Sign binaries and packages
This topic provides guidance about signing binaries by using the sign.cmd tool, signing packages, and troubleshooting signing issues.
Using sign.cmd to sign binaries
To sign binaries, use the sign.cmd script located in %WPDKCONTENTROOT%\tools\bin\i386. Before you can sign binaries, you must first install the test OEM certificates by following the steps in Set up the signing environment.
The following table lists the sign.cmd options.

Type | Example
---|---
Drivers (including boot-critical drivers), services EXEs and DLLs, and other OEM general-purpose signing |
HAL extensions provided by the SoC vendor. |
OEM preloaded applications. |
Warning
The signing options must match the type of binary that is being signed.
Time stamping of signatures for OEM binaries
Time stamping of signatures for OEM binaries can be disabled by setting the following environment variable before using sign.cmd.
set SIGN_WITH_TIMESTAMP=0
Time stamps are not required for the retail signing of OEM binaries by Microsoft using the ingestion client, or for local testing of packages and images.
Embedded signing a boot-critical driver
To embedded-sign a boot-critical driver, run:
set SIGN_OEM=1
sign.cmd BootCriticalDriver.dll
This should generate output similar to the following.
signtool.exe sign /v /s my /i "Windows Phone Intermediate 2013" /n "Windows Phone OEM Test Cert 2013 (TEST ONLY)" /fd SHA256 /t http://timestamp.verisign.com/scripts/timestamp.dll "BootCriticalDriver.dll"
The following certificate was selected:
Issued to: Windows Phone OEM Test Cert 2013 (TEST ONLY)
Issued by: Windows Phone Intermediate 2013 (TEST ONLY)
Expires: Mon Apr 09 14:17:24 2018
SHA1 hash: 27CC4E1323C08A5BA2A62DC7F154C8AF017C488F
Done Adding Additional Store
Successfully signed: BootCriticalDriver.dll
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
signed: "BootCriticalDriver.dll"
Sign.Cmd RC=0
Package signing
For package signing, set the SIGN_OEM environment variable to "1" and SIGN_WITH_TIMESTAMP to "0" before using the package generation tools.
set SIGN_OEM=1
set SIGN_WITH_TIMESTAMP=0
Package signing occurs automatically during the package generation process. For more info on packaging, see Creating packages.
Confirming the EKU of a signed binary
To confirm the EKU of a signed binary:
1. Open Windows Explorer and locate the binary file.
2. Right-click the file and select Properties.
3. On the Digital Signatures tab, select the listed item in the Signature list.
4. Select the Details button, and then select View Certificate.
5. On the Details tab, select the Enhanced Key Usage field.
The following information should be displayed for a boot-critical driver. See Code signing for other EKUs that are used.
Code Signing (1.3.6.1.5.5.7.3.3)
WP OEM (1.3.6.1.4.1.311.76.5.40)
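The manual Explorer check above can be scripted so that every binary in a build drop is verified the same way. This is an added example, not code from the original page or from the WPDK tools; it uses the built-in Get-AuthenticodeSignature cmdlet, the two EKU OIDs the page lists for a boot-critical driver, and an assumed function name and folder path.

```powershell
# Added example (not from the original page): automate the EKU check for OEM-signed binaries.
# Assumes Windows PowerShell 5.1 or later. The OIDs are the two the page lists for a
# boot-critical driver; the function name and the sample folder path are assumptions.
$RequiredEkus = @{
    '1.3.6.1.5.5.7.3.3'       = 'Code Signing'
    '1.3.6.1.4.1.311.76.5.40' = 'WP OEM'
}

function Test-OemSignatureEku {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable] $Required = $RequiredEkus
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        # Unsigned file: report every required EKU as missing.
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Signer = $null
            Ekus = @(); Missing = @($Required.Keys); TimeStamped = $false; Ok = $false
        }
    }
    # The EKU list lives in the X509EnhancedKeyUsageExtension of the leaf (signer) certificate.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $missing = @($Required.Keys | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Path        = $Path
        # Status is 'Valid' only when the chain is trusted on this machine, i.e. the test
        # OEM root from "Set up the signing environment" is installed; otherwise expect
        # 'UnknownError' even though the EKUs are correct.
        Status      = $sig.Status
        Signer      = $cert.Subject
        Ekus        = $present
        Missing     = $missing
        # Mirrors the SIGN_WITH_TIMESTAMP setting: no timestamper certificate means no time stamp.
        TimeStamped = ($null -ne $sig.TimeStamperCertificate)
        Ok          = ($sig.Status -eq 'Valid' -and $missing.Count -eq 0)
    }
}

# Usage (assumed path): report every binary in the drop that fails the check.
Get-ChildItem -Path .\drop -Include *.dll, *.exe, *.sys -Recurse |
    ForEach-Object { Test-OemSignatureEku -Path $_.FullName } |
    Where-Object { -not $_.Ok } |
    Format-Table Path, Status, Missing, TimeStamped -AutoSize
```

The Missing column tells you which EKU is absent, which is the usual symptom of signing with the wrong sign.cmd option for the binary type.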
Troubleshooting signing errors
You can use SignTool to see how a binary file was signed. For example, to check the code signing for BootCriticalDriver.dll, open a command prompt and type the following.
signtool verify BootCriticalDriver.dll
To list additional information and have signtool verify all signatures in a file with multiple signatures, type the following.
signtool verify /pa /ph /v /d BootCriticalDriver.dll
Output similar to the following should appear.
Verifying: BootCriticalDriver.dll
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 0829CF677B3831904AB1AFC9BF45C6B7E0F0368786378DE6D0FBEBAA88C0632F
Signing Certificate Chain:
Issued to: Windows Phone OEM Root 2013 (TEST ONLY)
Issued by: Windows Phone OEM Root 2013 (TEST ONLY)
Expires: Mon Apr 09 14:17:13 2018
SHA1 hash: 53671A6DE6E8D9FA0D610EC563F10F2C8539EBEE
Issued to: Windows Phone Intermediate 2013 (TEST ONLY)
Issued by: Windows Phone OEM Root 2013 (TEST ONLY)
Expires: Mon Apr 09 14:17:22 2018
SHA1 hash: B63C71861C0880E2D0F121A7120C98DC67F14548
Issued to: Windows Phone OEM Test Cert 2013 (TEST ONLY)
Issued by: Windows Phone Intermediate 2013 (TEST ONLY)
Expires: Mon Apr 09 14:17:24 2018
SHA1 hash: 27CC4E1323C08A5BA2A62DC7F154C8AF017C488F
The signature is timestamped: Mon Aug 05 16:50:55 2013
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 16:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 16:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Warning: No page hashes are present.
Successfully verified: BootCriticalDriver.dll
Number of files successfully Verified: 1
Number of warnings: 1
Number of errors: 0
To display the command-line help for the SignTool verify option, type the following.
signtool verify /?
For more info on SignTool, see SignTool on MSDN.