Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Signing errors in setupapidev.log

msrmsr Member Posts: 355
Hi

I get below errors in my 2 INF files (bus and protocol).
The install location has all the files required.
When I verify using signtool all of them come back properly verified as well.

Basically these show up as red signing errors during install.
Any ideas what to look for?




bus.inf
sig: {_VERIFY_FILE_SIGNATURE} 15:12:53.987
sig: Key = bus.inf
sig: FilePath = c:\bus.inf
sig: Catalog = c:\bus.cat
! sig: Verifying file against specific (valid) catalog failed! (0x00000057)
! sig: Error 87: The parameter is incorrect.
sig: {_VERIFY_FILE_SIGNATURE exit(0x00000057)} 15:12:53.987

[SourceDisksFiles]
bus.sys = 1,,
coinst.dll = 1 ;
msg.dll = 1,,



protocol.inf
inf: Opened INF: 'c:\prot.inf' ([strings])
inf: Installing catalog prot.cat as: oem28.CAT
! inf: Failed to install catalog - error ignored
! inf: Error 2: The system cannot find the file specified.
inf: OEM source media location: c:\
<<< Section end 2012/09/11 14:48:19.756

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,028
    [email protected] wrote:
    > I get below errors in my 2 INF files (bus and protocol).
    > The install location has all the files required.
    > When I verify using signtool all of them come back properly verified as well.
    >
    > Basically these show up as red signing errors during install.
    > Any ideas what to look for?

    This implies that one of the files in your CAT file changed after you
    created the CAT. Remember that the CAT file contains a checksum of all
    of the files referenced in the INF, at the time you ran inf2cat. You
    cannot change any of the files after that point, without recreating the CAT.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • msrmsr Member Posts: 355
    Thanks, in that case wouldn't below cmds fail as well? They both return success.

    SignTool Verify /v /kp bus.sys
    signtool verify /kp /v /c bus.cat bus.sys


    I will check if my install process is muckin somethin.
    But all we do is copy all teh files referenced in CAT in to a temp folder and do below
    bus - UpdateDriverForPlugAndPlayDevices
    Protocol - SetupCopyOEMInf
  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,028
    [email protected] wrote:
    > Thanks, in that case wouldn't below cmds fail as well? They both return success.
    >
    > SignTool Verify /v /kp bus.sys
    > signtool verify /kp /v /c bus.cat bus.sys

    No. Those check the signature. Signtool doesn't know anything about
    the internals of CAT files.


    > I will check if my install process is muckin somethin.
    > But all we do is copy all teh files referenced in CAT in to a temp folder and do below

    The question is, in what order do you do things to build your driver
    package?

    - build
    - sign sys file
    - inf2cat
    - sign cat file
    - copy

    Remember, ANY time you change the sys file, you must rebuild the cat.
    You can't just do a quick debug build and copy the sys file. Nor cat
    you build the cat file with the release build, and then copy the checked
    build for debugging.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • David_R._CattleyDavid_R._Cattley Member - All Emails Posts: 2,115
    > SignTool Verify /v /kp bus.sys
    > signtool verify /kp /v /c bus.cat bus.sys
    You might also want to verify your INF signature in the CAT signtool verify /kp /v /c bus.cat bus.inf (or whatever you INF is named). Good Luck,Dave Cattley
  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,028
    Dave Cattley wrote:
    > > SignTool Verify /v /kp bus.sys
    > > signtool verify /kp /v /c bus.cat bus.sys
    >
    > You might also want to verify your INF signature in the CAT
    >
    > signtool verify /kp /v /c bus.cat bus.inf

