Attestation signing a kernel driver for public release

This topic describes how to sign a driver using attestation signing.

Important

You must still use Hardware Dev Center (Sysdev) to sign a driver using attestation signing until driver signing is available through the new Windows Hardware Dev Center dashboard.

Note

Attestation signing has the following properties.

  • Attestation signing supports Windows 10 Desktop kernel mode and user mode drivers. Although user mode drivers do not need to be signed by Microsoft for Windows 10, the same attestation process can be used for both user and kernel mode drivers.
  • Attestation signing requires the use of an EV Certificate to submit the driver to the Hardware Dev Center (Sysdev) dashboard.
  • An attestation signed driver will only work for Windows 10 Desktop. It will not work for other versions of Windows, such as Windows Server 2016, Windows 8.1, or Windows 7.
  • Attestation signing requires driver folder names to contain no special characters and to be less than 40 characters long.

Attestation Signing a Kernel Mode Driver

To attestation sign a kernel mode driver, complete the following steps:

  1. Acquire an EV Code Signing Certificate
  2. Register your company for the Hardware Dev Center (Sysdev)
  3. Download and install the Windows Driver Kit
  4. Create a CAB files submission
  5. Sign the CAB file submission with your EV Cert
  6. Submit the EV signed Cab file using the Hardware Dev Center (Sysdev) dashboard
  7. Validate that the driver was properly signed
  8. Test your driver on Windows 10 for Desktop

Acquire an EV Code Signing Certificate

Before you can submit binaries to be signed using the dashboard, you need to acquire an extended validation (EV) code signing certificate. This certificate is the accepted standard for establishing your company's ownership of the code you submit. It allows you to digitally sign PE binaries such as .exe, .dll and .ocx files, and also .cab, .msi, .xpi and .xap files.

Follow the process described in Get a code signing certificate to acquire the needed EV code signing certificate.

Register your company for Hardware Dev Center (Sysdev) Dashboard Services

You can sign your drivers using the legacy (Sysdev) dashboard. To access the Sysdev dashboard, you will need to register your company and get a code signing certificate.

Follow the process described in Before You Sign In to set up the account you will need on the dashboard.

Download and install the Windows Driver Kit

You will need to download and install the Windows Driver Kit (WDK) to gain access to the tools that are used to sign binary files.

Follow the process described in Download kits and tools for Windows 10 to download and install the WDK.

Create a CAB Files Submission

To create a CAB files submission for the dashboard, complete the following steps.

  1. Gather the binaries that you will submit to be signed in a single directory. In this example, we will use C:\Echo. The steps described here reference the echo driver available in GitHub at this location:

https://github.com/Microsoft/Windows-driver-samples/tree/master/general/echo/kmdf/driver/AutoSync

A typical cab file submission contains the following.

  • The driver itself, for example Echo.sys
  • The driver INF file, which the dashboard uses to drive the signing process.
  • Catalog .CAT files are not required. Microsoft regenerates catalog files and replaces any catalog files that were submitted.

  2. Use MakeCab.exe to process the DDF file and create a cab file.

Open a Command Prompt window as Administrator. Then enter the following command to view the MakeCab options:


C:\Echo> MakeCab /?
Cabinet Maker - Lossless Data Compression Tool

MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]
MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...]

  source         File to compress.
  destination    File name to give compressed file.  If omitted, the
                 last character of the source file name is replaced
                 with an underscore (_) and used as the destination.
  /F directives  A file with MakeCAB directives (may be repeated). Refer to
                 Microsoft Cabinet SDK for information on directive_file.
  /D var=value   Defines variable with specified value.
  /L dir         Location to place destination (default is current directory).
  /V[n]          Verbosity level (1..3).
  3. Prepare a cab file DDF input file. For our Echo driver it might look something like this.
;*** Echo.ddf example
;
.OPTION EXPLICIT     ; Generate errors
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
;Specify file name for new cab file
.Set CabinetNameTemplate=Echo.cab
; Specify the subdirectory for the files.  
; Your cab file should not have files at the root level,
; and each driver package must be in a separate subfolder.
.Set DestinationDir=Echo
;Specify files to be included in cab file
C:\Echo\Echo.Inf
C:\Echo\Echo.Sys

Note: All driver folders in your cab must support the same set of architectures; for example, all drivers must be x86, all drivers must be x64, or all drivers must support both x86 and x64.

  4. Call the makecab utility and provide the ddf file as input using the /f option.
C:\Echo> MakeCab /f "C:\Echo\Echo.ddf"

The output of makecab should display the number of files in the created cabinet; in our example, 2.

C:\Echo> MakeCab /f Echo.ddf
Cabinet Maker - Lossless Data Compression Tool

17,682 bytes in 2 files
Total files:              2
Bytes before:        17,682
Bytes after:          7,374
After/Before:            41.70% compression
Time:                     0.20 seconds ( 0 hr  0 min  0.20 sec)
Throughput:              86.77 Kb/second
  5. Locate the cab file in the Disk1 subdirectory. You can open the cab file in File Explorer to verify that it contains the expected files.
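Instead of opening the cab in File Explorer, the layout of the finished cabinet can be checked from a script before the EV signature is applied. The following Python is an added example, not code from this article or from the Windows-driver-samples repository: it walks the CFHEADER and CFFILE tables of the cabinet format (no decompression is needed to list paths and sizes) and reports any file at the cab root and any package folder name that breaks the rules above. Python is used rather than the Command Prompt because the format walk is the point. Assumptions: "no special characters" is read as anything outside ASCII letters, digits, underscore, hyphen and period; non-UTF names are decoded as cp1252; and the sample cabinet the script builds is constructed data with fictitious payload sizes, not something MakeCab produced.

```python
"""Walk a .cab and check it against the submission layout rules.

Added example; not code from the article or from Windows-driver-samples.
Only the CFHEADER and CFFILE tables of the cabinet format are read, which is
enough to list paths and sizes without decompressing anything.
"""
import re
import struct
import sys

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # fixed 36-byte part of the header
CFFILE = struct.Struct("<IIHHHH")             # 16 bytes, followed by a NUL-terminated name
ATTR_NAME_IS_UTF = 0x80                       # szName is UTF-8 rather than ANSI
MAX_FOLDER_NAME = 40
# Assumption: "no special characters" is read as ASCII letters, digits, '_', '-' and '.'.
FOLDER_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def list_cab_files(data):
    """Return [(path, size), ...] for every CFFILE entry in the cabinet bytes."""
    if len(data) < CFHEADER.size or data[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    fields = CFHEADER.unpack_from(data, 0)
    cb_cabinet, off_files, c_files = fields[2], fields[4], fields[9]
    if cb_cabinet != len(data) or off_files > len(data):
        raise ValueError("cabinet header does not match the file size")
    # coffFiles is an absolute offset, so the optional reserve block and the
    # prev/next cabinet strings that sit before the CFFOLDER array need not be parsed.
    entries, pos = [], off_files
    for _ in range(c_files):
        size, _, _, _, _, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.index(b"\0", pos)
        raw = data[pos:end]
        # Assumption: ANSI names are cp1252; MakeCab sets the UTF flag for anything else.
        name = raw.decode("utf-8") if attribs & ATTR_NAME_IS_UTF else raw.decode("cp1252")
        entries.append((name, size))
        pos = end + 1
    return entries


def check_submission_layout(entries):
    """Return a list of problems; empty means the cab matches the rules in the article."""
    problems = []
    for name, _ in entries:
        parts = name.split("\\")
        if len(parts) < 2:
            problems.append(f"{name}: file at the cab root; each package needs its own subfolder")
            continue
        folder = parts[0]
        if len(folder) >= MAX_FOLDER_NAME:
            problems.append(f"{folder}: folder name must be shorter than {MAX_FOLDER_NAME} characters")
        if not FOLDER_NAME_RE.match(folder):
            problems.append(f"{folder}: folder name contains special characters")
    return problems


def build_sample_cab(names):
    """Constructed test data: one empty folder, no CFDATA blocks, fictitious sizes.

    MakeCab did not produce this; it carries just enough structure for the
    header walk above to exercise the CFFILE table.
    """
    body, offset = b"", 0
    for i, name in enumerate(names):
        encoded = name.encode("utf-8")
        attribs = 0x20 | (0 if encoded.isascii() else ATTR_NAME_IS_UTF)  # _A_ARCH (+ UTF flag)
        size = 100 + i
        body += CFFILE.pack(size, offset, 0, 0, 0, attribs) + encoded + b"\0"
        offset += size
    off_files = CFHEADER.size + 8          # CFFOLDER is 8 bytes when there is no reserve area
    total = off_files + len(body)
    cffolder = struct.pack("<IHH", total, 0, 0)  # coffCabStart (no data), cCFData, typeCompress
    header = CFHEADER.pack(b"MSCF", 0, total, 0, off_files, 0, 3, 1, 1, len(names), 0, 0x1234, 0)
    return header + cffolder + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:          # e.g. Disk1\Echo.cab
            cab = fh.read()
    else:
        cab = build_sample_cab(["Echo\\Echo.inf", "Echo\\Echo.sys"])
    files = list_cab_files(cab)
    for path, size in files:
        print(f"{size:>10}  {path}")
    for problem in check_submission_layout(files):
        print("PROBLEM:", problem)
```

Run it with the path to Disk1\Echo.cab as the argument; with no argument it lists its own constructed sample. An empty problem list means the package folder structure matches what the dashboard expects, so the cab is ready for the signing step that follows.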

Sign the Submission Cab File with your EV Cert

  1. Use the process recommended by your EV cert provider to sign the cab file with your EV cert. For example, you might use signtool and, if you are using Verisign, specify their timestamp server.
C:\Echo> SignTool sign /v /ac "C:\MyEVCert.cer" /s MY /n "Company Name" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\Echo\Disk1\Echo.cab"

The /t option requests a legacy Authenticode timestamp, and without /fd the file digest defaults to SHA-1; to sign with a SHA-256 digest and an RFC 3161 timestamp, add /fd sha256 and use /tr <timestamp URL> /td sha256 in place of /t.

Note: Use industry best practices to manage the security of the EV cert signing process. The private key of an EV code signing certificate is kept on a hardware token, so this step runs on a machine with the token attached; keep that machine and its credentials separate from general development use.

Submit the EV signed Cab file using the Hardware Dev Center (Sysdev) dashboard

  1. Submit the EV signed Cab file using the Hardware Dev Center (Sysdev) dashboard. For more information, see Driver Signing Properties and File Signing Services.

As part of the submission process, you will indicate which architectures all of the drivers in the submission support. Three options are available using the check boxes.

  • x86
  • x64
  • x86 and x64

All driver folders in your cab must support the same set of architectures; for example, all drivers must be x86, all drivers must be x64, or all drivers must support both x86 and x64. If you have drivers that support different combinations of architectures, create separate submissions.

You will also indicate whether you are submitting universal drivers. For more information, see Getting Started with Universal Windows drivers.

The following screenshot shows the options for submitting the echo driver for signing.

[Screenshot: the options for submitting the echo driver for signing]

  2. When the signing process is complete, download your signed driver from the Sysdev dashboard.

Validate that the driver was properly signed

Complete the following steps to validate that the driver was properly signed.

  1. After you have downloaded the submission file, extract the driver file.

  2. Open a Command Prompt window as Administrator. Then enter the following command to verify that the driver was signed as expected. Without /pa, signtool applies the Windows Driver Verification Policy rather than the general Authenticode policy, which is the check that matters for a kernel driver.

C:\Echo> SignTool verify Echo.Sys

  3. To list additional information, type the following (/v prints verbose details; add /all to have signtool verify every signature in a file that carries more than one).

C:\Echo> SignTool verify /pa /ph /v /d Echo.Sys
  4. To confirm the EKUs of the driver, complete the following steps.
     a. Open Windows Explorer and locate the binary file. Right-click the file and select Properties.
     b. On the Digital Signatures tab, select the listed item in the Signature list.
     c. Select the Details button, and then select View Certificate.
     d. On the Details tab, select the Enhanced Key Usage field.

When the driver is re-signed by the dashboard, the following process is used.

  • A Microsoft SHA2 embedded signature is appended.
  • If the driver binaries are embedded-signed by the customer with their own certificates, those signatures are not overwritten.
  • A new catalog file is created and signed with a SHA2 Microsoft certificate. This catalog replaces any existing catalog provided by the customer.

Test your driver on Windows 10 for Desktop

Use the following instructions to install the sample driver.

  1. Open Device Manager, right-click the computer icon, and select "Add legacy hardware". Follow the prompts to complete the install of the driver.

  2. Alternatively, open a Command Prompt window as Administrator and use devcon to install the driver. Navigate to your driver package folder, and enter the following command.

C:\Echo> devcon install echo.inf root\ECHO

  3. Confirm that the driver install process does not display the "Windows can't verify the publisher of this driver software" Windows security dialog box.

Create a Multiple Driver Submission

To submit multiple drivers at the same time, create a subdirectory for each driver as shown below.

Prepare a cab file DDF input file that references the subdirectories. It might look something like this.

;*** Submission.ddf multiple driver example
;
.OPTION EXPLICIT     ; Generate errors
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
;Specify file name for new cab file
.Set CabinetNameTemplate=Echo.cab
;Specify files to be included in cab file
; First Driver
.Set DestinationDir=DriverPackage1
C:\DriverFiles\DriverPackage1\Driver1.sys
C:\DriverFiles\DriverPackage1\Driver1.inf
; Second driver
.Set DestinationDir=DriverPackage2
C:\DriverFiles\DriverPackage2\Driver2.sys
C:\DriverFiles\DriverPackage2\Driver2.inf

Follow the steps previously described to sign, submit and test the driver files.
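The DDF files above are written by hand; once a submission holds more than a couple of packages it is worth generating the DDF and enforcing the submission rules at the same time. The following Python is an added example, not code from this article or from the Windows-driver-samples repository, and it covers both the single Echo.ddf and the Submission.ddf above: given a root directory with one subfolder per driver package, it checks each folder name, refuses files at the root, leaves out any .cat (the dashboard regenerates catalogs), reads each INF's [Manufacturer] decorations to work out which architectures the package targets, and refuses to put packages with different architecture sets in one submission, the case the article says needs separate submissions. Assumptions: the decoration NTx86 corresponds to the dashboard's x86 check box and NTamd64 to x64 (an undecorated models entry is reported as "undecorated"); "no special characters" means anything outside ASCII letters, digits, underscore, hyphen and period; only files directly inside a package folder are included; and the sample tree the script creates is constructed data with placeholder .sys and .cat files.

```python
"""Generate a Hardware Dev Center submission DDF and enforce the packaging rules.

Added example; not code from the article or from Windows-driver-samples.
Expected layout: <root>/<PackageName>/{*.inf, *.sys, ...}, one package per folder.
"""
import os
import re
import tempfile

MAX_FOLDER_NAME = 40
# Assumption: "no special characters" is read as ASCII letters, digits, '_', '-' and '.'.
FOLDER_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
# Assumption: how INF [Manufacturer] decorations map onto the dashboard's check boxes.
DECORATION_TO_ARCH = {"NTX86": "x86", "NTAMD64": "x64"}

DDF_PREAMBLE = """\
.OPTION EXPLICIT     ; Generate errors
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on"""


def check_folder_name(name):
    """Return None when the folder name passes the article's rules, otherwise the reason."""
    if len(name) >= MAX_FOLDER_NAME:
        return f"folder name must be shorter than {MAX_FOLDER_NAME} characters"
    if not FOLDER_NAME_RE.match(name):
        return "folder name contains special characters"
    return None


def read_inf_text(path):
    """INF files are often UTF-16 with a BOM; otherwise assume an 8-bit encoding."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def inf_architectures(inf_text):
    """Architectures named by the [Manufacturer] section of an INF.

    %Mfg%=Models,NTamd64                  -> {'x64'}
    %Mfg%=Models,NTx86,NTamd64.10.0...    -> {'x86', 'x64'}
    %Mfg%=Models  (undecorated, legacy)   -> {'undecorated'}
    """
    archs, in_section = set(), False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[manufacturer]"
            continue
        if not in_section or "=" not in line:
            continue
        parts = [p.strip() for p in line.split("=", 1)[1].split(",")]
        decorations = [p for p in parts[1:] if p]
        if not decorations:
            archs.add("undecorated")
        for dec in decorations:
            base = dec.split(".", 1)[0].upper()    # drop OS-version suffixes
            archs.add(DECORATION_TO_ARCH.get(base, base.lower()))
    return archs


def build_submission(root, cab_name):
    """Validate every package folder under root; return (ddf_text, architecture_set)."""
    names = sorted(os.listdir(root))
    stray = [n for n in names if os.path.isfile(os.path.join(root, n))]
    if stray:
        raise ValueError(f"files at the cab root are not allowed: {stray}")
    packages = [n for n in names if os.path.isdir(os.path.join(root, n))]
    if not packages:
        raise ValueError(f"no driver package folders under {root}")
    lines = [";*** Generated submission DDF", DDF_PREAMBLE,
             ";Specify file name for new cab file",
             f".Set CabinetNameTemplate={cab_name}",
             ";Specify files to be included in cab file"]
    expected = None
    for pkg in packages:
        reason = check_folder_name(pkg)
        if reason:
            raise ValueError(f"{pkg}: {reason}")
        pkg_dir = os.path.join(root, pkg)
        files = sorted(f for f in os.listdir(pkg_dir) if os.path.isfile(os.path.join(pkg_dir, f)))
        infs = [f for f in files if f.lower().endswith(".inf")]
        if len(infs) != 1:
            raise ValueError(f"{pkg}: expected exactly one .inf, found {len(infs)}")
        archs = inf_architectures(read_inf_text(os.path.join(pkg_dir, infs[0])))
        if expected is None:
            expected = archs
        elif archs != expected:
            raise ValueError(f"{pkg} targets {sorted(archs)} but earlier packages target "
                             f"{sorted(expected)}; put it in a separate submission")
        lines += [f"; {pkg} ({', '.join(sorted(archs))})", f".Set DestinationDir={pkg}"]
        # Catalogs are left out: the dashboard regenerates and replaces them anyway.
        lines += [os.path.join(pkg_dir, f) for f in files if not f.lower().endswith(".cat")]
    return "\n".join(lines) + "\n", expected


def add_package(root, name, decorations, encoding="utf-8"):
    """Constructed sample package: a minimal INF plus placeholder .sys and .cat files."""
    pkg_dir = os.path.join(root, name)
    os.mkdir(pkg_dir)
    inf = f'[Version]\nSignature="$WINDOWS NT$"\n\n[Manufacturer]\n%Mfg%=Standard,{decorations}\n'
    with open(os.path.join(pkg_dir, name + ".inf"), "w", encoding=encoding) as fh:
        fh.write(inf)
    for ext in (".sys", ".cat"):
        with open(os.path.join(pkg_dir, name + ext), "wb") as fh:
            fh.write(b"MZ placeholder, not a real binary")
    return pkg_dir


def make_sample_tree():
    """Two constructed packages that both target x86 and x64, one INF saved as UTF-16."""
    root = tempfile.mkdtemp(prefix="submission_")
    add_package(root, "DriverPackage1", "NTx86,NTamd64")
    add_package(root, "DriverPackage2", "NTamd64,NTx86", encoding="utf-16")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    ddf, archs = build_submission(root, "Submission.cab")
    print(ddf)
    print("architectures to tick on the dashboard:", ", ".join(sorted(archs)))
    # On Windows, save the text as Submission.ddf and run:  MakeCab /f Submission.ddf
```

The architecture set it returns is the one to select on the dashboard's check boxes; when the script raises on a mismatched package, that package belongs in its own DDF and its own submission.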