If you are developing drivers for 64bit Vista or 2008, not only do you have to sign your driver with your company’s code signing certificate (sometimes referred to as a Software Publishing Certificate or SPC), you may also need to cross-sign your drivers so Windows does not complain and consequently reject loading your driver.
What is cross-signing (aka qualified subordination) exactly ? PGP users do it all the time when they sign another person’s PGP key, attesting to the fact that the key indeed belongs to the person (whose email address, photograph etc are on the key chain). Cross-signing is the exact same attestation in X.509 world except it is between Certification Authorities (CAs). A cross-signed driver establishes chain of trust to Microsoft’s CA whereas without cross-signing, the chain of trust is established with the CA that issued your company’s code signing certificate (Verisign, Thawte etc).
Depending on who your CA is, you can download the corresponding Microsoft cross-signing cert from here. Cross-signing is achieved by specifying signtool /ac (Additional Certificate) option on the command line along with the SPC certificate store and other parameters. This /ac option is supported only in signtool packaged with Vista WDK onwards.
The cross-signed driver signature does not look any different from non cross-signed driver in Windows Explorer (File->Properties->Digital Signatures tab). So it is kind of tricky to know whether cross signing worked fine or not. You can check whether a driver is a cross-signed driver by using signtool. If you have a driver with the signature embedded in it and signed by an SPC issued by Verisign you may see something like the following -
The second cert from top is the cross certificate that links the chain of trust to Microsoft Code Verification Root certificate. Note also that we do not see the Verisign root certificate in this chain. That chain still exists even though we do not see it here. The bottom line is as long as the top certificate shows up as Microsoft Code Verification Root, your driver has been successfully cross-signed.
If you are on a machine where signtool is not installed (for example a customer’s machine), a quick and dirty way to check for cross-signing is to look for a certain string in the driver like below
findstr /m “MicrosoftCodeVerifRoot” <yourdriver.sys>
This will not output anything if the driver is not cross-signed. If it is, findstr will echo back your driver name in output.
Happy signing !