as SignTool uses the Windows Driver Verification Policy by default, you want to avoid that policy and instead use the Default Authentication Verification Policy to verify your file.

    So, add the /pa option to your verify command to tell it to use the Default Authentication Verification Policy instead of the Windows Driver Verification Policy, meaning it will look at your certificate stores instead of the limited set of CAs Microsoft trusts with drivers.

    signtool.exe verify /v /pa $MY_SIGNED_CAT_FILE
    

    This should give you a success, e.g.:

    Successfully verified: .\Sources\Driver\usbcom.cat
    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0
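
An added worked example (not code from the question, the answer, or SignTool's documentation) that puts the two halves of this thread together: it signs the catalog the way the question does, minus the deprecated /ac cross-certificate, then verifies it under both policies so the /kp failure and the /pa success from the answer show up side by side, and finally lets Windows build the signer's chain so you can see which root it terminates in and whether that root is in the local Trusted Root store. The SignTool path, the catalog path, the certificate thumbprint and the timestamp URL are placeholders you must replace; only the flags used here (sign /fd /sha1 /tr /td, verify /v /kp /pa) are real SignTool options.

```powershell
<#
Added example, not from the original thread. Signs a user-mode driver catalog
with an ordinary code-signing certificate and verifies it under both SignTool
policies, then inspects the chain Windows builds for the signer.
Assumptions (hypothetical values, adjust to your machine): the SignTool path,
the .cat path, the certificate thumbprint and the timestamp server URL.
#>
param(
    [string]$SignTool       = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe",
    [string]$CatFile        = ".\Sources\Driver\usbcom.cat",
    [string]$CertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567",   # placeholder thumbprint
    [string]$TsaUrl         = "http://timestamp.example.invalid"            # placeholder RFC 3161 TSA
)

if (-not (Test-Path $SignTool)) { throw "signtool.exe not found at $SignTool" }
if (-not (Test-Path $CatFile))  { throw "catalog not found: $CatFile" }

# 1. Sign. /sha1 selects the certificate by thumbprint from the CurrentUser\My store
#    (more predictable than /a), /fd SHA256 hashes the file with SHA-256, and /tr + /td
#    add an RFC 3161 timestamp so the signature stays valid after the cert expires.
#    No /ac: the cross-certificate is exactly what the deprecation broke.
& $SignTool sign /v /fd SHA256 /sha1 $CertThumbprint /tr $TsaUrl /td SHA256 $CatFile
if ($LASTEXITCODE -ne 0) { throw "signing failed (signtool exit code $LASTEXITCODE)" }

# 2. Verify under each policy. /kp is the Windows Driver Verification Policy, which
#    requires a chain to a Microsoft root; /pa is the Default Authentication
#    Verification Policy, which accepts any root trusted by this machine's stores.
function Test-SignToolPolicy {
    param([string]$Policy)   # '/kp' or '/pa'
    $out = & $SignTool verify /v $Policy $CatFile 2>&1 | Out-String
    [pscustomobject]@{
        Policy   = $Policy
        Verified = ($LASTEXITCODE -eq 0)
        Detail   = (($out -split "`r?`n") | Where-Object { $_ -match 'Error|Successfully' }) -join '; '
    }
}
$results = '/kp', '/pa' | ForEach-Object { Test-SignToolPolicy $_ }
$results | Format-Table -AutoSize

# 3. Independently of SignTool, look at the chain Windows builds for the signer.
$sig = Get-AuthenticodeSignature -FilePath $CatFile
"Authenticode status : $($sig.Status)"
"Signer              : $($sig.SignerCertificate.Subject)"
"Timestamped         : $([bool]$sig.TimeStamperCertificate)"

$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps this runnable offline; enable for release checks
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain terminates in : $($root.Subject)"

$trustedRoot = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object Thumbprint -eq $root.Thumbprint)
"Root in Trusted Root store : $($trustedRoot.Count -gt 0)"

# Interpretation: '/pa' passing while '/kp' fails is the expected state for a user-mode
# driver signed with an ordinary code-signing certificate. If '/pa' also fails, the root
# printed above is not trusted on this machine: a store problem, not a policy problem.
```

Run it from the directory that holds the catalog, with the certificate's private key available in CurrentUser\My. The chain section is the part worth keeping around: the two SignTool error messages in the question ("does not chain to a Microsoft Root Cert" versus "terminated in a root certificate which is not trusted") are exactly the two questions this script answers separately, which root the chain ends in and whether that root is trusted locally.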