[windows driver] 如何設定 windows 的數位簽章

最近要替 windows 7, 8, 8.1, 10 的 driver 設定數位簽章，以下針對不同版本的windows的數位簽章流程做個紀錄。

需要工具: Windows Driver Kit 裡面的 inf2cat, signTool 、makeCab(windows 內建工具)。

需要檔案: certification.cer , 這個檔案是要向微軟購買的數位簽章, 一個 token USB裡面的檔案.

Windows 7:
step1: 利用 inf2cat 建立 cat檔案 /driver: driver 的路徑
    /os: driver的平台 ( XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64)

  以 windows 7 64bit為例:

 inf2cat /driver:"d:\driver\" /os:7_X64

  step2:利用certification.cer 建立數位簽章

signtool sign /v /ac "C:\Sign\certification.cer" /s my /n "Company name" /t http://timestamp.verisign.com/scripts/timestamp.dll "d:\driver\catalog.cat"
signtool sign /v /ac "C:\Sign\certification.cer" /s my /n "Company name" /t http://timestamp.verisign.com/scripts/timestamp.dll "d:\driver\driver.sys"

Windows &8.1:
step1: 新增 echo.cdf 檔案來建立 cat檔案

 OSAttr:2:6.2-->windows8, OSAttr:2:6.3-->windows81,

 echo.cdf:

[CatalogHeader]
Name=nvme86.cat
PublicVersion=0x0000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.3
[CatalogFiles]
<hash>File1=F:\nvmeDriver\windows81\x86\1.5\nvme.inf
<hash>File2=F:\nvmeDriver\windows81\x86\1.5\nvme.sy

 使用WinDDK工具makecat執行 makecat -v echo.cdf 做出nvme86.cat檔案(檔案會放在makecat程式的資料夾)

step2:利用certification.cer 建立數位簽章

signtool sign /v /ac "C:\Sign\certification.cer" /s my /n "Company name" /t http://timestamp.verisign.com/scripts/timestamp.dll "d:\driver\catalog.cat"
signtool sign /v /ac "C:\Sign\certification.cer" /s my /n "Company name" /t http://timestamp.verisign.com/scripts/timestamp.dll "d:\driver\driver.sys"

windows 10:
step1: 新增 echo.ddf 檔案來建立 cab檔案:

MakeCab /f "d:\driver\echo.ddf

echo.ddf:

.OPTION EXPLICIT ;Generate errors
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
;Specify file name for new cab file
.Set CabinetNameTemplate=nvmex64.cab
;Specify the subdirectory for the files.  
;Your cab file should not have files at the root level, 
;and each driver package must be in a separate subfolder.
.Set DestinationDir=x64
;Specify files to be included in cab file
F:\nvmeDriver\windows10\x64\nvme.inf
F:\nvmeDriver\windows10\x64\nvme.sys

step2:利用certification.cer 建立數位簽章

signtool sign /v /ac "C:\Sign\certification.cer" /s my /n "Company name" /t http://timestamp.verisign.com/scripts/timestamp.dll "d:\driver\nvmex64.cab"

把各版本都做好數位簽章後，經過WHQL test完成後就可以透過此連結登入微軟的儀表板並由微軟來提供官方的數位簽章