Re: [libwdi-devel] [Libusb-win32-devel] Driver package signing

[Sethuraman R <set...@gm...>]

Dear Pete,

I haver also aised a question in MSDN forum and got a reply like, I should
go through WHQL, do i want to?? Please find the below link for discussions:

http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/28b936d8-22b5-40dd-b16c-8da5f4828bee


Regards,
Sethu


On Mon, Apr 9, 2012 at 8:50 PM, Pete Batard <pe...@ak...> wrote:

> Hi,
>
> On 2012.04.09 15:12, Sethuraman R wrote:
> >         2.1. My inf is working fine and i am using only the windows
> > default driver(USBSER.sys) in the inf. In this case, is it required to
> > sign the default sys file? Or Is it already Signed? Or Is signing not
> > required?
>
> Binary drivers that come from the Windows OS are already signed, though,
> unlike non Windows signed drivers, the signature may not be displayed
> when right clicking. But unless you use your own custom version, you
> should not have to sign this file.
>
> >         2.2.I have understood that Signing the driver
> > binaries(SYS,DLL,...) and Signing the driver package(inf) are completely
> > different.
>
> Indeed. One will prevent you from using the driver altogether, unless
> running Windows in test mode, and the other determines whether users are
> prompted with a warning during driver installation.
>
> > Also, the signing warning(Windows can't verify the the
> > publisher of the software) occurs only because of my unsigned inf and
> > not because of the driver?
>
> Yes.
>
> >         2.3 To avoid the above said warning, by assuming USESER.SYS
> > doesn't require any signing, i selfsigned or test signed my inf file in
> > the following way as mentioned at
> > http://www.itninja.com/question/guide-to-signing-unsigned-drivers.
> >
> > # creted .cat file using Inf2cat.exe
> > Inf2Cat.exe /driver:"<Path of the inf>"
>
> You may also want to have a look at the Signed Cat file part of the
> libwdi signed driver walkthrough [1]. You may want to append a /os:
> option there, depending on your target OSes.
>
> > # created certificate using makecert.exe
> > MakeCert.Exe -r -pe <path to .cer file you want to generate> -n
> > CN=<certificate name> -sv <path to .pvk file you want to generate> -len
> > 2048
>
> You may also want to have a look at this post from libusb-win32, where I
> did something similar [2].
>
> >        2.4) As per the MS DDK Documentation, the test signing or Self
> > Signing is done without PVK... Am i wrong in the last step?
> >
> > But here i created the PVK also?
>
> In a PKI implementation, you always need a private key, so one always
> exists. You can't create a self-signing certificate without a private key.
>
> > # Create Software Publisher's Certificate (SPC) from our certificate
> > Cert2Spc.Exe <path to .cer file> <path to .spc file>
> >
> > # Create a .pfx file
> > pvk2pfx.exe -pvk <path of .pvk file created earlier> -pi <password> -spc
> > "<path of .pfx to be stored>
> >
> > # Sign the catalog file
> > signtool.exe sign /f "<path of .pfx file>" /p <password> /t
> > http://timestamp.comodoca.com/authenticode /v "<cat file to be signed>"
> >
> > # Installed the certificate in local machine
> > certmgr.exe /add "<path of the certificate created>" /s /r localMachine
> root
> > certmgr.exe /add "<path of the certificate created>" /s /r localMachine
> > trustedPublishers
>
> As long as you have a pfx that matches your self-signed certificate, and
> you install the cert in root and trustedPublishers, you should be OK for
> validation of the driver package. Be mindful that this needs to be done
> from an elevated command prompt.
>
> The trick not to get the driver package prompt is to have the public key
> of your self-signed credential in root and trustedPublishers, and to
> sign the inf package with the matching private key.
>
> > 3. I am successuly created cert file and now, not getting any warnings
> > during installation with DPInst.
>
> So far so good.
>
> > My critical question here is, can i
> > distribute or publish this signed certificate that i created ?? i.e Can
> > i install my self signed certificate in my clients machine ( is it legal
> > to distribute my signed certificate for commercial use).
>
> Absolutely. Distribution of the *public* key, which is what is meant to
> get installed in the client's security store through a certificate, is
> no concern at all and has no legal implication whatsoever (even if you
> export it to Iran or something). Many software developers, including
> Microsoft of course, export public keys in one way or another, be it for
> root certification authorities, and no special concern needs to be taken
> to do so. And the same would be true for the private key as well, since
> public and private key are usually symmetric, provided it wasn't a very
> bad idea to distribute a private key.
>
> Just make sure that you distribute a certificate (i.e. a container with
> the public key only - typically a .cer on Windows) and not a credential
> (container with both the private and public key - typically a .pfx), as
> making your private key available would allow anyone to sign and get
> malicious software installed that validates against your public key,
> which is not what you want.
>
> > Please condsider that there won't be any objection from my client side
> > where i want to install the certificate.
>
> As long as you ensure that your private key remains private and out of
> reach from malicious users, installing your certificate on the client's
> side shouldn't be a concern.
>
> > 4.Seems that certmgr.exe is not distibutable and help me in providing
> > the alternative tool or code to import the certificate?
>
> Travis has developed a dpscat utility for libusbK that may be of help.
> You can find it in the binary directory of the latest libusbK [3].
>
> Regards,
>
> /Pete
>
> PS: Sorry for not answering your original e-mail on the libwdi mailing
> list. I got confused about the message asking to disregard.
>
> [1]
>
> https://sourceforge.net/apps/mediawiki/libwdi/index.php?title=Signed_driver_walkthrough#Creating_a_signed_cat_file
> [2] https://sourceforge.net/mailarchive/message.php?msg_id=27223654
> [3] https://sourceforge.net/projects/libusbk/files/libusbK-beta/3.0.5.10/
>
>
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> _______________________________________________
> Libusb-win32-devel mailing list
> Lib...@li...
> https://lists.sourceforge.net/lists/listinfo/libusb-win32-devel
>