Notes:
- Windows 7 has been patched by Microsoft to support SHA-256 signatures. For EV Code Signing Certificates, refer to the separate EV Code Signing guide.
- Starting January 26, 2021, GlobalSign will no longer offer SHA-1 Authenticode and CodeSign Timestamping services.
Prerequisites
- GlobalSign Code Signing Certificate
- Windows Software Development Kit (SDK) For Windows 8.1
- Cross Certificate:
- SHA-256 orders (issued March 31, 2014 and later) additionally use the R1-R3 Cross Certificate. It must be installed on the signing computer, but it is not passed as an additional certificate (/ac) during the signing procedure.
Important SignTool Options:
- /ac Specify an Additional Certificate.
- /f Specify the signing Certificate in a file.
- /p Specify the password for the signing Certificate.
- /fd Specify the file digest algorithm used in creating file signatures.
- E.g. /fd sha256 to place a SHA-256 signature. SHA-1 is the default, so SHA-256 orders must pass /fd sha256 explicitly.
- /n "Certificate Common Name" Specifies the Certificate to sign the file from your Windows Certificate Store using the Certificate common name.
- /t Specify a Microsoft Authenticode compatible time stamp server.
- /tr Specify an RFC 3161 compliant trusted time stamp server.
Procedure
Follow the step-by-step guidelines below.
- In order for your driver to install successfully, the following file types in your project must be signed:
- .sys
- .cat
- You can either sign these files from a working directory, or place them in the Windows SDK\bin folder that contains signtool.exe.
- Acquire the Microsoft Code Signing Cross Certificate for GlobalSign and place it into your working directory.
- Use the following signtool command to sign the code:
signtool sign /ac MSCrossCert.crt /f CodeSign.pfx /p password1234 /tr http://timestamp.globalsign.com/tsa/r6advanced1 filter.sys
This command places a signature that includes the Cross Certificate and is timestamped in compliance with RFC 3161. The password shown is a placeholder for your own .pfx password; alternatively, sign from the Windows Certificate Store with /n so the password never appears on the command line. Note that the command above uses the default SHA-1 file digest; add /fd sha256 for a SHA-256 signature (see the /fd option above).
- Next, verify your signature using the following signtool command:
signtool verify /v /kp filter.sys
/v gives verbose output and /kp validates the signature according to the kernel-mode driver signing policy.
The output should look like this:
- Repeat the same process with the .cat file.
- Once the driver has been signed, you can install the properly signed driver.
If the driver is signed properly the install screen will look like this (Windows 7):
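The whole procedure (sign .sys and .cat, verify against the kernel-mode policy, then confirm the timestamp) as one PowerShell script. This is an added example, not part of the GlobalSign article: the SignTool path, file names and the PFX_PASSWORD environment variable are assumptions to adjust for your environment; the cross certificate and timestamp server are the ones the article uses. It goes beyond the article's command by passing /fd sha256 and /td sha256 so both the file digest and the RFC 3161 timestamp use SHA-256, and by failing fast on a non-zero SignTool exit code.

```powershell
# Added example: sign and verify a kernel-mode driver package with SignTool.
# Not from the GlobalSign article; paths and names below are placeholders.
$ErrorActionPreference = 'Stop'

# --- Assumptions: adjust for your environment -------------------------------
$SignTool  = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe'  # Windows 8.1 SDK (assumed location)
$CrossCert = '.\MSCrossCert.crt'                                  # Microsoft cross-certificate for GlobalSign
$Pfx       = '.\CodeSign.pfx'                                      # GlobalSign Code Signing Certificate (assumed file name)
$PfxPass   = $env:PFX_PASSWORD                                     # keep the password out of the script and shell history
$Tsa       = 'http://timestamp.globalsign.com/tsa/r6advanced1'    # RFC 3161 timestamp server from the article
$Files     = @('.\filter.sys', '.\filter.cat')                     # both file types must be signed for the driver to install

if (-not $PfxPass) { throw 'Set PFX_PASSWORD before running (or switch to /n to sign from the certificate store).' }

# Run SignTool and fail on any non-zero exit code (0 = success, 1 = failure, 2 = completed with warnings).
function Invoke-SignTool {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

foreach ($file in $Files) {
    # /ac  include the Microsoft cross certificate so the chain reaches the Microsoft root (kernel-mode requirement)
    # /fd  SHA-256 file digest (SignTool defaults to SHA-1)
    # /tr  RFC 3161 timestamp server; /td asks it for a SHA-256 timestamp digest
    Invoke-SignTool @('sign', '/v',
                      '/ac', $CrossCert,
                      '/f',  $Pfx, '/p', $PfxPass,
                      '/fd', 'sha256',
                      '/tr', $Tsa, '/td', 'sha256',
                      $file)

    # /kp validates against the kernel-mode driver signing policy, not just a generic Authenticode check.
    Invoke-SignTool @('verify', '/v', '/kp', $file)

    # Independent check from PowerShell: signature status and presence of a timestamp.
    # (This does not apply the kernel-mode policy; it confirms the signature is valid and timestamped.)
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "${file}: signature status is $($sig.Status) ($($sig.StatusMessage))"
    }
    if (-not $sig.TimeStamperCertificate) {
        throw "${file}: signature is not timestamped; it will become invalid when the certificate expires"
    }
    '{0}: signed by "{1}", timestamped by "{2}"' -f $file,
        $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
}
```

Run it from the working directory that holds the driver files, the cross certificate and the .pfx, after setting PFX_PASSWORD in the session. Passing the password with /p still exposes it to anything that can read the process command line, which is why the article's /n option (signing from the Windows Certificate Store) is the better choice on a shared build machine.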
Additional Resources
Full list of SignTool commands:
http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.110%29.aspx
Kernel-Mode Code Signing Walkthrough:
http://msdn.microsoft.com/en-us/windows/hardware/gg487328.aspx
Digital Signatures for Kernel Modules on Windows:
http://msdn.microsoft.com/en-us/library/windows/hardware/gg487332.aspx