Problem

Sign Microsoft Windows 64-bit kernel-mode software using Microsoft Authenticode or Microsoft Office and VBA

Resolution

64-bit versions of Microsoft Windows (Windows Vista and later) require kernel-mode code signing: the kernel will not load a driver unless its signature chains, through a cross-certificate, to the Microsoft Code Verification Root.

To sign 64-bit kernel-mode software using Microsoft Authenticode or Microsoft Office and VBA, you will need to download and install the following:

  1. Microsoft Windows SDK (Must be installed to get signtool.exe)
  2. VeriSign cross certificate (The certificate is attached below)
  3. PVK Import (This tool is not supported by VeriSign)

If your certificate is not already in the certificate store, use PVK Import to import your certificate into the Personal Store.

Use signtool.exe (a command-line tool) from a command prompt to sign your code:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "VeriSign Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\CatFileName.cat"

Replace CatFileName.cat with the file you want to sign.

This example uses several of the arguments that SignTool supports:

  • sign: Configures the tool to sign the specified file
  • /v: Enables verbose output, including details of successful execution and any warning messages
  • /ac: Adds the cross-certificate from the specified file (here the VeriSign cross-certificate) to the digital signature, so the signature chains to the Microsoft Code Verification Root
  • /s: Specifies the certificate store to search for the signing certificate (a certificate imported into the Personal store is in the store named My)
  • /n: Specifies the subject name of the signing certificate, i.e. the company name as it appears in the "ISSUED TO" field of the certificate
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) at the given URL, so the signature remains valid after the signing certificate expires

Note: The timestamping URL for VeriSign is http://timestamp.verisign.com/scripts/timstamp.dll. The spelling "timstamp.dll" (without the "e") is the actual file name on the server and conforms to the old MS-DOS 8.3 naming convention; do not "correct" it.

For more information, refer to the following Microsoft documents:
http://www.microsoft.com/whdc/driver/64bitguide.mspx

http://msdn.microsoft.com/en-us/library/aa388170

Microsoft also supplies the following summarized version of the signing process:

Problem – Trouble signing a driver using signtool and cross-certificates
Environment – Windows 64-bit
Resolution – Install your certificate by double-clicking it and allowing it to be installed automatically based on the certificate type. This way you do not have to worry about which certificate store it is placed in.

Use the x64 Checked Build Environment or the Windows Server 2008 SDK build environment when running SIGNTOOL.
Only cross-sign .SYS files; CAT files do not need to be cross-signed. At load time the system looks only at the SYS file for verification and never at the CAT file (on 64-bit systems only).

When cross-signing, use the following syntax:

NOTE: The company certificate name passed to /n must match exactly what is shown in the "ISSUED TO" field of your own certificate.
The following syntax signs the file using a certificate stored in your Personal certificate store:

Without the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "VeriSign Inc." "C:\driver.sys"

With the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /s MY /n "VeriSign Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\driver.sys"

The following syntax signs the file using a certificate stored in a password-protected PFX file (note that a password given on the command line with /p is visible to other local users in the process list and may be recorded in shell history):

Without the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /f C:\Authenticode\YourCert.pfx /p Password /n "VeriSign Inc." "C:\driver.sys"

With the timestamp:

signtool sign /v /ac "C:\Authenticode\MSCV-VSClass3.cer" /f C:\Authenticode\YourCert.pfx /p Password /n "VeriSign Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\driver.sys"

To verify that the driver was properly cross-signed, use the following syntax (/kp applies the kernel-mode driver signing policy) and look for "Microsoft Code Verification Root" in the certificate chain that is printed:

signtool verify /v /kp "C:\driver.sys"

For cross-signing purposes, you only need to install the PFX file. Remember to install it by double-clicking it; any other method may place the certificate in the wrong store.
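The following PowerShell script is an added example, not part of this article or of Microsoft's summary. It ties together the signing steps above (sign the .sys with the cross-certificate and a timestamp, from either the Personal store or a PFX file, then verify with /kp and confirm the chain reaches the Microsoft Code Verification Root). The signtool.exe location, the driver path, the PFX path and password, and the retry count are assumptions; the cross-certificate path, subject name and timestamp URL are the ones used in the article.

```powershell
# Added example (not from the original KB): sign a 64-bit kernel-mode driver with
# signtool.exe and the VeriSign cross-certificate, then verify it against the
# kernel-mode driver signing policy. Assumes signtool.exe (Windows SDK) is on PATH.
param(
    [Parameter(Mandatory)] [string] $DriverPath,                   # e.g. C:\driver.sys (assumed path)
    [string] $CrossCert    = 'C:\Authenticode\MSCV-VSClass3.cer',   # cross-certificate from the KB
    [string] $SubjectName  = 'VeriSign Inc.',                       # "ISSUED TO" value of your certificate
    [string] $PfxPath,                                              # optional: sign from a PFX file instead of the MY store
    [string] $PfxPassword,                                          # required only with -PfxPath
    [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string] $SignTool     = 'signtool.exe',                        # assumed to be on PATH
    [int]    $MaxAttempts  = 3                                      # assumed retry budget for the timestamp server
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $DriverPath)) { throw "Driver not found: $DriverPath" }
if (-not (Test-Path -LiteralPath $CrossCert))  { throw "Cross-certificate not found: $CrossCert" }

# Build the argument list exactly as in the KB examples. The only difference between
# the two variants is where the private key comes from: the Personal (MY) store or a PFX.
$signArgs = @('sign', '/v', '/ac', $CrossCert)
if ($PfxPath) {
    if (-not $PfxPassword) { throw 'Signing from a PFX file requires -PfxPassword (passed to /p)' }
    $signArgs += @('/f', $PfxPath, '/p', $PfxPassword)
} else {
    $signArgs += @('/s', 'MY')
}
$signArgs += @('/n', $SubjectName, '/t', $TimestampUrl, $DriverPath)

# Timestamp servers are occasionally unreachable and signtool then fails as a whole.
# Retry rather than silently dropping /t: an untimestamped signature stops verifying
# once the signing certificate expires.
$attempt = 0
do {
    $attempt++
    & $SignTool @signArgs
    $signed = ($LASTEXITCODE -eq 0)
    if (-not $signed -and $attempt -lt $MaxAttempts) { Start-Sleep -Seconds (5 * $attempt) }
} while (-not $signed -and $attempt -lt $MaxAttempts)
if (-not $signed) { throw "signtool sign failed after $attempt attempt(s), exit code $LASTEXITCODE" }

# /kp applies the kernel-mode driver signing policy: the chain must end in the
# Microsoft Code Verification Root, which is exactly what the /ac cross-certificate adds.
$verifyOutput = & $SignTool verify /v /kp $DriverPath 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "signtool verify /v /kp failed:`n$verifyOutput" }
if ($verifyOutput -notmatch 'Microsoft Code Verification Root') {
    throw 'Signature chain does not reach the Microsoft Code Verification Root; was /ac applied with the right cross-certificate?'
}
# Heuristic check on the verbose output: signtool reports a timestamped signature with the word "timestamped".
if ($verifyOutput -notmatch 'timestamped') {
    Write-Warning 'No timestamp reported in the signature; it will stop verifying when the certificate expires.'
}
Write-Host "OK: $DriverPath is cross-signed for 64-bit kernel-mode loading."
```

Run it as `.\Sign-Driver.ps1 -DriverPath C:\driver.sys` to sign from the Personal store, or add `-PfxPath C:\Authenticode\YourCert.pfx -PfxPassword '...'` to sign from a PFX file. The script deliberately fails hard when /kp verification does not show the Microsoft Code Verification Root, because that is the exact symptom of a driver that was signed but not cross-signed and will be rejected by a 64-bit kernel. Prefer the store-based variant on build machines: it avoids putting the PFX password on a command line where other local users can read it from the process list.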