Signing errors in setupapidev.log

Hi

I get below errors in my 2 INF files (bus and protocol).
The install location has all the files required.
When I verify using signtool all of them come back properly verified as well.

Basically these show up as red signing errors during install.
Any ideas what to look for?

bus.inf
sig: {_VERIFY_FILE_SIGNATURE} 15:12:53.987
sig: Key = bus.inf
sig: FilePath = c:\bus.inf
sig: Catalog = c:\bus.cat
! sig: Verifying file against specific (valid) catalog failed! (0x00000057)
! sig: Error 87: The parameter is incorrect.
sig: {_VERIFY_FILE_SIGNATURE exit(0x00000057)} 15:12:53.987

[SourceDisksFiles]
bus.sys = 1,
coinst.dll = 1 ;
msg.dll = 1,

protocol.inf
inf: Opened INF: ‘c:\prot.inf’ ([strings])
inf: Installing catalog prot.cat as: oem28.CAT
! inf: Failed to install catalog - error ignored
! inf: Error 2: The system cannot find the file specified.
inf: OEM source media location: c:\
<<< Section end 2012/09/11 14:48:19.756
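A way to pull every failed `_VERIFY_FILE_SIGNATURE` block out of a setupapi.dev.log for triage, added here as an example and not part of the original post. The function name and the sample log are constructed, with the sample modelled on the excerpt above.

```python
import re

# Constructed sample modelled on the log excerpt in the post above.
SAMPLE_LOG = r"""
     sig: {_VERIFY_FILE_SIGNATURE} 15:12:53.987
     sig:      Key      = bus.inf
     sig:      FilePath = c:\bus.inf
     sig:      Catalog  = c:\bus.cat
!    sig:      Verifying file against specific (valid) catalog failed! (0x00000057)
!    sig:      Error 87: The parameter is incorrect.
     sig: {_VERIFY_FILE_SIGNATURE exit(0x00000057)} 15:12:53.987
     sig: {_VERIFY_FILE_SIGNATURE} 15:12:54.102
     sig:      Key      = prot.inf
     sig:      FilePath = c:\prot.inf
     sig:      Catalog  = c:\prot.cat
     sig: {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 15:12:54.110
"""

START = re.compile(r"sig:\s*\{_VERIFY_FILE_SIGNATURE\}")
EXIT = re.compile(r"sig:\s*\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9a-fA-F]+)\)\}")
FIELD = re.compile(r"sig:\s*(Key|FilePath|Catalog)\s*=\s*(.*\S)")
FLAGGED = re.compile(r"^\s*!+\s*sig:\s*(.*\S)")

def failed_verifications(log_text):
    """Return one dict per verification block whose exit code is non-zero."""
    failures, block = [], None
    for line in log_text.splitlines():
        if START.search(line):
            block = {"messages": []}          # a new verification block opens
        elif block is None:
            continue                          # ignore lines outside any block
        elif (m := EXIT.search(line)):
            block["exit"] = int(m.group(1), 16)
            if block["exit"] != 0:
                failures.append(block)
            block = None                      # block closed
        elif (m := FIELD.search(line)):
            block[m.group(1)] = m.group(2)    # Key / FilePath / Catalog
        elif (m := FLAGGED.match(line)):
            block["messages"].append(m.group(1))  # lines the log flags with '!'
    return failures

if __name__ == "__main__":
    for f in failed_verifications(SAMPLE_LOG):
        print(f"{f['Key']} vs {f['Catalog']}: 0x{f['exit']:08x} {f['messages']}")
```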

xxxxx@yahoo.com wrote:

I get below errors in my 2 INF files (bus and protocol).
The install location has all the files required.
When I verify using signtool all of them come back properly verified as well.

Basically these show up as red signing errors during install.
Any ideas what to look for?

This implies that one of the files in your CAT file changed after you
created the CAT. Remember that the CAT file contains a checksum of all
of the files referenced in the INF, at the time you ran inf2cat. You
cannot change any of the files after that point, without recreating the CAT.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks, in that case wouldn’t below cmds fail as well? They both return success.

SignTool Verify /v /kp bus.sys
signtool verify /kp /v /c bus.cat bus.sys

I will check if my install process is muckin somethin.
But all we do is copy all the files referenced in CAT in to a temp folder and do below
bus - UpdateDriverForPlugAndPlayDevices
Protocol - SetupCopyOEMInf

xxxxx@yahoo.com wrote:

Thanks, in that case wouldn’t below cmds fail as well? They both return success.

SignTool Verify /v /kp bus.sys
signtool verify /kp /v /c bus.cat bus.sys

No. Those check the signature. Signtool doesn’t know anything about
the internals of CAT files.

I will check if my install process is muckin somethin.
But all we do is copy all the files referenced in CAT in to a temp folder and do below

The question is, in what order do you do things to build your driver
package?

  • build
  • sign sys file
  • inf2cat
  • sign cat file
  • copy

Remember, ANY time you change the sys file, you must rebuild the cat.
You can’t just do a quick debug build and copy the sys file. Nor can
you build the cat file with the release build, and then copy the checked
build for debugging.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> SignTool Verify /v /kp bus.sys
> signtool verify /kp /v /c bus.cat bus.sys

You might also want to verify your INF signature in the CAT

signtool verify /kp /v /c bus.cat bus.inf

(or whatever your INF is named).

Good Luck,
Dave Cattley

Dave Cattley wrote:

> SignTool Verify /v /kp bus.sys
> signtool verify /kp /v /c bus.cat bus.sys

You might also want to verify your INF signature in the CAT

signtool verify /kp /v /c bus.cat bus.inf

What does that do? An INF can’t be signed. I tried it, and I see that
it says “successfully verified”, but I don’t know what that means.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Yes I see the same results as Tim. Says success.

> What does that do? An INF can’t be signed. I tried it, and I see that
> it says “successfully verified”, but I don’t know what that means.

As I understand it, it verifies that the hash in the (signed) .CAT for the .INF proving that the ‘signature’ covering the .INF from the .CAT is valid and/or that the .INF is validly covered by the .CAT. I guess I have never tried the ‘negative’ test of damaging an INF and seeing what happens when this test runs. I just have this check in my build scripts to verify a driver package signature with SignTool. I check .CAT, the .SYS, and the .INF.

Dave Cattley
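A sketch of the kind of build-script check described in the post above, added here as an example (it is not Dave Cattley's script): it reads an INF, lists the INF itself plus every `[SourceDisksFiles]` entry, and builds one `signtool verify /kp /v /c` command per file. The function names and the sample INF are constructed; the `[Version]` section with `CatalogFile` is assumed, since the thread does not quote it.

```python
import re

# Constructed INF fragment, modelled on the bus.inf sections quoted in this thread.
SAMPLE_INF = """\
[Version]
CatalogFile = bus.cat   ; catalog that must cover every package file

[SourceDisksFiles]
bus.sys = 1,
coinst.dll = 1 ;
Msg.dll = 1,

[DestinationDirs]
DefaultDestDir = 12
"""

def inf_sections(inf_text):
    """Map lower-cased section names to their non-empty, comment-stripped lines."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        # ';' starts an INF comment (quoted strings containing ';' are not handled)
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def package_files(inf_name, inf_text):
    """Return (catalog, files): the INF itself plus every SourceDisksFiles entry."""
    sections = inf_sections(inf_text)
    catalog = None
    for line in sections.get("version", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == "catalogfile":
            catalog = value.strip()
    files = [inf_name]
    for name, lines in sections.items():
        if name.split(".")[0] == "sourcedisksfiles":  # also decorated sections
            files += [entry.partition("=")[0].strip() for entry in lines]
    return catalog, files

def verify_commands(inf_name, inf_text):
    """One catalog check per file, using the signtool invocation from the thread."""
    catalog, files = package_files(inf_name, inf_text)
    return [["signtool", "verify", "/kp", "/v", "/c", catalog, f] for f in files]
```

Each returned list can be passed to `subprocess.run(..., check=True)` on the build machine, from the package directory, so the build stops at the first file the catalog does not cover.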

See the example at: http://msdn.microsoft.com/en-us/library/windows/desktop/aa388171(v=vs.85).aspx

[quote]
The following command verifies a system file that is signed in a catalog named MyCat.cat:

SignTool verify /c MyCat.cat MyFile.ini
[/quote]

Dave Cattley

I should point out that whether or not your .INF signature in the .CAT is valid would only affect uptake into the DriverStore or installation. What Tim said about the KMCS driver signature (e.g. get a certificate and sign the binary) is the solution to getting your driver to load. I was only noting that what I think of as a thorough verification of a driver package would include checking the .INF files as well.

Dave Cattley

> SignTool Verify /v /kp bus.sys

signtool verify /kp /v /c bus.cat bus.sys
signtool verify /kp /v /c bus.cat bus.inf

All these commands succeed but I still get red signing errors? What does that mean?
I am sure none of the INF referenced binaries are changed once they are CAT’ed.

Also after I submit above package to WHQL and get MS WHQL Cats, these red-signs should go away right?

Basically I have these 3 INFs

bus - bus.inf
protocol - prot.inf
storage - stor.inf

**Bus.inf** has below references
CopyFiles=CopyFiles_sysfiles, MessageDll_Files
[CopyFiles_sysfiles]
bus.sys,2

[MessageDll_Files]
Msg.dll,2

[SourceDisksFiles]
bus.sys = 1,
Msg.dll = 1,

[DestinationDirs]
DefaultDestDir = 12
MessageDll_Files = 11

then prot and stor.inf just reference the above msg.dll for event logging i.e. all 3 INFs use the same msg.dll but only the bus.inf copies it.

Additional error I see when installing bus.inf is below.
Not sure if below is of interest (or is just a warning since we not yet whql’ed CAT)

sig: {_VERIFY_FILE_SIGNATURE} 15:12:53.987
sig: Key = bus.inf
sig: FilePath = c:\bus.inf
sig: Catalog = c:\bus.cat
! sig: Verifying file against specific Authenticode™ catalog failed! (0x80092003)
! sig: Error 0x80092003: An error occurred while reading or writing to a file.
sig: {_VERIFY_FILE_SIGNATURE exit(0x80092003)} 15:12:53.987

and below
dvi: Created Driver Node:
dvi: InfName - c:\bus.inf
dvi: Rank - 0x80ff0000
dvi: Signer - *****Not digitally signed
dvi: Signer Score - ****Not digitally signed

But I am digitally signed, that’s why in spite of these red-signs I load and driver is running (my driver is BOOT start)

>>
I guess I have never tried the
‘negative’ test of damaging an INF and seeing what happens when this test runs.
<<

I did this negative test and this fails.

When I run
signtool verify /kp /v /c bus.cat

all return success.