Sign your unsigned drivers - Damn It

Jun 08 2012

The drivers saga continues...

Update 2015-01-28: This article is for Windows 7 only. To learn how to sign drivers for Windows 8.1 and Windows Server 2012 R2 with real certificates, see this article:

Deploying Windows Server 2012 R2 to Intel NUC devices using MDT 2013

http://www.deploymentresearch.com/Research/tabid/62/EntryId/222/Deploying-Windows-Server-2012-R2-to-Intel-NUC-devices-using-MDT-2013.aspx



For a driver to be ranked correctly by Windows 7 setup it should be signed, and for Windows 7 x64 deployments it really needs to be signed. However, sometimes vendors don't provide signed drivers, or you need to modify a driver for a specific device, and any such modification invalidates the existing signature. For Windows 7, the solution is to sign the driver yourself.

In this example you sign an unsigned driver for Windows 7 named b57nd60a.inf (yes, it's the Broadcom NetXtreme Desktop driver) for the fictional company ViaMonstra. The scenario is that you have modified the b57nd60a.inf file, so the original signature no longer matches and the driver is effectively unsigned.

This means that if you, for example, try to add the driver to the Windows 7 driver store using pnputil -a b57nd60a.inf, you will be met by the following error:

Signing drivers - Overview

- Get the tools
- Create the certificate and private key
- Create the catalog file
- Sign and timestamp the driver
- Install the certificate


Signing drivers - Detailed steps

Again, in this example you sign an unsigned driver named b57nd60a.inf for the fictional company ViaMonstra. Remember that the scenario is that you have modified the b57nd60a.inf file, so the original signature no longer matches.


Step 1 - Get the tools

- Go to www.microsoft.com/downloads, download and install the Windows SDK for Windows 7

- Go to www.microsoft.com/downloads, download and install the Windows Driver Kit 7.1.0



Step 2 - Create the certificate and private key

- Create a folder named C:\ViaMonstraDriversCert

- Start the command prompt and type the following commands, pressing Enter after each command.

cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"

makecert -r -sv C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -n CN="ViaMonstra" C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer


When makecert prompts for the private key password, assign a password of P@ssw0rd (the same value is passed to pvk2pfx below with -pi and -po).


cert2spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc

pvk2pfx -pvk C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -pi P@ssw0rd -spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc -pfx C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx -po P@ssw0rd


Step 3 - Create the catalog file

- Create the C:\ViaMonstraDriversCert\Broadcom folder and copy the b57nd60a.inf and b57nd60a.sys files to it.

- Start the command prompt and type the following commands, pressing Enter after each command.

cd /d "C:\WinDDK\7600.16385.1\bin\selfsign"

inf2cat.exe /driver:"C:\ViaMonstraDriversCert\Broadcom" /os:7_X64 /verbose



Running inf2cat.exe


Step 4 - Sign and timestamp the driver

- Use the C:\ViaMonstraDriversCert\Broadcom folder from step 3. It already contains the b57nd60a.inf and b57nd60a.sys files, and inf2cat has now added the b57nd60a.cat catalog file, which is what you sign.

- Start the command prompt and type the following commands, pressing Enter after each command.

cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"

signtool sign /f C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx /p P@ssw0rd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\ViaMonstraDriversCert\Broadcom\b57nd60a.cat




Running the Signtool


Step 5 - Install the certificate


To trust the certificate on a single test computer (the signing certificate is self-signed and not yet trusted by the operating system), start the command prompt and type the following commands, pressing Enter after each command.

certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine ROOT

certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine TRUSTEDPUBLISHER

Note #1:
You can also use certutil to install the certificate.

Note #2:
You also need to configure Windows to allow driver certificates that are not cross-signed by Microsoft. Run the following command in an elevated command prompt and then reboot: bcdedit /set testsigning on


After configuring the BCD and rebooting Windows 7, you see the new "Test Mode" text in the right-hand corner of the desktop.
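Before pointing a deployment at the signed driver, it helps to check that each of steps 2 to 5 actually took effect on the test computer. The script below is an added example (not from the original post) that does this from an elevated PowerShell prompt after the reboot: it reads the Authenticode signature on the catalog, confirms the .cer is present in both LocalMachine stores that certmgr.exe populated, and checks the current boot entry for the testsigning switch. The paths and file names are the ones from the ViaMonstra scenario above; adjust them if you used different folders. It assumes the standard Get-AuthenticodeSignature cmdlet, the .NET X509Store class and bcdedit, all of which are present on Windows 7.

```powershell
# Added example, not part of the original article: verify the outcome of
# steps 2 to 5 in the ViaMonstra scenario. Run elevated, after the reboot.

$CatFile = 'C:\ViaMonstraDriversCert\Broadcom\b57nd60a.cat'
$CerFile = 'C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer'

# 1. Authenticode signature on the catalog. Status is 'Valid' only when the
#    signing certificate chains to a trusted root, so this confirms both the
#    signtool step (4) and the Root store import (5) in one go.
$sig = Get-AuthenticodeSignature -FilePath $CatFile
"Catalog signature status : $($sig.Status)"
"Signer                   : $($sig.SignerCertificate.Subject)"
if ($sig.TimeStamperCertificate) {
    "Timestamped by           : $($sig.TimeStamperCertificate.Subject)"
} else {
    "Timestamped by           : (none; signature expires together with the certificate)"
}

# 2. Certificate stores. certmgr.exe added the .cer to LocalMachine\Root and
#    LocalMachine\TrustedPublisher; compare by thumbprint, not by subject,
#    so a different certificate with the same CN does not pass the check.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
foreach ($storeName in 'Root', 'TrustedPublisher') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'LocalMachine'
    $store.Open('ReadOnly')
    $found = @($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
    $store.Close()
    "LocalMachine\$storeName contains cert : $found"
}

# 3. Boot configuration. 'bcdedit /set testsigning on' shows up in the
#    current boot entry as a line reading 'testsigning   Yes'.
$testSigning = [bool](bcdedit /enum '{current}' | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
"Test signing enabled     : $testSigning"
```

If the first check reports anything other than Valid while the store check says the certificate is present, the catalog was signed with a different key than the one exported to the .cer, or was regenerated by inf2cat after signing. Keep in mind what step 5 does to the test computer: anything signed with ViaMonstraDrivers.pvk / .pfx is now trusted as a root and as a publisher on that machine, so keep C:\ViaMonstraDriversCert readable only by the people who sign drivers, and do not leave the test certificate or test signing mode in a production image.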




Now when you try running pnputil -a b57nd60a.inf, you will be met by the following:


References:

MSDN docs on driver ranking:

How Windows Ranks Drivers (Windows Vista and Later)
http://msdn.microsoft.com/en-us/library/windows/hardware/ff546225%28v=vs.85%29.aspx


Happy deployment, and thanks for reading!
/ Johan
