Avoiding "Windows Security" pop-up when installing a signed driver

Hello,

I’m trying to install a device driver using a signed cab file on a 32-bit Windows 7. It’s part of a silent installation that should be possible without any user intervention. However, I’m still seeing a security popup:

This is the signature of the cab and the cert chain:

What am I missing to make it secure enough to avoid the warning popup?

Thank you!

You need to cross-sign this (/ac parameter) with a cross-certificate issued by Microsoft.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
However, unless I’ve forgotten, I believe the only way to get a truly silent install is to pass the WHQL tests and submit for Microsoft’s signature.

@Tim_Roberts said:
You need to cross-sign this (/ac parameter) with a cross-certificate issued by Microsoft.
Cross-Certificates for Kernel Mode Code Signing - Windows drivers | Microsoft Learn
However, unless I’ve forgotten, I believe the only way to get a truly silent install is to pass the WHQL tests and submit for Microsoft’s signature.

Thank you, Tim. The cat file’s been cross-signed using the /ac argument:

We had no issues with the self-signed packages in the past on Win7 and Win10 (apart from secure boot mode).
I am aware of the latest MS requirement to be WHQL signed, but this document mentions that this is going to be enforced only from 2021, unless I’m misreading this: Deprecation of Software Publisher Certificates, Commercial Release and Test Certificates - Windows drivers | Microsoft Learn

I believe the only way to get a truly silent install is to pass the WHQL tests and submit for Microsoft’s signature.

That is my recollection as well. But who really knows how ANY of this works anymore?

Peter


Uh no, ignoring the soon to be WHQL only mode of W10, if you pre-install
your public half of your signing cert before installing your driver then
there is no popup. So use an installer and stage the cert install before
the driver install.

Mark Roddy

@Mark_Roddy said:
Uh no, ignoring the soon to be WHQL only mode of W10, if you pre-install
your public half of your signing cert before installing your driver then
there is no popup. So use an installer and stage the cert install before
the driver install.

Thanks Mark but I’m not sure I can preinstall a public key for an EV certificate on a hardware token? I’ve tried to confirm with support of the issuing company and they confirmed this.

You use a non-ev cert. If you have an ev cert you just go get an
attestation signing from msft.

Mark Roddy

I personally hate installers that install new certificates into my trust. It is the list of certificates that I trust. Not the list of ones that you tell me that I should trust so that no security warning appears when I install your software. But I understand why it gets done.

Sure, but the specific question was how to not have the security popup, and
that is the only way I know of to do that.

Mark Roddy
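
An added example, not part of the thread or anyone's post: a PowerShell check that reports who signed a driver catalog, how the chain builds on this machine, and whether the signer is already in the machine's Trusted Publishers store (`Cert:\LocalMachine\TrustedPublisher`, the store a staged publisher certificate lands in). The catalog path and the function name are placeholders, and the syntax is kept PowerShell 2.0 compatible for Windows 7.

```powershell
# Added example. $CatalogPath is a placeholder: point it at the .cat in your driver package.
param(
    [string]$CatalogPath = '.\driver\mydriver.cat'   # hypothetical path
)

function Test-DriverPublisherTrust {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Read the Authenticode signature on the catalog file
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        throw "No Authenticode signature found on $Path"
    }
    $signer = $sig.SignerCertificate

    # Build the certificate chain as this machine sees it (no revocation lookup,
    # so the check also works on an offline test box)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($signer)
    $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

    # Is the exact signing certificate already a trusted publisher on this machine?
    $match = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint }

    New-Object PSObject -Property @{
        File               = $Path
        SignatureStatus    = $sig.Status
        StatusMessage      = $sig.StatusMessage
        SignerSubject      = $signer.Subject
        SignerThumbprint   = $signer.Thumbprint
        SignerNotAfter     = $signer.NotAfter
        ChainBuilds        = $chainOk
        ChainSubjects      = $subjects -join ' <- '
        InTrustedPublisher = [bool]$match
    }
}

Test-DriverPublisherTrust -Path $CatalogPath | Format-List

# Audit view: every publisher this machine currently trusts, so an unexpected
# entry left behind by some installer is easy to spot
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

Running it before and after an installer shows whether that installer added a publisher certificate to the store.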