
Microsoft signature *not* required for driver package catalog in AU?

Gabe_Jones Member Posts: 58
The original Q&A with James Murray (https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/) states regarding the new requirement that all drivers have Microsoft signatures:

"The requirement will be enforced at both install and load times."

This is consistent with our experience in Insider Preview 14295. I installed the x64 Enterprise edition cleanly with Secure Boot enabled. Our driver installer (containing drivers that were only signed by our current certificate, issued after July 29, 2015, and not signed by MS) failed with the following:

"!!! sig: An unexpected error occurred while validating driver package. Catalog = NIDSA.cat, Error = 0x800B0110
!!! sig: Driver package is considered unsigned, and Code Integrity is enforced.
!!! sig: Driver package failed signature validation. Error = 0xE0000247
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 09:22:26.596
!!! sig: Driver package failed signature verification. Error = 0xE0000247
!!! sto: Failed to import driver package into Driver Store. Error = 0xE0000247"

The same installer in the same scenario (clean install of Enterprise version of the OS with Secure Boot on) does not fail on either Insider Preview 14372 or the released Anniversary Update. The relevant snippets:

" sig: {_VERIFY_FILE_SIGNATURE} 02:34:56.800
sig: Key = NIDSAwv.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSAwv.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSA.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 02:34:56.831
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 02:34:56.831
sig: Signer Score = 0x0F000000
sig: Signer Name = National Instruments Corporation"

Subsequently attempting to load the drivers does fail with signature verification errors.

Was there any announcement of the removal of this requirement? Was this an intentional change, or is it a bug? This would be very useful for us, as we are currently required to have two catalog files: an attested-signed catalog for Windows 10 and a catalog with our company's signature for all other OS versions. A single catalog file with only our company's signature, if possible, would simplify our product & installer build & test processes.

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,443
    > Was there any announcement of the removal of this requirement?

    For SURE, not that I'm aware of.

    ENTERPRISE edition... Hmmm.... I wonder....

    Peter
    OSR
    @OSRDrivers


  • Gabe_Jones Member Posts: 58
    > ENTERPRISE edition... Hmmm.... I wonder....

    Interesting. Windows 10 Pro (both Insider Preview 14295 and AU 1607) exhibits the same behavior as its Enterprise counterparts (14925 failed install, AU succeeded but failed to load drivers), with the added wrinkle that in the case of Pro 1607, I received the "A digitally signed driver is required" floating dialog for each non-Microsoft-signed PNP driver that the installer installed. The installer continued working despite the pop-ups and completed, with the drivers obviously failing to load.

    --
    Gabe
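
An added example, not part of the original thread: a small Python parser that pulls the signature facts out of setupapi.dev.log excerpts like the two quoted in the question, and flags the case where Driver Store import succeeds on a publisher Authenticode signature alone, which the thread reports then fails at load time. The function names and verdict labels are assumptions made for illustration; the sample lines are abridged from the posts above.

```python
import re

# Constructed samples: abridged from the two setupapi.dev.log excerpts quoted in the thread.
LOG_14295 = r"""
!!!  sig: An unexpected error occurred while validating driver package. Catalog = NIDSA.cat, Error = 0x800B0110
!!!  sig: Driver package is considered unsigned, and Code Integrity is enforced.
     sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 09:22:26.596
!!!  sto: Failed to import driver package into Driver Store. Error = 0xE0000247
"""
LOG_AU = r"""
     sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSA.cat
     sig: Success: File is signed in Authenticode(tm) catalog.
     sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
     sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 02:34:56.831
     sig: Signer Score = 0x0F000000
     sig: Signer Name = National Instruments Corporation
"""

def summarize(log_text):
    """Collect the signature-related facts from one driver package import."""
    info = {"catalog": None, "signer": None, "score": None,
            "import_exit": None, "errors": [], "publisher_authenticode": False}
    for line in log_text.splitlines():
        line = line.strip()
        if m := re.search(r"Catalog = ([^,]+)", line):
            info["catalog"] = m.group(1).strip().split("\\")[-1]  # keep file name only
        if m := re.search(r"Signer Name = (.+)", line):
            info["signer"] = m.group(1).strip()
        if m := re.search(r"Signer Score = (0x[0-9A-Fa-f]+)", line):
            info["score"] = int(m.group(1), 16)
        if m := re.search(r"IMPORT VALIDATE: exit\((0x[0-9A-Fa-f]+)\)", line):
            info["import_exit"] = int(m.group(1), 16)
        # Lines prefixed with "!!!" are the ones the log itself marks as failures.
        if line.startswith("!!!") and (m := re.search(r"Error = (0x[0-9A-Fa-f]+)", line)):
            if (code := int(m.group(1), 16)) not in info["errors"]:
                info["errors"].append(code)
        if "Authenticode(tm) catalog from a trusted publisher" in line:
            info["publisher_authenticode"] = True
    return info

def verdict(info):
    """Classify the import; a clean import does not prove the driver will load."""
    if info["import_exit"] not in (None, 0):
        return "import-blocked"
    if info["publisher_authenticode"]:
        return "imported-publisher-signature-only"
    return "imported" if info["import_exit"] == 0 else "unknown"

if __name__ == "__main__":
    for name, text in (("14295", LOG_14295), ("AU", LOG_AU)):
        print(name, verdict(summarize(text)))
```

A build or test pipeline can treat `imported-publisher-signature-only` as a warning that install-time success says nothing about load-time Code Integrity checks.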