Signing a driver and installing it silently

Signing the driver(s)

Sometimes we are in the unpleasant situation of having to silently install a driver that is unsigned (or whose signing certificate has expired). If we use DpInst, then the solution is to sign it ourselves.

How do we do that?

1. First, we need the Windows Driver Kit. If you don’t have it already, check this article.

2. Start the X86 Free Build Environment. You can find a shortcut under (All) Programs\Windows Driver Kits\Build Environments\Windows XP\

3. If we don’t have a certificate file (.cer) already, then we need to create one now.

3.1. Run: makecert.exe -r -pe -ss PrivateCertStore -n CN=FQDN_here Your_Certificate_Name.cer

More info on FQDN

3.2. Copy the newly created .cer file to the folder containing the .inf (the drivers) that needs to be signed

3.3. Change directory to the same folder in the console.

4. Run: stampinf.exe -f Inf_Name_here -d * -v Inf_Version_here

5. Run: inf2cat.exe /driver:.\ /os:XP_X86,Server2003_X86,7_X86

6. Run: signtool.exe sign /v /s PrivateCertStore /n FQDN_here /t

Be aware that the signtool command line might fail if you use a proxy that blocks the reply from the timestamp server.

Installing the custom signed driver

We will install the newly signed driver with DpInst.

1. We need a tool called CertMgr.exe. It’s part of the Windows SDK, which can be downloaded from here. It is used to import certificates (among other operations), and it should be included in your future package.

2. In a normal console, run: certmgr.exe /add Your_Certificate_Here.cer /s /r localMachine root

and certmgr.exe /add Your_Certificate_Here.cer /s /r localMachine trustedpublisher

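These commands import the certificate into the local machine's Root store and add it to the Trusted Publishers store. Local administrator permissions are required. From then on, the machine trusts any code signed with that certificate's private key.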

3. Run: dpinst.exe /sa /se /sw

4. Check the exit code and the log file C:\windows\dpinst.log to see if the installation was successful.

You can find more info on how to use DpInst and its exit codes here.
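The install steps above as one script that also decodes the DpInst exit code instead of only comparing it to zero. This is an added example, not part of the original post. It assumes PowerShell 3.0 or later, an elevated console, and that dpinst.exe, certmgr.exe, the .cer file and the signed package sit in one folder. The 0xWWXXYYZZ layout is the one Microsoft documents for DPInst return codes, and the function name is hypothetical.

```powershell
# Added example, not from the original post. Run from an elevated console.
# Assumptions: dpinst.exe, certmgr.exe, the .cer and the signed package share one
# folder; the file name below is the placeholder used in the steps above.
param(
    [string]$PackageDir = $PSScriptRoot,
    [string]$CertFile   = 'Your_Certificate_Here.cer'
)

function ConvertFrom-DpInstExitCode {
    # DPInst returns 0xWWXXYYZZ: WW = flags, XX = packages that failed,
    # YY = packages copied to the driver store only, ZZ = packages installed on a device.
    param([Parameter(Mandatory = $true)][int]$Code)
    $flags = ($Code -shr 24) -band 0xFF
    [pscustomobject]@{
        Raw               = '0x{0:X8}' -f $Code
        InstallFailed     = [bool]($flags -band 0x80)
        RebootRequired    = [bool]($flags -band 0x40)
        FailedPackages    = ($Code -shr 16) -band 0xFF
        CopiedToStoreOnly = ($Code -shr 8) -band 0xFF
        InstalledOnDevice = $Code -band 0xFF
    }
}

$cerPath = Join-Path $PackageDir $CertFile
# Record exactly which certificate is about to become a machine-wide trust anchor.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
Write-Host "Trusting $($cert.Subject) thumbprint $($cert.Thumbprint) until $($cert.NotAfter)"

foreach ($store in 'root', 'trustedpublisher') {
    & (Join-Path $PackageDir 'certmgr.exe') /add $cerPath /s /r localMachine $store
    # Assumption: certmgr.exe returns a non-zero exit code when the import fails.
    if ($LASTEXITCODE -ne 0) { throw "certmgr failed for store '$store' (exit $LASTEXITCODE)" }
}

# Start-Process -Wait -PassThru blocks until dpinst.exe ends and exposes its exit code.
$p = Start-Process -FilePath (Join-Path $PackageDir 'dpinst.exe') `
        -ArgumentList '/sa', '/se', '/sw' -WorkingDirectory $PackageDir -Wait -PassThru
$result = ConvertFrom-DpInstExitCode -Code $p.ExitCode
$result | Format-List

# Show the end of the log the post points to, then fail the script if any package failed.
Get-Content (Join-Path $env:windir 'dpinst.log') -Tail 20
if ($result.InstallFailed -or $result.FailedPackages -gt 0) { exit 1 }
```

The logged thumbprint gives you a record of which certificate was added to the Root and Trusted Publishers stores on each machine.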