我已经在 Hardware Lab Kit 中完成了 USB 设备的所有测试,现在可以准备 .hlkx 驱动程序包以在 Microsoft 网站上提交。
问题是Windows 10驱动程序需要EV证书。 EV 证书是通过 Safenet USB 令牌提供的,并且该 USB 令牌距离安装了 Hardware Lab Kit 的计算机很远,因此我无法自动签署 Hardware Lab Kit 中的 .hlkx 包。
问题是如何对我的 Windows 10 USB 驱动程序进行签名?我有未签名的驱动程序(sys、cab、inf ... 文件),并且有来自 Hardware Lab Kit 的未签名的 .hlkx 驱动程序包。我可以在不提交到 Microsoft 网站的情况下签署我的驱动程序吗?
你可以
Alexey 提供的答案对我不起作用,我最终使用了此页面的源代码:
我必须做一些额外的调整:
使用此功能之前,请确保 EV 证书位于您的个人证书存储中。在 USB 令牌工具中,您应该能够打开证书并选择“安装证书”。
在 Visual Studio 中创建一个新的控制台应用程序并将此源代码粘贴到其中。 安装块包“WindowsBase”以获取 System.IO.Packaging 命名空间。
通过一些额外的源代码,我们可以让它工作:
class Program
{
static void Main(string[] args)
{
X509Store store = new X509Store("My");
store.Open(OpenFlags.ReadOnly);
X509Certificate2 evCert = null;
foreach (X509Certificate2 mCert in store.Certificates)
{
if (mCert.Thumbprint == "3DF652D7EyourThumbprintF")
{
evCert = mCert;
}
}
Sign(@"C:\Path\To\Your\HLKXFile.hlkx", evCert);
}
public static void Sign(string package, X509Certificate2 certificate)
{
// Open the package to sign it
Package packageToSign = Package.Open(package);
// Specify that the digital signature should exist
// embedded in the signature part
PackageDigitalSignatureManager signatureManager = new PackageDigitalSignatureManager(packageToSign);
signatureManager.CertificateOption = CertificateEmbeddingOption.InCertificatePart;
// We want to sign every part in the package
List<Uri> partsToSign = new List<Uri>();
foreach (PackagePart part in packageToSign.GetParts())
{
partsToSign.Add(part.Uri);
}
// We will sign every relationship by type
// This will mean the signature is invalidated if *anything* is modified in //the package post-signing
List<PackageRelationshipSelector> relationshipSelectors = new List<PackageRelationshipSelector>();
foreach (PackageRelationship relationship in packageToSign.GetRelationships())
{
relationshipSelectors.Add(new PackageRelationshipSelector(relationship.SourceUri, PackageRelationshipSelectorType.Type, relationship.RelationshipType));
}
try
{
signatureManager.Sign(partsToSign, certificate, relationshipSelectors);
}
finally
{
packageToSign.Close();
}
}
}
将指纹替换为您的 EV 证书 SHA1。
DigiCert Keylocker 不允许使用 SHA1 签名,因此我使用以下 C# 使用 SHA256 签名:
using System.IO.Packaging;
using System.Collections.Generic;
class HLKSigner {
static void Main(string[] args) {
var signer = new HLKSigner();
signer.sign(args[0]);
}
void sign(string file) {
var package_to_sign = Package.Open(file);
var signature_manager = new PackageDigitalSignatureManager(package_to_sign);
if (signature_manager.IsSigned)
throw new System.Exception("file is already signed");
signature_manager.CertificateOption = CertificateEmbeddingOption.InCertificatePart;
signature_manager.HashAlgorithm = System.Security.Cryptography.Xml.SignedXml.XmlDsigSHA256Url;
var parts_to_sign = new List<System.Uri>();
foreach (var part in package_to_sign.GetParts())
parts_to_sign.Add(part.Uri);
signature_manager.Sign(parts_to_sign);
}
}