Thawte driver signing for 64-bit Windows

Question

If this question is off-topic, please recommend another StackExchange site to post this on :-)

Our company recently purchased G2 code signing certificate from Thawte. I've run through all steps necessary to sign a 64-bit driver, so it can be installed under Windows 7 64-bit.

I have:

  • downloaded a G2 Thawte cross-certificate
  • obtained our own Thawte certificate (actually a .p12 file which I had to import and re-export as .pfx file for it to work)
  • successfully signed the driver via the following command: signtool.exe sign /ac cross.cer /f private_key.pfx /p ***** /t "http://timestamp.verisign.com/scripts/timstamp.dll" /v my_driver.sys
  • imported our company certificate (and even all those Thawte certificates when the first didn't work) into machine's trusted root authorities and trusted publishers
  • imported Thawte cross-certificate into Intermediate Certification Authorities

I've tried to verify the signature using signtool.exe verify /pa /v my_driver.sys, which has passed. If I do not use /pa in the command line, this would say "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." (is that something I should be worried about?)

Now when I try to install the driver using a simple INF file (not a cab file), the result is red warning about Windows not being able to verify the issuer of the driver. When I choose not to install the driver, I get the following extra message: A file could not be verified because it does not have an associated catalog signed via Authenticode(tm).

I've read that Thawte could not really be used to sign drivers like this in the past because somehow MS stopped supporting it, yet it's still listing a cross-certificate on their website. Not sure if this is still valid, cannot find any proof of it.

Any advice would be greatly appreciated.

Recommended answer

You need to add a CatalogFile reference to your inf file, run Inf2Cat.exe (in the DDK) to generate the cat file, then use signtool.exe to sign that too.
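
The steps in the answer, written out as an added PowerShell example that is not part of the original question or answer. File names and the timestamp URL follow the question; the package folder, the INF name, the PFX_PASSWORD environment variable and the /os:7_X64 target (chosen because the question targets Windows 7 64-bit) are assumptions, and Inf2Cat.exe and signtool.exe are assumed to be on PATH.

```powershell
# Added example, not code from the original post.
$ErrorActionPreference = 'Stop'
$DriverDir = 'C:\build\my_driver'                 # assumed folder holding the INF and SYS
$Inf       = Join-Path $DriverDir 'my_driver.inf' # assumed INF name
$Sys       = Join-Path $DriverDir 'my_driver.sys'
$Cross     = 'cross.cer'
$Pfx       = 'private_key.pfx'
$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'

# 1. The INF must name a catalog in its [Version] section, for example:
#      [Version]
#      CatalogFile = my_driver.cat
#    Fail early if the entry is missing, since Inf2Cat needs it.
$inVersion = $false
$catName   = $null
foreach ($line in Get-Content $Inf) {
    $t = ($line -replace ';.*$', '').Trim()       # strip INF comments
    if ($t -match '^\[(.+)\]$') {
        $inVersion = ($Matches[1].Trim() -ieq 'Version')
        continue
    }
    if ($inVersion -and $t -match '^CatalogFile(\.\w+)?\s*=\s*(.+)$') {
        $catName = $Matches[2].Trim()
        break
    }
}
if (-not $catName) { throw "No CatalogFile entry in [Version] of $Inf" }
$Cat = Join-Path $DriverDir $catName

# 2. Generate the catalog. It records hashes of the INF and the files it
#    references, so any later edit to the INF means regenerating and re-signing.
& Inf2Cat.exe "/driver:$DriverDir" /os:7_X64
if ($LASTEXITCODE -ne 0) { throw 'Inf2Cat failed' }

# 3. Sign the catalog with the same certificate and cross-certificate
#    that were used for my_driver.sys in the question.
& signtool.exe sign /ac $Cross /f $Pfx /p $env:PFX_PASSWORD /t $Timestamp /v $Cat
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $Cat" }

# 4. Verify the driver through its catalog against the kernel-mode
#    driver signing policy (/kp) instead of the default policy.
& signtool.exe verify /kp /v /c $Cat $Sys
if ($LASTEXITCODE -ne 0) { throw 'Kernel-mode policy verification failed' }
```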
