How to Use Your EV Code Signing Certificate to Sign Kernel-Mode Drivers

Benefits of Signing Your Kernel-Mode Drivers

Extended Validation (EV) Code Signing certificates are designed so that you can digitally sign kernel-mode driver packages. When you sign a driver package, users who install your program can verify that it was released by your company, and they also have a way to verify that the driver package has not been tampered with.

If a bad actor has tampered with an installer that you signed with your EV Code Signing Certificate, the installer package no longer shows as being issued by your company when the customer runs it. Instead, Windows warns the user that it is an "untrusted" program and asks whether they still want to run the untrusted package.

If your users are running a 64-bit version of Windows 10, 8, 7, or Vista, an unsigned or altered driver produces the error "Windows requires a digitally signed driver". This warning gives users a way to know that they are getting your authentic driver and not some virus-ridden version of it.

The process is simple: you write your kernel-mode drivers and sign them with an EV Code Signing Certificate from DigiCert, and your customers get a valuable product that they know is safe and was released by a company they can trust.


EV Code Signing Certificate Signing Process

The EV Code Signing Certificate signing process consists of three main steps. Depending on your situation, you may need to do all three steps or only one or two of them.

  1. Preparing the EV Code Signing Certificate

  2. Downloading the Code Signing Cross-Certificate

  3. Using Your EV Code Signing Certificate to Sign Kernel-Mode Drivers

Microsoft Support

Windows 10

Microsoft announced that with the Windows 10 release, all "new" Windows 10 kernel-mode drivers are required to be submitted to the Windows Hardware Developer Center Dashboard portal (Dev Portal) to be digitally signed by Microsoft. However, because of technical and ecosystem readiness issues, Windows Code Integrity could not enforce the requirement, and it remained only a policy statement.

Windows 10 Version 1607

Starting with "new" installations of Windows 10, version 1607, the operating system enforces the previously outlined driver signing rules and will not load "new" kernel-mode drivers that the Dev Portal has not signed.

Also, all kernel-mode drivers submitted to the Hardware Dev Center Dashboard must be signed with an EV Code Signing Certificate before the Dashboard can sign them. See Driver Signing changes in Windows 10, version 1607.

Note: The Operating System driver signing rules do not apply to systems that were upgraded from an earlier version of Windows (e.g., 8.1) to Windows 10, version 1607; these systems are not affected by this requirement change.

SHA-1 EV Code Signing Certificates

Microsoft plans to support SHA-1 Code Signing Certificates until Jan 1, 2020. Despite this continued support for SHA-1 Code Signing Certificates, Microsoft recommends using a SHA-256 certificate, digest algorithm, and timestamp for all applications.

Microsoft has not yet released a SHA-1 deprecation policy for drivers. Note that Windows 7 does not support SHA-256 signed drivers without an automatic update. Microsoft states, "To install on Windows 10, 8.1, 8, and 7, your driver package can have a single SHA1 signature... SHA1 deprecation does not apply to drivers." For more information, refer to the Windows Enforcement of Authenticode Code Signing and Timestamping page.

Note: By default, DigiCert Code Signing Certificates are SHA-256. If you need a SHA-1 Code Signing Certificate, you can re-key your certificate from inside your DigiCert account.

Preparing the EV Code Signing Certificate

After you’ve purchased an EV Code Signing Certificate from DigiCert, we validate your information and then send the token to you in the mail. Before you can begin signing applications (such as drivers) with the EV Code Signing Certificate, you need to do the following:

I. Prepare Your Secure Token

  1. Using a DigiCert Supplied Secure Token

    If you opted to have DigiCert provide you with a secure token with your EV Code Signing Certificate installed on it, do the following:

    1. Activate Token

      Activate your token and retrieve its password from within your DigiCert account.

    2. Install the Driver for the SafeNet eToken Device

      During the token activation process, you are given a link to download and install the driver for the SafeNet eToken device.

    3. Change eToken Password

      After obtaining your password, DigiCert recommends you change your eToken password as a security best practice.

  2. Using Your Own Secure Token

    If you opted to use your own FIPS 140-2 Level 2 compliant token from a different vendor, do the following:

    1. Install Device Hardware

      Install your device's hardware on your PC.

    2. Install EV Code Signing Certificate

      Install your EV Code Signing Certificate on your token before proceeding with these instructions.

II. Rekeying/Reissuing Your EV Code Signing Certificate

  1. Get a SHA-1 Version of Your EV Code Signing Certificate

    By default, DigiCert EV Code Signing Certificates are SHA-256. If you are a DigiCert customer, getting a SHA-1 version of your EV Code Signing Certificate is relatively easy. See Getting Your SHA1 EV Code Signing Certificate.

  2. Install Your SHA1 EV Code Signing Certificate on Your Token

    Installing the SHA1 version of the EV Code Signing Certificate on your token is relatively straightforward. See the How to Install Your SHA1 EV Code Signing Certificate on Your Token section of the Getting Your SHA1 EV Code Signing Certificate instructions.

III. DigiCert Code Signing Cross-Certificate

Next, download the DigiCert Code Signing Cross-Certificate.

Downloading the Code Signing Cross-Certificate

Before you can use SignTool to sign applications, you need to download the DigiCert Code Signing Cross-Certificate to the computer where you will be signing applications. You specify this certificate in SignTool with the /ac option.

Click here to download the DigiCert Code Signing Cross-Certificate.

Using Your EV Code Signing Certificate to Sign Kernel-Mode Drivers

For general instructions on using your EV Code Signing Certificate to sign your kernel-mode drivers, we recommend that you download and read the Microsoft Kernel-Mode Code Signing Walkthrough document. This document contains in-depth instructions for getting started with kernel-mode code signing, as well as using an EV Code Signing Certificate to sign drivers and other applications.

Prepare to Sign Code by Installing the Windows SDK

To use SignTool.exe to sign your application, you need to do one of the following:

Option 1: Install Visual Studio

Install Microsoft Visual Studio 2005 (or later).

Option 2: Install Windows SDK

On the machine where you will be signing code, download and install one of the following versions of Microsoft Windows SDK:

If you have Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI. Newer versions of the Windows SDK (7 and later) require you to use the command-line instructions below.

Use Your EV Code Signing Certificate to Sign Your Files

Once your token and computer are ready, you can use the SignTool command to sign your kernel-mode driver.

Automatic versus Manual

If you have more than one EV Code Signing Certificate on your token, we recommend that you manually select which certificate to use for signing code. When running any of the SignTool commands, modify the file path(s) to match your filename(s). After running the command, you are prompted to enter your device's password.

SignTool Automatically Selects the EV Code Signing Certificate

To let SignTool automatically select the EV Code Signing Certificate to use to sign your kernel-mode driver, do one of the following options:

  1. How to Sign Code with a SHA-256 Certificate/Digest Algorithm/Timestamp

    1. On your Windows workstation, plug in your EV Code Signing Certificate token.

    2. Open a Command Prompt as an admin.

      1. On the Windows Start screen/menu, type cmd.

      2. Right-click on Command Prompt and then click Run as administrator.

    3. In the Command Prompt, run the command below, modifying the file path(s) to match your filename(s):

      Important: When using SHA-256 for signing, make sure to use the latest version of SignTool (6.3 or later) to avoid errors.

      signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"

    4. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

      c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"
      Done Adding Additional Store
      Successfully signed and timestamped: FileToSign.cat

  2. How to Sign Code with a SHA-1 Certificate/Digest Algorithm/Timestamp

    1. On your Windows workstation, plug in your EV Code Signing Certificate token.

    2. Open a Command Prompt as an admin.

      1. On the Windows Start screen/menu, type cmd.

      2. Right-click on Command Prompt and then click Run as administrator.

    3. In the Command Prompt, run the command below, modifying the file path(s) to match your filename(s):

      signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"

    4. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

      c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"
      Done Adding Additional Store
      Successfully signed and timestamped: FileToSign.cat

Manually Specify the EV Code Signing Certificate You Want SignTool to Use

To select which EV Code Signing Certificate you want SignTool to use to sign your kernel-mode driver, do the following:

  1. Retrieve the EV Code Signing Certificate’s Subject Name

    1. On your Windows workstation, plug in your EV Code Signing Certificate token.

    2. Open the CertMgr tool.

      On the Windows Start screen/menu, type certmgr.msc and press Enter.

    3. In the certmgr window, in the navigation pane on the left, expand the Personal folder and select the Certificates folder to see a list of all the certificates installed for that user account.

    4. In the pane on the right, under Issued To, the certificates are listed by their "subject name".

      Make sure to note the "subject name" (e.g., YourCompany Inc.) of the certificate you want SignTool to use.

  2. Use one of the following options to sign your kernel-mode driver:

    1. How to Sign Code with a SHA-256 Certificate/Digest Algorithm/Timestamp

      1. Open a Command Prompt as an admin.

        1. On the Windows Start screen/menu, type cmd.

        2. Right-click on Command Prompt and then click Run as administrator.

      2. In the Command Prompt, run the command below, modifying the file path(s) to match your filename(s):

        Important: When using SHA-256 for signing, make sure to use the latest version of SignTool (6.3 or later) to avoid errors.

        signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /s my /n "Subject Name" "c:\path\to\FileToSign.cat"

      3. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /s my /n "Subject Name" "c:\path\to\FileToSign.cat"
        Done Adding Additional Store
        Successfully signed and timestamped: FileToSign.cat

    2. How to Sign Code with a SHA-1 Certificate/Digest Algorithm/Timestamp

      1. Open a Command Prompt as an admin.

        1. On the Windows Start screen/menu, type cmd.

        2. Right-click on Command Prompt and then click Run as administrator.

      2. In the Command Prompt, run the command below, modifying the file path(s) to match your filename(s):

        signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /s my /n "Subject Name" /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"

      3. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /s my /n "Subject Name" /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"
        Done Adding Additional Store
        Successfully signed and timestamped: FileToSign.cat
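Before a signed catalog or driver file leaves the build machine, it is worth inspecting what the signature actually carries rather than relying on the "Successfully signed" line alone. The following PowerShell function is an added example and is not part of the DigiCert instructions or Microsoft's walkthrough; it uses only the built-in Get-AuthenticodeSignature cmdlet and assumes a Windows workstation, a file signed as described in this section, and a placeholder subject name ("YourCompany Inc.") that you replace with the subject name noted in certmgr. It reports the signer, the certificate's own signature algorithm (so a SHA-1 certificate is distinguishable from a SHA-256 one, as the SHA-1 section above distinguishes them), whether a timestamp was applied, and whether the certificate carries the code-signing Enhanced Key Usage.

```powershell
# Added example, not DigiCert's code. Run in PowerShell on the signing workstation
# against a file signed with SignTool as shown above.
function Test-DriverSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: the "subject name" you noted in certmgr (step 1 above).
        [string] $ExpectedSubject = 'YourCompany Inc.'
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate    # $null when the file carries no signature

    # Collect the Enhanced Key Usage OIDs; 1.3.6.1.5.5.7.3.3 is Code Signing.
    $ekuOids = @()
    if ($cert) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    }

    [pscustomobject]@{
        File           = Split-Path -Leaf $Path
        # Valid, NotSigned, HashMismatch (file altered after signing), NotTrusted, ...
        Status         = $sig.Status
        Signer         = if ($cert) { $cert.Subject } else { $null }
        Thumbprint     = if ($cert) { $cert.Thumbprint } else { $null }
        # sha256RSA for a SHA-256 certificate, sha1RSA for a SHA-1 one
        CertAlgorithm  = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        CodeSigningEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.3')
        # True when /t or /tr added a timestamp, so the signature outlives the certificate
        Timestamped    = ($null -ne $sig.TimeStamperCertificate)
        SubjectMatches = ($null -ne $cert -and $cert.Subject -like "*CN=$ExpectedSubject*")
    }
}

# Usage: gate on the properties that matter before the package ships.
$r = Test-DriverSignature -Path 'c:\path\to\FileToSign.cat'
$r | Format-List
if ($r.Status -ne 'Valid' -or -not $r.Timestamped -or -not $r.SubjectMatches -or -not $r.CodeSigningEku) {
    Write-Error "Signature check failed for $($r.File)"
}
```

A HashMismatch status is exactly the tampering case described at the top of this page; NotSigned means SignTool never ran on the file (for example, because the wrong path was given), and a missing timestamp means the signature will stop validating when the certificate expires.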

Additional Information:

Batch Signing Files

If you want to batch sign your files with your EV Code Signing Certificate, you must enable single logon for the SafeNet Token. Once single logon is enabled and you have logged into the Token, you can batch sign your files, enabling you to enter your password only once per user session.

How to Enable Single Logon for a SafeNet Token

  1. Open SafeNet Authentication Client Tools.

    Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.

  2. Click the Advanced View icon (gold gear).

  3. In the menu tree in the left pane, select Client Settings.

  4. In the right pane, select the Advanced tab.

  5. On the Advanced tab, select the Enable single logon option.

  6. Click Save.

  7. To activate the single logon feature, log off from the computer and log on again.

Identify a Certificate by its Hash Value

Using the hash value of a Code Signing Certificate is another way to select which Code Signing Certificate you want SignTool to use.

If your Personal Certificate store contains multiple certificates, it may be better to use the /sha1 option to specify the hash value of the Code Signing Certificate instead of using /a or /n "subject name" in the signing command.

In this situation, you use the thumbprint value of your Code Signing Certificate. You must remove all spaces from the thumbprint value; if you do not, the command will not work. You can also use the DigiCert Utility to easily get the thumbprint; see How to Get Your EV Code Signing Certificate's Thumbprint.

  1. Option 1: How to Sign Code with a SHA-256 Certificate/Digest Algorithm/Timestamp

    In the Command Prompt, run the command below, modifying the thumbprint and file path(s) to match your certificate's thumbprint and your filename(s):

    signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 XXSHA-256CERTTHUMBPRINTXX "c:\path\to\FileToSign.cat"

  2. Option 2: How to Sign Code with a SHA-1 Certificate/Digest Algorithm/Timestamp

    In the Command Prompt, run the command below, modifying the thumbprint and file path(s) to match your certificate's thumbprint and your filename(s):

    signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /sha1 XXSHA-1CERTTHUMBPRINTXX /t http://timestamp.digicert.com "c:\path\to\FileToSign.cat"
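Putting the thumbprint selection above together with the batch-signing note earlier in this section, here is an added PowerShell example (not from DigiCert or Microsoft) that normalises a thumbprint pasted from certmgr, confirms that the matching certificate is present and unexpired in the user's Personal store, signs several files in a single SignTool invocation, and then re-verifies each one against the kernel-mode driver signing policy. It assumes signtool.exe from the Windows SDK is on the PATH, that single logon is enabled on the SafeNet token as described above, and that the thumbprint, cross-certificate path and driver folder are placeholders you replace with your own values.

```powershell
# Added example, not part of the DigiCert page. Thumbprint and paths are placeholders.
$CrossCert  = 'C:\path\DigiCert High Assurance EV Root CA.crt'   # cross-certificate downloaded earlier
$DriverDir  = 'C:\path\to\drivers'
$Thumbprint = 'XX SHA-256 CERT THUMBPRINT XX'                     # paste from certmgr; spaces are removed below

# certmgr displays the thumbprint with spaces; signtool /sha1 wants 40 hex characters and nothing else.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
if ($Thumbprint -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint must be 40 hexadecimal characters after removing spaces; got '$Thumbprint'"
}

# The token's certificate appears in the current user's Personal store (certmgr > Personal > Certificates).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                    { throw "No code-signing certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)" }
Write-Host "Signing with: $($cert.Subject) ($($cert.SignatureAlgorithm.FriendlyName))"

# Everything to sign goes into one signtool call, so the token password is requested once;
# with single logon enabled, later calls in the same session do not prompt again either.
$files = Get-ChildItem -Path $DriverDir -Recurse -Include *.sys, *.cat |
         Select-Object -ExpandProperty FullName
if (-not $files) { throw "Nothing to sign under $DriverDir" }

$signArgs = @('sign', '/v',
              '/ac', $CrossCert,
              '/sha1', $Thumbprint,
              '/tr', 'http://timestamp.digicert.com', '/td', 'sha256',
              '/fd', 'sha256') + @($files)
& signtool.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# Re-verify each file under the kernel-mode driver signing policy (/kp), the policy
# Windows Code Integrity applies when it loads the driver.
$failed = @()
foreach ($f in @($files)) {
    & signtool.exe verify /v /kp $f | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $f }
}
if ($failed) { throw "Kernel-mode policy verification failed for: $($failed -join ', ')" }
Write-Host "Signed and verified $(@($files).Count) file(s)."
```

Selecting by thumbprint sidesteps the ambiguity of /a and /n: if two certificates on the token share a subject name (for example a SHA-1 and a SHA-256 issue of the same EV certificate), the thumbprint identifies exactly one of them, and the store check fails early instead of letting SignTool pick.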

For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.