Reputation: 443
I have completed all the tests with my USB device in Hardware Lab Kit and can now prepare the .hlkx driver package to submit on the Microsoft website.
The problem is that an EV certificate is required for a Windows 10 driver. The EV certificate is provided on a SafeNet USB token, and this USB token is located far away from the computer with Hardware Lab Kit installed, so I can't sign the .hlkx package in Hardware Lab Kit automatically.
The question is: how can I get my Windows 10 USB drivers signed? I have the unsigned driver (sys, cab, inf ... files) and I have the unsigned .hlkx driver package from Hardware Lab Kit. Can I sign my driver without submitting to the Microsoft website?
Upvotes: 2
Views: 4394
Reputation: 1581
DigiCert KeyLocker doesn't allow signing with SHA1, so I used the following C# to sign with SHA256:
using System.IO.Packaging;
using System.Collections.Generic;

class HLKSigner {
    static void Main(string[] args) {
        var signer = new HLKSigner();
        signer.sign(args[0]);
    }

    void sign(string file) {
        using (var package_to_sign = Package.Open(file)) {
            var signature_manager = new PackageDigitalSignatureManager(package_to_sign);
            if (signature_manager.IsSigned)
                throw new System.Exception("file is already signed");
            // Embed the signing certificate in its own package part
            signature_manager.CertificateOption = CertificateEmbeddingOption.InCertificatePart;
            // Use SHA256 digests instead of the SHA1 default
            signature_manager.HashAlgorithm = System.Security.Cryptography.Xml.SignedXml.XmlDsigSHA256Url;
            // Sign every part in the package; with no certificate passed,
            // Sign() prompts for one from the personal certificate store
            var parts_to_sign = new List<System.Uri>();
            foreach (var part in package_to_sign.GetParts())
                parts_to_sign.Add(part.Uri);
            signature_manager.Sign(parts_to_sign);
        }
    }
}
Upvotes: 0
Reputation: 10321
Answer provided by Alexey didn't work for me, I eventually used the source code from this page:
I had to do some additional tweaking:
Before using this, make sure the EV certificate is in your personal certificate store. Within the tool you have for your USB token you should be able to open the certificate and choose to “Install certificate”.
Create a new console application in Visual Studio and paste this source code in. Install the NuGet package “WindowsBase” to get the System.IO.Packaging namespace.
With some additional source code, we can have this working:
using System;
using System.Collections.Generic;
using System.IO.Packaging;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main(string[] args)
    {
        // Look up the EV certificate in the current user's personal store
        X509Store store = new X509Store("My");
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2 evCert = null;
        foreach (X509Certificate2 mCert in store.Certificates)
        {
            if (mCert.Thumbprint == "3DF652D7EyourThumbprintF")
            {
                evCert = mCert;
            }
        }
        store.Close();
        if (evCert == null)
            throw new Exception("EV certificate not found in the personal store");
        Sign(@"C:\Path\To\Your\HLKXFile.hlkx", evCert);
    }

    public static void Sign(string package, X509Certificate2 certificate)
    {
        // Open the package to sign it
        Package packageToSign = Package.Open(package);
        // Specify that the digital signature should exist
        // embedded in the signature part
        PackageDigitalSignatureManager signatureManager = new PackageDigitalSignatureManager(packageToSign);
        signatureManager.CertificateOption = CertificateEmbeddingOption.InCertificatePart;
        // We want to sign every part in the package
        List<Uri> partsToSign = new List<Uri>();
        foreach (PackagePart part in packageToSign.GetParts())
        {
            partsToSign.Add(part.Uri);
        }
        // We will sign every relationship by type.
        // This will mean the signature is invalidated if *anything* is modified
        // in the package post-signing
        List<PackageRelationshipSelector> relationshipSelectors = new List<PackageRelationshipSelector>();
        foreach (PackageRelationship relationship in packageToSign.GetRelationships())
        {
            relationshipSelectors.Add(new PackageRelationshipSelector(relationship.SourceUri, PackageRelationshipSelectorType.Type, relationship.RelationshipType));
        }
        try
        {
            signatureManager.Sign(partsToSign, certificate, relationshipSelectors);
        }
        finally
        {
            packageToSign.Close();
        }
    }
}
Replace the thumbprint with your EV certificate's SHA1 thumbprint.
Upvotes: 0
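A check worth running on the signed package before uploading it, as an added example that is not part of either answer: it uses the same System.IO.Packaging API the answers rely on, verifies the signatures and each signer's certificate chain, prints the signature method (so SHA256 versus SHA1 signing can be confirmed), and flags any content part the signature does not cover. The class name HlkxVerifier is invented here.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Packaging;
using System.Security.Cryptography.X509Certificates;

// Added example: checks a signed .hlkx (an OPC package) before it is uploaded.
static class HlkxVerifier
{
    const string SigPrefix = "application/vnd.openxmlformats-package.digital-signature";
    // True only if the XML-DSig signatures validate, each signer's chain builds
    // without error, and every content part is covered by a signature.
    public static bool Verify(string path)
    {
        using (Package package = Package.Open(path, FileMode.Open, FileAccess.Read))
        {
            var manager = new PackageDigitalSignatureManager(package);
            if (!manager.IsSigned) { Console.WriteLine("Package is not signed."); return false; }
            // Digest and signature-value check over all signatures in the package
            VerifyResult result = manager.VerifySignatures(false);
            Console.WriteLine("Signature check: " + result);
            bool ok = result == VerifyResult.Success;

            foreach (PackageDigitalSignature sig in manager.Signatures)
            {
                var signer = new X509Certificate2(sig.Signer);
                Console.WriteLine("Signer: " + signer.Subject + " (" + signer.Thumbprint + ")");
                // SignatureMethod URI shows which hash was used (e.g. rsa-sha256 vs rsa-sha1)
                Console.WriteLine("Method: " + sig.Signature.SignedInfo.SignatureMethod);

                // Chain status of the signing certificate (expired, untrusted root, ...)
                X509ChainStatusFlags chain = PackageDigitalSignatureManager.VerifyCertificate(sig.Signer);
                Console.WriteLine("Chain:  " + chain);
                ok &= chain == X509ChainStatusFlags.NoError;

                // Every non-signature, non-relationship part must be in the signed set;
                // an uncovered part could be altered without invalidating the signature.
                var covered = new HashSet<Uri>(sig.SignedParts);
                foreach (PackagePart part in package.GetParts())
                {
                    if (PackUriHelper.IsRelationshipPartUri(part.Uri) || part.ContentType.StartsWith(SigPrefix))
                        continue;
                    if (!covered.Contains(part.Uri)) { Console.WriteLine("Unsigned part: " + part.Uri); ok = false; }
                }
            }
            return ok;
        }
    }
}
```

Call HlkxVerifier.Verify(@"C:\Path\To\Your\HLKXFile.hlkx") from a console Main in the same project (WindowsBase referenced) and upload only if it returns true.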
Reputation: 39
You can
Upvotes: 1