    What does that do? An INF can't be signed. I tried it, and I see that
    it says "successfully verified", but I don't know what that means.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • msrmsr Member Posts: 355
    Yes I see the same results as Tim. Says success.
  • David_R._CattleyDavid_R._Cattley Member - All Emails Posts: 2,115
    > What does that do? An INF can't be signed. I tried it, and I see that
    > it says "successfully verified", but I don't know what that means.
    As I understand it, it verifies that the hash in the (signed) .CAT for the .INF proving that the 'signature' covering the .INF from the .CAT is valid and/or that the .INF is validly covered by the .CAT. I guess I have never tried the 'negative' test of damaging an INF and seeing what happens when this test runs. I just have this check in my build scripts to verify a driver package signature with SignTool. I check .CAT, the .SYS, and the .INF. Dave Cattley
  • David_R._CattleyDavid_R._Cattley Member - All Emails Posts: 2,115
    See the example at: http://msdn.microsoft.com/en-us/library/windows/desktop/aa388171(v=vs.85).aspx The following command verifies a system file that is signed in a catalog named MyCat.cat:SignTool verify /c MyCat.catMyFile.ini Dave Cattley
  • David_R._CattleyDavid_R._Cattley Member - All Emails Posts: 2,115
    I should point out that whether or not your .INF signature in the .CAT is valid would only effect uptake into the DriverStore or installation. What Tim said about the KMCS driver signature (e.g. get a certificate and sign the binary) is the solution to getting your driver to load. I was only noting that a what I think as a thorough verification of a driver package would include checking the .INF files as well. Dave Cattley
  • msrmsr Member Posts: 355
    > SignTool Verify /v /kp bus.sys
    > signtool verify /kp /v /c bus.cat bus.sys
    > signtool verify /kp /v /c bus.cat bus.inf

    1)
    All these comamnds succeed but I still get red signing errors? what does that mean?
    I am sure none of the INF referenced binaries are changed once they are CAT'ed.

    2)
    Also after I submit above package to WHQL and get MS WHQL Cats, these red-signs shoudl go away right?


    Basically I have these 3 INFs

    bus - bus.inf
    protocol - prot.inf
    storage - stor.inf

    **Bus.inf** has below references
    CopyFiles=CopyFiles_sysfiles, MessageDll_Files
    [CopyFiles_sysfiles]
    bus.sys,,,2

    [MessageDll_Files]
    Msg.dll,,,2

    [SourceDisksFiles]
    bus.sys = 1,,
    Msg.dll = 1,,

    [DestinationDirs]
    DefaultDestDir = 12
    MessageDll_Files = 11

    then prot and stor.inf just reference the above msg.dll for event logging i.e. all 3 INFs use the same msg.dll but only the bus.inf copies it.

    Additional error I see when installing bus.inf is below.
    Not sure if below is of interest (or is just a warning since we not yet whql'ed CAT)

    sig: {_VERIFY_FILE_SIGNATURE} 15:12:53.987
    sig: Key = bus.inf
    sig: FilePath = c:\bus.inf
    sig: Catalog = c:\bus.cat
    ! sig: Verifying file against specific Authenticode(tm) catalog failed! (0x80092003)
    ! sig: Error 0x80092003: An error occurred while reading or writing to a file.
    sig: {_VERIFY_FILE_SIGNATURE exit(0x80092003)} 15:12:53.987

    and below
    dvi: Created Driver Node:
    dvi: InfName - c:\bus.inf
    dvi: Rank - 0x80ff0000
    dvi: Signer - *****Not digitally signed
    dvi: Signer Score - ****Not digitally signed

    But I am digitally signed, that's whay inspite of these red-signs I load and driver is running (my driver is BOOT start)
  • msrmsr Member Posts: 355
    >>
    I guess I have never tried the
    'negative' test of damaging an INF and seeing what happens when this test runs.
    <<

    I did this negative test and this fails.

    When I run
    signtool verify /kp /v /c bus.cat <each file referenced by bus.INF>

    all return success.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Developing Minifilters 24 May 2021 Live, Online
Writing WDF Drivers 14 June 2021 Live, Online
Internals & Software Drivers 27 September 2021 Live, Online
Kernel Debugging 15 November 2021 Live, Online