Re: [libwdi-devel] [Libusb-win32-devel] Driver package signing
Windows Driver Installer library for USB devices
From: Sethuraman R <set...@gm...> - 2012-04-11 09:56:54
Dear Pete,

I have also raised a question in the MSDN forum and got a reply like, I should go through WHQL, do I want to?? Please find the below link for discussions:

http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/28b936d8-22b5-40dd-b16c-8da5f4828bee

Regards,
Sethu

On Mon, Apr 9, 2012 at 8:50 PM, Pete Batard <pe...@ak...> wrote:
> Hi,
>
> On 2012.04.09 15:12, Sethuraman R wrote:
> > 2.1. My inf is working fine and I am using only the Windows
> > default driver (USBSER.sys) in the inf. In this case, is it required to
> > sign the default sys file? Or is it already signed? Or is signing not
> > required?
>
> Binary drivers that come from the Windows OS are already signed, though,
> unlike non Windows signed drivers, the signature may not be displayed
> when right clicking. But unless you use your own custom version, you
> should not have to sign this file.
>
> > 2.2. I have understood that signing the driver
> > binaries (SYS, DLL, ...) and signing the driver package (inf) are completely
> > different.
>
> Indeed. One will prevent you from using the driver altogether, unless
> running Windows in test mode, and the other determines whether users are
> prompted with a warning during driver installation.
>
> > Also, the signing warning (Windows can't verify the publisher of
> > the software) occurs only because of my unsigned inf and
> > not because of the driver?
>
> Yes.
>
> > 2.3 To avoid the above said warning, by assuming USBSER.SYS
> > doesn't require any signing, I self-signed or test signed my inf file in
> > the following way as mentioned at
> > http://www.itninja.com/question/guide-to-signing-unsigned-drivers.
> >
> > # created .cat file using Inf2cat.exe
> > Inf2Cat.exe /driver:"<Path of the inf>"
>
> You may also want to have a look at the Signed Cat file part of the
> libwdi signed driver walkthrough [1]. You may want to append a /os:
> option there, depending on your target OSes.
>
> > # created certificate using makecert.exe
> > MakeCert.Exe -r -pe -n CN=<certificate name> -sv <path to .pvk file you
> > want to generate> -len 2048 <path to .cer file you want to generate>
>
> You may also want to have a look at this post from libusb-win32, where I
> did something similar [2].
>
> > 2.4) As per the MS DDK documentation, the test signing or self
> > signing is done without PVK... Am I wrong in the last step?
> >
> > But here I created the PVK also?
>
> In a PKI implementation, you always need a private key, so one always
> exists. You can't create a self-signing certificate without a private key.
>
> > # Create Software Publisher's Certificate (SPC) from our certificate
> > Cert2Spc.Exe <path to .cer file> <path to .spc file>
> >
> > # Create a .pfx file
> > pvk2pfx.exe -pvk <path of .pvk file created earlier> -pi <password> -spc
> > "<path of .spc file>" -pfx "<path of .pfx to be stored>"
> >
> > # Sign the catalog file
> > signtool.exe sign /f "<path of .pfx file>" /p <password> /t
> > http://timestamp.comodoca.com/authenticode /v "<cat file to be signed>"
> >
> > # Installed the certificate in local machine
> > certmgr.exe /add "<path of the certificate created>" /s /r localMachine root
> > certmgr.exe /add "<path of the certificate created>" /s /r localMachine
> > trustedPublishers
>
> As long as you have a pfx that matches your self-signed certificate, and
> you install the cert in root and trustedPublishers, you should be OK for
> validation of the driver package. Be mindful that this needs to be done
> from an elevated command prompt.
>
> The trick not to get the driver package prompt is to have the public key
> of your self-signed credential in root and trustedPublishers, and to
> sign the inf package with the matching private key.
>
> > 3. I have successfully created the cert file and now I am not getting any
> > warnings during installation with DPInst.
>
> So far so good.
>
> > My critical question here is, can I
> > distribute or publish this signed certificate that I created?? i.e. can
> > I install my self-signed certificate in my client's machine (is it legal
> > to distribute my signed certificate for commercial use)?
>
> Absolutely. Distribution of the *public* key, which is what is meant to
> get installed in the client's security store through a certificate, is
> no concern at all and has no legal implication whatsoever (even if you
> export it to Iran or something). Many software developers, including
> Microsoft of course, export public keys in one way or another, be it for
> root certification authorities, and no special concern needs to be taken
> to do so. And the same would be true for the private key as well, since
> public and private key are usually symmetric, provided it wasn't a very
> bad idea to distribute a private key.
>
> Just make sure that you distribute a certificate (i.e. a container with
> the public key only - typically a .cer on Windows) and not a credential
> (container with both the private and public key - typically a .pfx), as
> making your private key available would allow anyone to sign and get
> malicious software installed that validates against your public key,
> which is not what you want.
>
> > Please consider that there won't be any objection from my client side
> > where I want to install the certificate.
>
> As long as you ensure that your private key remains private and out of
> reach from malicious users, installing your certificate on the client's
> side shouldn't be a concern.
>
> > 4. Seems that certmgr.exe is not distributable; please help me in providing
> > the alternative tool or code to import the certificate?
>
> Travis has developed a dpscat utility for libusbK that may be of help.
> You can find it in the binary directory of the latest libusbK [3].
>
> Regards,
>
> /Pete
>
> PS: Sorry for not answering your original e-mail on the libwdi mailing
> list. I got confused about the message asking to disregard.
>
> [1] https://sourceforge.net/apps/mediawiki/libwdi/index.php?title=Signed_driver_walkthrough#Creating_a_signed_cat_file
> [2] https://sourceforge.net/mailarchive/message.php?msg_id=27223654
> [3] https://sourceforge.net/projects/libusbk/files/libusbK-beta/3.0.5.10/
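Pete's closing advice is to ship the client a .cer (public key only) and never the .pfx or .pvk credential. The following is an added example, not code from the thread or from libwdi/libusbK: a pre-release check over a driver package directory that flags any file whose header looks like private key material (PVK magic, PKCS#12 PFX, PEM or DER private keys) before the package is distributed. The header-based classification is a heuristic of my own, and the sample package is constructed.

```python
import struct
from pathlib import Path

# Header magic of a Microsoft PVK private-key file (stored little-endian).
PVK_MAGIC = 0xB0B5F11E

def _der_inner_tag(data):
    """Tag byte of the first element inside an outer DER SEQUENCE, or None."""
    if len(data) < 4 or data[0] != 0x30:
        return None
    header = 2 + (data[1] & 0x7F) if data[1] & 0x80 else 2
    return data[header] if len(data) > header else None

def classify(data):
    """Heuristic header check: 'private-key', 'certificate' or 'unknown'.
    DER whose first inner element is an INTEGER is treated as key material:
    PKCS#12 PFX (INTEGER version 3), PKCS#8 and PKCS#1 keys all start that
    way, while an X.509 certificate starts with a nested SEQUENCE."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PVK_MAGIC:
        return "private-key"
    if b"PRIVATE KEY-----" in data:  # PEM: BEGIN [RSA|ENCRYPTED] PRIVATE KEY
        return "private-key"
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "certificate"
    tag = _der_inner_tag(data)
    if tag == 0x02:
        return "private-key"
    if tag == 0x30:
        return "certificate"
    return "unknown"

def flag_private_material(files):
    """files: mapping of file name -> bytes. Returns names that must not ship."""
    return sorted(n for n, d in files.items() if classify(d) == "private-key")

def scan_package_dir(path):
    """Same check over every regular file in a driver package directory."""
    return flag_private_material({p.name: p.read_bytes()
                                  for p in Path(path).iterdir() if p.is_file()})

# Constructed sample package: headers only, not real keys or certificates.
SAMPLE_PACKAGE = {
    "mydriver.inf": b'[Version]\r\nSignature="$Windows NT$"\r\n',
    "mydriver.cer": b"\x30\x82\x01\x00\x30\x82\x00\xf0\x02\x01\x02",  # X.509 DER
    "mydriver.pfx": b"\x30\x82\x01\x00\x02\x01\x03\x30\x82\x00\xf0",  # PKCS#12 DER
    "mydriver.pvk": struct.pack("<I", PVK_MAGIC) + b"\x00" * 20,
    "backup.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n",
}
```

Run `scan_package_dir(r"C:\path\to\package")` on the directory handed to DPInst; an empty list means only the .inf, .cat and .cer are going out.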