How to sign Microsoft Windows 64-bit kernel-mode software using Code Signing Certificate for Microsoft Authenticode and Code Signing Certificate for Microsoft Office and VBA

Solution ID:    SO5820
Version:    29.0
Published:    12/12/2007
Updated:    02/18/2015

Solution

Oct. 2014:  At this time kernel mode signing with a SHA-256 certificate is only compatible with Windows 8. Microsoft is working on backporting SHA-256 support for Windows 7 and Vista. For maximum ubiquity it is recommended to use a SHA1 certificate.  A SHA1 equivalent certificate can be issued for free through your Symantec management portal.


64-bit versions of Microsoft Windows require Kernel Mode Signing.

To sign 64-bit kernel-mode software using Code Signing Certificate for Microsoft Authenticode or Code Signing Certificate for Microsoft Office and VBA, you will need to download and install the following:

  1. Windows Driver Kit WDK (Must be installed to acquire the following required tools)
    • pvk2pfx.exe
    • inf2cat.exe
    • signtool.exe
       
  2. Microsoft cross certificate
    Please download the attached file below at the bottom of this solution named: MSCV-VSClass3.cer

  3. PVK Import  (This tool is not supported by Symantec)
    If your certificate is not already in the certificate store, use PVK Import to import your certificate into the Personal store.

    Then use signtool.exe (a command-line tool) from the command prompt to sign your code.
     

To successfully sign driver files, please ensure the following steps are followed:

  1. Ensure the Microsoft Authenticode Signing Certificate is installed in the user's personal certificate store. (This may require pvk2pfx.exe and/or pvkimport.exe.)

  2. Use inf2cat.exe to validate the driver package INF file and create a valid catalog file. If successful, a catalog file (*.cat) will be created.

  3. Use signtool.exe to sign the catalog (*.cat) and all driver (*.sys) files as below.

    NOTE: Replace "C:\CatFileName.cat" with the name of the specific file you are signing. This command needs to be run against every driver file and against the catalog.

    signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "Symantec Corp" /t http://timestamp.VeriSign.com/scripts/timstamp.dll "C:\CatFileName.cat"

  4. Verify that the file was properly cross-signed. Use the following syntax and look for "Microsoft Code Verification Root" in the certificate chain of the output:

    signtool verify /v /kp "C:\driver.sys"

Replace CatFileName.cat with the file you want to sign.

This example uses several of the arguments that SignTool supports:

  • sign: Configures the tool to sign the intended file
  • /v: Specifies the verbose option, which prints successful execution and warning messages
  • /ac: Adds the cross-certificate from the specified CrossCertificateFile to the digital signature
  • /s: Specifies the certificate store to search (if the certificate was imported into the Personal store, the store name is MY)
  • /n: Refers to the company name in your certificate as it appears in the "ISSUED TO" field of the certificate
  • /t: Specifies that the digital signature will be timestamped by the Authenticode Time-Stamp Authority (TSA) indicated by the URL
  • /tr: Specifies that the digital signature will be timestamped by the RFC 3161 Time-Stamp Authority (TSA) indicated by the URL

Note: The Authenticode timestamping URL for Symantec is http://timestamp.verisign.com/scripts/timstamp.dll (the timstamp.dll filename is required to conform to the old MS-DOS 8.3 naming convention).

The RFC 3161 timestamping URL for Symantec is: http://timestamp.geotrust.com/tsa

For more information, refer to the following documents from the Microsoft knowledge base:
Windows Driver Kit (WDK):  http://www.microsoft.com/whdc/driver/64bitguide.mspx
Using SignTool to Sign a File:  http://msdn.microsoft.com/en-us/library/aa388170
Cross-Certificates for Kernel Mode Code Signing:  http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx

Microsoft also supplies the following summarized version of the signing process:

Problem - Troubles signing driver using signtool and cross-certificates
Environment - Windows 64bit
Resolution - Install your certificate by double-clicking and allow it to install automatically based upon the certificate type. This way you do not have to worry about which certificate store it is placed in.

When cross-signing, use the following syntax:

Note: The Company Cert Name should be exactly as shown in the "ISSUED TO" field of your own certificate.

The following syntax signs the file using a certificate stored in your Personal certificate store.

Without the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "Symantec Corp" "C:\driver.sys"

With the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "Symantec Corp" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\driver.sys"

The following syntax signs the file using a certificate stored in a password-protected PFX file.

Without the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /f C:\Authenticode\YourCert.pfx /p Password /n "Symantec Corp" "C:\driver.sys"

With the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /f C:\Authenticode\YourCert.pfx /p Password /n "Symantec Corp" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\driver.sys"

TIPS

  • You should verify your signature for a driver file using the following command:

    signtool verify /v /kp "C:\driver.sys"

  • You should verify that a given driver is "signed" by a given catalog file using the following command:

    signtool verify /v /kp /c "C:\CatFileName.cat" "C:\driver.sys"

  • To significantly decrease boot time, sign all drivers and catalog files.
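The following PowerShell script is an added example and is not part of the Symantec article or of Microsoft's documentation. It strings together steps 2 to 4 of the procedure above and the two verification commands from the TIPS section: it runs inf2cat.exe over a driver package, signs every .sys and .cat file in it with the cross certificate, then verifies each driver with /kp and checks that the verbose output actually lists the "Microsoft Code Verification Root". The package directory C:\DriverPackage, the inf2cat /os list, the Invoke-Tool helper and the parameter names are assumptions made for this example; the cross-certificate path, store name, subject name and timestamp URLs are the ones the article uses, and the WDK tools are assumed to be on PATH.

```powershell
# Added example (not from the Symantec article). Signs and verifies a 64-bit kernel-mode driver package.
# Assumptions (hypothetical values): package in C:\DriverPackage, inf2cat/signtool on PATH, cross
# certificate at C:\Authenticode\MSCV-VSClass3.cer, signing certificate in the Personal (MY) store with
# subject "Symantec Corp" (the article's sample name), and a SHA-1 certificate as the article recommends.
param(
    [string]$PackageDir   = 'C:\DriverPackage',
    [string]$CrossCert    = 'C:\Authenticode\MSCV-VSClass3.cer',
    [string]$SubjectName  = 'Symantec Corp',
    [string]$OsList       = '7_X64,8_X64',   # assumed inf2cat target list
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [switch]$Rfc3161      # use /tr (RFC 3161 TSA) instead of /t (Authenticode TSA)
)

$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Run a WDK tool, fail fast on a non-zero exit code, and return its captured stdout lines.
    param([string]$Exe, [string[]]$Arguments)
    $out = & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code $LASTEXITCODE`n$($out -join "`n")"
    }
    return $out
}

# Step 2: validate the INF and build the catalog. inf2cat writes the .cat named by the INF's CatalogFile entry.
Invoke-Tool 'inf2cat.exe' @("/driver:$PackageDir", "/os:$OsList") | Out-Null

# Step 3: sign every driver and the catalog. /ac embeds the cross certificate so the chain ends at
# the Microsoft root that the kernel trusts; the timestamp keeps the signature valid after cert expiry.
if ($Rfc3161) {
    $tsArgs = @('/tr', 'http://timestamp.geotrust.com/tsa', '/td', 'sha1')
} else {
    $tsArgs = @('/t', $TimestampUrl)
}
$files = Get-ChildItem -Path $PackageDir -Recurse -Include '*.sys', '*.cat'
if (-not $files) { throw "No .sys or .cat files found in $PackageDir" }
foreach ($f in $files) {
    $signArgs = @('sign', '/v', '/ac', $CrossCert, '/s', 'MY', '/n', $SubjectName) + $tsArgs + @($f.FullName)
    Invoke-Tool 'signtool.exe' $signArgs | Out-Null
}

# Step 4: verify each driver under kernel-mode policy (/kp). The verbose chain must contain the
# "Microsoft Code Verification Root"; if it does not, the cross certificate was not embedded and the
# driver will be rejected by 64-bit Windows even though a plain Authenticode verify would pass.
$catalog = $files | Where-Object Extension -eq '.cat' | Select-Object -First 1
foreach ($sys in ($files | Where-Object Extension -eq '.sys')) {
    $verify = Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', $sys.FullName)
    if (-not ($verify | Select-String -SimpleMatch 'Microsoft Code Verification Root' -Quiet)) {
        throw "$($sys.Name): signature chain does not reach the Microsoft Code Verification Root"
    }
    # Also confirm the driver's hash is listed in the signed catalog (the /c check from the TIPS section).
    if ($catalog) {
        Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', '/c', $catalog.FullName, $sys.FullName) | Out-Null
    }
    Write-Host "OK: $($sys.Name) is cross-signed$(if ($catalog) { " and listed in $($catalog.Name)" })"
}
```

Run it from an elevated WDK command prompt, or any PowerShell session where the WDK bin directory is on PATH. The root-name check is the part most worth keeping: signtool exits 0 for a signature that chains to the CA's own root, so only the /kp verbose output, not the exit code, tells you whether the cross certificate made it into the signature.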

Attachment

MSCV-VSClass3.cer

Legacy ID

vs41181
