Digital signing of Hitachi microdriver

Discussion in 'Windows 8' started by win8togo, Oct 17, 2012.

  1. win8togo

    win8togo MDL Novice

    Oct 17, 2012
    5
    0
    0
    Hi all,

    In addition to discussion on thread "Running Windows from an external USB drive with Windows To Go"

    I would like to thank 100 once again for recompiling Hitachi microdriver for use on x64 systems!

    As you can see from my post, I was trying to digitally sign that driver but from some reason I was unsuccessful.

    I can't post links but just google "Sign your unsigned drivers damn it" and "Signed driver walktrough" and technet for "Steps for Signing a Device Driver Package" and you will find procedures I used to try to digitally sign this driver.

    I'm no programmer so I have no clue on how to troubleshoot cause of signing errors or edit, decompile and recompile any of the files in microdriver folder.

    Any help in making this work would be greatly appreciated!

    I really don't know if I'm on the right track or not but only thing that I was able to notice is that after installation of the driver, there is cfadisk.sys in c:\windows\system32\drivers folder and in 100's microdriver folder there are cfadisk32.sys and 64.sys

    Following above mentioned procedures some stated that signing only .cat file is enough and some stated that signing only .sys files is enough.
    I've tried everything including signing everything and still no go, c:\windows\system32\drivers\cfadisk.sys still doesn't have a valid sign.

    I have tried with .cat from 100's microdriver folder and to create new one with inf2cat.exe

    I have tried this on Windows 7 x64 and on a virtual Windows 8 x64

    I'm sure that many would benefit from this so Windows 8 To Go could be installed on almost any USB drive with enough capacity.

    I hope that someone versed in creating drivers could find time to check this out.

    Best regards,
    Walter
     
  2. Mr Jinje

    Mr Jinje MDL Expert

    Aug 19, 2009
    1,773
    1,085
    60
    Where do I get your signed version of the hitachi driver from ?
     
  3. win8togo

    win8togo MDL Novice

    Oct 17, 2012
    5
    0
    0
    #5 win8togo, Oct 18, 2012
    Last edited: Oct 18, 2012
    (OP)
    I didn't know that only action required is to rename and then copy cfadisk64.sys.

    The reason I tried the self-signing procedures I mentioned in earlier post is to avoid DSEO signing and therefor using always enabled test mode.
    Is there a way to "unsign" DSEO signed drivers or can you post a link to the same package but unsigned if you have it unsigned somewhere, so I could try signing them myself?

    Thank you!
    Best regards,
    Walter
     
  4. joakim

    joakim MDL Novice

    Dec 30, 2009
    21
    6
    0
    Nice recompile for x64!

    Regarding certificate, you can remove it manually by using a pe editor. Just delete the signature itself (ie the last hidden section behind resources), and then zero out the values for Security in the data directories. Then no need to recompile and you can test sign as many times as you want.
     
  5. 100

    100 MDL Expert

    May 17, 2011
    1,346
    1,542
    60
    Right, let's continue in this thread then.

    Well a self-signed certificate is enough to sign the driver, but it isn't enough to install it. Unless it was signed with a CA-issued signing certificate, the driver will only be loaded in test mode.
    I think signing with signtool.exe will replace an existing signature when signing a file, but without an appropriate certificate it won't help you much because you will still need test mode enabled.

    No action should be required, the renaming is done through the .inf. Depending on the OS (x86/x64), the driver installer will place either cfadisk32.sys or cfadisk64.sys in the driver directory, just with the name of "cfadisk.sys".
     
  6. Mr Jinje

    Mr Jinje MDL Expert

    Aug 19, 2009
    1,773
    1,085
    60
    What is to stop us from importing a self signed certificate into our trusted root as a new CA, then using that CA to sign the driver so that it comes from a trusted CA ?
     
  7. win8togo

    win8togo MDL Novice

    Oct 17, 2012
    5
    0
    0
    Did some more research today and this is, unfortunately, correct.
    If whatever certificate you use is not chained to MS, it won't work.
    One has to purchase a code signing certificate from trusted CA and use cross certificate to successfully sign a driver.

    Well, that’s about it, this unfortunate fact ends my endeavor to self-sign an x64 driver.

    Thank you all for your help!
    Best regards,
    Walter
     
  8. joakim

    joakim MDL Novice

    Dec 30, 2009
    21
    6
    0
    Signtool is not able to overwrite an existing one. You will have to manually remove it like I explained before you can re-sign it. Of course test mode is still necessary with all that comes with that. On the other hand you could also hide the fact (read watermark) that test mode is activated, by doing some mod trickery. Unless you are able to properly patch PatchGuard..
     
  9. taviruni

    taviruni MDL Member

    May 8, 2010
    193
    112
    10