Because the leader is not knowledgeable, direct purchase of GlobalSign certificate, the result caused me this developer painful 2 weeks trip, say the general situation:
Purpose: To sign a purchased driver so that it can be installed and used in the case of Win x64
After downloading the Windows Kits installation, get the SignTool.exe tool and use it to sign.
The name of the company was soon signed, but the time stamp was not signed, a run on the SignTool collapse. But
https://support.globalsign.com/customer/en/portal/articles/1491089
SignTool sign/ac mscrosscert.crt/f codesign.pfx/p password1234/tr http://timestamp.globalsign.com/scripts/ Timestamp.dll Filter.sys
The example on the document clearly wrote an example, why am I not able to run?
At first I thought Timestamp.dll wrote wrong, should be timstamp.dll (less an E, the results of online search is less e), or not.
Finally had to ask for help globalsign after the sale, fully reported 5 sets of test commands and the operation of the whole situation. Results The bastard's globalsign not look at the content, directly to I have seen 10,000 times the two connections (the second link is also for outdated drivers):
https://support.globalsign.com/customer/en/portal/articles/1491089
https://support.globalsign.com/customer/portal/articles/1217485
This way to and fro, a full 13 emails, the problem is still not resolved. Finally I found one thing, they gave me the certificate is not in accordance with RFC 3161, so must use the/t parameter, not/tr. At the same time Timestamp.dll spelling with E or without E, are correct, but no one told me this thing ah, let me puzzled for a long time.
Time Stamp has, SignTool verify/v/KP also display correct, but my driver still can not use, a call on the crash, a little useful tips information are not, depressed ah ... Because it is impossible to determine the cause of the error, repeatedly testing themselves to call the driver's code, tried again and again, really feel that their code is not a problem, and is really the problem of the driver itself.
No way, can not let the driver itself delay development, first develop business processes it. So start Windows, press F8, and go to "Do not check signature" mode.
A few days later, all functions have been developed, in the "Do not check the signature mode" run well, so back to the issue of driver signature.
Windows Normal startup mode, die or die can not install the driver ah, not to mention I call those features.
I also put my own certificate, password, to sign the driver, I signed the driver, all sent to the GlobalSign, asked them to help me check the comparison, the problem exactly where, but they do not look at (later research results show that this certificate can not be used for signature driver, I don't want to try it for a simple result ... This service, absolutely bad comment.
Helpless Ah, only in the QQ group for help, because QQ group is the country-wide, the relevant master should be in it. As for the forum, although can also ask questions, but the real-time is too poor, but also to register the forum or something, give up.
Finally, a friend of VeriSign's warm-hearted help to solve the problem, on the spot using a variety of signature tools to help me in real-time testing, soon have the results. Then re-apply the kernel certificate to GlobalSign, the problem is all done. And according to the VeriSign friend, their certificates do not differentiate between the application level and the kernel level, in other words, the driver can be signed directly.
Here is the price of VeriSign:
Http://verisign.ert7.com/quotation.html
Another certificate small white people, want to save time and energy, reduce depressed, speed up project development, can contact me above mentioned two friends of VeriSign (QQ6220414 and QQ1125803355).
Heaven knows, I am not their support, they also so far did not charge me a penny (no need to buy 2 certificates in a year!) )。 But this attitude and "after-sale" really did not say, next year must buy their home certificate!
Excellent VeriSign and Bastard GlobalSign.