╔═══════════════════════════════════════
║ PKI - Catalog - Create

┌───────────────────────────────────────
│ References

• MakeCat
  · Learn / Windows / Apps / Win32 / Desktop Technologies / Security and Identity / Cryptography
  · https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecat
• Using MakeCat to Create a Catalog File
  · Learn / Windows / Windows Drivers
  · https://learn.microsoft.com/en-us/windows-hardware/drivers/install/using-makecat-to-create-a-catalog-file

┌───────────────────────────────────────
│ Notes

• Certificate Utilities
  · The certificate utilities 'makecat.exe' and 'signtool.exe' are installed with the Windows SDK.
  · Usually: C:\Program Files (x86)\Windows Kits\x\bin\x.x.x.x\x64

┌───────────────────────────────────────
│ Create Catalog Definition File - .cdf

• File Format

  [CatalogHeader]
  Name=<catalogFileName>.cat
  PublicVersion=0x0000001
  EncodingType=0x00010001
  CATATTR1=0x10010001:OSAttr:2:6.0

  [CatalogFiles]
  <HASH><1stUnqualifiedFileName.exe>=1stFile.exe
  <HASH><2ndUnqualifiedFileName.exe>=\folder\2ndFile.exe
  <HASH><3rdUnqualifiedFileName.exe>=C:\3rdFile.exe
  <HASH><4thUnqualifiedFileName.exe>=\\localhost\x$\folder\4thFile.exe
  <HASH><5thUnqualifiedFileName.exe>=\\?\C:\5thFile.exe
  <HASH><6thUnqualifiedFileName.exe>=\\?\UNC\localhost\x$\folder\6thFile.exe
  <HASH><7thUnqualifiedFileName.exe>=\\.\C:\7thFile.exe

• Notes
  · The literal string '<HASH>' precedes each [CatalogFiles] file entry, verbatim.
  · <HASH> is not a variable or placeholder.
  · The placeholder <XthUnqualifiedFileName.exe> is replaced with the unqualified (i.e. pathless) filename.
    · e.g.: someExecutable.exe
  · Valid pathname formats (right-hand side of each entry):
    · Unqualified: e.g. 1stFile.exe
    · Relative: e.g. \folder\2ndFile.exe
    · Fully-Qualified: e.g. C:\3rdFile.exe
    · UNC: e.g. \\localhost\x$\folder\4thFile.exe
    · Win32 File Namespace local: e.g. \\?\C:\5thFile.exe
    · Win32 File Namespace UNC: e.g. \\?\UNC\localhost\x$\folder\6thFile.exe
    · Win32 Device Namespace: e.g. \\.\C:\7thFile.exe
  · Invalid pathname formats:
    · DosDevices Namespace: e.g. \??\C:\8thFile.exe
  · From the Learn document: The last entry in the .cdf file must always have an explicit newline character at the end of the line.
    · Per the Learn document a bare 'CR' might suffice (untested here); the default, Windows-standard 'CRLF' certainly does.

┌───────────────────────────────────────
│ Create Catalog - makecat.exe

• Command
  ┌── Enter Command:
  └── makecat.exe <catCdfName>.cdf
  Succeeded

┌───────────────────────────────────────
│ Sign Catalog - signtool.exe

• Command
  ┌── Enter Command:
  └── signtool.exe sign /v /fd SHA512 /s My /n "<codeSigningCertificateSubjectCN>" /t http://timestamp.digicert.com <catName>.cat
  The following certificate was selected:
      Issued to: <codeSigningCertificateSubjectCN>
      Issued by: <caCertificateSubjectCN>
      Expires:   Dayname Month DD HH:MM:SS YYYY
      SHA1 hash: <Hash>

  Done Adding Additional Store
  Successfully signed: <catName>.cat

  Number of files successfully Signed: 1
  Number of warnings: 0
  Number of errors: 0

• Notes
  · This example works when the certificate is in the executing user's Personal certificate store.
  · If the certificate is in the SYSTEM account's Personal certificate store, this additional switch is required: /sm

┌───────────────────────────────────────
│ Install Catalog - signtool.exe

• Command
  ┌── Enter Command:
  └── signtool.exe catdb /v <catName>.cat
  Adding Catalog: <catName>.cat
  Catalog added successfully: <catName>.cat

  Number of catalog files successfully Added: 1
  Number of errors: 0

• Notes
  · To guarantee a unique catalog filename within the catalog database (preventing unintended overwrites of an existing catalog), add this switch: /u

┌───────────────────────────────────────
│ Uninstall Catalog - signtool.exe

• Command
  ┌── Enter Command:
  └── signtool.exe catdb /r <catName>.cat
  Catalog removed successfully: <catName>.cat
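The whole procedure above (write the .cdf, run makecat, sign, install) as one PowerShell script. This is an added example, not code from the page or from Microsoft; it assumes makecat.exe and signtool.exe are on PATH, that the code-signing certificate sits in the executing user's Personal store, and the names $CatName, $SignerCN and $Files are invented for the example. The final signtool verify step is a check the page itself does not show.

```powershell
# Added example (not from the original page): build, sign and install a catalog
# covering a set of files, then confirm each file verifies through that catalog.
# Assumptions: makecat.exe / signtool.exe on PATH (Windows SDK), code-signing cert
# in the current user's Personal ("My") store, and the values below are made up.

$CatName  = 'example'                                   # -> example.cdf / example.cat
$SignerCN = 'Example Code Signing'                      # Subject CN of the signing cert
$Files    = @('.\1stFile.exe', '.\folder\2ndFile.exe')  # paths makecat should hash

# --- Step 1: write the .cdf --------------------------------------------------
# Each [CatalogFiles] entry is the literal text '<HASH>' followed by the
# unqualified file name, then '=' and the path to hash. The file must end with
# an explicit newline, so the lines are joined with CRLF and a final CRLF appended.
$lines = @(
    '[CatalogHeader]',
    "Name=$CatName.cat",
    'PublicVersion=0x0000001',
    'EncodingType=0x00010001',
    'CATATTR1=0x10010001:OSAttr:2:6.0',
    '[CatalogFiles]'
)
foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
    $leaf   = Split-Path -Path $f -Leaf          # unqualified (pathless) name
    $lines += "<HASH>$leaf=$f"
}
$cdf = ($lines -join "`r`n") + "`r`n"
[System.IO.File]::WriteAllText("$CatName.cdf", $cdf, [System.Text.Encoding]::ASCII)

# --- Step 2: create the catalog ---------------------------------------------
& makecat.exe "$CatName.cdf"
if ($LASTEXITCODE -ne 0) { throw "makecat.exe failed (exit $LASTEXITCODE)" }

# --- Step 3: sign the catalog -----------------------------------------------
# Add /sm if the certificate lives in the SYSTEM account's Personal store.
& signtool.exe sign /v /fd SHA512 /s My /n $SignerCN /t http://timestamp.digicert.com "$CatName.cat"
if ($LASTEXITCODE -ne 0) { throw "signtool.exe sign failed (exit $LASTEXITCODE)" }

# --- Step 4: install into the catalog database ------------------------------
# /u gives the stored catalog a unique name so an existing one is not overwritten.
# Modifying the catalog database normally requires an elevated prompt.
& signtool.exe catdb /v /u "$CatName.cat"
if ($LASTEXITCODE -ne 0) { throw "signtool.exe catdb failed (exit $LASTEXITCODE)" }

# --- Check: each file should now verify via the installed catalog -----------
# /a lets signtool use every verification method, including catalog lookup.
foreach ($f in $Files) {
    & signtool.exe verify /v /a $f
    if ($LASTEXITCODE -ne 0) { Write-Warning "Not verifiable through a catalog: $f" }
}
```

Keeping the exit-code checks after each tool matters in practice: makecat.exe prints Succeeded but a typo in an entry (for example a missing '<HASH>' prefix) can leave a file out of the catalog silently, and only the verify step at the end shows that the file is actually covered.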