Driver/Code signing

余生长醉 submitted on 2019-12-12 09:22:09

Question


To be honest, I myself have no idea where to put this, but I'm putting this in here since the signing process requires VS's signtool. I am a bit confused here regarding signing and digital certificates.

Correct me if I am wrong.

1) There are two types of signing: code signing and driver signing. Driver must do the latter, while end-user software only needs to do the code signing.

2) Driver signing requires a digital certificate from sources like VeriSign, GlobalSign. While for code signing, we can generate our own certificate using our own generated public key.

Did I understand things correctly?


Answer 1:


> There are two types of signing: code signing and driver signing. Driver must do the latter, while end-user software only needs to do the code signing.

The 2 types are: code signing and EV code signing. Drivers require the latter plus additional verification and approval, but only when it comes to drivers for Windows 10.

> Driver signing requires a digital certificate from sources like VeriSign, GlobalSign. While for code signing, we can generate our own certificate using our own generated public key.

EV signing (used for drivers) comes from the same companies; however, they have a hardware token included, which is required for each signing.

Drivers for Windows 10 require the following:

  1. An EV (Extended Validation) code signing which requires a hardware token and costs more than a regular code signing certificate.

  2. Submission to Microsoft to be counter code signed by them. To do so, the signer (who must register with Microsoft hardware program). This requirement is since January 2016.

There is an excellent tutorial about the process.




Answer 2:


Some time ago I learned driver signing using the Kernel-Mode Code Signing Walkthrough http://msdn.microsoft.com/en-us/library/windows/hardware/gg487328.aspx (available for download as a doc file). I have never heard about code signing of kernel-mode drivers. For drivers, there are two signing types: test-sign and release-sign. Test-sign is used for the development process; Win7 and Vista 64-bit allow test-signed drivers only in a special mode. Release-sign is used for production release and requires purchasing a digital certificate. A release-signed driver can be installed in any Windows version without restrictions.

Kernel-Mode Code Signing Walkthrough contains step-by-step instructions for test and release-signing of kernel-mode drivers.
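
To see how the signing categories discussed in the two answers show up on a real machine, the following added example (not part of either answer or of the walkthrough) uses the built-in `Get-AuthenticodeSignature` cmdlet to group installed `.sys` files by how they are signed. The function name `Get-DriverSigningClass` and the class labels are hypothetical, and the Microsoft signer name is an assumption about what Microsoft-signed drivers carry.

```powershell
# Added example, not from the answers. Assumes Windows PowerShell 5.1 or later.
# Assumption: drivers signed by Microsoft after submission carry this signer name.
$MicrosoftDriverSigner = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSigningClass {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $cert = $sig.SignerCertificate
        $name = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }

        $class = switch ($sig.Status) {
            'NotSigned'    { 'Unsigned: no embedded or catalog signature found'; break }
            'HashMismatch' { 'Modified after signing: file hash does not match'; break }
            'Valid' {
                if ($name -eq $MicrosoftDriverSigner) { 'Signed by Microsoft' }
                else { 'Signed by a publisher certificate trusted on this machine' }
                break
            }
            default {
                # Heuristic: a self-signed signer is typical of a test certificate.
                if ($cert -and $cert.Subject -eq $cert.Issuer) {
                    'Self-signed certificate (typical of test-signing)'
                } else {
                    "Signed, but chain not trusted here ($($sig.Status))"
                }
            }
        }

        [pscustomobject]@{
            File   = Split-Path -Leaf $Path
            Status = $sig.Status
            Signer = $name
            Class  = $class
        }
    }
}

# Summarize the drivers installed on this machine.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys |
    Get-DriverSigningClass |
    Group-Object Class |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The cmdlet reports user-mode Authenticode trust, so the output shows how a file was signed rather than whether the kernel will load it. A test certificate whose root has been installed as trusted on a development machine will be reported as `Valid`.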



Source: https://stackoverflow.com/questions/11266868/driver-code-signing
