Previously, I wrote about how not having signed drivers can be quite a pain on a 64-bit Windows system. I remedied that and made it less of a pain today.
Microsoft provides a set of tools in its Windows Driver Kit for the test-signing of drivers used during development. In simple terms, it provides a way to self-sign drivers and have the system accept them as though they were digitally signed by MS. This avoids having to disable driver signature enforcement at start-up each time.
To begin with, download the Windows Driver Kit, and install the build environment and tools. Once that is done, launch the x64 Free Build Environment shortcut from the shortcuts created in the start menu with administrative rights. In my case, I made a folder consisting of my extracted raid drivers which look like this:
rr174x.cat rr174x.inf rr174x.sys
Now, to create the test certificate, we run the following:
makecert -r -pe -ss PrivateCertStore -n CN=mythokia.net(Test) TestCert.cer
Where mythokia.net(Test) can be replaced by any name. ‘Succeeded’ will be echoed upon successful execution of the above. That being done, we proceed to install the certificate on the machine as a Trusted Root Certification Authority and as a Trusted Publisher, so that items signed by this particular certificate are recognized.
certmgr /add TestCert.cer /s /r localMachine root
certmgr /add TestCert.cer /s /r localMachine trustedpublisher
‘CertMgr Succeeded’ should be echoed for each. Now to sign the drivers with our certificate. This can be done either by signing the catalog file (the one with the .cat extension) and/or by embedding the signature directly into the binary. From Microsoft’s explanation, drivers loaded at boot time are required to have their signatures embedded in the driver’s binary file itself. Unsure whether signing just the binary is sufficient, I went ahead and did both.
signtool sign /v /s PrivateCertStore /n mythokia.net(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll rr174x.cat
signtool sign /v /s PrivateCertStore /n mythokia.net(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll rr174x.sys
Watch the output to see if both were successful. We’re almost ready to install the driver now, but one last twist. The bootloader has to be configured to allow for the running of test drivers. We issue this:
bcdedit -set TestSigning on
This adds an unobtrusive ‘Test Mode’ watermark to the bottom right of the screen, which I can live with. Besides, I run my server headless anyway, except for the occasional RDP session into it.
Now all that is done, we can finally install our self-signed driver like you would a normal driver. No more manually disabling the enforcement of digitally signed drivers every boot up.
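The steps above, collected into one PowerShell script with the verification checks I would want afterwards. This is an added example, not part of the original post or of the WDK; it assumes an elevated prompt with makecert, certmgr and signtool on the PATH, the driver files in the current directory, and the same certificate name and driver base name used above (both are parameters, so they can be changed). The final check reads the boot entry back, because once testsigning is on the loader will accept any driver carrying a test signature it can chain, so it is worth confirming on which machines that flag is set.

```powershell
# Added example: wraps the test-signing steps above and verifies the result.
# Assumes WDK tools on PATH, an elevated prompt, and driver files in the cwd.
param(
    [string]$CertName = 'mythokia.net(Test)',   # subject CN, as in the post
    [string]$Driver   = 'rr174x',               # base name of the .cat/.inf/.sys
    [string]$Store    = 'PrivateCertStore'      # certificate store makecert writes to
)
$ErrorActionPreference = 'Stop'

# Run a native tool and fail loudly on a non-zero exit code.
function Invoke-Tool([string]$Exe, [string[]]$ArgList) {
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Create the self-signed test certificate once; makecert -ss puts it in the
#    CurrentUser store by default, so skip creation if it is already there.
$existing = Get-ChildItem "Cert:\CurrentUser\$Store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -eq "CN=$CertName" }
if (-not $existing) {
    Invoke-Tool makecert @('-r', '-pe', '-ss', $Store, '-n', "CN=$CertName", 'TestCert.cer')
}

# 2. Trust the certificate as a root CA and as a publisher on this machine.
Invoke-Tool certmgr @('/add', 'TestCert.cer', '/s', '/r', 'localMachine', 'root')
Invoke-Tool certmgr @('/add', 'TestCert.cer', '/s', '/r', 'localMachine', 'trustedpublisher')

# 3. Sign the catalog and embed a signature in the binary (boot-start drivers
#    need the embedded one).
$timestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'
foreach ($file in "$Driver.cat", "$Driver.sys") {
    Invoke-Tool signtool @('sign', '/v', '/s', $Store, '/n', $CertName, '/t', $timestampUrl, $file)
}

# 4. Verify the embedded signature chains to a trusted root, two ways:
#    signtool's default Authenticode policy and PowerShell's own check.
Invoke-Tool signtool @('verify', '/v', '/pa', "$Driver.sys")
$sig = Get-AuthenticodeSignature "$Driver.sys"
"Authenticode status for $Driver.sys: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"

# 5. Enable test-signing for the next boot and read the flag back from the
#    boot configuration so the change is confirmed, not assumed.
Invoke-Tool bcdedit @('/set', 'testsigning', 'on')
$testMode = (bcdedit /enum '{current}') -match '^\s*testsigning\s+Yes'
"Test signing enabled on {current}: $([bool]$testMode)"
```

Run it from the x64 build environment prompt (or any elevated prompt where the WDK tools resolve). If step 4 reports anything other than a Valid status, the certmgr steps did not land in the LocalMachine stores and the driver will be rejected regardless of the testsigning flag.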
Once again, these steps are detailed, and a lot more thoroughly so on MSDN, but here’s the rough guide to the self-signing of drivers for use on Windows x64 systems. I can finally remove that keyboard from my server.