Sign an Unsigned Driver for Windows 7 x64

By default, all 64-bit Windows versions starting from Windows 7 refuse to install device drivers that do not carry a valid digital signature. The digital signature guarantees (to some extent) that the driver was issued by a particular developer or vendor and that its code has not been modified since it was signed.

In Windows 7 x64, there are several ways to disable the verification of a digital signature of the installed driver: with a group policy or a test boot mode.

Suppose we have a device driver for Windows 7 x64 that has no digital signature (in our example, it is the driver for a rather old video card). The driver archive for our Windows version has been downloaded from the manufacturer's website and its contents have been extracted to C:\tools\drv1\. Let's try to install the driver by adding it to the Windows driver store with the standard pnputil tool:

pnputil -a c:\tools\drv1\xg20gr.inf

NOTE: this command and all the following ones are run from a command prompt with administrator privileges.

During installation, the system displays a warning that it cannot verify the digital signature for this driver.

Let’s try to sign this driver with a self-signed certificate.

What Tools We Need

For this work, we need to download and install (with default settings) the following Windows development tools:

  • Microsoft Windows SDK (v7.1), distributed as the ISO image GRMSDK_EN_DVD.iso (595 MB).
  • Windows Driver Kit 7.1.0, distributed as the ISO image GRMWDK_EN_7600_1.ISO (649 MB).

Before installing these tools, make sure that .NET Framework 4.0 is installed.

Create a Self-Signed Certificate and Private Key

Create a C:\DriverCert folder in the root of the drive. Open the command prompt and change to the following directory:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin

Create a self-signed certificate and private key, issued, say, to the company WinOSHub:

makecert -r -sv C:\DriverCert\Drivers.pvk -n CN="WinOSHub" C:\DriverCert\Drivers.cer

During creation the tool prompts you for a password to protect the private key; let it be P@ss0wrd.

Create a Software Publisher Certificate file (.spc, a PKCS #7 container holding the public certificate) from the certificate we created earlier:

cert2spc C:\DriverCert\Drivers.cer C:\DriverCert\Drivers.spc

Combine the public certificate (.spc) and the private key (.pvk) into a single file in the Personal Information Exchange (.pfx) format:

pvk2pfx -pvk C:\DriverCert\Drivers.pvk -pi P@ss0wrd -spc C:\DriverCert\Drivers.spc -pfx C:\DriverCert\Drivers.pfx -po P@ss0wrd

Preparation of the Driver Package

Create the directory C:\DriverCert\xg20 and copy into it all files from the folder into which the driver archive was originally extracted (c:\tools\drv1\). Make sure that the files include a .sys and an .inf file (in our case, xg20grp.sys and xg20gr.inf).

Change to the directory:

cd C:\WinDDK\7600.16385.1\bin\selfsign

Generate a CAT file (a catalog that lists the hashes of all files in the driver package) from the INF file:

inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose

To make sure that the procedure succeeded, check that the inf2cat output contains the messages:

Signability test complete.

and

Catalog generation complete.

After the command completes, the file xg20gr.cat in the driver directory should have been updated.

Sign the Driver with the Self-Signed Certificate

Change to the directory:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin

Sign the driver package with the certificate we created, using Verisign as the timestamp service:

signtool sign /f C:\DriverCert\Drivers.pfx /p P@ss0wrd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat

NOTE: The digital signature of the driver is stored in the .cat file that the .inf file references; the .sys file itself is not modified.

Installing the Certificate

Since the certificate we created is self-signed, the system does not trust it by default. Add our certificate to the local machine certificate stores. You can do it with the following commands:

certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine ROOT

certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine TRUSTEDPUBLISHER

Or use the graphical certificate import wizard (the certificate must be placed in both the Trusted Publishers and the Trusted Root Certification Authorities stores).

NOTE: You can check that the certificate we created is among the trusted certificates by opening the certificate management snap-in (certmgr.msc) and making sure that our certificate (issued to our company) is present in the corresponding stores.

Installing the Driver Signed with the Self-Signed Certificate

Try again to install the driver we have signed, using the command:

pnputil -i -a C:\DriverCert\xg20\xg20gr.inf

Now you will not see the warning about the missing digital signature; instead the system only asks whether you are sure you want to install this driver. Click «Install» to install the driver in the system.
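As an added check that is not part of the original article, the following PowerShell script verifies the result of the procedure above: it confirms that xg20gr.cat carries a valid, timestamped signature made with Drivers.cer, that the certificate is present in both stores, and then lists every publisher the machine now trusts, so that self-signed entries such as ours can be reviewed and removed when no longer needed. The paths and file names are the ones used above and are assumptions if your package differs.

```powershell
# Added verification script, not part of the original article.
# Assumes the paths and names used in the article; adjust them for another package.
param(
    [string]$CatalogPath = 'C:\DriverCert\xg20\xg20gr.cat',
    [string]$CertPath    = 'C:\DriverCert\Drivers.cer'
)

# The self-signed certificate we expect to have signed the catalog.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Authenticode check of the .cat: the status must be Valid (chain trusted) and the
#    signer must be our certificate, not some other certificate that happens to be trusted.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
"{0}: status={1}, signer={2}" -f $CatalogPath, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') {
    Write-Warning ("Catalog signature is not trusted: " + $sig.StatusMessage)
}
if ($sig.SignerCertificate -eq $null -or $sig.SignerCertificate.Thumbprint -ne $expected.Thumbprint) {
    Write-Warning "Catalog was not signed with $CertPath"
}
if ($sig.TimeStamperCertificate) {
    "Timestamp signed by: " + $sig.TimeStamperCertificate.Subject
} else {
    Write-Warning "No timestamp: the signature will no longer verify after the certificate expires"
}

# 2. The chain only verifies if the certificate sits in both stores the article populates.
foreach ($store in 'Root', 'TrustedPublisher') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
    "{0,-16}: {1}" -f $store, $(if ($hit) { 'present' } else { 'MISSING' })
}

# 3. Audit: every entry in TrustedPublisher is a publisher whose signed drivers this machine
#    accepts. Self-signed entries (Subject equals Issuer) were not vetted by any CA, so
#    review them periodically and remove the ones that are no longer needed.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt after the installation step; a MISSING store or a signer mismatch explains the signature warning reappearing.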
