driver signing troubles

Maybe I’ve overlooked something “trivial”, however I’m not able to follow
the instructions in the SelfSign subdirectory of the WinDDK.
I have

  1. the certificate
  2. registered the certificates
  3. the catalog was built by the Signability tool
  4. I signed the cat with the signtool
  5. here’s the output from the verification step

H:\vista_dev\new_system\Driver>signtool verify /pa /v safefaxvista.cat

Verifying: safefaxvista.cat
SHA1 hash of file: F64A95680CBF848F2527493D4FC28BB813AC3808
Signing Certificate Chain:
Issued to: Joe’s-Software-Emporium
Issued by: Joe’s-Software-Emporium
Expires: 01.01.2040 00:59:59
SHA1 hash: 800576D6B331AA8D6E07E2E810E89218B782ACE4

File is not timestamped.
Successfully verified: safefaxvista.cat

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

H:\vista_dev\new_system\Driver>

Now if I try to install this I get the encouraging message in the
printer installation wizard:
This driver is not digitally signed.

How can that be? The test passes but it’s not recognized as a signed
driver.

Any hints how to solve this are very welcome

Regards
Friedrich

Examine the setup logs in the Vista \Windows\Inf folder.

I am sure your INF file includes the CatalogFile entry. Right?

Can you install your driver (with standard complaints…) if the CatalogFile
entry is commented out? If so, then that would confirm my understanding that
Self-Sign only works for devices that do not have a WHQL signing test. If
the device does have a WHQL test, then only a WHQL submission and WHQL
signature will be an acceptable signature.

I’m not an expert on this, so if someone has information to the contrary,
please chime in.

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-273297-
xxxxx@lists.osr.com] On Behalf Of Friedrich Dominicus
Sent: Sunday, December 17, 2006 2:11 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] driver signing troubles


Thanks I’ll try the suggestions.

Regards
Friedrich

Just to clarify, it seems I missed that.
I can install the driver with the usual complaints, that there wasn’t a
signature and the like. So the driver can be installed. I just wanted
to have a smooth installation without any warning that some things are
not signed etc. I have found a step-by-step guide and now at least the
catalog can get signed and it is recognized as being signed, but now
while trying to install I get the message that the issuer could not be
checked…

Regards
Friedrich

Is your certificate generated from a known authority (Verisign, etc.) or did
you make it yourself by means of makecert? From my own experience, I know
that signed drivers with a home-made “makecert” certificate get installed as signed
on XP and Server 2003 (32 bit) but not on Vista 32 bit.

Christiaan

----- Original Message -----
From: “Friedrich Dominicus”
To: “Windows System Software Devs Interest List”
Sent: Sunday, December 17, 2006 11:48 AM
Subject: Re: [ntdev] driver signing troubles


“Christiaan Ghijselinck” writes:

> Is your certificate generated from a known authority (Verisign, etc.)
> or did you make it yourself by means of makecert? From my own
> experience, I know
> that signed drivers with a home-made “makecert” certificate get
> installed as signed on XP and Server 2003 (32 bit) but not on Vista
> 32 bit.

Well, I’ve worked on it for quite some time now and found how to get that
installed. The only problem still existing is that adding the
driver to the store shows an error message that the “issuer could not
be verified” or the like. But if it’s in the store it will get
installed as a “signed” driver. I had to dig through the following
papers to get there:
http://technet2.microsoft.com/WindowsVista/en/library/4bbbeaa0-f7d6-4816-8a3a-43242d71d5361033.mspx?mfr=true

Installing Printer Drivers Microsoft Vista

and all I could find in DDK_HOME\bin\SelfSign

Thanks for all your hints

Regards
Friedrich

Thomas Divine wrote:

> Can you install your driver (with standard complaints…) if the
> CatalogFile entry is commented out? If so, then that would
> confirm my understanding that Self-Sign only works for devices
> that do not have a WHQL signing test. If the device does have
> a WHQL test, then only a WHQL submission and WHQL signature
> will be an acceptable signature.

We regularly self-sign drivers (to load on our DTM clients) that are of class Modem and Ports. However, our certificate is “real” (i.e. is from Verisign). However, assuming you import your own root certificate (or however that goes), I don’t see why this would change anything.

We do have to issue both bcdedit /set testsigning on and bcdedit /set nointegritychecks on before the driver will load.
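
An added example, not part of any post in the thread: a Python check over the verbose `signtool verify` output from the first post, reporting two things that a "Successfully verified" result under `/pa` leaves open, namely a chain consisting of a single self-issued certificate and a missing timestamp. The function names are illustrative.

```python
import re

# Verbose `signtool verify /pa /v` output copied from the first post in the thread.
SAMPLE = """\
Verifying: safefaxvista.cat
SHA1 hash of file: F64A95680CBF848F2527493D4FC28BB813AC3808
Signing Certificate Chain:
Issued to: Joe’s-Software-Emporium
Issued by: Joe’s-Software-Emporium
Expires: 01.01.2040 00:59:59
SHA1 hash: 800576D6B331AA8D6E07E2E810E89218B782ACE4

File is not timestamped.
Successfully verified: safefaxvista.cat
"""

FIELD = re.compile(r"^\s*(Issued to|Issued by|Expires|SHA1 hash):\s*(.+?)\s*$")

def parse_chain(text):
    """Return the certificates listed under 'Signing Certificate Chain:'."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.strip() == "Signing Certificate Chain:":
            in_chain = True
            continue
        if not in_chain or not line.strip():
            continue
        m = FIELD.match(line)
        if m is None:
            break                      # first non-field line ends the chain section
        key, value = m.groups()
        if key == "Issued to":
            chain.append({})           # each certificate starts with 'Issued to'
        if chain:
            chain[-1][key] = value
    return chain

def review(text):
    """List properties of the signature that 'Successfully verified' does not rule out."""
    findings = []
    chain = parse_chain(text)
    if not chain:
        findings.append("no signing certificate chain in output")
    elif len(chain) == 1 and chain[0].get("Issued to") == chain[0].get("Issued by"):
        findings.append("signing certificate is self-issued (thumbprint %s): it chains "
                        "only to itself, so trust depends on that certificate being "
                        "installed on the target machine" % chain[0].get("SHA1 hash"))
    if "File is not timestamped." in text:
        findings.append("no timestamp: nothing records when the signature was made")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
```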