Authenticode or WHQL driver signing?

Hello,
My problem is simple: I’ve got an NDIS IM driver (based on the passthru sample)
and I’d like to install it silently on Windows 2000 and newer Windows
systems. “Silently” means without any annoying system message boxes
telling the user that the driver is not digitally signed.
To achieve this, I (my company) purchased an Authenticode digital
signature certificate from one of the existing CAs. I’ve used it to
digitally sign my driver (2 .cat files and the .sys file).
This driver installation package works silently (as expected) only on
Vista and newer systems. On W2K or WXP it continues to display those
infamous message boxes, which say that the driver is not digitally
signed by WHQL.
I’d like to know why this happens only on W2K and WXP. Do these systems
only support WHQL driver signing? Why don’t they care about my
Authenticode digital signature?
I’ve read several documents and discussions on this subject and I’m
still quite confused. Could someone make it clear for me? Is it possible
to get rid of those messages without a WHQL signature?

Thanks!

Regards,
Jan

I’m not sure why, and I’m 100% sure that this is correct, but I believe that the answer is that on these platforms, unless your stuff is signed by msft, there’s nothing you can do about this, at least in the case of a specific driver. It may be possible to disable the whole thing for all drivers with gpedit.msc; I don’t know that either, but it would decidedly not be a charitable thing to do regardless.

As I said, this is really not my thing, but as it’s Sunday, I thought I’d throw it out there, and if I’m wrong, I’m sure that someone will correct me tomorrow, if not sooner.

Good luck,

mm

That is correct. Self-signed drivers are a Vista and later feature.

On Sunday, May 31, 2009, wrote:
> I’m not sure why, and I’m 100% sure that this is correct, but I believe that the answer is that on these platforms, unless your stuff is signed by msft, there’s nothing you can do about this, at least in the case of a specific driver. It may be possible to disable the whole thing for all drivers with gpedit.msc; I don’t know that either, but it would decidedly not be a charitable thing to do regardless.
>
> As I said, this is really not my thing, but as it’s Sunday, I thought I’d throw it out there, and if I’m wrong, I’m sure that someone will correct me tomorrow, if not sooner.
>
> Good luck,
>
> mm
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>


Mark Roddy
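As an added illustration (not code from this thread or from OSR), the PowerShell script below walks a driver package and reports, for each .cat and .sys file, whether the signer's chain runs through the WHQL publisher certificate, which is what Windows 2000/XP require to skip the prompt, whereas Vista and later also accept a plain Authenticode chain. It assumes the WHQL publisher certificate's subject contains "Microsoft Windows Hardware Compatibility"; verify that against a known WHQL-signed inbox driver before relying on it.

```powershell
# Added example: report whether each .cat/.sys in a driver package is
# WHQL-signed (chain passes through the WHQL publisher) or merely
# Authenticode-signed by a commercial CA.
# Assumption (not stated in the thread): the WHQL publisher certificate's
# subject contains "Microsoft Windows Hardware Compatibility".
param(
    [Parameter(Mandatory = $true)]
    [string]$PackageDir   # directory holding the .inf, .cat and .sys files
)

$whqlSubjectPattern = 'Microsoft Windows Hardware Compatibility'

function Get-ChainSubjects {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the check also works on an offline lab box;
    # a full chain build is what the signature status already reports.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
}

Get-ChildItem -Path $PackageDir -Include *.cat, *.sys -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($null -eq $sig.SignerCertificate) {
        # Unsigned or unreadable signature: will prompt on every Windows version.
        [pscustomobject]@{ File = $_.Name; Status = $sig.Status; Signer = '(none)'; WHQL = $false }
        return
    }
    $subjects = Get-ChainSubjects -Cert $sig.SignerCertificate
    [pscustomobject]@{
        File   = $_.Name
        Status = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
        WHQL   = [bool]($subjects -match $whqlSubjectPattern)
    }
} | Format-Table -AutoSize
```

A row with Status = Valid but WHQL = False is exactly the situation in the original post: the package installs quietly on Vista and later but still triggers the unsigned-driver prompt on Windows 2000/XP.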

So there’s really no way to install an Authenticode-signed NDIS driver
(network class) on WinXP without bothering the user? Is that correct?

Regards,
Jan


Jan,

Getting an “Unclassified” signature from WHQL for an IM driver is not
exactly difficult. IM drivers are now signed under “Unclassified” and not
under a Network category (unlike the older HCT-based tests).

Other than the acknowledged PITA of setting up and operating the DTM, and
the cost of submission, is there some other reason you are avoiding a
signature from WHQL?

Good Luck,
Dave Cattley


Hello David,
The main reason we want to avoid WHQL tests is our frustration with this
whole “signing” process. It took a lot of time to make it work with
Authenticode, and after all that desperate stuff we finally realized that
our signature is useless on XP and lower. I’d like to break it! I don’t
want to go through this hell again! Hope you understand…
Now I’m going to cool myself down and then I will visit the WHQL site to find out
what they offer. Do you have any quick tips on how to lubricate and speed
up this task?

Thanks for any reply.

Kind regards,
Jan


> Do you have any quick tips on how to lubricate and speed up this task?

Sorry, no quick tips.

There is a public MSFT newsgroup dedicated to the DTM. I have found
searching that to be helpful when I have an issue to understand (with the
testing process).

The materials on the WHDC/WHQL sites on how to setup the DTM and operate
tests (I think there is still a ‘walk-through’) have been my guide.

I have always had the best luck with ‘thinking small’ when it came to the
DTM. I use the workgroup configuration (not joined to a domain) with
stand-alone test systems.

I always ‘test’ the DTM before ‘testing’ a driver - usually by testing an
inbox driver.

I have a completely virtual DTM setup (controller & test machines) running
in a big-iron server as a place to ‘test’ DTM patches and new releases,
because I can easily revert stuff that goes horribly wrong until I get it
right. No submissions come off of that setup, however; it is just an
experimentation & training tool for me.

Good Luck,
-dave
