WHQL New Driver Submission results in "file you selected is not a valid format for su

Alert me | Edit | Delete | Change type
Question
You cannot vote on your own post
0
When I attempt to submit my HLKX via https://developer.microsoft.com/en-us/dashboard/hardware/driver/New I see


The file you selected is not a valid format for submission. Verify your selection and, if needed, recreate your submission package and try again.


With no additional information.

I installed HLK 10.1.16.299.15 on a controller, added a client (after installing my cross signed WFP driver upon it) and ran the HyperVisor Code Integrity Readiness Test. I added the driver folder and the symbols folder (which both were the same as they were sitting in the same folder). I check the box by my driver and set the locales to US. Upon “Create Package”, I attempted to sign the HLKX package but the tool didn’t accept my cert when provided or when sought in the store.

I do not know why the Microsoft site fails on the format of the HLKX and see no useful information.

Please let me know if you have any clues.

Eva

xxxxx@gmail.com wrote:


The file you selected is not a valid format for submission. Verify your selection and, if needed, recreate your submission package and try again.

With no additional information.

I installed HLK 10.1.16.299.15 on a controller, added a client (after installing my cross signed WFP driver upon it) and ran the HyperVisor Code Integrity Readiness Test. I added the driver folder and the symbols folder (which both were the same as they were sitting in the same folder).

Shouldn’t be.  The “driver” folder means the one with your CAT, your
INF, and your SYS – essentially, your driver package.  This is what
they will sign.

I check the box by my driver and set the locales to US. Upon “Create Package”, I attempted to sign the HLKX package but the tool didn’t accept my cert when provided or when sought in the store.

You have to sign the HLKX with one of the certificates registered with
your dashboard account.  That’s required.  What did the signing process
tell you?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks. So, we sign the driver as a part of our jenkins job with a cert from dig cert prior to running the HLK. I tried moving the hlkx file to that system and running a sign but sign tool didn’t recognize it as a signable file. It sounds like I need to register that cert with our account. Perhaps that is the step I missed.

I’ll split the signed files up and generate a new pacakage then verify our cert is associated with the account before moving forward. I thought we had done that part already when we signed the singable file and added it back to the account.

Our other problem is that while we have a sha2 cert we sign with a sha1 has due to a problem with signtool interaction with the CSP/KSP/CNG to our HSM. I hope that’s not a problem as well because after three weeks work with the vendor we are still stuck with KSP/CNG access for the sha2 process.

Hi Tim,

I verified that the sginature on the cat/syc signed files matches that of the one registered without account. I repackaged to ensure the driver folder contained just inf/cat/sys and symbols folder just the pdb. I gather I need to select cert when creating the package even though the files are already signed. So, now I need to determine why the cert file which would with signtool isn’t viable for HLK

Any ideas what might be getting in the way there?

> I tried moving the hlkx file to that system and running a sign but sign tool didn’t recognize

it as a signable file.

This is normal. You need to use HLK Studio to sign the HLKX package, so you’ll have to figure out why HLK Studio is balking at your cert. What did it tell you when signing failed?

Once you get it working, if you ultimately want a more scriptable experience you’ll need to investigate the HLK APIs. (e.g., https://docs.microsoft.com/en-us/windows-hardware/test/hlk/api/packagemanagersign-method)

Hi Tim,

Do you know how to specify CSP for the studio sign of a package?

Ah, I had a crt not a cer. I converted via https://www.sonicwall.com/en-us/support/knowledge-base/170504597576961 and now studio cannot use my cert"No certificate available meets the application criteria". I suspect that this is caused by the need to integrate with my HSM. For sign tool, I can provide the appropriate CSP provider and container name, but I see no option for this in the studio application.

ok, I got it. My signatures are no good because I can only use /fd sha1 due to the HSM issues. So, I’m blocked until I dance with the HSM vendor and solve that problem.

https://blogs.msdn.microsoft.com/windows_hardware_certification/2017/11/13/starting-in-february-2018-packages-signed-using-a-sha-1-digest-algorithm-and-certificate-chain-will-no-longer-be-accepted/

It could have been great if MS provided a more detailed error as it is possible that the blog artifact above isn’t the real problem, just a problem.

Gabe,

Thanks for the link. So after “Unable to use the selected certificate to sign the package” I see Could not create submission package - Cannot locate the selected digital certificate. I suspect it is not using the HSM which means using the UI for proof of concept may not be a viable approach and I’ll need to use the link you said to use the API.

My other problem is that the HSM is only in a secured VPC so I’d prefer to transfer the unsigned HLKX package to a system there and then sign it.

Is that scenario supported or must the signing of HLKX package be done upon the Controller?

Eva