Microsoft signature *not* required for driver package catalog in AU?

Gabe_Jones Member Posts: 69
The original Q&A with James Murray (https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/) states regarding the new requirement that all drivers have Microsoft signatures:

"The requirement will be enforced at both install and load times."

This is consistent with our experience in Insider Preview 14295. I installed the x64 Enterprise edition cleanly with Secure Boot enabled. Our driver installer (containing drivers that were only signed by our current certificate, issued after July 29, 2015, and not signed by MS) failed with the following:

"!!! sig: An unexpected error occurred while validating driver package. Catalog = NIDSA.cat, Error = 0x800B0110
!!! sig: Driver package is considered unsigned, and Code Integrity is enforced.
!!! sig: Driver package failed signature validation. Error = 0xE0000247
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 09:22:26.596
!!! sig: Driver package failed signature verification. Error = 0xE0000247
!!! sto: Failed to import driver package into Driver Store. Error = 0xE0000247"

The same installer in the same scenario (clean install of Enterprise version of the OS with Secure Boot on) does not fail on either Insider Preview 14372 or the released Anniversary Update. The relevant snippets:

" sig: {_VERIFY_FILE_SIGNATURE} 02:34:56.800
sig: Key = NIDSAwv.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSAwv.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSA.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 02:34:56.831
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 02:34:56.831
sig: Signer Score = 0x0F000000
sig: Signer Name = National Instruments Corporation"

Subsequently attempting to load the drivers does fail with signature verification errors.

Was there any announcement of the removal of this requirement? Was this an intentional change, or is it a bug? This would be very useful for us, as we are currently required to have two catalog files: an attested-signed catalog for Windows 10 and a catalog with our company's signature for all other OS versions. A single catalog file with only our company's signature, if possible, would simplify our product & installer build & test processes.

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,796
    <quote>
    Was there any announcement of the removal of this requirement?
    </quote>

    For SURE, not that I'm aware of.

    ENTERPRISE edition... Hmmm.... I wonder....

    Peter
    OSR
    @OSRDrivers

  • Gabe_Jones Member Posts: 69
    > ENTERPRISE edition... Hmmm.... I wonder....

    Interesting. Windows 10 Pro (both Insider Preview 14295 and AU 1607) exhibits the same behavior as its Enterprise counterparts (14925 failed install, AU succeeded but failed to load drivers), with the added wrinkle that in the case of Pro 1607, I received the "A digitally signed driver is required" floating dialog for each non-Microsoft-signed PNP driver that the installer installed. The installer continued working despite the pop-ups and completed, with the drivers obviously failing to load.

    --
    Gabe
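
Added example, not part of the thread or any poster's code: a small triage pass over setupapi-style `sig:`/`sto:` lines that separates packages rejected at Driver Store import from packages imported on the publisher's catalog signature alone (verify exit 0xe0000241), which is the case the thread reports as still failing at load time. The `>>>  [` section boundary, the header text in the sample, and the names `triage`, `FIELDS` and the verdict strings are assumptions made for this example.

```python
import re

# Constructed sample: lines from the two excerpts quoted in the thread, each
# placed under a ">>>  [...]" section header whose text is made up here.
SAMPLE_LOG = r"""
>>>  [constructed header: import on build 14295]
!!!  sig: An unexpected error occurred while validating driver package. Catalog = NIDSA.cat, Error = 0x800B0110
!!!  sig: Driver package failed signature validation. Error = 0xE0000247
     sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 09:22:26.596
>>>  [constructed header: import on Anniversary Update]
     sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSA.cat
     sig: Success: File is signed in Authenticode(tm) catalog.
     sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 02:34:56.831
     sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 02:34:56.831
     sig: Signer Name = National Instruments Corporation
"""

hex32 = lambda s: int(s, 16)
FIELDS = (  # record key, pattern, converter
    ("catalog", re.compile(r"Catalog = (?:.*\\)?([^\\,\s]+\.cat)", re.I), str),
    ("verify", re.compile(r"_VERIFY_FILE_SIGNATURE exit\((0x[0-9a-f]+)\)", re.I), hex32),
    ("import", re.compile(r"DRIVERSTORE IMPORT VALIDATE: exit\((0x[0-9a-f]+)\)", re.I), hex32),
    ("signer", re.compile(r"Signer Name = (.+\S)"), str),
)
AUTHENTICODE_TRUSTED_PUBLISHER = 0xE0000241  # verify exit code in the second excerpt


def triage(log_text):
    """One record per section that ran a Driver Store import validation."""
    records, cur = [], None
    for line in log_text.splitlines():
        if cur is None or line.startswith(">>>  ["):  # section boundary (assumed)
            cur = dict.fromkeys(("catalog", "verify", "import", "signer"))
            records.append(cur)
        for key, rx, conv in FIELDS:
            m = rx.search(line)
            if m:
                cur[key] = conv(m.group(1))
    done = [r for r in records if r["import"] is not None]
    for r in done:
        if r["import"] != 0:
            r["verdict"] = "rejected-at-install"
        elif r["verify"] == AUTHENTICODE_TRUSTED_PUBLISHER:
            # Import passed on the publisher's catalog signature alone; the thread
            # reports the load-time check still refused these drivers.
            r["verdict"] = "publisher-signed-only"
        else:
            r["verdict"] = "imported"
    return done
```

A "publisher-signed-only" verdict only describes the install-time result; load-time enforcement has to be checked separately on the target build.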