[Mono-list] signing drivers under Linux

Wed Nov 11 09:29:41 EST 2009

On Wed, Nov 11, 2009 at 08:27, Sebastien Pouliot wrote:
> On Tue, 2009-11-10 at 22:27 -0500, Mike Frysinger wrote:
>> i have an open source package that can be entirely cross-compiled and
>> packaged up for Windows, all from under Linux.  i'm trying to now
>> integrate some drivers and the last step is the code signing.  this
>> isnt strictly mono related, but some of the aspects are integrated
>> into mono, so here i am.
>>
>> this process can be broken down into two steps:
>>  - inf2cat: create .cat file from .inf and executable files
>>  - signtool: sign the .cat and executable files (authenticode)
>>
>> while the signtool step was easy to convert via the signcode tool (and
>> working around ASN limitations and verisign #316337), the inf2cat step
>> isnt falling into place.  the WDK version is a .NET program, so i
>> figured it'd be easy to run through mono.
>>
>> after manually forcing all paths to lowercase, i ended up with:
>> $ mono inf2cat.exe /driver:drivers/ /os:XP_X86,XP_X64
>> ...............................................................
>> Signability test complete.
>>
>> Errors:
>> None
>>
>> Warnings:
>> None
>>
>> wintrust.dll
>> Signability test failed.
>>
>> stracing this shows that the host library paths are searched like so:
>> ./
>> /lib/
>> /usr/lib/
>> and it looks for {lib,}wintrust.{dll,so,la} ... maybe it's using
>> libltdl ?  at any rate, even after getting this file from a Windows
>> system and sticking it into /usr/lib64/ temporarily, it still fails
>> the same way (the strace output shows that it found & opened the dll
>> in question).  i'm not sure getting this tool to work isnt going to
>> happen ...
>
> Likely not. It's a .NET application but it pinvokes into wintrust.dll
> where most of authenticode resides on Windows. You can use MoMA to
> detect such things (and other stuff that will affect Mono
> compatibility).

oh, i get it now.  the "wintrust.dll" line is actually an error from
mono internals saying that the dll was required but no suitable
version was found.  copying it from windows wont work because it is
native code and not a .net assembly that mono can handle.

perhaps the error message should be improved ?  the current terse
output made me think that it was inf2cat looking for the dll to verify
its hashes or something.

>> has anyone else tried to do this kind of thing ?  perhaps there is
>> some util out there to create a .cat file easily ... but googling for
>> things like "cat" or "inf" or "mono" doesnt really yield anything
>> useful.
>
> Both tools were not required for mono - so I never made managed
> alternatives to them. I'm not aware of any either but if you find some
> please email the list with them (it could prove useful to others too)

i'm probably just going to give up on it now.  maybe i'll try running
things through wine, but i'm not sure that's worth the hassle (since
it too doesnt appear to have a complete wintrust implementation).

if i do someday stumble across something, i'll post it here.
-mike