I am an individual, not a company, and I am working on a virtual kernel-mode device driver. I am aware that I can test sign a driver and run in test mode. However, I want to distribute my driver free of cost, but I don't have the resources to buy a signature through VeriSign or GlobalSign, as it is very costly and I am not earning anything through this driver.
Also, test signing a driver will be a daunting task for some of the users. So I want to know: is there any workaround to use the driver without a signature on 64-bit? Like running it in compatibility mode for 32-bit, or a script that can self-sign the driver on behalf of the user.
So now the question essentially is: if I distribute all the exes mentioned in this procedure and make a script to run all these commands, can the driver then be signed by the user using the script?
PROCEDURE:
1. Execute: Inf2Cat.exe /driver:"U:\MyDriver" /os:7_X64
2. Find makecert.exe in WDK: Makecert -r -pe -ss PrivateCertStore -n "CN=TestCertforWDK" TestCert.cer
3. Use Signtool.exe in WDK to sign the cat file: Signtool sign /v /s PrivateCertStore /n TestCertForWDK /t http://timestamp.verisign.com/scripts/timestamp.dll "U:\MyDriver\MyDriver.cat"
4. Use Signtool.exe in WDK to sign the driver: Signtool sign /v /s PrivateCertStore /n TestCertForWDK /t http://timestamp.verisign.com/scripts/timestamp.dll "U:\MyDriver\MyDriver.sys"
5. On the test computer, import the certificate: certmgr.exe /add TestCert.cer /s /r localMachine root
6. Add it to the trusted publisher list: certmgr.exe /add TestCert.cer /s /r localMachine trustedpublisher
7. Verify the signature for the driver: Signtool verify /pa /v MyDriver.sys
8. Verify the signature for the cat file: Signtool verify /pa /v /c MyDriver.cat MyDriver.inf
So the answer to this question is a big fat no. I'm sorry, but unless you find a user-driven workaround, or some company willing to sponsor (sign your driver), it is impossible (I mean improbable :) ). This feature has been implemented in Windows to prevent the installation of them pesky rootkits.
Although it probably seems harsh, it prevents a lot of rootkits from being able to install on user machines. In fact, Microsoft recently patched a flaw related to driver signing that was allowing hackers to use Microsoft's signing engine within Windows to sign drivers that would be accepted by the system.
I highly doubt that you will find a way to get around this programmatically. And if you do, let me know.
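
Steps 5 and 6 of the procedure in the question change machine-wide certificate trust, so an administrator may want to see what a signing script of that kind has left behind. The PowerShell below is an added example, not code from the original posts: it lists self-signed certificates that sit in both the LocalMachine Root and TrustedPublisher stores, reports the test-signing boot option, and shows the signature status of the driver file. The $DriverPath parameter is hypothetical, its default is the path used in the question, and the bcdedit parsing assumes English output.

```powershell
# Added example: audit a machine for the trust changes made by steps 5 and 6.
# Run from an elevated PowerShell prompt on the machine being checked.
# $DriverPath is a hypothetical parameter; the default is the path from the question.
param(
    [string]$DriverPath = 'U:\MyDriver\MyDriver.sys'
)

# Index every certificate in the machine Root store by thumbprint.
$rootThumbs = @{}
Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { $rootThumbs[$_.Thumbprint] = $true }

# A self-signed certificate that is also a trusted publisher is what
# "certmgr /add ... root" followed by "certmgr /add ... trustedpublisher" produces.
$suspect = @(Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $rootThumbs.ContainsKey($_.Thumbprint) -and $_.Subject -eq $_.Issuer })

if ($suspect.Count -gt 0) {
    Write-Output 'Self-signed certificates trusted as both root and publisher:'
    $suspect | ForEach-Object {
        '  {0}  {1}  (expires {2:yyyy-MM-dd})' -f $_.Thumbprint, $_.Subject, $_.NotAfter
    }
} else {
    Write-Output 'No self-signed certificate is present in both Root and TrustedPublisher.'
}

# Report whether the current boot entry has test signing switched on.
# Assumption: English bcdedit output ("testsigning    Yes").
$bcd = & bcdedit.exe /enum '{current}' 2>$null
$testSigning = [bool](@($bcd) -match '^\s*testsigning\s+Yes')
Write-Output "Test signing boot option enabled: $testSigning"

# Show how Windows evaluates the Authenticode signature on the driver file.
if (Test-Path -LiteralPath $DriverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    Write-Output "Signature status for ${DriverPath}: $($sig.Status)"
    if ($sig.SignerCertificate) {
        Write-Output "  Signer:     $($sig.SignerCertificate.Subject)"
        Write-Output "  Thumbprint: $($sig.SignerCertificate.Thumbprint)"
        # Flag the case where the signer is one of the certificates found above.
        if ($suspect.Thumbprint -contains $sig.SignerCertificate.Thumbprint) {
            Write-Output '  Signer is a locally trusted self-signed certificate.'
        }
    }
} else {
    Write-Output "Driver file not found: $DriverPath"
}
```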