I want to avoid the “unsigned driver” popup during installation of the user-mode driver.
Do I need to sign the driver package for example with VeriSign Code Signing Certificate?
Only this, and nothing more?
Thanks
Jewgeni Chygurynsky wrote:
> I want to avoid the “unsigned driver” popup during installation of the user-mode driver.
> Do I need to sign the driver package for example with VeriSign Code Signing Certificate?
> Only this, and nothing more?
If you sign your driver package, the “unsigned driver” popup is replaced
by a “do you trust this publisher” popup.
To eliminate the popup altogether, you must submit your driver to WHQL
as part of the logo process.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Thank you very much
> If you sign your driver package, the “unsigned driver” popup is replaced
> by a “do you trust this publisher” popup.
You can avoid the “trust” popup if you pre-install the certificate by means of certmgr.exe with command line parameters ( http://msdn.microsoft.com/en-us/library/ms172241.aspx ).
Christiaan
----- Original Message -----
From: “Tim Roberts”
To: “Windows System Software Devs Interest List”
Sent: Monday, May 10, 2010 7:54 PM
Subject: Re: [ntdev] How to avoid the “unsigned driver” popup
> Jewgeni Chygurynsky wrote:
>> I want to avoid the “unsigned driver” popup during installation of the user-mode driver.
>> Do I need to sign the driver package for example with VeriSign Code Signing Certificate?
>> Only this, and nothing more?
>>
>
> If you sign your driver package, the “unsigned driver” popup is replaced
> by a “do you trust this publisher” popup.
>
> To eliminate the popup altogether, you must submit your driver to WHQL
> as part of the logo process.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Hello Christiaan, thank you for this tip!
It’s also possible to install certificates by writing to the registry - much
easier for an installer than launching an external program.
Our installer installs 3 certs by writing to the registry. We just
installed the certs first on a test machine, and exported the keys. The
names of the reg keys for the certs are the thumbprints, so there are
guaranteed to be no collisions (unless the target already has the cert
installed). Search in regedit for your thumbprint and you’ll get the
correct reg path for your OS - be careful about x64 vs i386 though, as
there are effectively 2 sets of cert stores.
Cheers
Adrien
On 11/05/2010 6:17 a.m., Christiaan Ghijselinck wrote:
>> If you sign your driver package, the “unsigned driver” popup is replaced
>> by a “do you trust this publisher” popup.
>
> You can avoid the “trust” popup if you pre-install the certificate by
> means of certmgr.exe with command line parameters (
> http://msdn.microsoft.com/en-us/library/ms172241.aspx ).
>
> Christiaan
It is also very useful, thank you very much!
> it’s also possible to install certificates by writing to registry - much
> easier for an installer than launching an external program.
Well, what if Microsoft decides to move the certificate directory DB?
And rolls this change out with Windows Update?
=> It’s probably a better idea to use the API:
http://msdn.microsoft.com/en-us/library/aa380252(v=VS.85).aspx
CertAddSerializedElementToStore looks promising to me.
Comments?
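One way to add a publisher certificate through a supported store API instead of registry writes, as an added example that is not part of the thread. It uses the .NET X509Store class from PowerShell rather than CertAddSerializedElementToStore, and checks the file against a known thumbprint before trusting it; `$CerPath` and `$ExpectedThumbprint` are placeholder parameters for your own certificate, and the script must run elevated.

```powershell
# Added example, not code from the thread.
# Assumptions: $CerPath is your exported publisher certificate (.cer) and
# $ExpectedThumbprint is its thumbprint, recorded when the cert was issued.
param(
    [Parameter(Mandatory)] [string] $CerPath,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# Load the certificate from disk (public part only, no private key needed).
$cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CerPath).Path

# Refuse to trust anything other than the exact certificate we expect.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file contains $($cert.Thumbprint)"
}

# Refuse an expired or not-yet-valid certificate.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period"
}

# Open the machine-wide Trusted Publishers store through the API, so the
# on-disk/registry layout of the store is never touched directly.
$store = New-Object "$x509.X509Store" -ArgumentList 'TrustedPublisher', 'LocalMachine'
try {
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)

    # Read it back to confirm the store now holds the expected thumbprint.
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $expected, $false)
    if ($found.Count -eq 0) { throw 'Certificate not found in store after Add()' }
}
finally {
    $store.Close()
}

"Added $($cert.Subject) [$($cert.Thumbprint)] to LocalMachine\TrustedPublisher"
```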
>Do I need to sign the driver package for example with VeriSign Code Signing Certificate?
Either:
a) get the WHQL logo for the driver
or
b) sign with the Verisign cert, and ask the user to install the cert to Trusted Publishers. This will also be done if the user hits “Always trust software from this vendor” in a warning box.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> You can avoid the “trust” popup if you pre-install the certificate by means of certmgr.exe with
> command line parameters (
> http://msdn.microsoft.com/en-us/library/ms172241.aspx ).
It is a bit hard to do with Srv2003, but possible, search the forum for “test signing on 2003” and you will see the exact description of how this can be done.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Thanks a lot for all your tips!
Sign the driver
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com