Practical Windows Code and Driver Signing discussion

Hello, my name is David Grayson and I work at Pololu Robotics & Electronics. I recently went through the process of signing all of our company's USB drivers and most of our installers for Windows. I encountered so many problems along the way that could have been easily avoided if someone had told me about them ahead of time. In response, I have written a 7000-word document that hopefully explains everything you need to know about code and driver signing:
Practical Windows Code and Driver Signing
If you are going through the same process, I sincerely hope that this document can clear up all of your confusion and save you a lot of time. I learned the hard way and now you can learn the easy way. The basic conclusion of it all is that you should probably stay away from Go Daddy's certificates and use GlobalSign, and I provide detailed justifications for that.
Click here to read the entire document.
If you have any comments or questions, please post them here! If I missed anything or got anything wrong, let me know.  If you found the document useful and just want to thank me, then you can do that here too!
Also, if you found this document helpful, please click on the little green arrow to the left!
--David Grayson

David, 
Thanks! Sorry, I would have replied earlier but got diverted to the latest crisis.
David Wrote:
"I don't know anything about a Go Daddy "Driver Signing Tool"; maybe you found that statement elsewhere."
My bad, I meant to say Godaddy's "Driver Signing Cert" as opposed to their "Code Signing Cert".
And Yes, I followed your instructions and everything works fine on Win7 now that I installed the root certs you recommended!!
Still I must find a way for my driver package to install without the warning message in Win7 without having users install the cert.
Godaddy support (I have little confidence in them) swears up and down that I can double sign my Catalog file by following instructions here:
http://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx
Signing a driver package with two signatures
In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.
Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256.
You can use the same certificate for both signatures, or you can use separate certificates. Here are the steps to create the two signatures using Visual Studio.
In the Solution Explorer window, right-click Solution SolutionName, and choose Configuration Manager. For the driver project and the package project, set Configuration to Win7 Release, and set Platform to x64.
Open the property pages for the driver package. Navigate to Configuration Properties > Driver Signing > General. In the Sign Mode drop-down list, select Production Sign. For Production Certificate, enter the path to your signing certificate.
In the property pages for the driver package, navigate to Configuration Properties > Custom Build Step > General. For Description, select Performing Custom Build Step. For Execute After, select DriverProductionSign. For Command Line, enter this command.
Signtool sign /fd sha256 /ph /as /sha1 XX...XX $(TargetPath)
where XX...XX is the hash of the certificate you are using for the secondary signature.
Note: To see the hash (also called the thumbprint) of a certificate, open a Command Prompt window and navigate to the directory that contains your certificate. Enter the command certutil -dump CertName.pfx, where CertName.pfx is the name of your certificate.
From what I gather, the issue is:
1. Godaddy's "Driver Signing Certs" default to signing with SHA-256. For whatever reason, most Win7 installations do not have the appropriate root cert installed to support SHA-256.
2. According to Godaddy, if I re-sign my Catalog file again with SHA1 then everything should work. They claim they have done this with other users.
3. According to Microsoft, the Signtool utility used with the following parameters will re-sign a Catalog that's already signed with SHA1 to SHA256.
Signtool sign /fd sha256 /ph /as /sha1 XX...XX $(TargetPath)
But I need to re-sign to SHA1. If I can re-sign to SHA1, then everything should work properly with the GoDaddy root that's installed normally in Win7 machines.
Questions:
1. Is Godaddy giving me bad info? According to them I can sign my Catalog file twice with the same cert. According to you I will need another cert.
2. If I can double sign the Cat file, what are the proper Signtool parameters to make sure it's signed again with SHA1?
The Microsoft sample is for going from SHA1 to SHA256, but I'll need to go from SHA256 to SHA1. If I was using Godaddy's Code Signing Cert this would be an issue.
Thanks
Randy
Randy Feingersh
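The dual-signing procedure quoted from MSDN in the post above, run from a PowerShell prompt instead of a Visual Studio custom build step. This is an added example for readers of the thread; it is not code from either poster, from Microsoft, or from the linked document. Every path, thumbprint and timestamp URL in it is an assumed placeholder, and it expects a freshly generated, still unsigned catalog file as input.

```powershell
# Added example, not code from the original thread or from the linked document.
# Signs a driver catalog twice the way the quoted MSDN procedure describes:
# a SHA-1 primary signature first, then a SHA-256 signature appended with /as,
# then a verification pass that lists both signatures.
# All paths, the thumbprint and the timestamp URL below are assumed placeholders.
param(
    [string]$Catalog      = 'C:\driverpkg\mydriver.cat',                # assumed: the UNSIGNED catalog
    [string]$Thumbprint   = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', # assumed: SHA-1 thumbprint of the signing cert
    [string]$TimestampUrl = 'http://timestamp.example.invalid'          # assumed: your CA's RFC 3161 timestamp server
)

$ErrorActionPreference = 'Stop'

# signtool.exe ships with the Windows SDK / WDK; fail early if it is not on PATH.
if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) {
    throw 'signtool.exe not found; add the Windows SDK bin directory to PATH.'
}

# List the thumbprints in the user store so the right certificate can be picked
# (the same value certutil -dump prints for a .pfx file).
Get-ChildItem Cert:\CurrentUser\My |
    Select-Object Thumbprint, Subject, NotAfter |
    Format-Table -AutoSize

# Step 1: primary signature with a SHA-1 file digest (/fd sha1).
# Older verifiers only evaluate the primary signature, which is why it is the SHA-1 one.
# /sha1 selects the certificate by thumbprint; /tr and /td request a timestamp.
& signtool.exe sign /v /fd sha1 /sha1 $Thumbprint /tr $TimestampUrl /td sha1 $Catalog
if ($LASTEXITCODE -ne 0) { throw "SHA-1 primary signature failed (exit code $LASTEXITCODE)" }

# Step 2: append (/as) a second signature with a SHA-256 file digest.
# /as adds a signature instead of replacing the one from step 1.
& signtool.exe sign /v /fd sha256 /sha1 $Thumbprint /tr $TimestampUrl /td sha256 /as $Catalog
if ($LASTEXITCODE -ne 0) { throw "SHA-256 secondary signature failed (exit code $LASTEXITCODE)" }

# Step 3: verify and list every signature on the file. /all checks both signatures;
# the verbose output shows the digest algorithm of each one and whether its chain verifies.
& signtool.exe verify /v /pa /all $Catalog
if ($LASTEXITCODE -ne 0) { throw "signature verification failed (exit code $LASTEXITCODE)" }
```

The order matters: /as only appends, so a catalog that already carries a SHA-256 primary signature keeps that primary no matter what is added afterwards. To end up with a SHA-1 primary, start from a newly generated unsigned catalog and sign it in the order shown.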
