Windows 11 and alternative driver installation method in libwdi

Ref: https://github.com/pbatard/libwdi/issues/155#issuecomment-918883668
It is mentioned by libwdi developer that “Microsoft is no longer trusting certificates that are installed in Trusted Publishers for the signing of driver packages” for Windows 11. Just want to know if this is really true or not.

Background: libwdi used to work up until latest version of Windows 10.

Quick explanation of how libwdi works by Tim Roberts
Ref: https://community.osr.com/discussion/271918/libwdi-and-windows-10

libwdi is an open source installer for USB drivers, designed specifically as a companion for the libusb generic USB library, which requires a kernel driver (either WinUSB or one of the alternatives that were created before WinUSB existed). They generate a new certificate for each run, then install that certificate in the “Trusted Certificate Store”. By generating a new certificate each time, rather than using some common certificate, they are trying to maintain a semblance of security and accountability.
The scheme satisfies KMCS prior to Windows 8, and for the time being even works on Windows 10.

Tim’s assertion is that the method was supposed not to work under Windows 10 if Secure Boot is ON, however, that is not true. It works under Windows 10 even if Secure Boot is ON.

Ref: https://community.osr.com/discussion/293016/alternative-driver-signing-method-for-windows-10-using-libwdi-without-ev-certificate

This method, of course, requires that the end user trust you enough to add a certificate to their “trusted store”. In addition, this will only work pre-Windows 10. If you have “secure boot” set with Windows 10, your driver binary must be signed by Microsoft.

For what it's worth, this is an excerpt from setupapi.dev.log from trying to install a driver package on Windows 11 where the .cat signing certificate has been added to Trusted Publishers:

+++  [Device Install (DiInstallDriver) - C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf]
+++  Section start 2021/09/12 14:33:48.262
      cmd: "C:\Windows\System32\InfDefaultInstall.exe" "C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf"
     ndv: Flags: 0x00000000
     ndv: INF path: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
     dvs: {DrvSetupInstallDriver - C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf}
     dvs:      Flags: 0x00000000
     dvs:      {Driver Setup Import Driver Package: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.262
     sto:           {Copy Driver Package: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.262
     sto:                Driver Package = C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
     sto:                Flags          = 0x00000007
     sto:                Destination    = C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}
     sto:                Copying driver package files to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}'.
     flq:                {FILE_QUEUE_COMMIT} 14:33:48.278
     flq:                     Copying 'C:\Users\pete\usb_driver\amd64\WdfCoInstaller01011.dll' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WdfCoInstaller01011.dll'.
     flq:                     Copying 'C:\Users\pete\usb_driver\amd64\WinUSBCoInstaller2.dll' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WinUSBCoInstaller2.dll'.
     flq:                     Copying 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat'.
     flq:                     Copying 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'.
     flq:                {FILE_QUEUE_COMMIT - exit(0x00000000)} 14:33:48.293
     sto:           {Copy Driver Package: exit(0x00000000)} 14:33:48.293
     ump:           Import flags: 0x00000000
     pol:           {Driver package policy check} 14:33:48.293
     pol:           {Driver package policy check - exit(0x00000000)} 14:33:48.293
     sto:           {Stage Driver Package: C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.293
     inf:                {Query Configurability: C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.293
     inf:                     Driver package uses WDF.
     inf:                     Driver package 'Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' is configurable.
     inf:                {Query Configurability: exit(0x00000000)} 14:33:48.309
     flq:                {FILE_QUEUE_COMMIT} 14:33:48.309
     flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WdfCoInstaller01011.dll' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\amd64\WdfCoInstaller01011.dll'.
     flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WinUSBCoInstaller2.dll' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\amd64\WinUSBCoInstaller2.dll'.
     flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat'.
     flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'.
     flq:                {FILE_QUEUE_COMMIT - exit(0x00000000)} 14:33:48.356
     sto:                {DRIVERSTORE IMPORT VALIDATE} 14:33:48.356
     sig:                     Driver package catalog is valid.
     sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
     sig:                          Key      = Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
     sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
     sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
!    sig:                          Verifying file against specific (valid) catalog failed.
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
     sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
     sig:                          Key      = Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
     sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
     sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
!    sig:                          Verifying file against specific Authenticode(tm) catalog failed.
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
!!!  sig:                     Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.
!!!  sig:                     Driver package failed signature validation. Error = 0x800B0109
     sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x800b0109)} 14:33:48.372
!!!  sig:                Driver package failed signature verification. Error = 0x800B0109
!!!  sto:                Failed to import driver package into Driver Store. Error = 0x800B0109
     sto:           {Stage Driver Package: exit(0x800b0109)} 14:33:48.387
     dvs:      {Driver Setup Import Driver Package - exit (0x800b0109)} 14:33:48.387
!!!  dvs:      Failed to import driver packages under 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'. Error = 0x800b0109
     dvs: {DrvSetupInstallDriver - exit(800b0109)}
<<<  Section end 2021/09/12 14:33:48.419
<<<  [Exit status: FAILURE(0x800b0109)]

(NB: I had to replace the >>> at the beginning of the first two lines because it looks like OSR’s markdown chokes on those in a code block).

This is pretty much the same error you’d see on Windows 10 if the certificate that was used to sign the .cat was missing from Trusted Publishers, so it certainly looks like Windows 11 is no longer using a trust chain with certificates that users have access to, for driver package installation.

Of course I validated that the relevant certificate was present in Trusted Publishers, and I also tried to copy it in virtually every other store, including Trusted Root, with no success.

I suspect that one of driver isolation or device guard is being formally enforced on Windows 11, and that this is what is preventing the method, where you could just self sign a driver package and add the cert to Trusted Publishers, from working.

And I also confirm that this method works just fine on a Windows 10 platform with Secure Boot enabled.

Note that this method is not libwdi specific. You should easily be able to replicate these findings by generating self-signed credentials, signing a driver package with them, and installing the public cert into Trusted Publisher before trying to proceed to the driver installation.
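The procedure just described (self-signed credentials, a signed .cat, the public certificate placed in Trusted Publishers) and the earlier check that the certificate really is present in that store, written out as an added PowerShell example for a lab machine. This is not libwdi's or Zadig's code. It assumes an elevated shell, a driver package under C:\lab\usb_driver, and Inf2Cat.exe and signtool.exe from the WDK on PATH; the path, the certificate subject and the .cer file name are constructed for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not libwdi's code: the self-signed "Trusted Publishers" test-signing
# flow the thread describes, followed by a check of what the installer will see.
# Assumptions (none are from the thread): package in C:\lab\usb_driver, Inf2Cat.exe and
# signtool.exe on PATH, x64 Windows 10/11 target.

$PackageDir = 'C:\lab\usb_driver'            # constructed path for this example
$Subject    = 'CN=Lab Driver Test Signer'    # hypothetical subject name

# 1. Self-signed code-signing certificate; the private key stays in CurrentUser\My.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
            -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# 2. Build the catalog for the INF and sign it with that certificate (SHA-256 file digest).
& Inf2Cat.exe /driver:$PackageDir /os:10_X64
$catalog = Get-ChildItem -Path $PackageDir -Filter '*.cat' | Select-Object -First 1
& signtool.exe sign /v /fd SHA256 /s My /sha1 $cert.Thumbprint $catalog.FullName

# 3. Export the public certificate only and import it into the machine Trusted Publishers
#    store, which is the store the Microsoft page quoted in the thread refers to.
$cerPath = Join-Path $PackageDir 'lab-test-signer.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 4. Check the two preconditions setupapi.dev.log evaluates: who signed the catalog, and
#    whether that exact certificate (by thumbprint) is in Trusted Publishers.
function Test-CatalogPublisherTrust {
    param([Parameter(Mandatory)][string]$CatalogPath)

    $sig = Get-AuthenticodeSignature -FilePath $CatalogPath
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{
            Catalog = $CatalogPath; Signed = $false; SignerThumbprint = $null
            InTrustedPublishers = $false; ChainStatus = $sig.Status
        }
    }
    $thumb   = $sig.SignerCertificate.Thumbprint
    $inStore = [bool](Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPublisher' |
                      Where-Object { $_.Thumbprint -eq $thumb })

    [pscustomobject]@{
        Catalog             = $CatalogPath
        Signed              = $true
        SignerThumbprint    = $thumb
        InTrustedPublishers = $inStore
        # 'Valid' only when the chain ends in a trusted root. For a self-signed signer
        # that is not in Trusted Root this is the PowerShell-side twin of the
        # 0x800b0109 line in setupapi.dev.log; Trusted Publishers membership is what
        # the installer's second verification pass falls back on.
        ChainStatus         = $sig.Status
    }
}

Test-CatalogPublisherTrust -CatalogPath $catalog.FullName | Format-List
```

After that, `pnputil /add-driver <path to .inf> /install` performs the installation and the outcome lands in `%SystemRoot%\INF\setupapi.dev.log`, which is where the excerpts in this thread come from. Expect `ChainStatus` to be something other than `Valid` for a self-signed signer; `InTrustedPublishers = True` is the condition that matters for the installer's `0xe0000241` path.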

Just going to add that I have also tested driver package installation using a .cat that was signed with an actual Authenticode certificate (of course with that certificate added to Trusted Publishers) and I got the same error as if one tries to install a driver package signed using a self signed cert:

So Windows 11 has now rendered https://docs.microsoft.com/en-us/windows-hardware/drivers/install/trusted-publishers-certificate-store wrong, since the following is no longer valid:

If a publisher’s Authenticode certificate is in the Trusted Publishers certificate store, Windows installs a driver package that was digitally signed by the certificate without prompting the user (silent install). By installing the Authenticode certificates in the Trusted Publishers certificate store, you can automate the installation of your driver package on various systems that are used for internal testing and debugging.

As a matter of fact, it is not even possible to install a driver package at all in this manner, let alone silently…

Another thing worth mentioning is that, in Windows 10, you also did get

!    sig:    Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

in setupapi.dev.log when installing a driver package signed with credentials whose certificate has been installed in Trusted Publishers. But this was treated as a silent warning rather than an error.

So I guess the difference in Windows 11 is that they are now treating this warning as a full blown error, per:

!!!  sig:    Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.

In other words, the culprit appears to be the Code Integrity feature, but according to this, Code Integrity should be on when Secure Boot is enabled… Or maybe what Microsoft is referring to is HVCI, a.k.a. Device Guard, in which case it should be possible to replicate the issue with Windows 10 when HVCI is on.

I’ll try to test this to confirm.

Well, even with HVCI enabled, Windows 10 seems to be fine installing driver packages with self signed certs, even as we get the Error 0x800b0109 code:

+++  [Device Install (UpdateDriverForPlugAndPlayDevices) - USB\VID_045E&PID_0289&REV_0121]
+++  Section start 2021/09/29 12:01:07.785
     cmd: "C:\Users\pete\usb_driver\installer_x64.exe" "XBox_Controller.inf"
     ndv: INF path: C:\Users\pete\usb_driver\XBox_Controller.inf
     ndv: Install flags: 0x00000001
     ndv: {Update Device Driver - USB\VID_045E&PID_0289\21000040}
     ndv:      Search options: 0x00000080
     ndv:      Searching single INF 'C:\Users\pete\usb_driver\XBox_Controller.inf'
     dvi:      {Build Driver List} 12:01:07.863
     dvi:           Searching for hardware ID(s):
     dvi:                usb\vid_045e&pid_0289&rev_0121
     dvi:                usb\vid_045e&pid_0289
     dvi:           Searching for compatible ID(s):
     dvi:                usb\class_58&subclass_42&prot_00
     dvi:                usb\class_58&subclass_42
     dvi:                usb\class_58
     sig:           {_VERIFY_FILE_SIGNATURE} 12:01:07.941
     sig:                Key      = xbox_controller.inf
     sig:                FilePath = c:\users\pete\usb_driver\xbox_controller.inf
     sig:                Catalog  = c:\users\pete\usb_driver\XBox_Controller.cat
!    sig:                Verifying file against specific (valid) catalog failed.
!    sig:                Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:01:08.004
     sig:           {_VERIFY_FILE_SIGNATURE} 12:01:08.019
     sig:                Key      = xbox_controller.inf
     sig:                FilePath = c:\users\pete\usb_driver\xbox_controller.inf
     sig:                Catalog  = c:\users\pete\usb_driver\XBox_Controller.cat
     sig:                Success: File is signed in Authenticode(tm) catalog.
     sig:                Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 12:01:08.066
     dvi:           Created Driver Node:
     dvi:                HardwareID   - USB\VID_045E&PID_0289
     dvi:                InfName      - c:\users\pete\usb_driver\xbox_controller.inf
     dvi:                DevDesc      - XBox Controller
     dvi:                Section      - USB_Install
     dvi:                Rank         - 0x00ff0001
     dvi:                Signer Score - Authenticode
     dvi:                DrvDate      - 06/02/2012
     dvi:                Version      - 6.1.7600.16385
     dvi:      {Build Driver List - exit(0x00000000)} 12:01:08.144

(...)

     sto:                {DRIVERSTORE IMPORT VALIDATE} 12:01:08.488
     sig:                     Driver package catalog is valid.
     sig:                     {_VERIFY_FILE_SIGNATURE} 12:01:08.519
     sig:                          Key      = xbox_controller.inf
     sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\xbox_controller.inf
     sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\XBox_Controller.cat
!    sig:                          Verifying file against specific (valid) catalog failed.
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:01:08.519
     sig:                     {_VERIFY_FILE_SIGNATURE} 12:01:08.519
     sig:                          Key      = xbox_controller.inf
     sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\xbox_controller.inf
     sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\XBox_Controller.cat
     sig:                          Success: File is signed in Authenticode(tm) catalog.
     sig:                          Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 12:01:08.535
     sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 12:01:08.566
     sig:                Signer Score  = 0x0F000000 (Authenticode)
     sig:                Signer Name   = USB\VID_045E&PID_0289 (libwdi autogenerated)
     sto:                {Core Driver Package Import: xbox_controller.inf_amd64_87b1fd6fde5ec133} 12:01:08.566
     sto:                     {DRIVERSTORE IMPORT BEGIN} 12:01:08.566
     sto:                     {DRIVERSTORE IMPORT BEGIN: exit(0x00000000)} 12:01:08.566
     cpy:                     {Copy Directory: C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}} 12:01:08.566
     cpy:                          Target Path = C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133
     cpy:                          {Copy Directory: C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\amd64} 12:01:08.566
     cpy:                               Target Path = C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\amd64
     cpy:                          {Copy Directory: exit(0x00000000)} 12:01:08.566
     cpy:                     {Copy Directory: exit(0x00000000)} 12:01:08.582
     idb:                     {Register Driver Package: C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf} 12:01:08.582
     idb:                          Created driver package object 'xbox_controller.inf_amd64_87b1fd6fde5ec133' in SYSTEM database node.
     idb:                          Created driver INF file object 'oem33.inf' in SYSTEM database node.
     idb:                          Registered driver package 'xbox_controller.inf_amd64_87b1fd6fde5ec133' with 'oem33.inf'.
     idb:                     {Register Driver Package: exit(0x00000000)} 12:01:08.582
     idb:                     {Publish Driver Package: C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf} 12:01:08.582
     idb:                          Activating driver package 'xbox_controller.inf_amd64_87b1fd6fde5ec133'.
     cpy:                          Published 'xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf' to 'oem33.inf'.
     idb:                          Indexed 2 device IDs for 'xbox_controller.inf_amd64_87b1fd6fde5ec133'.
!    sto:                          Ignoring changes to inbox device class {88bae032-5a81-49f0-bc3d-a4ff138216d6} through ClassInstall32 section.
     sto:                          Flushed driver database node 'SYSTEM'. Time = 16 ms
     idb:                     {Publish Driver Package: exit(0x00000000)} 12:01:08.597
     sto:                     {DRIVERSTORE IMPORT END} 12:01:08.597
     dvi:                          Flushed all driver package files to disk. Time = 0 ms
     sig:                          Installed catalog 'XBox_Controller.cat' as 'oem33.cat'.
     sto:                     {DRIVERSTORE IMPORT END: exit(0x00000000)} 12:01:08.613
     sto:                {Core Driver Package Import: exit(0x00000000)} 12:01:08.613
     sto:           {Stage Driver Package: exit(0x00000000)} 12:01:08.613
     sto:      {Setup Import Driver Package - exit (0x00000000)} 12:01:08.769
 
(...)

     dvi:      {Build Driver List - exit(0x00000000)} 12:01:09.005
     dvi:      {DIF_SELECTBESTCOMPATDRV} 12:01:09.020
     dvi:           Default installer: Enter 12:01:09.020
     dvi:                {Select Best Driver}
     dvi:                     Class GUID of device changed to: {88bae032-5a81-49f0-bc3d-a4ff138216d6}.
     dvi:                     Selected Driver:
     dvi:                          Description - XBox Controller
     dvi:                          InfFile     - c:\users\pete\usb_driver\xbox_controller.inf
     dvi:                          Section     - USB_Install
     dvi:                {Select Best Driver - exit(0x00000000)}
     dvi:           Default installer: Exit
     dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 12:01:09.067
     ndv:      Force Installing Driver:
     ndv:           Inf Name       - xbox_controller.inf
     ndv:           Driver Date    - 06/02/2012
     ndv:           Driver Version - 6.1.7600.16385
     ndv:      Driver package 'C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf' is already imported.
     sto:      {Setup Import Driver Package: c:\users\pete\usb_driver\xbox_controller.inf} 12:01:09.098
     sto:           Driver package already imported as 'oem33.inf'.
     sto:      {Setup Import Driver Package - exit (0x00000000)} 12:01:09.098
     dvi:      Searching for hardware ID(s):
     dvi:           usb\vid_045e&pid_0289&rev_0121
     dvi:           usb\vid_045e&pid_0289
     dvi:      Searching for compatible ID(s):
     dvi:           usb\class_58&subclass_42&prot_00
     dvi:           usb\class_58&subclass_42
     dvi:           usb\class_58
     dvi:      Class GUID of device changed to: {88bae032-5a81-49f0-bc3d-a4ff138216d6}.
     ump:      {Plug and Play Service: Device Install for USB\VID_045E&PID_0289\31000040}
     dvi:           {Core Device Install} 12:01:09.177

(...)

     dvi:           {Core Device Install - exit(0x00000000)} 12:01:09.252
     ump:      {Plug and Play Service: Device Install exit(00000000)}
     ndv: {Update Device Driver - exit(00000000)}
     ndv: {Install Related Drivers} 12:01:09.268
     ndv: {Install Related Drivers: exit(0x00000000)} 12:01:09.284

+++  [Device Installation Restrictions Policy Check]
+++  Section start 2021/09/29 12:01:08.332
<<<  Section end 2021/09/29 12:01:48.556
<<<  [Exit status: SUCCESS]

Just a side note (I have no experience to add about Win 11 and self-signed certs).

It’s easy for a lot of us to ignore this method of signing as a bad work-around for avoiding getting a “real” signature. But there are a significant number of Enterprise-level ISVs and (particularly) IHVs who use this method of driver signing. So, if self-signed certs placed in the Trusted Publisher store no longer work, there are “a lot” of folks who are gonna be surprised come release time.

Peter

Agreed.

I was still hoping that I had missed something (such as the properties of the autogenerated cert installed by libwdi not matching the properties of a real Authenticode cert, thus leading to the validation failure), but seeing that the test with an Authenticode signed package also failed means that, unless I screwed up something during that test, a lot of people are going to have a bad surprise indeed.

I am however puzzled that nobody else seems to be reporting this change of behaviour, so I am planning to investigate this some more…

What you’re doing isn’t commonly done… you don’t see it much outside the enterprise setting and, aside from that, is mostly used by those who are trying to “skirt the rules”… so, we don’t see a ton of these complaints here.

Peter

Of course the irony of it is that we aren’t trying to “skirt the rules” or do anything that can be considered even remotely dodgy.

We are following Microsoft’s established rules (linked previously) exactly, with the main goal of installing a pure Microsoft driver (WinUSB), that is pretty much delivered by the system anyway.

But the sad truth is that Windows was never designed to install the generic USB driver it provides against a device that the user wishes to access in a generic manner… which forces us to jump through hoops that people who produce drivers for specific devices are unlikely to ever require, but that end users actually very much want, on account that Microsoft failed to offer a proper solution for them (outside of WCID, but WCID requires the provider of the device to already have planned for its use with a generic USB driver).

So, the plot thickens.

Further testing shows that it is actually possible to install non-WinUSB drivers after signing the .cat with self-signed credentials and a certificate copied to Trusted Publishers (e.g. libusb0.sys or libusbK.sys, carried out against the exact same device and interface, and same Windows 11 machine as before).

When doing so, the double {_VERIFY_FILE_SIGNATURE} section becomes the same as what you’d see under Windows 10, with one initial validation failure due to the trust chain, followed with a validation success through the detection of an “Authenticode” (self-signed) cert in Trusted Publishers:

     sto:                {DRIVERSTORE IMPORT VALIDATE} 17:46:27.204
     sig:                     Driver package catalog is valid.
     sig:                     {_VERIFY_FILE_SIGNATURE} 17:46:27.220
     sig:                          Key      = yubikey_4_otp+u2f+ccid_(interface_2).inf
     sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\yubikey_4_otp+u2f+ccid_(interface_2).inf
     sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
!    sig:                          Verifying file against specific (valid) catalog failed.
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 17:46:27.220
     sig:                     {_VERIFY_FILE_SIGNATURE} 17:46:27.220
     sig:                          Key      = yubikey_4_otp+u2f+ccid_(interface_2).inf
     sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\yubikey_4_otp+u2f+ccid_(interface_2).inf
     sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
     sig:                          Success: File is signed in Authenticode(tm) catalog.
     sig:                          Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 17:46:27.236
     sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 17:46:27.251
     sig:                Signer Score  = 0x0F000000 (Authenticode)
     sig:                Signer Name   = USB\VID_1050&PID_0407&MI_02 (libwdi autogenerated)

In other words, for anything but the WinUSB driver on Windows 11, we get the expected:

     sig:                          Success: File is signed in Authenticode(tm) catalog.
     sig:                          Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.

but for WinUSB installation, we get:

!    sig:                          Verifying file against specific Authenticode(tm) catalog failed.
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

And the kicker is that, once you have installed a non WinUSB driver for the device, then you can replace it with the WinUSB driver, using the exact same method as the one that failed before, as it will work just fine this time around…

And yes, I agree that the first line of inquiry is “Surely, you must be doing something different with that initial WinUSB installation compared to the subsequent non-WinUSB or working WinUSB ones”, but I’m definitely not seeing anything in that vein so far though I am of course continuing to investigate the matter.

At least, this provides us with one workaround to get WinUSB installed, and this tells us that the Trusted Publishers method of installation is still functional even with Windows 11, but this driver installation behaviour sure is weird, and I still don’t have an explanation for it…
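The two-pass {_VERIFY_FILE_SIGNATURE} pattern discussed above (a first pass that ends in 0x800b0109, then either 0xe0000241 via Trusted Publishers or a second 0x800b0109) is easy to misread by eye in a long setupapi.dev.log. Here is an added PowerShell example, not part of the thread, that splits a log excerpt into its verification passes and gives a per-catalog verdict. The sample lines are constructed to mirror the excerpts in this thread; the catalog paths and the `winusb_device.inf` name are made up for the example.

```powershell
# Added example, not from the thread: parse the {_VERIFY_FILE_SIGNATURE} passes out of
# a setupapi.dev.log excerpt and classify each catalog by how verification ended.

function Get-SignatureVerificationPasses {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $passes  = @()
    $current = $null
    foreach ($line in $LogLines) {
        if ($line -match '\{_VERIFY_FILE_SIGNATURE\}') {
            $current = [ordered]@{ Key = ''; Catalog = ''; Messages = @(); ExitCode = '' }
            continue
        }
        if ($null -eq $current) { continue }
        if ($line -match '\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9A-Fa-f]+)\)\}') {
            $current.ExitCode = $Matches[1].ToLower()
            $passes += [pscustomobject]$current
            $current = $null
            continue
        }
        if ($line -match 'Key\s*=\s*(.+)$')     { $current.Key     = $Matches[1].Trim(); continue }
        if ($line -match 'Catalog\s*=\s*(.+)$') { $current.Catalog = $Matches[1].Trim(); continue }
        # Everything else inside a pass is a verifier message (the 0x800b0109 / 0xe0000241 lines).
        if ($line -match 'sig:\s+(?!FilePath\s*=)(.+)$') { $current.Messages += $Matches[1].Trim() }
    }
    return ,$passes
}

function Get-CatalogTrustVerdict {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $passes = Get-SignatureVerificationPasses -LogLines $LogLines
    foreach ($group in ($passes | Group-Object -Property Catalog)) {
        $codes = @($group.Group | ForEach-Object { $_.ExitCode })
        $verdict = if ($codes -contains '0xe0000241') {
            # Windows 10 (and Windows 11 release) behaviour: the first pass warns about the
            # untrusted root, the second pass accepts the Trusted Publishers certificate.
            'ACCEPTED via Trusted Publishers (0xe0000241)'
        } elseif ($codes -contains '0x00000000') {
            'ACCEPTED via trusted root chain'
        } elseif (@($codes | Where-Object { $_ -ne '0x800b0109' }).Count -eq 0) {
            # Windows 11 Insider behaviour from the thread: every pass ends in 0x800b0109.
            'REJECTED: root not trusted and no Trusted Publishers fallback (0x800b0109)'
        } else {
            'UNKNOWN: ' + ($codes -join ', ')
        }
        [pscustomobject]@{ Catalog = $group.Name; Passes = $codes.Count; Verdict = $verdict }
    }
}

# Constructed sample: one catalog accepted the Windows 10 way, one rejected the Insider way.
$sample = @(
    '     sig:           {_VERIFY_FILE_SIGNATURE} 12:01:07.941',
    '     sig:                Key      = xbox_controller.inf',
    '     sig:                Catalog  = c:\lab\usb_driver\XBox_Controller.cat',
    '!    sig:                Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.',
    '     sig:           {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:01:08.004',
    '     sig:           {_VERIFY_FILE_SIGNATURE} 12:01:08.019',
    '     sig:                Key      = xbox_controller.inf',
    '     sig:                Catalog  = c:\lab\usb_driver\XBox_Controller.cat',
    '     sig:                Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.',
    '     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 12:01:08.066',
    '     sig:           {_VERIFY_FILE_SIGNATURE} 14:33:48.372',
    '     sig:                Key      = winusb_device.inf',
    '     sig:                Catalog  = c:\lab\winusb\winusb_device.cat',
    '!    sig:                Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.',
    '     sig:           {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372',
    '     sig:           {_VERIFY_FILE_SIGNATURE} 14:33:48.372',
    '     sig:                Key      = winusb_device.inf',
    '     sig:                Catalog  = c:\lab\winusb\winusb_device.cat',
    '!    sig:                Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.',
    '     sig:           {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372'
)

Get-CatalogTrustVerdict -LogLines $sample | Format-Table -AutoSize
# Against a real machine: Get-CatalogTrustVerdict -LogLines (Get-Content "$env:SystemRoot\INF\setupapi.dev.log")
```

A lone 0x800b0109 in the first pass is normal for any certificate that is not in Trusted Root, so the verdict keys on whether any later pass reached 0xe0000241 rather than on the presence of 0x800b0109; that is the distinction between the Windows 10 excerpt and the Insider-build excerpt in this thread.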

I have upgraded my new Acer Swift 3 laptop to Windows 11 official release today and Zadig works fine. So I cannot reproduce the issue.

Full debug log: https://github.com/pbatard/libwdi/issues/155

Yeah, I am also not seeing the previous behaviour on the final release that I was seeing with the Insider builds before that. In other words, unlike the Insider builds, Windows 11 release appears to behave in the same manner as Windows 10 when it comes to signing a driver package and adding its certificate to Trusted Publishers.

From what I can see, it does look like Microsoft toned down some of the “improvements” they were planning to bring to the new Windows, at least for the time being.

it does look like Microsoft toned down some of the “improvements” they were planning

If this is the case, it would not be the first time.

I’ll remind everyone that a Windows release isn’t “complete” and “stable” until some months after the initial release. Things continue to change for “quite a while.” It’s not like the old days when they burned a zillion CDs, and sent them out, and THAT was the release. Now, the release changes, as critical fixes and updates are applied.

Peter