How to Release-Sign a Kernel Module

Following the "Kernel-Mode Code Signing Walkthrough" document
(http://www.microsoft.com/whdc/driver...lkthrough.mspx),
I managed to test-sign my driver. Now I want to make release-sign. From the
document:

Step 2: Obtain an SPC
Release-signing requires a code-signing certificate, also referred to as a
Software Publisher Certificate (SPC) from a commercial CA. Follow the CA's
instructions for how to acquire the code-signing certificate and install the
private key on the signing computer. For a list of SPC CAs, see "Resources"
at the end of this paper.

Here I am completely stuck. I also found this page:
http://www.microsoft.com/whdc/driver...crosscert.mspx but it
doesn't help. Please, give me some explanations, what should I do now.
Thanks.

Thank you! If it is possible, please give me some more details.
Let's say my company decides to buy VeriSign certificate, I guess, this is
possible from here:
http://www.verisign.com/code-signing...ode/index.html.
I understand that this gives me some .cer file, which I can use instead of
home-made .cer file. My questions:
1) How it is related to Verisign MSCV-VSClass3.cer file that I can download
from the "Microsoft Cross-Certificates" WEB page?
2) Does this mean, that having such certificate, I can sign my driver, and
it can be installed in Win7 x64? Or some additional driver testing is
required?
3) From yout reply: "Verisign has the advantage of providing access to WHQL
if that is of interest to your firm". Actually, I have no idea, should I be
interested in this? We have kernel-mode driver which is shipped with our
product, and I need to ensure that it can be installed in Win7 x64.



"Don Burn" wrote:

> You need to have your company get a code signing certificate from either
> GlobalSign or VeriSign (the others listed in that link are no longer
> offered). GlobalSign is cheaper, but Verisign has the advantage of
> providing access to WHQL if that is of interest to your firm. These are
> not cheap, the Verisign certificate costs $499 per year. Once you have
> the cert you can use it instead of the test cert to sign the driver.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
> > -----Original Message-----
> > From: Alex F [private.php?do=newpm&u=]
> > Posted At: Tuesday, June 15, 2010 7:37 AM
> > Posted To: microsoft.public.development.device.drivers
> > Conversation: How to Release-Sign a Kernel Module
> > Subject: How to Release-Sign a Kernel Module
> >
> > Following the "Kernel-Mode Code Signing Walkthrough" document
> > (http://www.microsoft.com/whdc/driver...lkthrough.mspx),
> > I managed to test-sign my driver. Now I want to make release-sign. From
> > the
> > document:
> >
> > Step 2: Obtain an SPC
> > Release-signing requires a code-signing certificate, also referred to as
> > a
> > Software Publisher Certificate (SPC) from a commercial CA. Follow the
> > CA's
> > instructions for how to acquire the code-signing certificate and install
> > the
> > private key on the signing computer. For a list of SPC CAs, see
> > "Resources"
> > at the end of this paper.
> >
> > Here I am completely stuck. I also found this page:
> > http://www.microsoft.com/whdc/driver...crosscert.mspx but
> > it
> > doesn't help. Please, give me some explanations, what should I do now.
> > Thanks.
> >
> >
> > __________ Information from ESET Smart Security, version of virus
> > signature
> > database 5197 (20100615) __________
> >
> > The message was checked by ESET Smart Security.
> >
> > http://www.eset.com
> >
>
> .
>

Thank you for your help.


"Don Burn" wrote:

> I am not the best signing expert, but for some of the answers. First once
> you sign your driver with the cert it will be loadable in a 64-bit
> environment, but it will still popup a question of whether you trust the
> vendor. If you go through WHQL which is an addition expense and requires
> passing the tests from the Windows Logo Kit (WLK), your driver will
> install without the popup.
>
> IIRC you use the cross certificate with the verisign or globalsign
> certificate to sign the driver so that Microsoft has the root authority.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
>
> > -----Original Message-----
> > From: Alex F [private.php?do=newpm&u=]
> > Posted At: Tuesday, June 15, 2010 10:31 AM
> > Posted To: microsoft.public.development.device.drivers
> > Conversation: How to Release-Sign a Kernel Module
> > Subject: RE: How to Release-Sign a Kernel Module
> >
> > Thank you! If it is possible, please give me some more details.
> > Let's say my company decides to buy VeriSign certificate, I guess, this
> > is
> > possible from here:
> > http://www.verisign.com/code-signing...tes/microsoft-
> > authenticode/index.html.
> > I understand that this gives me some .cer file, which I can use instead
> > of
> > home-made .cer file. My questions:
> > 1) How it is related to Verisign MSCV-VSClass3.cer file that I can
> > download
> > from the "Microsoft Cross-Certificates" WEB page?
> > 2) Does this mean, that having such certificate, I can sign my driver,
> > and it
> > can be installed in Win7 x64? Or some additional driver testing is
> > required?
> > 3) From yout reply: "Verisign has the advantage of providing access to
> > WHQL if
> > that is of interest to your firm". Actually, I have no idea, should I be
> > interested in this? We have kernel-mode driver which is shipped with our
> > product, and I need to ensure that it can be installed in Win7 x64.
> >
> >
> >
> > "Don Burn" wrote:
> >
> > > You need to have your company get a code signing certificate from
> > > either GlobalSign or VeriSign (the others listed in that link are no
> > > longer offered). GlobalSign is cheaper, but Verisign has the
> > > advantage of providing access to WHQL if that is of interest to your
> > > firm. These are not cheap, the Verisign certificate costs $499 per
> > > year. Once you have the cert you can use it instead of the test cert
> > > to
> > sign the driver.
> > >
> > >
> > > Don Burn (MVP, Windows DKD)
> > > Windows Filesystem and Driver Consulting
> > > Website: http://www.windrvr.com
> > > Blog: http://msmvps.com/blogs/WinDrvr
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Alex F [private.php?do=newpm&u=]
> > > > Posted At: Tuesday, June 15, 2010 7:37 AM Posted To:
> > > > microsoft.public.development.device.drivers
> > > > Conversation: How to Release-Sign a Kernel Module
> > > > Subject: How to Release-Sign a Kernel Module
> > > >
> > > > Following the "Kernel-Mode Code Signing Walkthrough" document
> > > > (http://www.microsoft.com/whdc/driver...kmcs-walkthrou
> > > > gh.mspx), I managed to test-sign my driver. Now I want to make
> > > > release-sign. From the
> > > > document:
> > > >
> > > > Step 2: Obtain an SPC
> > > > Release-signing requires a code-signing certificate, also referred
> > > > to as a Software Publisher Certificate (SPC) from a commercial CA.
> > > > Follow the CA's instructions for how to acquire the code-signing
> > > > certificate and install the private key on the signing computer. For
> > > > a list of SPC CAs, see "Resources"
> > > > at the end of this paper.
> > > >
> > > > Here I am completely stuck. I also found this page:
> > > > http://www.microsoft.com/whdc/driver...crosscert.mspx
> > > > but it doesn't help. Please, give me some explanations, what should
> > > > I do now.
> > > > Thanks.
> > > >
> > > >
> > > > __________ Information from ESET Smart Security, version of virus
> > > > signature database 5197 (20100615) __________
> > > >
> > > > The message was checked by ESET Smart Security.
> > > >
> > > > http://www.eset.com
> > > >
> > >
> > > .
> > >
> >
> >
> > __________ Information from ESET Smart Security, version of virus
> > signature
> > database 5198 (20100615) __________
> >
> > The message was checked by ESET Smart Security.
> >
> > http://www.eset.com
> >
>
> .
>