Ok, I need to get my KMDF driver to load silently on Win 7/64 bit. I’ve gotten a certificate, gotten the Microsoft cross-certificate, created a CAT file with the .sys file in it, signed and verified the CAT file, signed and verified the SYS file, and…
…I still get a “do you want to install this driver?” dialog. If I say yes, great, the driver installs and my hardware test app runs fine (which it didn’t before I discovered I needed the Microsoft cross-certificate).
So, my question is: since the CAT and SYS files are signed and verified (and yes, I used the /kp switch), why on Earth am I getting the nasty warning dialog?
My suspicion, and I’m hoping someone here can either verify or correct me, is that because the INF file isn’t in the CAT file (we create a machine-unique INF during test), Windows pops the dialog up.
I’m working on getting a version of the test app that doesn’t create a unique INF so that I can see if that’s the problem, but it could take a while, so I figured I’d drop the question in here and see if I’m totally off-base or not.
By the way, if you have insomnia, reading any of the Microsoft white papers on digital signatures and Windows will eventually put you to sleep. I’m averaging one grande latte per white paper over the past 2 days.
xxxxx@woolyloach.com wrote:
> Ok, I need to get my KMDF driver to load silently on Win 7/64 bit. I’ve gotten a certificate, gotten the Microsoft cross-certificate, created a CAT file with the .sys file in it, signed and verified the CAT file, signed and verified the SYS file, and…
> …I still get a “do you want to install this driver?” dialog. If I say yes, great, the driver installs and my hardware test app runs fine (which it didn’t before I discovered I needed the Microsoft cross-certificate).

Are you sure that’s what it says? Or does it say “Do you trust this publisher?” If it says that, then you have done everything correctly.

> So, my question is: since the CAT and SYS files are signed and verified (and yes, I used the /kp switch), why on Earth am I getting the nasty warning dialog?

Because your CAT file was not signed by WHQL.

> My suspicion, and I’m hoping someone here can either verify or correct me, is that because the INF file isn’t in the CAT file (we create a machine-unique INF during test), Windows pops the dialog up.

Ah! You can’t do that. The CAT file contains a checksum of all of the files in the driver package (usually the INF and the SYS). If the checksums don’t match, then the CAT file is discarded and your driver package is considered to be unsigned. The driver now LOADS because the SYS file itself is signed, but your CAT file is nothing but decoration.

> By the way, if you have insomnia, reading any of the Microsoft white papers on digital signatures and Windows will eventually put you to sleep. I’m averaging one grande latte per white paper over the past 2 days.

I agree, but sooner or later it sinks in. Once you get the recipe, the rest is gravy.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Ok, thanks! I had a bad feeling about this from the beginning… also got confirmation from our Microsoft contact (who doesn’t usually work Fridays) that if the INF file isn’t in the CAT, it’s going to complain.
Time to think up a Plan B, maybe there’s a finite list of the devices we have to deal with… have to talk to our manufacturing people now. Urgh.
Thanks again for the quick response! 
xxxxx@woolyloach.com wrote:
> Ok, thanks! I had a bad feeling about this from the beginning… also got confirmation from our Microsoft contact (who doesn’t usually work Fridays) that if the INF file isn’t in the CAT, it’s going to complain.
> Time to think up a Plan B, maybe there’s a finite list of the devices we have to deal with… have to talk to our manufacturing people now. Urgh.

Well, what do you need, exactly? If you know in advance what the INF has to look like, you can certainly generate your unique INF, run INF2CAT, and sign each custom package. It doesn’t cost any extra to run INF2CAT again.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
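As an added example (not code from this thread or from either poster), the PowerShell script below does what Tim describes across both replies: it regenerates the catalog with Inf2Cat for a freshly generated INF, signs the CAT and the SYS with the Microsoft cross-certificate, and then uses signtool's catalog check (verify /c) to confirm that each package file still hashes into the catalog. That last check is the one that fails as soon as the INF is edited after signing, which is the point at which Windows discards the CAT and treats the package as unsigned. Inf2Cat and signtool are the real WDK tools and the switches shown are theirs; the package path, file names, publisher name, cross-certificate file name and timestamp URL are placeholders you would substitute for your own.

```powershell
# Added example: build, sign and verify one driver package per generated INF.
# Assumptions (not from the thread): inf2cat.exe and signtool.exe from the WDK are
# on PATH; the code-signing certificate is installed in the current user's store under
# $SignerName; $CrossCert is the Microsoft cross-certificate for that certificate's
# root CA. All file and publisher names below are placeholders.
param(
    [string]$PackageDir = ".\pkg",          # holds the generated INF and the SYS
    [string]$InfName    = "mydriver.inf",
    [string]$CatName    = "mydriver.cat",   # must match CatalogFile= in the INF
    [string]$SysName    = "mydriver.sys",
    [string]$SignerName = "Example Publisher Inc",
    [string]$CrossCert  = ".\MSCV-VSClass3.cer",
    [string]$Timestamp  = "http://timestamp.verisign.com/scripts/timestamp.dll"
)

$ErrorActionPreference = "Stop"

# Run an external tool and fail loudly on a non-zero exit code.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code $LASTEXITCODE : $($ToolArgs -join ' ')"
    }
}

$cat = Join-Path $PackageDir $CatName
$sys = Join-Path $PackageDir $SysName
$inf = Join-Path $PackageDir $InfName

# 1. (Re)generate the catalog from the INF. Inf2Cat hashes every file the INF
#    references, so it has to run again after any change to the INF.
Invoke-Tool "inf2cat.exe" @("/driver:$PackageDir", "/os:7_X64")

# 2. Sign the catalog and the binary. /ac adds the cross-certificate so the chain
#    reaches the Microsoft root that the Win7 x64 kernel trusts for driver signing.
foreach ($file in @($cat, $sys)) {
    Invoke-Tool "signtool.exe" @("sign", "/v", "/ac", $CrossCert, "/n", $SignerName,
                                 "/t", $Timestamp, $file)
}

# 3. Verify the embedded signature on the SYS under kernel-mode policy (/kp), then
#    check each package file against the catalog (/c). Editing the INF after this
#    point makes the INF check fail, which is when the CAT becomes "decoration".
Invoke-Tool "signtool.exe" @("verify", "/kp", "/v", $sys)
foreach ($file in @($inf, $sys)) {
    Invoke-Tool "signtool.exe" @("verify", "/kp", "/v", "/c", $cat, $file)
}

Write-Host "Package $PackageDir signed and verified against $CatName"
```

Run it once per generated INF, before the package is copied to the target machine; if the INF must be customised per machine, the whole of step 1 to 3 has to happen for that machine's INF, since a catalog built from a different INF will not validate. The signing key stays on the build host, which also addresses the concern about a certificate floating around a factory floor.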
Sorry about the delay, was involved in meetings about meetings about meetings.
The issue is: we have a customer that is manufacturing machines and pre-loading a 64-bit version of Windows. They want to run our diags on their product, on their factory floor, unattended. Each machine will have varying diagnostic-capable parts, so we have no a priori knowledge of which machine has which configuration - this is why we were generating the INF on the fly.
A factory floor is not a place I want a digital certificate floating around, it’s not that secure.
Amazingly, I managed to (with a static INF and CAT) get to the point where the Big Mean Red Dialog doesn’t come up, it just asks “Would you like to install this device software” in a relatively non-threatening dialog. That’s my next hurdle, other than not ripping my remaining 3 hairs out.
I’m still convinced the solution is a single INF encompassing all the manufacturer’s testable devices, and we simply build a new CAT file each time a new device is made available. Or find a way to get the customer to run the tests from a WinPE boot, which is non-problematic (and probably unlikely).
It’s a very corner-case issue, but I get all the weird problems!
Thanks again for your help, you’ve been a HUGE assistance through all this.