Overview of Using a Code Signing Certificate in Vista/Windows 7 64-bit
Before Signing Your Code
- For best results, use a 32-bit Windows XP machine to perform the signing operation. Vista and Windows 7 64-bit machines do not yield a successful signing result.
- Make sure the GlobalSign root certificate is removed from the certificate store on the local machine. If the GlobalSign root is present, SignTool will fail to embed the cross certificate.
- Make sure the cross certificate is available to the SignTool application.
- Make sure the GlobalSign ObjectSign end entity certificate is available in the local certificate store.
In order for cross certificates to be used, the GlobalSign root CA must be removed from the root certificate store on the signing machine. If the root is present, SignTool will build the chain up to the root certificate instead of embedding the cross certificate, rendering the signature incorrect for Vista/Windows 7 kernel drivers. Vista/Windows 7 has a fully automated root certificate update capability that ensures the GlobalSign root certificate is always re-installed. In XP the auto update capability can be turned off from the control panel as follows:
Note: Disconnecting a Vista/Windows 7 system from the internet to prevent the automated download makes timestamping during the final signing step difficult. Avoid doing this if possible.
Removing the GlobalSign Root Certificate
Open the Certificates snap-in of the Microsoft Management Console (MMC) by running "certmgr.msc" and confirm that the GlobalSign root CA has been removed from the Trusted Root Certification Authorities store.
Ideally, also remove any instances of the GlobalSign root CA that may be in the Personal and Intermediate certificate stores, as shown below. Intermediate GlobalSign certificates can be left as they are.
Note: The root certificate can be added back to the store by clicking this link: https://secure.globalsign.net/cacert/root.crt
Location of the Cross Certificate
The cross certificate is located here: http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx#EMG
Download and run the cross certificate package, then copy the cross certificate to the directory from which SignTool is to be run.
Install the Latest Signtool
The Windows Driver Kit (WDK) and Windows Logo Kit are available at: http://www.microsoft.com/whdc/devtools/WDK/AboutWDK.mspx
Signtool Support for Cross Certificates
Run SignTool with the "/ac" option, which specifies the cross certificate to embed in the signature.
Signing a File
For options outside of this example, please refer to the Microsoft SignTool documentation. In the signing example below:
- Signtool.exe has been renamed to "Signtoolac.exe" to differentiate it from any other signtool.exe programs that may be on the system.
- Timestamping options have not been selected.
- The example toaster.sys file is from the WDK. Below it has been signed and verified with suitable options.
- /ac = use the cross certificate MSCV-GlobalSign.cer.
- /sha1 = identify a particular certificate in the local certificate store by its SHA-1 thumbprint.
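The following PowerShell script is an added example, not part of the original article: it performs the pre-flight checks the article lists (GlobalSign root absent, cross certificate and end-entity certificate available) immediately before signing, then signs toaster.sys with "/ac" and "/sha1" and verifies the result against kernel-mode policy. The certificate thumbprint is a placeholder, the "*GlobalSign*" subject match and the file locations are assumptions, and the re-check of the Root store matters because Vista/Windows 7 may silently re-install the root.

```powershell
# Added example: pre-flight checks and cross-certificate signing of toaster.sys.
# Assumes Signtoolac.exe (SignTool renamed as in the article), MSCV-GlobalSign.cer
# and toaster.sys sit in the current directory; the thumbprint is a placeholder.
param(
    [string]$SignTool  = ".\Signtoolac.exe",
    [string]$CrossCert = ".\MSCV-GlobalSign.cer",
    [string]$Target    = ".\toaster.sys",
    [string]$Sha1      = "<THUMBPRINT-OF-YOUR-OBJECTSIGN-CERT>"   # placeholder, replace
)
$ErrorActionPreference = "Stop"

# 1. The GlobalSign root must NOT be in any Root store, or SignTool chains to it
#    instead of embedding the cross certificate. Checked right before signing,
#    because the automatic root update may have put it back since you removed it.
$rootStores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")
$gsRoot = Get-ChildItem $rootStores |
    Where-Object { $_.Subject -like "*GlobalSign*" -and $_.Subject -eq $_.Issuer }
if ($gsRoot) {
    $gsRoot | Format-List Subject, Thumbprint, PSParentPath
    throw "GlobalSign root CA is still present in a Root store; remove it and retry."
}

# 2. The cross certificate and the file to sign must be reachable by SignTool.
foreach ($f in @($SignTool, $CrossCert, $Target)) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# 3. The ObjectSign end-entity certificate (with its private key) must be in the
#    Personal store, otherwise /sha1 cannot select it.
$ee = Get-ChildItem "Cert:\CurrentUser\My" | Where-Object { $_.Thumbprint -eq $Sha1 }
if (-not $ee -or -not $ee.HasPrivateKey) {
    throw "End-entity certificate $Sha1 not found in CurrentUser\My or has no private key."
}

# 4. Sign: /ac embeds the cross certificate, /sha1 selects the end-entity cert.
#    As in the article's example, no timestamp option is used here; add /t <url>
#    if the timestamp server is reachable.
& $SignTool sign /v /ac $CrossCert /sha1 $Sha1 $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify against the kernel-mode driver signing policy (/kp). A chain that
#    ends at the GlobalSign root instead of the cross certificate fails here.
& $SignTool verify /kp /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed with exit code $LASTEXITCODE" }
Write-Host "Signed and verified: $Target"
```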
The majority of questions are answered by following the signing steps identified in this document: http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
Microsoft Connect offers a full range of driver development tools including SignTool, the command line application used to perform the signing operations. The connection to choose is the Windows Driver Kit (WDK), Windows Logo Kit (WLK) and Windows Driver Framework (WDF): http://connect.microsoft.com/