How to make windows installer find the driver automatically

Hello

I create a child PDO from my virtual bus manager.
What steps does my installer have to take during install to make the Windows installer find the driver for this dynamically created PDO automatically at run time, i.e. without popping up a msg box for the driver?

I guess it is the same thing as how Windows finds drivers for most devices after OS installation etc., i.e.
what entries, and which files copied where, does my installer have to take care of?

When the msg box pops up I of course point it to my dir where the INF/.sys are located and it installs o.k.

–thanks

msr wrote:

What steps does my installer have to take during install to make
the Windows installer find the driver for this dynamically created
PDO automatically at run time, i.e. without popping up a msg
box for the driver?

You need to preinstall the function drivers which will load on top of your PDO. And they need to be WHQL signed to install totally silently.

Chris

>You need to preinstall the function drivers which will load on top of your PDO.
How do I pre-install the func drvr for my PDO? I mean, where do I copy my INF and .sys to?

Right now we are not yet WHQL’ed.
But non-WHQL should just pop up a message saying these drivers are not signed etc., right?

But my pop-up is that of looking for the driver itself, i.e. it has not found the INF/.sys for my PDO.
I have to point to a dir where those are residing.

Assuming I have WHQL’ed drivers, what should my installer do for the Windows installer to later find my INF/.sys automatically?

thanks

msr wrote:

How do I pre-install the func drvr for my PDO? I mean, where do I copy
my INF and .sys to?

Look at SetupCopyOEMInf() or DriverPackagePreinstall(). *You* don’t copy your INF, .sys, and other files anywhere yourself.

Assuming I have whql’ed drivers, what should my installer do for the
windows installer later to find my inf/.sys automatically?

Same answer as before.

On Vista, preinstall works perfectly with Authenticode signed drivers. It does not have to be WHQL.
Chances are that on W2K3 preinstall of an Authenticode signed driver will work as well.

On XP, the support for Authenticode signature is only partial.
Preinstall won’t gain the desired effect of silent installation. You will successfully preinstall, but
when the PDO appears, the Found New Hardware will pop up.

Cheers,
Alexey Polonsky

> On Vista, preinstall works perfect with Authenticode signed
> drivers. It does not have to be WHQL.
> Chances are that on W2K3 preinstall of Authenticode signed
> driver will work as well.

It’s a little more complex than that.

Under Vista/W2K8, any device class can be signed with a non-WHQL signature
(not clear if a self-signed certificate works), AND the Administrator has to
tell the OS to trust that certificate, and then non-WHQL but signed drivers
should rank the same as WHQL signed drivers. I believe you can also control
the trust via group policy in a domain, so you can essentially get domain
machines to silently install custom hardware.

For W2K3, ONLY devices in classes that have no WHQL signature program can
use a non-WHQL signature for silent install, and the signature has to be
Authenticode and added to the trusted certificate store. Devices that have
WHQL classes will not be able to use Authenticode signatures to get silent
installs. The set of WHQL device classes was decided at OS release time, and
can’t be changed. Depending on your device functionality, you might be able
to put it in a custom class. Some device types, like say network adapters,
use a large amount of class installer code, so you can’t just arbitrarily
make a NIC device install as some other class.

Jan

Thanks all for suggestions above.

I am getting an error “Windows cannot verify the digital signature of this file” for my driver.
Not related to the above, but asking anyway. Will have more info tomorrow.

-thanks

xxxxx@yahoo.com wrote:

I am getting an error “Windows cannot verify the digital signature
of this file” for my driver.

On 64bit Vista/Server2008 only signed kernel drivers are allowed, if you
have such an error, get an SPC and sign your driver package.

Even with valid SPC signature for driver and package you will get a
warning (and an entry in driver manager “not signed”), for any driver
that is not WHQL-signed. For this signature, enter the Windows Logo program.

Hagen / Jan

Thx. I will use SPC/MCS procedures to get my production driver signed.
Right now I am using the test-signing process. Following are my steps.

1) Bld my binaries
My driver is of class “system”.
?) Does the “system” class have a WHQL signature program on 2k3 server sp2? And 2k8 server?

- generate a self-signed cert.
Makecert -r -pe -ss my_cert -n "CN=my_cert" my_cert.cer
?) HOW DO I GET A SIGNATURE AUTHENTICODED? Can I get the above self-signed cert authenticoded?
?) Where do I find info on the authenticode process?

2) Generate cats
Inf2cat.exe /driver:. /os:Server2003_X86,Server2003_X64,Vista_X86,Vista_X64

3) Sign cats
SignTool sign /s my_cert /t http://timestamp.verisign.com/scripts/timestamp.dll my_drvr.cat
?) IS THE ABOVE STEP THE ONE WHICH EMBEDS THE SIGNATURE INTO THE SYS??

4) Sign all my [sourcediskfiles]
SignTool sign /s my_cert /t http://timestamp.verisign.com/scripts/timestamp.dll my_drvr.sys
SignTool sign /s my_cert /t http://timestamp.verisign.com/scripts/timestamp.dll WdfCoInstaller01007_x64.dll

?) IS THE ABOVE O.K? I.E. I AM SIGNING/TIME-STAMPING/PACKAGING A KMDF CO-INSTALLER DLL WITH MY OWN OS/PLATFORM DESCRIPTIVE NAME (WdfCoInstaller01007_x64.dll),
but in the inf I copy it to dir=11 WITH THE ORIGINAL NAME, I.E. WdfCoInstaller01007.dll.

With the above steps, during install (2k8-x64) I still got a pop-up.
My driver loads o.k.
(I forgot to install the cert above on the test system.)
I guess the INSTALL POP-UP is probably because my driver is not WHQL’ed yet?
How do I get rid of that install pop-up?

The output in the verbose code_signing event viewer is

Code Integrity started validating file hash of \Device\HarddiskVolume1\Windows\System32\drivers\My_drvr.sys file.
Code Integrity completed validating file hash. Status 0.

Does the above mean my embedded signature is fine and tested?

xxxxx@yahoo.com wrote:

Thx. I will use SPC/MCS procedures to get my production driver
signed.

Please see
http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx

Download kmsigning.doc, read and work through it.
It’s actually very good and explains the whole code signing process,
including cross-certificates, boot-time drivers, CATalogs, etc.

> 2) Generate cats
> 3) Sign cats
> 4) Sign all my [sourcediskfiles]
> ?) IS THE ABOVE O.K?

No, generating and signing first the CATalog file and then signing the
individual files can and will not work.

As soon as you sign the sys/dll files, information (the signature) will
be added that changes the files (and their cryptographic checksums).

The correct order is

  • sign all individual files you want to sign
  • generate CATalog file(s)
  • sign the CATalog file(s)

> I.E. I AM SIGNING/TIME-STAMPING/PACKAGING A KMDF
> CO-INSTALLER DLL WITH MY OWN OS/PLATFORM DESCRIPTIVE NAME

Not a good idea. You don’t need this, in fact it is probably bad.

You have to include the co-installer DLL in your (signed) catalog file.
But as the co-installers already have valid WHQL signatures, it is
neither necessary nor reasonable to sign them again.

Anyway, individual SYS file signatures are only required for kernel
drivers that have to be active at boot time on 64bit systems.

To get the driver loaded and active, it is enough to have the CATalog
file signed.

> Where do I find info on the authenticode process?

Authenticode := Binary/CATalog signature done with an SPC.
SPC := Certificate valid to do code-signing.

Please see the link at the end of kmsigning.doc for more information.

> With the above steps, during install (2k8-x64) I still got a pop-up.
> […]
> How do I get rid of that install pop-up?

Get a valid WHQL signature from Microsoft. :-)

Hagen

I am using the following to sign my .sys, but when I check it against the cat, I get the following error. How do I fix it? I am following the steps in selfsign_example.cmd in the WDK.
Maybe I need to sign the .sys before I sign the CATs, I guess.
But the error looks like more than that, or possibly even different: it is looking for the root and end of the cert chain and its authenticity. These are all self-signed certs, so not sure what authentication it needs up to the root CA etc.

Anyways will debug more.

>>>>>>>>>>>

signtool verify /kp /v /c ifcoevb.cat My_driver.sys

Verifying: My_driver.sys
File is signed in catalog: My.cat
SignTool Error: WinVerifyTrust returned error: 0x800B0109
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signing Certificate Chain:
Issued to: my_cer
Issued by: my_cer
Expires: 12/31/2039 4:59:59 PM
SHA1 hash: 51058047502C98E642A65FC4D0E0093F24019AFC

File is not timestamped.
SignTool Error: File not valid: my_driver.sys
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Wednesday, May 07, 2008 10:15 AM
Subject: RE:[ntdev] How to make windows installer find the driver
automatically

> Hagen
>
> I am using the following to sign my .sys, but when I check it against
> the cat, I get the following error. How do I fix it? I am following the
> steps in selfsign_example.cmd in the WDK.

Your test certificate is not installed among the trusted
publishers of your machine. You don’t need to sign the sys file. Signing the
cat is enough.
You install the test certificate among the trusted publishers using
certmgr.exe; the syntax is the following one:

certmgr.exe /add mycert.cer /s /r localMachine root
certmgr.exe /add mycert.cer /s /r localMachine trustedpublisher

Hope it helps
GV


Gianluca Varenni, Windows DDK MVP

CACE Technologies
http://www.cacetech.com


xxxxx@yahoo.com wrote:

I am using the following to sign my .sys, but when I check it against the cat, I get the following error. How do I fix it? I am following the steps in selfsign_example.cmd in the WDK.

This is completely unrelated to your question, for which I apologize,
but it struck my funny bone.

I use Thunderbird for email. Thunderbird tries to present email replies
using pretty formatting, so that a reply paragraph is slightly shaded,
with “change bars” to make them obvious. Nested replies get
progressively darker shading. It uses leading “>” marks to locate replies.

Mr. MSudhakar used the notation “>>>>>>>>>>>>” to set off his console
session. Thunderbird interpreted that as a deeply-nested reply,
resulting in what I thought was a very interesting decoration to his
mail: http://www.probo.com/timr/PrettyMail.jpg.

Apropos of nothing, but it amused me.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@yahoo.com wrote:

Maybe I need to sign the .sys before I sign the CATs, I guess.

This comment shows me that you either did not read or did not understand
my last eMail or kmsigning.doc. This very question is answered there.

No offense, but it doesn’t make good use of my time to analyze any
output from any program you invoke before you have studied kmsigning.doc

(And yes, you guess right.)

Tim - yes, that was funny decor :-)

>No offense, but it doesn’t make good use of my time
Hagen - yes, I must have; doing that now. Apologies for the skip. :-)

–thx

Following are my steps using a self-signed cert.
Individual signs on binaries and CATs came out o.k.
But the sign check of CAT vs. driver failed.
PS: I have to sign the driver also because it is a 2k8/x64 driver.
Anyway, not signing the driver and repeating these steps also gives the same result.

Let me know if I missed something again.

1) generate self-signed cert
Makecert -r -pe -ss mycer -n "CN=mycer" mycer.cer

2) Installed this cer on the same machine
certmgr.exe -add mycer.cer -s -r localMachine root
certmgr.exe -add mycer.cer -s -r localMachine trustedpublisher

Invoked certmgr and checked that mycer was listed in the ROOT and TrustedPublisher CAs.

3) generate my binaries

4) sign my binaries with the above generated and installed cert

SignTool sign /s mycer /t http://timestamp.verisign.com/scripts/timestamp.dll mysys.sys
output:
Done Adding Additional Store
Successfully signed and timestamped:mycer.sys

– Not sure why it is adding an additional store?
Anyway, successfully signed and timed.

5) generate catalogs
Inf2cat.exe /driver:. /os:Server2003_X86,Server2003_X64,Vista_X86,Vista_X64

IS THE ABOVE SYNTAX FOR /DRIVER O.K?
ALL MY .SYS, .INF ARE IN pwd.
*** also THERE ARE OTHER FILES AND SUB-DIRS NOT REFERENCED BY THE INF’S IN THIS DIR ***
*** THERE ARE MULTIPLE INF’S IN THIS DIR ALSO ***

6) SIGN THE cats too

SignTool sign /s mycer /t http://timestamp.verisign.com/scripts/timestamp.dll mycat.cat
Done Adding Additional Store
Successfully signed and timestamped: mycat.

7) verify signed driver - Went to file properties and it says the cert is o.k.
8) verify signed cats - Went to file properties and it says the cert is o.k.

9) verifying signed cats vs. binaries
signtool verify /kp /v /c mycat.cat mysys.sys

Verifying: mysys.sys
File is signed in catalog: mycat.cat
SignTool Error: WinVerifyTrust returned error: 0x800B0109
*** A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. ***
>>>>>>>>>>>>
Above is the error
1) I am using a self-signed cert which is installed in the root and trustedpublisher CAs.
2) Not sure why there is a CA chain for my certificate above.
3) I tried not doing the time-stamp, got the same error.
<<<<<<<<<<<<<<<
Signing Certificate Chain:
Issued to: mycer
Issued by: mycer
Expires: 12/31/2039 4:59:59 PM
SHA1 hash: D575A14F73C939CCD7547C6F6CD6B0B5DC1C6BD1

The signature is timestamped: 5/7/2008 5:34:12 PM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 12/31/2020 4:59:59 PM
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 12/3/2013 4:59:59 PM
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 6/14/2012 4:59:59 PM
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

SignTool Error: File not valid: mysys.sys

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

Will debug more.

I think the problem is option /kp of “signtool verify”. /kp means that
signtool verifies the driver signature with the kernel-mode signing policy.
I might be totally wrong, but I think it tells you the signature is invalid
because it’s just a test signature (it’s not a case that in order to use
test signing, you need to use a test certificate *and* put the machine into
test mode).

Try to remove option /kp and see if it validates the binary. Also, you do
not need to test sign the binary *and* the binary. Just sign the CAT file.

Have a nice day
GV


Gianluca Varenni, Windows DDK MVP

CACE Technologies
http://www.cacetech.com

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Wednesday, May 07, 2008 5:54 PM
Subject: RE:[ntdev] How to make windows installer find the driver
automatically

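The whole test-signing sequence in the order Hagen gives (sign the individual files first, then build the catalog, then sign the catalog), with the test certificate installed into both stores as GV describes and the final check run without /kp. This is an added example, not a script from the thread or from the WDK; it assumes a package in the current directory with constructed names mydrv.inf, mydrv.sys and a CatalogFile=mydrv.cat entry, the WDK tools on PATH, and an elevated prompt; pnputil (Vista/Server 2008) stands in for the DriverPackagePreinstall() call suggested earlier in the thread.

```batch
@echo off
rem Added example: test-sign a driver package in the order that works
rem (files -> catalog -> catalog signature). Constructed names:
rem   mycer      store name and CN of the self-signed test certificate
rem   mydrv.inf  the package INF in the current directory
rem   mydrv.sys  the driver binary listed in [SourceDisksFiles]
rem   mydrv.cat  the CatalogFile= name the INF declares
setlocal
set CERTNAME=mycer
set TSURL=http://timestamp.verisign.com/scripts/timestamp.dll

rem 1) One-time: create the self-signed test cert in the "mycer" store
rem    and export its public part to mycer.cer.
if not exist %CERTNAME%.cer (
    makecert -r -pe -ss %CERTNAME% -n "CN=%CERTNAME%" %CERTNAME%.cer || goto :fail
)

rem 2) On every machine that must trust the package: the chain shown by
rem    signtool ends at this self-signed cert, so it must be in the machine
rem    Root store, and in TrustedPublisher to avoid the publisher prompt.
certmgr /add %CERTNAME%.cer /s /r localMachine root || goto :fail
certmgr /add %CERTNAME%.cer /s /r localMachine trustedpublisher || goto :fail

rem 3) Sign the individual binaries FIRST. Embedding the signature changes
rem    the file and therefore its hash, so this must precede inf2cat.
rem    (Only boot-start drivers on x64 strictly need an embedded signature;
rem    a signed catalog is enough for other drivers.)
signtool sign /s %CERTNAME% /t %TSURL% mydrv.sys || goto :fail

rem 4) Build the catalog: hashes of every file the INF references, and of
rem    the INF itself, go into mydrv.cat.
inf2cat /driver:. /os:Server2003_X86,Server2003_X64,Vista_X86,Vista_X64 || goto :fail

rem 5) Sign the catalog LAST.
signtool sign /s %CERTNAME% /t %TSURL% mydrv.cat || goto :fail

rem 6) Verify each file against the catalog. /kp applies the kernel-mode
rem    code-signing policy, which a self-signed test certificate does not
rem    satisfy, so it is left out; the default policy accepts the test root
rem    installed in step 2. Verifying the INF shows it is hashed too.
signtool verify /v /c mydrv.cat mydrv.sys || goto :fail
signtool verify /v /c mydrv.cat mydrv.inf || goto :fail

rem 7) Preinstall into the driver store (Vista/2008) so the PDO's Found New
rem    Hardware does not ask for a location; this is the command-line
rem    equivalent of DriverPackagePreinstall(). Not in the thread itself.
pnputil -a mydrv.inf || goto :fail

echo Package signed, verified against mydrv.cat and preinstalled.
endlocal
exit /b 0

:fail
echo FAILED; check the output of the last tool above.
endlocal
exit /b 1
```

On the development machine this only shows that the signatures and catalog are consistent; a silent install on other machines still needs the trust setup of step 2 there, or a signature that the OS trusts on its own.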

GV

Thx very much!!! Indeed that was the issue. One more question:

1) Are INF’s also hashed in a CAT file?
Because I changed the inf a bit and verified against its signed cat. It said it successfully verified.
Wonder why it did not detect that the inf was changed.
Anyway, when I changed the binary it obviously complained.

>Also, you do not need to test sign the binary *and* the binary. Just sign the CAT file.
It’s just our company policy to sign all bins (.sys, .dlls, .exes etc).
Also this driver is for 2k8/x64 and is boot_start type, so it requires an embedded sign?

> it’s not a case that in order to use test signing, you need to use a test certificate *and* put the machine into test mode).
I am not turning testsigning on etc. on this machine. Will do that only on test machines.
Is that what you meant?
I put this machine in partial test mode (add test_Cert to the CAs etc.) just to verify the signatures of bins/catalogs on this machine itself (my devel machine).

>>>>>>>>>>>>
signtool verify /v /o 2:6.0 /c mycat.cat mysys.sys

Verifying: mysys.sys
File is signed in catalog: mycat.cat
Signing Certificate Chain:
Issued to: mycer
Issued by: mycer
Expires: 12/31/2039 4:59:59 PM
SHA1 hash: D575A14F73C939CCD7547C6F6CD6B0B5DC1C6BD1

The signature is timestamped: 5/7/2008 5:34:07 PM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 12/31/2020 4:59:59 PM
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 12/3/2013 4:59:59 PM
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 6/14/2012 4:59:59 PM
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Successfully verified: mysys.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
<<<<<<<<<<<<<

I found that if one just follows the procedures listed in the microsoft
kernel mode signing document noted upthread, everything more or less works.
The OP needs to just follow the recipe.

On Wed, May 7, 2008 at 9:05 PM, Gianluca Varenni
wrote:



Mark Roddy

> 1) Are INF’s also hashed in a CAT file.

Yes.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com