|Version 3 (modified by pbatard, 2 years ago) (diff)|
Signed Driver Walkthrough
This section documents the use of a driver signing digital credential and libwdi to create a driver installer application that allows the installation of a Windows driver without prompts.
- A set of driver binaries, along with a static inf file matching the devices you plan to support (the inf that libwdi generates cannot work, as it would then need to be signed on the fly, meaning that that you would have to embed the private key used for signing in your application, with is not something you should ever do)
- A valid driver signing certificate (see "Obtaining a driver signing certificate")
- The latest libwdi source, and one of the supported libwdi development environments. Since you will also need the latest WDK below, it might be a good idea to use it as your development environment
- The latest WDK
For the purpose of this exercise, I will be using the OpenOCD libusb-win32_ft2232_driver files as well as driver signing credentials obtained from GlobalSign? [TODO: detail the files obtained], and the development environment with be WDK 7.0.0.
Obtaining a driver signing certificate
To be able to digitally sign a Windows driver, you need a Microsoft Authenticode code signing credential. A credential consists of a public key, embedded in a public certificate, containing your trusted third party verified information, as well as the matching private key, which is used to encrypt to be decrypted using the public key.
Most of the driver signing credentials I am aware of seem to originate either from VeriSign or GlobalSign. This does not mean that they are the only Certification Authorities providing these services, but they are the two that appear to be most commonly used.
An important point to be aware of is that that driver signing certificates can only be delivered to registered companies, which the Certification Authority will check, therefore individual users, who don't have their own registered company, cannot usually purchase driver signing certificate. Of course, you can check with the Certification Authority to find out what their delivery requirements are.
- 1st year driver signing credentials can be obtained for $99
- A lot more expensive than GlobalSign outside of the 1st year promo: $499/year
- More expensive the first year, but cheaper in the long run: $229/year
- More friendly to non-US based customers
From the date of registration, delivery of your certificate can take from a few days, to a few weeks.