Windows 11 and alternative driver installation method in libwdi

Xiaofan_ChenXiaofan_Chen Member - All Emails Posts: 277

Ref: https://github.com/pbatard/libwdi/issues/155#issuecomment-918883668
It is mentioned by libwdi developer that "Microsoft is no longer trusting certificates that are installed in Trusted Publishers for the signing of driver packages" for Windows 11. Just want to know if this is really true or not.

Background: libwdi used to work up until latest version of Windows 10.

Quick explanation of how libwdi works by Tim Roberts
Ref: https://community.osr.com/discussion/271918/libwdi-and-windows-10

libwdi is an open source installer for USB drivers, designed specifically as a companion for the libusb generic USB library, which requires a kernel driver (either WinUSB or one of the alternatives that were created before WinUSB existed). They generate a new certificate for each run, then install that certificate in the "Trusted Certificate Store". By generating a new certificate each time, rather than using some common certificate, they are trying to maintain a semblance of security and accountability.
The scheme satisfies KMCS prior to Windows 8, and for the time being even works on Windows 10.

Comments

  • Xiaofan_ChenXiaofan_Chen Member - All Emails Posts: 277

    Tim's assertion is that the method was supposed not to work under Windows 10 if Secure Boot is ON, however, that is not true. It works under Windows 10 even if Secure Boot is ON.

    Ref: https://community.osr.com/discussion/293016/alternative-driver-signing-method-for-windows-10-using-libwdi-without-ev-certificate

    This method, of course, requires that the end user trust you enough to add a certificate to their "trusted store". In addition, this will only work pre-Windows 10. If you have "secure boot" set with Windows 10, your driver binary must be signed by Microsoft.

  • AkeoAkeo Member Posts: 8

    For what it's worth, this is an excerpt from setupapi.dev.log from trying to install a driver package on Windows 11 where the .cat signing certificate has been added to Trusted Publishers:

    +++  [Device Install (DiInstallDriver) - C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf]
    +++  Section start 2021/09/12 14:33:48.262
          cmd: "C:\Windows\System32\InfDefaultInstall.exe" "C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf"
         ndv: Flags: 0x00000000
         ndv: INF path: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         dvs: {DrvSetupInstallDriver - C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf}
         dvs:      Flags: 0x00000000
         dvs:      {Driver Setup Import Driver Package: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.262
         sto:           {Copy Driver Package: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.262
         sto:                Driver Package = C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sto:                Flags          = 0x00000007
         sto:                Destination    = C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}
         sto:                Copying driver package files to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}'.
         flq:                {FILE_QUEUE_COMMIT} 14:33:48.278
         flq:                     Copying 'C:\Users\pete\usb_driver\amd64\WdfCoInstaller01011.dll' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WdfCoInstaller01011.dll'.
         flq:                     Copying 'C:\Users\pete\usb_driver\amd64\WinUSBCoInstaller2.dll' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WinUSBCoInstaller2.dll'.
         flq:                     Copying 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat'.
         flq:                     Copying 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'.
         flq:                {FILE_QUEUE_COMMIT - exit(0x00000000)} 14:33:48.293
         sto:           {Copy Driver Package: exit(0x00000000)} 14:33:48.293
         ump:           Import flags: 0x00000000
         pol:           {Driver package policy check} 14:33:48.293
         pol:           {Driver package policy check - exit(0x00000000)} 14:33:48.293
         sto:           {Stage Driver Package: C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.293
         inf:                {Query Configurability: C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.293
         inf:                     Driver package uses WDF.
         inf:                     Driver package 'Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' is configurable.
         inf:                {Query Configurability: exit(0x00000000)} 14:33:48.309
         flq:                {FILE_QUEUE_COMMIT} 14:33:48.309
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WdfCoInstaller01011.dll' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\amd64\WdfCoInstaller01011.dll'.
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WinUSBCoInstaller2.dll' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\amd64\WinUSBCoInstaller2.dll'.
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat'.
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'.
         flq:                {FILE_QUEUE_COMMIT - exit(0x00000000)} 14:33:48.356
         sto:                {DRIVERSTORE IMPORT VALIDATE} 14:33:48.356
         sig:                     Driver package catalog is valid.
         sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
         sig:                          Key      = Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
    !    sig:                          Verifying file against specific (valid) catalog failed.
    !    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
         sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
         sig:                          Key      = Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
    !    sig:                          Verifying file against specific Authenticode(tm) catalog failed.
    !    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
    !!!  sig:                     Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.
    !!!  sig:                     Driver package failed signature validation. Error = 0x800B0109
         sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x800b0109)} 14:33:48.372
    !!!  sig:                Driver package failed signature verification. Error = 0x800B0109
    !!!  sto:                Failed to import driver package into Driver Store. Error = 0x800B0109
         sto:           {Stage Driver Package: exit(0x800b0109)} 14:33:48.387
         dvs:      {Driver Setup Import Driver Package - exit (0x800b0109)} 14:33:48.387
    !!!  dvs:      Failed to import driver packages under 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'. Error = 0x800b0109
         dvs: {DrvSetupInstallDriver - exit(800b0109)}
    <<<  Section end 2021/09/12 14:33:48.419
    <<<  [Exit status: FAILURE(0x800b0109)]
    

    (NB: I had to replace the >>> at the beginning of the first two lines because it looks like OSR's markdown chokes on those in a code block).

    This is pretty much the same error you'd see on Windows 10 if the certificate that was used to sign the .cat was missing from Trusted Publishers, so it certainly looks like Windows 11 is no longer using a trust chain with certificates that users have access to, for driver package installation.

    Of course I validated that the relevant certificate was present in Trusted Publishers, and I also tried to copy it in virtually every other store, including Trusted Root, with no success.

    I suspect that one of driver isolation or device guard is being formally enforced on Windows 11, and that this is what is preventing the method, where you could just self sign a driver package and add the cert to Trusted Publishers, from working.

    And I also confirm that this method works just fine on a Windows 10 platform with Secure Boot enabled.

    Note that this method is not libwdi specific. You should easily be able to replicate these findings by generating self-signed credentials, signing a driver package with them, and installing the public cert into Trusted Publisher before trying to proceed to the driver installation.

  • AkeoAkeo Member Posts: 8
    edited September 2021

    Just going to add that I have also tested driver package installation using a .cat that was signed with an actual Authenticode certificate (of course with that certificate added to Trusted Publishers) and I got the same error as if one tries to install a driver package signed using a self signed cert:

    So Windows 11 has now rendered https://docs.microsoft.com/en-us/windows-hardware/drivers/install/trusted-publishers-certificate-store wrong, since the following is no longer valid:

    If a publisher's Authenticode certificate is in the Trusted Publishers certificate store, Windows installs a driver package that was digitally signed by the certificate without prompting the user (silent install). By installing the Authenticode certificates in the Trusted Publishers certificate store, you can automate the installation of your driver package on various systems that are used for internal testing and debugging.

    As a matter of fact, it is not even possible to install a driver package at all in this manner, let alone silently...

  • AkeoAkeo Member Posts: 8

    Another thing worth mentioning is that, in Windows 10, you also did get

    !    sig:    Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    

    in setupapi.dev.log when installing a driver package signed with credentials whose certificate has been installed in Trusted Publishers. But this was treated as a silent warning rather than an error.

    So I guess the difference in Windows 11 is that they are now treating this warning as a full blown error, per:

    !!!  sig:    Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.
    

    In other words, the culprit appears to be the Code Integrity feature, but according to this, Code Integrity should be on when Secure Boot is enabled... Or maybe what Microsoft is referring to is HVCI, a.k.a. Device Guard, in which case it should be possible to replicate the issue with Windows 10 when HVCI is on.

    I'll try to test this to confirm.

  • AkeoAkeo Member Posts: 8
    edited September 2021

    Well, even with HVCI enabled, Windows 10 seems to be fine installing driver packages with self signed certs, even as we get the Error 0x800b0109 code:

    +++  [Device Install (UpdateDriverForPlugAndPlayDevices) - USB\VID_045E&PID_0289&REV_0121]
    +++  Section start 2021/09/29 12:01:07.785
         cmd: "C:\Users\pete\usb_driver\installer_x64.exe" "XBox_Controller.inf"
         ndv: INF path: C:\Users\pete\usb_driver\XBox_Controller.inf
         ndv: Install flags: 0x00000001
         ndv: {Update Device Driver - USB\VID_045E&PID_0289\21000040}
         ndv:      Search options: 0x00000080
         ndv:      Searching single INF 'C:\Users\pete\usb_driver\XBox_Controller.inf'
         dvi:      {Build Driver List} 12:01:07.863
         dvi:           Searching for hardware ID(s):
         dvi:                usb\vid_045e&pid_0289&rev_0121
         dvi:                usb\vid_045e&pid_0289
         dvi:           Searching for compatible ID(s):
         dvi:                usb\class_58&subclass_42&prot_00
         dvi:                usb\class_58&subclass_42
         dvi:                usb\class_58
         sig:           {_VERIFY_FILE_SIGNATURE} 12:01:07.941
         sig:                Key      = xbox_controller.inf
         sig:                FilePath = c:\users\pete\usb_driver\xbox_controller.inf
         sig:                Catalog  = c:\users\pete\usb_driver\XBox_Controller.cat
    !    sig:                Verifying file against specific (valid) catalog failed.
    !    sig:                Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
         sig:           {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:01:08.004
         sig:           {_VERIFY_FILE_SIGNATURE} 12:01:08.019
         sig:                Key      = xbox_controller.inf
         sig:                FilePath = c:\users\pete\usb_driver\xbox_controller.inf
         sig:                Catalog  = c:\users\pete\usb_driver\XBox_Controller.cat
         sig:                Success: File is signed in Authenticode(tm) catalog.
         sig:                Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
         sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 12:01:08.066
         dvi:           Created Driver Node:
         dvi:                HardwareID   - USB\VID_045E&PID_0289
         dvi:                InfName      - c:\users\pete\usb_driver\xbox_controller.inf
         dvi:                DevDesc      - XBox Controller
         dvi:                Section      - USB_Install
         dvi:                Rank         - 0x00ff0001
         dvi:                Signer Score - Authenticode
         dvi:                DrvDate      - 06/02/2012
         dvi:                Version      - 6.1.7600.16385
         dvi:      {Build Driver List - exit(0x00000000)} 12:01:08.144
    
    (...)
    
         sto:                {DRIVERSTORE IMPORT VALIDATE} 12:01:08.488
         sig:                     Driver package catalog is valid.
         sig:                     {_VERIFY_FILE_SIGNATURE} 12:01:08.519
         sig:                          Key      = xbox_controller.inf
         sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\xbox_controller.inf
         sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\XBox_Controller.cat
    !    sig:                          Verifying file against specific (valid) catalog failed.
    !    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:01:08.519
         sig:                     {_VERIFY_FILE_SIGNATURE} 12:01:08.519
         sig:                          Key      = xbox_controller.inf
         sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\xbox_controller.inf
         sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\XBox_Controller.cat
         sig:                          Success: File is signed in Authenticode(tm) catalog.
         sig:                          Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 12:01:08.535
         sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 12:01:08.566
         sig:                Signer Score  = 0x0F000000 (Authenticode)
         sig:                Signer Name   = USB\VID_045E&PID_0289 (libwdi autogenerated)
         sto:                {Core Driver Package Import: xbox_controller.inf_amd64_87b1fd6fde5ec133} 12:01:08.566
         sto:                     {DRIVERSTORE IMPORT BEGIN} 12:01:08.566
         sto:                     {DRIVERSTORE IMPORT BEGIN: exit(0x00000000)} 12:01:08.566
         cpy:                     {Copy Directory: C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}} 12:01:08.566
         cpy:                          Target Path = C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133
         cpy:                          {Copy Directory: C:\WINDOWS\System32\DriverStore\Temp\{1dac3046-a631-d64d-bda6-87331b29aa82}\amd64} 12:01:08.566
         cpy:                               Target Path = C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\amd64
         cpy:                          {Copy Directory: exit(0x00000000)} 12:01:08.566
         cpy:                     {Copy Directory: exit(0x00000000)} 12:01:08.582
         idb:                     {Register Driver Package: C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf} 12:01:08.582
         idb:                          Created driver package object 'xbox_controller.inf_amd64_87b1fd6fde5ec133' in SYSTEM database node.
         idb:                          Created driver INF file object 'oem33.inf' in SYSTEM database node.
         idb:                          Registered driver package 'xbox_controller.inf_amd64_87b1fd6fde5ec133' with 'oem33.inf'.
         idb:                     {Register Driver Package: exit(0x00000000)} 12:01:08.582
         idb:                     {Publish Driver Package: C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf} 12:01:08.582
         idb:                          Activating driver package 'xbox_controller.inf_amd64_87b1fd6fde5ec133'.
         cpy:                          Published 'xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf' to 'oem33.inf'.
         idb:                          Indexed 2 device IDs for 'xbox_controller.inf_amd64_87b1fd6fde5ec133'.
    !    sto:                          Ignoring changes to inbox device class {88bae032-5a81-49f0-bc3d-a4ff138216d6} through ClassInstall32 section.
         sto:                          Flushed driver database node 'SYSTEM'. Time = 16 ms
         idb:                     {Publish Driver Package: exit(0x00000000)} 12:01:08.597
         sto:                     {DRIVERSTORE IMPORT END} 12:01:08.597
         dvi:                          Flushed all driver package files to disk. Time = 0 ms
         sig:                          Installed catalog 'XBox_Controller.cat' as 'oem33.cat'.
         sto:                     {DRIVERSTORE IMPORT END: exit(0x00000000)} 12:01:08.613
         sto:                {Core Driver Package Import: exit(0x00000000)} 12:01:08.613
         sto:           {Stage Driver Package: exit(0x00000000)} 12:01:08.613
         sto:      {Setup Import Driver Package - exit (0x00000000)} 12:01:08.769
    
    (...)
    
         dvi:      {Build Driver List - exit(0x00000000)} 12:01:09.005
         dvi:      {DIF_SELECTBESTCOMPATDRV} 12:01:09.020
         dvi:           Default installer: Enter 12:01:09.020
         dvi:                {Select Best Driver}
         dvi:                     Class GUID of device changed to: {88bae032-5a81-49f0-bc3d-a4ff138216d6}.
         dvi:                     Selected Driver:
         dvi:                          Description - XBox Controller
         dvi:                          InfFile     - c:\users\pete\usb_driver\xbox_controller.inf
         dvi:                          Section     - USB_Install
         dvi:                {Select Best Driver - exit(0x00000000)}
         dvi:           Default installer: Exit
         dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 12:01:09.067
         ndv:      Force Installing Driver:
         ndv:           Inf Name       - xbox_controller.inf
         ndv:           Driver Date    - 06/02/2012
         ndv:           Driver Version - 6.1.7600.16385
         ndv:      Driver package 'C:\WINDOWS\System32\DriverStore\FileRepository\xbox_controller.inf_amd64_87b1fd6fde5ec133\xbox_controller.inf' is already imported.
         sto:      {Setup Import Driver Package: c:\users\pete\usb_driver\xbox_controller.inf} 12:01:09.098
         sto:           Driver package already imported as 'oem33.inf'.
         sto:      {Setup Import Driver Package - exit (0x00000000)} 12:01:09.098
         dvi:      Searching for hardware ID(s):
         dvi:           usb\vid_045e&pid_0289&rev_0121
         dvi:           usb\vid_045e&pid_0289
         dvi:      Searching for compatible ID(s):
         dvi:           usb\class_58&subclass_42&prot_00
         dvi:           usb\class_58&subclass_42
         dvi:           usb\class_58
         dvi:      Class GUID of device changed to: {88bae032-5a81-49f0-bc3d-a4ff138216d6}.
         ump:      {Plug and Play Service: Device Install for USB\VID_045E&PID_0289\31000040}
         dvi:           {Core Device Install} 12:01:09.177
    
    (...)
    
         dvi:           {Core Device Install - exit(0x00000000)} 12:01:09.252
         ump:      {Plug and Play Service: Device Install exit(00000000)}
         ndv: {Update Device Driver - exit(00000000)}
         ndv: {Install Related Drivers} 12:01:09.268
         ndv: {Install Related Drivers: exit(0x00000000)} 12:01:09.284
    
    +++  [Device Installation Restrictions Policy Check]
    +++  Section start 2021/09/29 12:01:08.332
    <<<  Section end 2021/09/29 12:01:48.556
    <<<  [Exit status: SUCCESS]
    
  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 9,133

    Just a side note (I have no experience to add about Win 11 and self-signed certs).

    It’s easy for a lot of us to ignore this method of signing as a bad work-around for avoiding getting a “real” signature. But there are a significant number of Enterprise-level ISVs and (particularly) IHVs who use this method of driver signing. So, if self-signed certs placed in the trusted publisher store no longer work, there are “a lot” of folks who are gonna be surprised come release time.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • AkeoAkeo Member Posts: 8

    Agreed.

    I was still hoping that I had missed something (such as the properties of the autogenerated cert installed by libwdi not matching the properties of a real Authenticode cert, thus leading to the validation failure), but seeing that the test with an Authenticode signed package also failed means that, unless I screwed up something during that test, a lot of people are going to have a bad surprise indeed.

    I am however puzzled that nobody else seems to be reporting this change of behaviour, so I am planning to investigate this some more...

  • AkeoAkeo Member Posts: 8
    edited September 2021

    Of course the irony of it is that we aren't trying to "skirt the rules" or do anything that can be considered even remotely dodgy.

    We are following Microsoft's established rules (linked previously) exactly, with the main goal of installing a pure Microsoft driver (WinUSB), that is pretty much delivered by the system anyway.

    But the sad truth is that Windows was never designed to install the generic USB driver it provides against a device that the user wishes to access in a generic manner... which forces us to jump through hoops that people who produce drivers for specific devices are unlikely to ever require, but that end users actually very much want, on account that Microsoft failed to offer a proper solution for them (outside of WCID, but WCID requires the provider of the device to already have planned for its use with a generic USB driver).

  • AkeoAkeo Member Posts: 8

    So, the plot thickens.

    Further testing shows that it is actually possible to install non WinUSB drivers after signing the .cat with self-signed credentials and a certificate copied to Trusted Publishers (e.g. libusb0.sys or libusbK.sys, carried out against the exact same device and interface, and same Windows 11 machine as before).

    When doing so, the double {_VERIFY_FILE_SIGNATURE} section becomes the same as what you'd see under Windows 10, with one initial validation failure due to the trust chain, followed with a validation success through the detection of an "Authenticode" (self-signed) cert in Trusted Publishers:

         sto:                {DRIVERSTORE IMPORT VALIDATE} 17:46:27.204
         sig:                     Driver package catalog is valid.
         sig:                     {_VERIFY_FILE_SIGNATURE} 17:46:27.220
         sig:                          Key      = yubikey_4_otp+u2f+ccid_(interface_2).inf
         sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\yubikey_4_otp+u2f+ccid_(interface_2).inf
         sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
    !    sig:                          Verifying file against specific (valid) catalog failed.
    !    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 17:46:27.220
         sig:                     {_VERIFY_FILE_SIGNATURE} 17:46:27.220
         sig:                          Key      = yubikey_4_otp+u2f+ccid_(interface_2).inf
         sig:                          FilePath = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\yubikey_4_otp+u2f+ccid_(interface_2).inf
         sig:                          Catalog  = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
         sig:                          Success: File is signed in Authenticode(tm) catalog.
         sig:                          Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 17:46:27.236
         sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 17:46:27.251
         sig:                Signer Score  = 0x0F000000 (Authenticode)
         sig:                Signer Name   = USB\VID_1050&PID_0407&MI_02 (libwdi autogenerated)
    

    In other words, for anything but the WinUSB driver on Windows 11, we get the expected:

         sig:                          Success: File is signed in Authenticode(tm) catalog.
         sig:                          Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
    

    but for WinUSB installation, we get:

    !    sig:                          Verifying file against specific Authenticode(tm) catalog failed.
    !    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    

    And the kicker is that, once you have installed a non WinUSB driver for the device, then you can replace it with the WinUSB driver, using the exact same method as the one that failed before, as it will work just fine this time around...

    And yes, I agree that the first line of inquiry is "Surely, you must be doing something different with that initial WinUSB installation compared to the subsequent non-WinUSB or working WinUSB ones", but I'm definitely not seeing anything in that vein so far though I am of course continuing to investigate the matter.

    At least, this provides us with one workaround to get WinUSB installed, and this tells us that the Trusted Publishers method of installation is still functional even with Windows 11, but this driver installation behaviour sure is weird, and I still don't have an explanation for it...
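The two setupapi.dev.log patterns described in this thread (the Windows 10 / Windows 11 release "warning then 0xe0000241 success" pair, and the Insider-build "two 0x800b0109 failures plus Code Integrity is enforced" pair) can be told apart mechanically when triaging logs from a fleet. The following is an added example for that purpose and is not code from the thread, from libwdi or from OSR; it assumes the section delimiters are the ">>>  [...]" / "<<<  [Exit status: ...]" lines that the forum rendered as "+++" above, and the embedded log is a constructed sample modelled on the excerpts posted here, not a real capture.

```python
"""Triage setupapi.dev.log driver-signature outcomes (added example, not the thread's code).

Assumptions: sections open with a ">>>  [...]" line (the thread shows "+++" because
the forum ate ">>>"), close with "<<<  [Exit status: ...]", and are not nested.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SECTION_START = re.compile(r"^(?:>>>|\+\+\+)\s+\[(?P<name>[^\]]+)\]")
SECTION_END = re.compile(r"^<<<\s+\[Exit status:\s*(?P<status>[A-Z]+)")
VERIFY_EXIT = re.compile(r"\{_VERIFY_FILE_SIGNATURE exit\((?P<code>0x[0-9a-fA-F]+)\)\}")
SIGNER_SCORE = re.compile(r"Signer Score\s*=\s*(?P<score>0x[0-9a-fA-F]+)\s*\((?P<kind>[^)]+)\)")

# Codes quoted verbatim in the thread's log excerpts.
UNTRUSTED_ROOT = 0x800B0109     # chain ends in a root the trust provider does not trust
TRUSTED_PUBLISHER = 0xE0000241  # INF signed with an Authenticode catalog from a trusted publisher
CI_ENFORCED_TEXT = "Code Integrity is enforced"


@dataclass
class Section:
    name: str
    exit_status: str = "UNKNOWN"
    verify_codes: List[int] = field(default_factory=list)
    ci_enforced: bool = False
    signer_kind: Optional[str] = None

    def verdict(self) -> str:
        """Classify the section by the sequence of _VERIFY_FILE_SIGNATURE exit codes."""
        if not self.verify_codes:
            return "no-signature-check"
        if TRUSTED_PUBLISHER in self.verify_codes:
            # First pass fails on the chain, second pass accepts the Trusted Publishers cert.
            return "accepted-trusted-publisher"
        if all(c == UNTRUSTED_ROOT for c in self.verify_codes):
            # Every pass failed; with CI enforced setupapi escalates the warning to an error.
            return "rejected-untrusted-root-ci-enforced" if self.ci_enforced else "rejected-untrusted-root"
        return "other"


def parse_sections(text: str) -> List[Section]:
    """Split the log into Device Install sections and collect the signature evidence."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        end = SECTION_END.match(line)
        if end:
            if current is not None:
                current.exit_status = end.group("status")
                sections.append(current)
                current = None
            continue
        start = SECTION_START.match(line)
        if start:
            current = Section(name=start.group("name"))
            continue
        if current is None:
            continue
        m = VERIFY_EXIT.search(line)
        if m:
            current.verify_codes.append(int(m.group("code"), 16))
        if CI_ENFORCED_TEXT in line:
            current.ci_enforced = True
        m = SIGNER_SCORE.search(line)
        if m:
            current.signer_kind = m.group("kind")
    return sections


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(section name, exit status, verdict) for every section in the log."""
    return [(s.name, s.exit_status, s.verdict()) for s in parse_sections(text)]


# Constructed sample: one Insider-style rejection, one Trusted Publishers acceptance,
# one policy-check section with no signature verification at all.
SAMPLE_LOG = r"""
>>>  [Device Install (DiInstallDriver) - C:\drivers\example_winusb.inf]
>>>  Section start 2021/09/12 14:33:48.262
     sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
     sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
!    sig:                          Verifying file against specific Authenticode(tm) catalog failed.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
!!!  sig:                     Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.
<<<  Section end 2021/09/12 14:33:48.419
<<<  [Exit status: FAILURE(0x800b0109)]
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - USB\VID_0000&PID_0000]
>>>  Section start 2021/09/29 12:01:07.785
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:01:08.519
     sig:                          Success: File is signed in Authenticode(tm) catalog.
     sig:                          Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 12:01:08.535
     sig:                Signer Score  = 0x0F000000 (Authenticode)
<<<  Section end 2021/09/29 12:01:09.300
<<<  [Exit status: SUCCESS]
>>>  [Device Installation Restrictions Policy Check]
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for name, status, verdict in triage(SAMPLE_LOG):
        print(f"{status:8} {verdict:40} {name}")
```

Run it against a real log with `triage(open(path, encoding="utf-8", errors="replace").read())`; a section that ends FAILURE with the "ci-enforced" verdict is the Insider-build behaviour this thread describes, while "accepted-trusted-publisher" is the Windows 10 and Windows 11 release behaviour.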

  • Xiaofan_ChenXiaofan_Chen Member - All Emails Posts: 277

    I have upgraded my new Acer Swift 3 laptop to Windows 11 official release today and Zadig works fine. So I cannot reproduce the issue.

    Full debug log: https://github.com/pbatard/libwdi/issues/155

  • AkeoAkeo Member Posts: 8

    Yeah, I am also not seeing the previous behaviour on the final release that I was seeing with the Insider builds before that. In other words, unlike the Insider builds, Windows 11 release appears to behave in the same manner as Windows 10 when it comes to signing a driver package and adding its certificate to Trusted Publishers.

    From what I can see, it does look like Microsoft toned down some of the "improvements" they were planning to bring to the new Windows, at least for the time being.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 9,133

    it does look like Microsoft toned down some of the "improvements" they were planning

    If this is the case, it would not be the first time.

    I'll remind everyone that a Windows release isn't "complete" and "stable" until some months after the initial release. Things continue to change for "quite a while." It's not like the old days when they burned a zillion CDs, and sent them out, and THAT was the release. Now, the release changes, as critical fixes and updates are applied.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
