Difficulties signing a Windows driver (renaming and re-signing the OpenVPN TAP driver)

It is unclear to me how the driver should be signed in my specific circumstances.

OpenVPN has a TAP driver, which consists of the files tap0901.sys, tap0901.cat and OemWin2k.inf.

When I install it using "devcon install OemWin2k.inf tap0901" on my 64-bit Win7, it installs without any scary warnings.

I renamed the driver to ogtap100 (renaming the files to ogtap100.sys and ogtap100.cat, and replacing the "tap0901" lines in OemWin2k.inf with "ogtap100" according to http://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers and the comments in OemWin2k.inf).

However, when I run "devcon install OemWin2k.inf ogtap100" on the renamed driver, I get a big scary warning from Windows that the driver comes from an unknown source. It does get installed, but I plan to ship it as part of my application, so a big scary warning is not good.

When I run "signtool verify /v ogtap100.cat", I get: "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." even though it also says the root certificate is "Issued to: DigiCert High Assurance EV Root CA".

I tried re-signing (signtool sign /f cert.pfx ogtap100.cat) with my own certificate (which works when signing regular .exe files), but I get the same scary warning.

What am I missing?

Could it have something to do with the catalog (.cat) file?

I read http://msdn.microsoft.com/en-us/windows/hardware/gg463050 , but it suggests that I create the .cat file myself. I already have a .cat file from OpenVPN. Should I regenerate it after renaming the files and editing OemWin2k.inf? If so, how?


1) Did you make sure you got a DigiCert High Assurance certificate? The standard one they issue is not intended for drivers. It is easy to change ... https://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm

2) If you download the Windows 7 DDK and read the intent and the code a bit, rather than just following the instructions, you can build your own driver (cat and sys files), correctly renamed and signed. https://community.openvpn.net/openvpn/wiki/BuildingTapWindows

Take a look at the generated OemWin2k.inf for some strong renaming hints. Note: the timestamp must be correct, and it is in the (funny) mm/dd/yyyy format.

3) As for the warning message, at least you can get it to display your company name correctly, and Windows will accept (rather than block) the correctly signed driver.


For more information on signing a driver, check https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/0b00c9d4-dff9-4fbe-b741-768c9b39349c/practical-windows-code-and-driver-signing-discussion?forum=wdk

This is a thread that points to some background documents. Generating a .cat file from the inf is simple.

Check the syntax and the order of operations. I also use a DigiCert certificate; make sure you have one issued for driver signing, and take care that the cross certificate is correct.

The build script uses the inf2cat method, so if you follow the WHOLE set of instructions (and look for material in the settings that the inf didn't tell you about ... look at the constants), then you generate a .cat file.

For my setup, I found that the .sys file must be signed before creating the .cat and signing it.

Also, make sure all Windows updates are installed on your PC. That actually worked to "fix" a computer that had the same error signature. (It did not have the required certificate to verify the cross certificate, which it then downloaded automatically.)

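One way to run the sequence the second answer describes (sign the .sys, regenerate the .cat with inf2cat, sign the .cat with the cross-certificate, verify under the kernel-mode policy) as a PowerShell script. This is an added example, not code from either answer or from the OpenVPN project; the .pfx path, cross-certificate path, password variable and driver folder are placeholders, and the DigiCert timestamp URL is an assumption.

```powershell
param(
    [string]$DriverDir = ".\ogtap100",                       # placeholder: folder with OemWin2k.inf + ogtap100.sys
    [string]$DriverName = "ogtap100",
    [string]$Pfx = "C:\certs\codesign.pfx",                  # placeholder: certificate issued for driver signing
    [string]$PfxPassword = $env:PFX_PASSWORD,                # placeholder: supplied via environment, not hard-coded
    [string]$CrossCert = "C:\certs\DigiCert_CrossCert.cer",  # placeholder: Microsoft cross-cert for your CA
    [string]$TimestampUrl = "http://timestamp.digicert.com"  # assumed: DigiCert public timestamp server
)
$ErrorActionPreference = "Stop"
if (-not $PfxPassword) { throw "Set PFX_PASSWORD or pass -PfxPassword" }

function Assert-Ok([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

$inf = Join-Path $DriverDir "OemWin2k.inf"
$sys = Join-Path $DriverDir "$DriverName.sys"
$cat = Join-Path $DriverDir "$DriverName.cat"

# inf2cat rejects an INF whose DriverVer date is not mm/dd/yyyy, and the CatalogFile
# entry must name the renamed .cat, otherwise Windows looks for a catalog that no longer exists.
$infText = Get-Content $inf -Raw
if ($infText -notmatch 'DriverVer\s*=\s*\d{2}/\d{2}/\d{4},') {
    throw "DriverVer in $inf must be in mm/dd/yyyy,version form"
}
if ($infText -notmatch "CatalogFile\s*=\s*$DriverName\.cat") {
    throw "CatalogFile in $inf does not reference $DriverName.cat"
}

# 1. Sign the .sys first: the catalog stores the hash of the file as it ships.
signtool sign /v /ac $CrossCert /f $Pfx /p $PfxPassword /t $TimestampUrl $sys
Assert-Ok "sign .sys"

# 2. Regenerate the catalog; the .cat shipped by OpenVPN covers the old file names.
#    Quoted so PowerShell does not split the comma-separated /os list into separate arguments.
inf2cat "/driver:$DriverDir" "/os:7_X86,7_X64" /verbose
Assert-Ok "inf2cat"

# 3. Sign the new catalog with the same certificate and cross-certificate chain.
signtool sign /v /ac $CrossCert /f $Pfx /p $PfxPassword /t $TimestampUrl $cat
Assert-Ok "sign .cat"

# 4. Verify the catalog under the kernel-mode code signing policy (/kp), which
#    requires the chain through the cross-certificate rather than just any trusted root.
signtool verify /kp /v $cat
Assert-Ok "verify .cat (/kp)"
```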

Source: https://habr.com/ru/post/1447381/
