So, the plot thickens.
Further testing shows that it is actually possible to install non-WinUSB drivers after signing the .cat with self-signed credentials and a certificate copied to Trusted Publishers (e.g. libusb0.sys or libusbK.sys, carried out against the exact same device and interface, and same Windows 11 machine as before).
When doing so, the double {_VERIFY_FILE_SIGNATURE} section becomes the same as what you’d see under Windows 10, with one initial validation failure due to the trust chain, followed by a validation success through the detection of an “Authenticode” (self-signed) cert in Trusted Publishers:
sto: {DRIVERSTORE IMPORT VALIDATE} 17:46:27.204
sig: Driver package catalog is valid.
sig: {_VERIFY_FILE_SIGNATURE} 17:46:27.220
sig: Key = yubikey_4_otp+u2f+ccid_(interface_2).inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\yubikey_4_otp+u2f+ccid_(interface_2).inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 17:46:27.220
sig: {_VERIFY_FILE_SIGNATURE} 17:46:27.220
sig: Key = yubikey_4_otp+u2f+ccid_(interface_2).inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\yubikey_4_otp+u2f+ccid_(interface_2).inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1-c7d1-6549-91a1-ec77b1157d06}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 17:46:27.236
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 17:46:27.251
sig: Signer Score = 0x0F000000 (Authenticode)
sig: Signer Name = USB\VID_1050&PID_0407&MI_02 (libwdi autogenerated)
In other words, for anything but the WinUSB driver on Windows 11, we get the expected:
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
but for WinUSB installation, we get:
! sig: Verifying file against specific Authenticode(tm) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
And the kicker is that, once you have installed a non-WinUSB driver for the device, then you can replace it with the WinUSB driver, using the exact same method as the one that failed before, as it will work just fine this time around…
And yes, I agree that the first line of inquiry is “Surely, you must be doing something different with that initial WinUSB installation compared to the subsequent non-WinUSB or working WinUSB ones”, but I’m definitely not seeing anything in that vein so far, though I am of course continuing to investigate the matter.
At least, this provides us with one workaround to get WinUSB installed, and this tells us that the Trusted Publishers method of installation is still functional even with Windows 11, but this driver installation behaviour sure is weird, and I still don’t have an explanation for it…
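As an added audit example (not code from the post above nor from libwdi), the following Python parser pulls each {_VERIFY_FILE_SIGNATURE} section out of a SetupAPI device-install log excerpt and reports whether the package ended up accepted through a trusted chain, accepted through a Trusted Publishers (Authenticode) certificate, or rejected on an untrusted root. The sample lines are constructed from the excerpt quoted above, and the two constant names are assumed from the Windows SDK headers.

```python
import re

# Status codes seen in the quoted log; symbolic names assumed from the Windows SDK.
CERT_E_UNTRUSTEDROOT = 0x800B0109                # chain ends in an untrusted root
ERROR_AUTHENTICODE_TRUSTED_PUBLISHER = 0xE0000241  # accepted via Trusted Publishers

# "sig:" lines may carry a leading "! " marker, so allow an optional "!" prefix.
VERIFY_OPEN = re.compile(r"^\s*!?\s*sig:\s*\{_VERIFY_FILE_SIGNATURE\}")
VERIFY_EXIT = re.compile(r"^\s*!?\s*sig:\s*\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9A-Fa-f]+)\)\}")
FIELD = re.compile(r"^\s*!?\s*sig:\s*(Key|Catalog)\s*=\s*(.+?)\s*$")

# Constructed sample, modelled on the setupapi.dev.log excerpt in the post.
SAMPLE_LOG = r"""sto: {DRIVERSTORE IMPORT VALIDATE} 17:46:27.204
sig: Driver package catalog is valid.
sig: {_VERIFY_FILE_SIGNATURE} 17:46:27.220
sig: Key = yubikey_4_otp+u2f+ccid_(interface_2).inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{05c136d1}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 17:46:27.220
sig: {_VERIFY_FILE_SIGNATURE} 17:46:27.220
sig: Key = yubikey_4_otp+u2f+ccid_(interface_2).inf
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 17:46:27.236
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 17:46:27.251
"""


def parse_verify_blocks(log_text):
    """Return one dict (key, catalog, exit) per {_VERIFY_FILE_SIGNATURE} ... exit(...) section."""
    blocks, current = [], None
    for line in log_text.splitlines():
        if current is None:
            if VERIFY_OPEN.match(line):
                current = {"key": None, "catalog": None, "exit": None}
            continue
        m = VERIFY_EXIT.match(line)
        if m:                      # section closed: record its exit status
            current["exit"] = int(m.group(1), 16)
            blocks.append(current)
            current = None
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    return blocks


def classify_install(blocks):
    """Verdict based on the last verification attempt, which is the one SetupAPI acts on."""
    if not blocks:
        return "no-verification"
    last = blocks[-1]["exit"]
    if last == 0:
        return "trusted-chain"
    if last == ERROR_AUTHENTICODE_TRUSTED_PUBLISHER:
        return "trusted-publisher"          # self-signed cert honoured from Trusted Publishers
    if last == CERT_E_UNTRUSTEDROOT:
        return "rejected-untrusted-root"    # the WinUSB failure mode described in the post
    return "other:0x%08X" % last
```

Running it over a real setupapi.dev.log lets an administrator list which packages were admitted through a self-signed publisher rather than a WHQL or CA-rooted chain.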