Drivers reported as not signed on XP, 2003 and vista

NTDEV
1

We are having a problem with kernel mode drivers reported as not being
signed on XP and 2003, both 32 and 64 bit. If you open device manager
and display the property page of the driver, it reports that the
driver is not signed. Displaying the properties of the .sys and .cat
files does display the digital certificate. The driver and cat files
are signed with both Verisign and microsoft cross certs.

The problem is slightly different on vista. On vista the device
manager reports that the driver is signed when you click on the driver
tab, but if you look at the driver details, it reports that the driver
is not signed.

The drivers install correctly on Vista 32 and 64 bit and report as being signed.
steps used to sign driver package
stampinf file
create cat file
sign cat file
sign driver file

Has anyone seen this kind of behavior before?

2

[PCAUSA] Sign driver file before making cat file…

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-303661-
xxxxx@lists.osr.com] On Behalf Of david souza
Sent: Friday, October 19, 2007 10:42 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Drivers reported as not signed on XP, 2003 and vista

We are having a problem with kernel mode drivers reported as not being
signed on XP and 2003, both 32 and 64 bit. If you open device manager
and display the property page of the driver, it reports that the
driver is not signed. Displaying the properties of the .sys and .cat
files does display the digital certificate. The driver and cat files
are signed with both Verisign and microsoft cross certs.

The problem is slightly different on vista. On vista the device
manager reports that the driver is signed when you click on the driver
tab, but if you look at the driver details, it reports that the driver
is not signed.

The drivers install correctly on Vista 32 and 64 bit and report as
being signed.
steps used to sign driver package
stampinf file
create cat file
sign cat file
sign driver file

Has anyone seen this kind of behavior before?

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

3

I know for W2k3, your drivers are not signed with a WHQL signature. These
older OS’s can’t use cross certs and any device in an install class that has
a WHQL signing program must use a WHQL signature. For devices in these
classes, there is no way to sign the driver yourself. At a minimum, you have
to do testing to pass the WHQL unclassified device category. For devices in
classes not WHQL signable (i.e. your custom device class), you can put an
Authenticode signature on the drivers, and install your Authenticode
signature in the correct certificate store, improving the install operation
over unsigned drivers.

The BIG improvement in Vista and W2k8, is you can sign the driver yourself
with an Authenticode certificate, put your certificate in the correct
certificate store, and tell the OS to trust your signature equally with an
WHQL signature.

I also concur with what Thomas said, if you sign the binaries after you
generate the .cat, you have just invalidated the hash stored in the .cat,
and it doesn’t matter if the .cat is signed.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-303661-
xxxxx@lists.osr.com] On Behalf Of david souza
Sent: Friday, October 19, 2007 7:42 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Drivers reported as not signed on XP, 2003 and vista

We are having a problem with kernel mode drivers reported as not being
signed on XP and 2003, both 32 and 64 bit. If you open device manager
and display the property page of the driver, it reports that the
driver is not signed. Displaying the properties of the .sys and .cat
files does display the digital certificate. The driver and cat files
are signed with both Verisign and microsoft cross certs.

The problem is slightly different on vista. On vista the device
manager reports that the driver is signed when you click on the driver
tab, but if you look at the driver details, it reports that the driver
is not signed.

The drivers install correctly on Vista 32 and 64 bit and report as being
signed.
steps used to sign driver package
stampinf file
create cat file
sign cat file
sign driver file

Has anyone seen this kind of behavior before?

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer