Ok, I’ve managed to reach a point where nobody in my company has any clue about a particular driver signing issue. I’m pretty sure this isn’t the place to ask, and I’ve dug around in the Microsoft TechNet forums and can’t seem to find a proper place to ask there.
Does anyone know of any good resources for 64-bit driver signing questions? The kind folks here have gotten me past 2 show-stoppers, but this last one is proving intractable.
FWIW, the issue: I have a driver that our diagnostic package is loading. It has a valid embedded signature from our OS department. It passes signtool verify /kp. But we’re still seeing a dialog asking “Would you like to install this driver software” despite my better efforts, and the folks on the factory floor won’t be happy having to click this for every machine…
I’m starting to wonder if it’s possible to get around this in 64-bit Windows for non-boot-start drivers.
Any pointers in the right direction or suggestions are welcome at this point. I’ve read every white paper and MSDN page I can find and, as far as I can tell, I’ve Done The Right Thing™.
What exactly is the dialog asking? AFAIK you still get a dialog with a
signed driver unless it is WHQL’d.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Are you sure you’re not affected by this issue:
http://www.osronline.com/showthread.cfm?link=197762 ?
When did you get your certificate? Is it 2011 or late 2010?
I’ve recently been through the same thing, except that we had renewed our
certificate and so I knew the signing process wasn’t broken…
Thanks,
Alex.
@Don: I’m getting a polite dialog (not the red-bordered scary ones you get if your driver package isn’t properly signed), it says:
“Would you like to install this device software?”
…then lists the driver name and our company, with a checkbox to always trust software from us, and the expected “Install” and “Don’t Install” buttons, and a little warning at the bottom about not installing stuff from folks you don’t know.
In theory, according to our OS folks, this is supposed to be a WHQL cert… but it could be suspect.
@Alex: yikes! Let me look into that, I’m not sure it’s our issue but that looks alarming.
Thanks to you both!
xxxxx@woolyloach.com wrote:
> @Don: I’m getting a polite dialog (not the red-bordered scary ones you get if your driver package isn’t properly signed), it says:
> “Would you like to install this device software?”
> …then lists the driver name and our company, with a checkbox to always trust software from us, and the expected “Install” and “Don’t Install” buttons, and a little warning at the bottom about not installing stuff from folks you don’t know.
That’s exactly what one would expect. That says the package is signed
by a valid certificate from your company.
> In theory, according to our OS folks, this is supposed to be a WHQL cert… but it could be suspect.
The only way to get a WHQL signature is to run the driver package
through the DTM test suite and submit the passing tests to WHQL. They
send you back a WHQL-signed CAT file, which you would then use in your
installation.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
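The distinction drawn in the reply above (publisher-signed package versus WHQL-signed CAT file) can be checked on a test machine. The following is an added example, not code from anyone in this thread: it reads the signer of a catalog file and reports which install behaviour to expect. The file path is hypothetical, and the check assumes that the dialog's "always trust software from" checkbox works by adding the publisher certificate to the machine's Trusted Publishers store.

```powershell
# Added example: classify how a signed driver package will be treated at install time.
param(
    # Hypothetical path; point this at the package's .cat file.
    [string]$Path = 'C:\drivers\selftest\selftest.cat'
)

function Get-DriverPromptExpectation {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode check against the machine's trust stores. This is the
    # user-mode view; it does not replace "signtool verify /kp" for kernel policy.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            File        = $Path
            Signer      = $null
            Thumbprint  = $null
            Expectation = "Signature status '$($sig.Status)': expect the red-bordered warning, not the polite prompt"
        }
    }

    $cert = $sig.SignerCertificate

    # Subject name carried by catalogs that come back from a WHQL submission.
    $isWhql = $cert.Subject -like '*CN=Microsoft Windows Hardware Compatibility Publisher*'

    # Publisher certificates this machine already trusts for driver installs.
    $trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

    $expectation = if ($isWhql) {
        'WHQL signature: installs without a prompt'
    } elseif ($trusted) {
        'Publisher is in Trusted Publishers: installs without a prompt'
    } else {
        'Valid publisher signature, publisher not yet trusted: "Would you like to install this device software?" prompt'
    }

    [pscustomobject]@{
        File        = $Path
        Signer      = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Expectation = $expectation
    }
}

Get-DriverPromptExpectation -Path $Path | Format-List
```

If the signer subject is the company's own name rather than the Microsoft hardware publisher, the catalog did not come from a WHQL submission, whatever the certificate is called internally.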
Ed,
What kind of driver is it? PNP? Filter? WFP? KMDF? WDM? These may be mixed and mashed, but may be significant in how and what needs to be signed.
Gary G. Little
----- Original Message -----
From: xxxxx@woolyloach.com
To: “Windows System Software Devs Interest List”
Sent: Monday, March 14, 2011 1:59:53 PM
Subject: [ntdev] Best place to ask driver signing questions?
—
NTDEV is sponsored by OSR
Sorry about the late response, got sucked into a meeting, then had to run for the bus!
@Gary - it’s a PnP KMDF 1.9 driver that provides app-level access to USB self-test functionality.
I suspect we might be taking the wrong path here - this is kind of a legacy driver that’s been ported to KMDF, but I think we *might* be able to get away with a UMDF filter driver - more research is needed on my end. I think the signing requirements for non-kernel drivers are less stringent in 64-bit Windows (not sure).