Question about signing and trusted publishers

My driver package consists of an .inf, .sys, .cat, and the wdfcoinstaller.

My build procedure happens in this order:

  • build the .sys
  • sign the .sys
  • verify the .sys
  • create the .cat from the .inf
  • sign the .cat
  • verify the .cat

(optionally)

  • create an .msi installer using the driver package
  • sign the .msi installer
  • verify the .msi

When I install my driver on Windows Server 2008R2 (x64) I get a message asking whether or not to trust the publisher, where the publisher is specified as the one in my code signing certificate.

This makes an automated installation, say in our manufacturing processes, difficult, as I haven’t found a way to choose “Always trust software from ”.

I have tried importing our cert into the trusted publishers store, and that didn’t even seem to help.

I haven’t been targeting systems beyond Win XP until now, so some of these added security measures are new to me.

Any suggestions or information about what I “should” be doing would be appreciated.

Try this before you start the installation:

certmgr.exe -add <yourcertificate.cer> -c -s -r localMachine TrustedPublisher

The “certmgr.exe” that I use is 5.131.3668.0, but it still works even on Windows 7.

Regards,

Christiaan

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Wednesday, November 18, 2009 8:28 PM
Subject: [ntdev] Question about signing and trusted publishers

> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I didn’t use the certmgr application to add my cert to the “trusted publishers” store, but instead did it through Internet Explorer->Tools->Options->Content->Publishers and added it to trusted publishers. After doing this I can see the cert in the trusted publishers store using certmgr. The command line you gave for certmgr didn’t work for me, but it looks like you were trying to do what I had already done.

In any event, that does seem to solve the problem. Any other ideas?

I found a developers guide for trusted application deployment here:
http://msdn.microsoft.com/en-us/library/01daf08f.aspx

I followed it and exported my certificate as a base-64 encoded .cer rather than the .pfx and that didn’t work either.

I must be overlooking or missing something completely.


I never had a problem when using certmgr.exe. Notice that the command parameters ‘localMachine TrustedPublisher’ must be entered “case sensitive” (respect upper and lower case). The .cer file is the export (all keys) of the key out of the .cat file itself. You should also take a look into the certificate store via the Management Console snap-in after you installed the driver and accepted the certificate when “Always trust software from ” appeared, and compare this with the status when you added the certificate yourself via IE. Clicking on the .cer file also allows you to install the certificate; do select “automatically select the certificate store” and see what happens then.

/C

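As an added example, not from the thread, here is the same import Christiaan's certmgr.exe command performs, done in PowerShell so it can be scripted into a manufacturing install: it takes the publisher certificate straight out of the signed .cat (the export he describes), adds it to the LocalMachine TrustedPublisher store, and checks that it is there. The .cat path is an assumed placeholder, and the .NET X509Store class is used so the script also runs on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example, not code from the thread. Run from an elevated prompt.
# $CatPath is a constructed placeholder; point it at your own signed .cat.
param(
    [string]$CatPath = 'C:\drv\mydriver.cat'
)

# Read the Authenticode signature on the catalog and refuse anything that
# does not verify: we only want to trust the certificate we actually sign with.
$sig = Get-AuthenticodeSignature -FilePath $CatPath
if ($sig.Status -ne 'Valid') {
    throw "Signature on $CatPath is $($sig.Status): $($sig.StatusMessage)"
}
$leaf = $sig.SignerCertificate   # the publisher (leaf) cert, not the CA or root
Write-Host ("Publisher : " + $leaf.Subject)
Write-Host ("Thumbprint: " + $leaf.Thumbprint)

# Equivalent of: certmgr.exe -add <cer> -c -s -r localMachine TrustedPublisher
# Note: every package signed with this certificate will afterwards install on
# this machine without the publisher prompt, so add only your own signing cert.
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList 'TrustedPublisher', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    # Only the public certificate is stored; no private key leaves the build machine.
    $store.Add($leaf)
}
finally {
    $store.Close()
}

# Verify it landed in the LocalMachine store, the one the certmgr command
# targets with "-r localMachine", by matching on the thumbprint.
$present = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }
if (-not $present) {
    throw "Certificate not found in LocalMachine\TrustedPublisher after import"
}
Write-Host "OK: publisher is trusted on this machine; the driver install should not prompt."
```

After this runs, the certificate should show up under Trusted Publishers in the Local Computer certificate snap-in, which is the comparison Christiaan suggests making against the state after accepting the prompt by hand.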

Thanks for your help Christiaan.

It seems that the version of certmgr that was loaded on 2008r2 wasn’t adding the cert properly. I used the certmgr from the DDK \bin\amd64\Certmgr.exe and that seemed to work.

What I actually ended up doing though was using WiX to add the cert to the trustedpublisher store for me. With WiX I could actually add my pfx directly.

Thanks again, your help is definitely appreciated!