Let me ask a few questions. Are you signing the .sys binary or the .cat
file? Or both? They are totally different signatures.
During driver installation, you need the .cat signed. On Vista/W2K8 x64, you
also need the binary signed.
On Vista x64 the expected behavior would be: the first time you install a
driver with your Authenticode signature a dialog will come up, and it will
have an option to "always trust drivers from xxx". To prevent this, you need
either a) a WHQL signature, or b) the Authenticode certificate already
installed as, I believe, a trusted publisher. I believe you can get option B to
happen via a network domain group policy, so all machines that are domain
members will trust drivers from that company. You also can add the publisher
certificate on first install, and then later installs of that device should
be silent.
I’d have to verify if GlobalSign is a valid Authenticode certificate
provider, with installed roots.
On W2K3, there is no way to make an Authenticode signature work like a WHQL
signature, although maybe on devices in a custom device class you can.
Jan
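The steps Jan's reply separates (sign the .sys, sign the .cat, verify each, and pre-trust the publisher so the "always trust drivers from ..." prompt never shows) as a PowerShell script. This is an added example, not code from the thread or from the Kernel-Mode Code Signing Walkthrough it cites; the package path, driver file names, certificate subject, cross-certificate file, timestamp URL and exported publisher .cer are placeholders and are assumptions. The inf2cat and signtool switches are the ones those tools document.

```powershell
# Added example (not from the thread): sign a KMDF driver package for Vista x64
# and check both signatures separately, then pre-trust the publisher on a target.
# Assumptions (placeholders): package directory and file names, SPC subject name,
# cross-certificate file, timestamp URL, exported publisher certificate.
$Package      = "C:\build\mydriver"                # holds mydriver.inf and mydriver.sys
$Subject      = "Example Corp"                     # subject (CN) of the SPC in the 'my' store
$CrossCert    = "C:\certs\MSCV-GlobalSign.cer"     # cross-cert for the CA that issued the SPC (assumed name)
$Timestamp    = "http://timestamp.globalsign.com/scripts/timestamp.dll"   # assumed TSA URL
$PublisherCer = "C:\certs\publisher.cer"           # public part of the SPC, exported for the target

# 1. Build the catalog from the INF. The .cat lists the hashes of every file the
#    INF copies, so edit the .sys first and regenerate the .cat after any rebuild.
inf2cat /driver:$Package /os:Vista_X64
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed" }

# 2. Embedded signature on the .sys itself. This is the signature the x64 kernel
#    checks when it loads the image; without it Device Manager reports the file
#    as not digitally signed even when the catalog is fine.
signtool sign /v /ac $CrossCert /s my /n $Subject /t $Timestamp "$Package\mydriver.sys"
if ($LASTEXITCODE -ne 0) { throw "signing mydriver.sys failed" }

# 3. Signature on the .cat. This is what Plug and Play checks during installation
#    and what drives the publisher prompt.
signtool sign /v /ac $CrossCert /s my /n $Subject /t $Timestamp "$Package\mydriver.cat"
if ($LASTEXITCODE -ne 0) { throw "signing mydriver.cat failed" }

# 4. Verify each signature on its own. /kp applies the kernel-mode driver signing
#    policy; /c names the catalog and checks the .sys hash against it.
signtool verify /v /kp "$Package\mydriver.sys"
if ($LASTEXITCODE -ne 0) { throw "embedded signature on mydriver.sys does not verify under /kp" }
signtool verify /v /kp /c "$Package\mydriver.cat" "$Package\mydriver.sys"
if ($LASTEXITCODE -ne 0) { throw "catalog signature does not verify under /kp" }

# 5. On the target machine: add the publisher certificate to Trusted Publishers
#    so the first-install dialog does not appear. Domain-wide, the same thing is
#    done with a GPO under Computer Configuration > Windows Settings >
#    Security Settings > Public Key Policies > Trusted Publishers.
certutil -addstore TrustedPublisher $PublisherCer
if ($LASTEXITCODE -ne 0) { throw "could not add publisher certificate to TrustedPublisher" }

# 6. Quick check from the target's point of view. Get-AuthenticodeSignature only
#    sees the embedded signature, not the catalog, so NotSigned here together with
#    a passing step 4 means the .sys was never signed (only the .cat was).
$sig = Get-AuthenticodeSignature "$Package\mydriver.sys"
if ($sig.Status -ne 'Valid') {
    Write-Warning ("mydriver.sys embedded signature status: {0}" -f $sig.Status)
} else {
    "mydriver.sys signed by {0}" -f $sig.SignerCertificate.Subject
}
```

Run steps 1 to 4 on the build machine and steps 5 and 6 on the target. Keeping the two verify calls separate is the point: a package whose .cat verifies but whose .sys does not matches the symptom of a good catalog next to a "Not digitally signed" driver file.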
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jonah Peskin
Sent: Monday, March 16, 2009 9:47 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Vista 64-bit code signing: “windows can’t verify the
publisher of this driver”
This has come up before on NTDEV and other newsgroups, but the answers are
conflicting. I’m hoping for a more authoritative answer.
I have obtained an SPC from GlobalSign and am attempting to sign a KMDF
driver by following the MSFT “Kernel-Mode Code Signing Walkthrough”, using
inf2cat and signtool exactly as specified in the example. All procedures
succeed, and I am able to “signtool verify” successfully.
Installation on the Target machine goes fine, but during installation there
is a popup dialog “Windows can’t verify the publisher of this driver”. And
looking at the Driver tab under Device Manager shows “Not digitally signed”
for the driver (as well as for each file under “Driver Details”).
Curiously, even the WdfCoInstaller says it is Not Signed, although I would
have expected MSFT to sign the binary itself.
Some prior posts on NTDEV suggest that unless you go through Winqual and get
a signature from MSFT, then these messages will always popup. However,
other posts suggest that some people have managed to not get this particular
popup after signing drivers (or some claim a popup at least shows the
correct Publisher name, which I have not seen with my signed drivers).
So is there a mistake in my signing process? Or is it always normal for Vista
64 to raise this dialog on even signed drivers, if they do not have a
Winqual signature?
Thanks,
Jonah
— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer