Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.Avoiding "Windows Security" pop-up when installing a signed driver
Ivan_Popov
Member Posts: 23
Hello,
I'm trying to install a device driver using a signed cab file on a 32bit Windows 7. It's part of a silent installation that should be possible without any user interventions. However, I'm still seeing a security popup:
This is the signature of the cab and the cert chain:
What am I missing to make it secure enough to avoid the warning popup?
Thank you!
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Developing Minifilters | 24 May 2021 | Live, Online |
| Writing WDF Drivers | 14 June 2021 | Live, Online |
| Internals & Software Drivers | 2 August 2021 | Live, Online |
| Kernel Debugging | 27 Sept 2021 | Live, Online |
Comments
You need to cross-sign this (/ac parameter) with a cross-certificate issued by Microsoft.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
However, unless I've forgotten, I believe the only way to get a truly silent install is to pass the WHQL tests and submit for Microsoft's signature.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Thank you, Tim. The cat file's been cross-signed using the /ac argument:
We had no issues with the self-signed packages in the past on Win7 and win10 (apart from secure boot mode).
I am aware of the latest MS requirement to be WHQL signed but this document mentions that this going to be enforced only from 2021 unless I'm misreading this: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates
That is my recollection as well. But who really knows how ANY of this works anymore?
Peter
Peter Viscarola
OSR
@OSRDrivers
your public half of your signing cert before installing your driver then
there is no popup. So use an installer and stage the cert install before
the driver install.
Mark Roddy
Thanks Mark but I'm not sure I can preinstall a public key for an EV certificate on a hardware token? I've tried to confirm with support of the issuing company and they confirmed this.
attestation signing from msft.
Mark Roddy
I personally hate installers that install new certificates into my trust. It is the list of certificates that I trust. Not the list of ones that you tell me that I should trust so that no security warning appears when I install your software. But I understand why it gets done
that is the only way I know of to do that.
Mark Roddy