By default, all 64-bit Windows versions, starting from Windows 7, prohibit to install drivers of the devices that do not have a valid digital signature. The digital signature guarantees (to some extent) that the driver has been issued by a certain developer or vendor, and its code hasn’t been modified after it was signed.
In Windows 7 x64, there are several ways to disable the verification of a digital signature of the installed driver: with a group policy or a test boot mode.
Today we’ll show how to sign any unsigned driver for the 64-bit version of Windows 7.
Suppose we have a certain device driver for Windows 7 x64 for which there is no digital signature (in our example, it is the driver for quite old video card). The archive with drivers for our Windows version has been downloaded from the manufacturer’s website and its contents has been extracted to c:\tools\drv1\. Let’s try to install the driver by adding it to Windows driver store with a standard tool pnputil.
Pnputil –a c:\tools\drv1\xg20gr.inf
During installation, the system displays a warning that it cannot verify the digital signature for this driver.
Let’s try to sign this driver with a self-signed certificate.
What Tools We Need
For our work, we need to download and install (with default settings) the following Windows app development tools.
- Microsoft Windows SDK for Windows is distributed as an ISO image GRMSDK_EN_DVD.iso with the size of 595 MB
- Windows Driver Kit 7.1.0 is the ISO of the image GRMWDK_EN_7600_1.ISO with the size of 649 MB
Create a Self-Signed Certificate and Private Key
Create a C:\DriverCert folder in the root directory.
Open the command line and go to the following directory:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin
Create a self-signed certificate and private key, issued, say, for the company WinOSHub:
makecert -r -sv C:\DriverCert\Drivers.pvk -n CN="WinOSHub" C:\DriverCert\Drivers.cer
In process of creation the tool prompts you to specify a password for the key, let it be P@ss0wrd.
Create a public key for a publisher certificate (PKSC) we have created earlier.
cert2spc C:\DriverCert\Drivers.cer C:\DriverCert\Drivers.spc
Combine the public key (.spc) and the private key (.pvk) in a single certificate file into a single file with format Personal Information Exchange (.pfx)
pvk2pfx -pvk C:\DriverCert\Drivers.pvk -pi P@ss0wrd -spc C:\DriverCert\Drivers.spc -pfx C:\DriverCert\Drivers.pfx -po P@ss0wrd
Preparation of the Driver Package
Create the directory C:\DriverCert\xg20 and copy all files from the folder into which the driver from the archive has been originally extracted (c:\tools\drv1\). Make sure that there are files with the extensions .sys and .inf among these files (in our case, they are xg20grp.sys and xg20gr.inf).
Go to the directory:
Generate a CAT file (contains information about all the files in the driver package) on the base of the INF file.
inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose
To make sure that the procedure was correct, check if the log file contains the messages:
Signability test complete.
Catalog generation complete.
After the command is executed, xg20gr.cat in the driver directory should be updated
Sign the driver with the self-signed certificate
Go to the directory
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin
Sign the set of the driver files with the certificate we have created using Verisign as a timestamp service.
signtool sign /f C:\DriverCert\Drivers.pfx /p P@ss0wrd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\DriverCert\xg20\xg20gr.cat
Installing the Certificate
Since the certificate we created is self-signed, by default the system doesn’t trust it. Add our certificate in the local certificate store. You can do it using the following commands:
certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine TRUSTEDPUBLISHER
Or with the graphical certificate import wizard (the certificate should be put in Trusted Publishers and Trusted Root Certification Authorities stores)
Installation of the Driver Validated with the Self-signed Certificate
Try to install the driver we have signed again using the command:
Pnputil –i –a C:\DriverCert\xg20\xg20gr.inf
Now you won’t see the warning of the missing digital signature of the driver, the system only asks you instead if you are sure you want to install this driver. By clicking «Install», you install the driver in the system.