Hi,

On 2012.04.09 15:12, Sethuraman R wrote:
>         2.1. My inf is working fine and i am using only the windows
> default driver(USBSER.sys) in the inf. In this case, is it required to
> sign the default sys file? Or Is it already Signed? Or Is signing not
> required?

Binary drivers that come from the Windows OS are already signed, though,
unlike non Windows signed drivers, the signature may not be displayed
when right clicking. But unless you use your own custom version, you
should not have to sign this file.

>         2.2.I have understood that Signing the driver
> binaries(SYS,DLL,...) and Signing the driver package(inf) are completely
> different.

Indeed. One will prevent you from using the driver altogether, unless
running Windows in test mode, and the other determines whether users are
prompted with a warning during driver installation.

> Also, the signing warning(Windows can't verify the the
> publisher of the software) occurs only because of my unsigned inf and
> not because of the driver?

Yes.

>         2.3 To avoid the above said warning, by assuming USESER.SYS
> doesn't require any signing, i selfsigned or test signed my inf file in
> the following way as mentioned at
> http://www.itninja.com/question/guide-to-signing-unsigned-drivers.
>
> # creted .cat file using Inf2cat.exe
> Inf2Cat.exe /driver:"<Path of the inf>"

You may also want to have a look at the Signed Cat file part of the
libwdi signed driver walkthrough [1]. You may want to append a /os:
option there, depending on your target OSes.

> # created certificate using makecert.exe
> MakeCert.Exe -r -pe <path to .cer file you want to generate> -n
> CN=<certificate name> -sv <path to .pvk file you want to generate> -len
> 2048

You may also want to have a look at this post from libusb-win32, where I
did something similar [2].

>        2.4) As per the MS DDK Documentation, the test signing or Self
> Signing is done without PVK... Am i wrong in the last step?
>
> But here i created the PVK also?

In a PKI implementation, you always need a private key, so one always
exists. You can't create a self-signing certificate without a private key.

> # Create Software Publisher's Certificate (SPC) from our certificate
> Cert2Spc.Exe <path to .cer file> <path to .spc file>
>
> # Create a .pfx file
> pvk2pfx.exe -pvk <path of .pvk file created earlier> -pi <password> -spc
> "<path of .pfx to be stored>
>
> # Sign the catalog file
> signtool.exe sign /f "<path of .pfx file>" /p <password> /t
> http://timestamp.comodoca.com/authenticode /v "<cat file to be signed>"
>
> # Installed the certificate in local machine
> certmgr.exe /add "<path of the certificate created>" /s /r localMachine root
> certmgr.exe /add "<path of the certificate created>" /s /r localMachine
> trustedPublishers

As long as you have a pfx that matches your self-signed certificate, and
you install the cert in root and trustedPublishers, you should be OK for
validation of the driver package. Be mindful that this needs to be done
from an elevated command prompt.

The trick not to get the driver package prompt is to have the public key
of your self-signed credential in root and trustedPublishers, and to
sign the inf package with the matching private key.

> 3. I am successuly created cert file and now, not getting any warnings
> during installation with DPInst.

So far so good.

> My critical question here is, can i
> distribute or publish this signed certificate that i created ?? i.e Can
> i install my self signed certificate in my clients machine ( is it legal
> to distribute my signed certificate for commercial use).

Absolutely. Distribution of the *public* key, which is what is meant to
get installed in the client's security store through a certificate, is
no concern at all and has no legal implication whatsoever (even if you
export it to Iran or something). Many software developers, including
Microsoft of course, export public keys in one way or another, be it for
root certification authorities, and no special concern needs to be taken
to do so. And the same would be true for the private key as well, since
public and private key are usually symmetric, provided it wasn't a very
bad idea to distribute a private key.

Just make sure that you distribute a certificate (i.e. a container with
the public key only - typically a .cer on Windows) and not a credential
(container with both the private and public key - typically a .pfx), as
making your private key available would allow anyone to sign and get
malicious software installed that validates against your public key,
which is not what you want.

> Please condsider that there won't be any objection from my client side
> where i want to install the certificate.

As long as you ensure that your private key remains private and out of
reach from malicious users, installing your certificate on the client's
side shouldn't be a concern.

> 4.Seems that certmgr.exe is not distibutable and help me in providing
> the alternative tool or code to import the certificate?

Travis has developed a dpscat utility for libusbK that may be of help.
You can find it in the binary directory of the latest libusbK [3].

Regards,

/Pete

PS: Sorry for not answering your original e-mail on the libwdi mailing
list. I got confused about the message asking to disregard.

[1]
https://sourceforge.net/apps/mediawiki/libwdi/index.php?title=Signed_driver_walkthrough#Creating_a_signed_cat_file
[2] https://sourceforge.net/mailarchive/message.php?msg_id=27223654
[3] https://sourceforge.net/projects/libusbk/files/libusbK-beta/3.0.5.10/

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Libusb-win32-devel mailing list
Libusb-win32-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libusb-win32-devel

Hi,

On 2012.04.09 15:12, Sethuraman R wrote:
>         2.1. My inf is working fine and i am using only the windows
> default driver(USBSER.sys) in the inf. In this case, is it required to
> sign the default sys file? Or Is it already Signed? Or Is signing not
> required?

