Having a bit of trouble signing my kernel mode driver and creating a service for it.
So, I've created a self-signed certificate using makecert:
makecert -r -pe -n "CN=XXX" -ss "XXX" -sr LocalMachine
then using the certificate management snap-in I exported the certificate to a .pfx file and signed the .sys driver using signtool:
signtool sign /f myCert.pfx /p xxx /t http://timestamp.comodoca.com/authenticode driver.sys
Which was successful. Upon using signtool to verify, I received:
Verifying: driver.sys
Hash of file (sha1): 9A...7F
Signing Certificate Chain:
    Issued to: XXX
    Issued by: xxx
    Expires: Sat Dec 31 16:59:59 2039
    SHA1 hash: 12...46
The signature is timestamped: Sun Jun 10 03:35:21 2012
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires: Tue Jul 09 11:40:36 2019
    SHA1 hash: E1...46
    Issued to: COMODO Time Stamping Signer
    Issued by: UTN-USERFirst-Object
    Expires: Sun May 10 16:59:59 2015
    SHA1 hash: 3D...C8
Successfully verified: driver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
However, when I try to create a service for it:
sc create ncd binPath= C:\Windows\System32\drivers\driver.sys type= kernel
(the binpath is verified to exist), the service is created, but about 10-20 seconds later, the "Program Compatibility Assistant" appears with the annoying "Windows requires a digitally signed driver" dialog.
What gives? It's proven to be signed. I've tried the process three times over, with no luck. I've tried starting the service, but I get a BSOD with a BC code that refers to this issue (the unsigned driver works just fine on XP/32-bit 7).
You can find some useful documentation here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx
As Luke said, you need both steps; the link provided explains step 2. And with the cross-certificate obtained from Microsoft you should sign those drivers. The signing is done with the Windows SDK tools.
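An added example, not part of the question or the answer above: the cross-signing and verification steps as a PowerShell script, plus the one check that separates the two results the question describes (plain signtool verify succeeding while the kernel refuses the driver). signtool verify uses the default Authenticode policy unless told otherwise; the /kp switch applies the kernel-mode driver signing policy, which a self-signed certificate does not satisfy even when it sits in a trusted store. The driver path, certificate subject, cross-certificate file name, and service name are placeholders, not values from the page, and the script assumes signtool.exe from the Windows SDK is on PATH and runs from an elevated prompt.

```powershell
# Added example (not the original poster's or answerer's code).
# Sign a kernel-mode driver for 64-bit Windows and verify it against the
# kernel-mode signing policy before creating the service.
#
# Assumptions (placeholders):
#   - signtool.exe (Windows SDK) is on PATH and the shell is elevated
#   - a code-signing certificate issued by a CA in Microsoft's cross-certificate
#     programme is installed in the current user's Personal ("my") store and its
#     subject contains $SubjectMatch
#   - that CA's Microsoft cross-certificate has been downloaded to $CrossCert
param(
    [string]$Driver       = "C:\Windows\System32\drivers\driver.sys",
    [string]$SubjectMatch = "XXX",                      # /n matches a substring of the subject
    [string]$CrossCert    = "C:\certs\cross-cert.cer",  # hypothetical path
    [string]$TsUrl        = "http://timestamp.comodoca.com/authenticode",
    [string]$ServiceName  = "ncd"
)

function Sign-KernelDriver {
    # /ac adds the cross-certificate so the chain ends in a Microsoft root;
    # without it the signature looks fine to signtool but not to the kernel.
    & signtool sign /v /ac $CrossCert /s my /n $SubjectMatch /t $TsUrl $Driver
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-KernelModeSignature {
    # /kp = kernel-mode driver signing policy. This is the check to run; the
    # default policy (no /kp) is what the question's successful verify used.
    & signtool verify /v /kp $Driver
    return ($LASTEXITCODE -eq 0)
}

function Show-UserModeView {
    # Get-AuthenticodeSignature also uses the user-mode policy, so it can report
    # Valid for a self-signed cert that the kernel will still reject.
    $sig = Get-AuthenticodeSignature -FilePath $Driver
    "{0,-8} {1}" -f $sig.Status, $sig.SignerCertificate.Subject
}

function Install-DriverService {
    # In PowerShell 'sc' is an alias for Set-Content; call sc.exe explicitly.
    # The space after 'binPath=' and 'type=' is required by sc.exe.
    & sc.exe create $ServiceName binPath= $Driver type= kernel
    if ($LASTEXITCODE -ne 0) { throw "sc.exe create failed with exit code $LASTEXITCODE" }
    & sc.exe start $ServiceName
}

Sign-KernelDriver
Show-UserModeView
if (-not (Test-KernelModeSignature)) {
    # For a development box only: test-signing mode lets the kernel load drivers
    # whose chain does not end in a trusted root (reboot required, desktop watermark).
    Write-Warning "Driver does not meet the kernel-mode signing policy."
    Write-Warning "Either re-sign with a cross-certified CA certificate, or on a test"
    Write-Warning "machine run 'bcdedit /set testsigning on' and reboot."
    exit 1
}
Install-DriverService
```

Run Test-KernelModeSignature against the driver from the question before touching sc.exe: a self-signed makecert certificate passes the default verify shown above but fails with /kp, which matches the loader's refusal and the bug check on start.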