Binary drivers that come from the Windows OS are already signed, though,
unlike non Windows signed drivers, the signature may not be displayed
when right clicking. But unless you use your own custom version, you
should not have to sign this file.

>         2.2.I have understood that Signing the driver
> binaries(SYS,DLL,...) and Signing the driver package(inf) are completely
> different.

Indeed. One will prevent you from using the driver altogether, unless
running Windows in test mode, and the other determines whether users are
prompted with a warning during driver installation.

> Also, the signing warning(Windows can't verify the the
> publisher of the software) occurs only because of my unsigned inf and
> not because of the driver?

Yes.

>         2.3 To avoid the above said warning, by assuming USESER.SYS
> doesn't require any signing, i selfsigned or test signed my inf file in
> the following way as mentioned at
> http://www.itninja.com/question/guide-to-signing-unsigned-drivers.
>
> # creted .cat file using Inf2cat.exe
> Inf2Cat.exe /driver:"<Path of the inf>"

You may also want to have a look at the Signed Cat file part of the
libwdi signed driver walkthrough [1]. You may want to append a /os:
option there, depending on your target OSes.

> # created certificate using makecert.exe
> MakeCert.Exe -r -pe <path to .cer file you want to generate> -n
> CN=<certificate name> -sv <path to .pvk file you want to generate> -len
> 2048

You may also want to have a look at this post from libusb-win32, where I
did something similar [2].

>        2.4) As per the MS DDK Documentation, the test signing or Self
> Signing is done without PVK... Am i wrong in the last step?
>
> But here i created the PVK also?

In a PKI implementation, you always need a private key, so one always
exists. You can't create a self-signing certificate without a private key.

> # Create Software Publisher's Certificate (SPC) from our certificate
> Cert2Spc.Exe <path to .cer file> <path to .spc file>
>
> # Create a .pfx file
> pvk2pfx.exe -pvk <path of .pvk file created earlier> -pi <password> -spc
> "<path of .pfx to be stored>
>
> # Sign the catalog file
> signtool.exe sign /f "<path of .pfx file>" /p <password> /t
> http://timestamp.comodoca.com/authenticode /v "<cat file to be signed>"
>
> # Installed the certificate in local machine
> certmgr.exe /add "<path of the certificate created>" /s /r localMachine root
> certmgr.exe /add "<path of the certificate created>" /s /r localMachine
> trustedPublishers

As long as you have a pfx that matches your self-signed certificate, and
you install the cert in root and trustedPublishers, you should be OK for
validation of the driver package. Be mindful that this needs to be done
from an elevated command prompt.

The trick not to get the driver package prompt is to have the public key
of your self-signed credential in root and trustedPublishers, and to
sign the inf package with the matching private key.

> 3. I am successuly created cert file and now, not getting any warnings
> during installation with DPInst.

So far so good.

> My critical question here is, can i
> distribute or publish this signed certificate that i created ?? i.e Can
> i install my self signed certificate in my clients machine ( is it legal
> to distribute my signed certificate for commercial use).

Absolutely. Distribution of the *public* key, which is what is meant to
get installed in the client's security store through a certificate, is
no concern at all and has no legal implication whatsoever (even if you
export it to Iran or something). Many software developers, including
Microsoft of course, export public keys in one way or another, be it for
root certification authorities, and no special concern needs to be taken
to do so. And the same would be true for the private key as well, since
public and private key are usually symmetric, provided it wasn't a very
bad idea to distribute a private key.

Just make sure that you distribute a certificate (i.e. a container with
the public key only - typically a .cer on Windows) and not a credential
(container with both the private and public key - typically a .pfx), as
making your private key available would allow anyone to sign and get
malicious software installed that validates against your public key,
which is not what you want.

> Please condsider that there won't be any objection from my client side
> where i want to install the certificate.

As long as you ensure that your private key remains private and out of
reach from malicious users, installing your certificate on the client's
side shouldn't be a concern.

> 4.Seems that certmgr.exe is not distibutable and help me in providing
> the alternative tool or code to import the certificate?

Travis has developed a dpscat utility for libusbK that may be of help.
You can find it in the binary directory of the latest libusbK [3].

Regards,

/Pete

PS: Sorry for not answering your original e-mail on the libwdi mailing
list. I got confused about the message asking to disregard.

[1]
https://sourceforge.net/apps/mediawiki/libwdi/index.php?title=Signed_driver_walkthrough#Creating_a_signed_cat_file
[2] https://sourceforge.net/mailarchive/message.php?msg_id=27223654
[3] https://sourceforge.net/projects/libusbk/files/libusbK-beta/3.0.5.10/

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Libusb-win32-devel mailing list
Libusb-win32-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libusb-win32-devel