On ARM Win 11 pro version, when we trying to upload the INF File, we are not able to install the user mode driver as we are facing the issue "Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.".
would appreciate if you could help us in resolving this issue.
Can you provide more details? How is this driver signed? What is the scenario you're trying to do here?
We have an old Unidrv printer driver that we migrated forward to VS2022 in order to try working as a native ARM64 driver to use on the Surface Pro Windows 11 Operating system. We have the migrated driver installing and working as expected on Windows x64 platforms and installing and working under Test Signing mode on the Windows ARM64 platform. We are using a Sectigo EV Code signing certificate that we have been using for several years on Windows x64 without any problems.
The issue we are facing is that in Regular Mode on Windows ARM64 it will not let us install the driver and exits with the "Printer driver was not installed" Error. The "publisher of an Authenticode signed catalog has not yet been established as trusted" message.
On Windows x64 we get the 'Publisher not trusted. Do you still want to install?' dialog displayed and allows the user to say "Yes" to complete the driver install successfully. Are we missing some setting that is needed on the ARM 64 for signing, might there be a Group Policy that needs to be set or is there something else we missed?.
We are aware of the Protected Print Mode that Windows is moving towards and tried Enabling then Disabling it to see if that might kick something loose, but it only prevented selecting a driver with Have a Disk.
We are also aware of the suggestion of getting a WHQL signed certificate, however Windows End of Servicing plan for legacy third party printer drivers, that is going to disappear in the next few months and is not a viable option.
We are using the Manual "Add a Printer" process that Windows has gone back to and when the printer driver selection dialog is displayed it shows our driver has a valid Authenticode signature.
As explained earlier when we click Next on Windows x64 the 'Not trusted …Do you still want to install?' dialog is displayed for the User. However, on Windows ARM64, instead of the 'Do you still want to Install" dialog, we immediately get the following " Printer driver was not installed message:"
We have got an Error message as "Printer Driver was not Installed" and " Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted"
Below is the Windows x64 SetupAPI.dev.log sections showing the 'signed in Authenticode', then 'untrusted publisher' that leads to the 'Do you still want to install…?', followed by the successful install>
{FILE_QUEUE_COMMIT - exit(0x00000000)} 02:22:50.867
** sto: {DRIVERSTORE IMPORT VALIDATE} 02:22:50.867**
** sig: Driver package catalog is valid.**
** sig: {_VERIFY_FILE_SIGNATURE} 02:22:50.867**
** sig: Key = xxx.inf**
** sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp{a075b6b7-b224-6a4d-96e2-72f2aae21fb7}\xxx.inf**
** sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp{a075b6b7-b224-6a4d-96e2-72f2aae21fb7}\xxx64.cat**
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
** sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 02:22:50.899**
** sig: {_VERIFY_FILE_SIGNATURE} 02:22:50.899**
** sig: Key = xxx.inf**
** sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp{a075b6b7-b224-6a4d-96e2-72f2aae21fb7}\xxx.inf**
** sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp{a075b6b7-b224-6a4d-96e2-72f2aae21fb7}\xxx64.cat**
** sig: Success: File is signed in Authenticode(tm) catalog.**
** sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.**
** sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 02:22:50.930**
! sig: Driver package signer is unknown, but user trusts signer.
** sig: Driver package certificate was successfully installed.**
Below is the Log of the same Windows ARM64 SetupAPI.dev.log sections showing the 'signed in Authenticode', then 'untrusted publisher' that results in the "Driver package signer is unknown, and Code Integrity is enforced" and failure to install.
flq: {FILE_QUEUE_COMMIT - exit(0x00000000)} 22:54:51.910
sto: {DRIVERSTORE IMPORT VALIDATE} 22:54:51.910
sig: Driver package catalog is valid.
sig: {_VERIFY_FILE_SIGNATURE} 22:54:51.923
sig: Key = xxxx.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp{7e98b93f-2b8c-1844-9ab3-1a3b58ca013b}\xxx.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp{7e98b93f-2b8c-1844-9ab3-1a3b58ca013b}\xxxARM64.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 22:54:51.965
sig: {_VERIFY_FILE_SIGNATURE} 22:54:51.965
sig: Key = xxx.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp{7e98b93f-2b8c-1844-9ab3-1a3b58ca013b}\xxx.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp{7e98b93f-2b8c-1844-9ab3-1a3b58ca013b}\xxxARM64.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 22:54:52.006
!!! sig: Driver package signer is unknown, and Code Integrity is enforced.
!!! sig: Driver package failed signature validation. Error = 0xE0000242
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000242)} 22:54:52.006
!!! sig: Driver package failed signature verification. Error = 0xE0000242
!!! sto: Failed to import driver package into Driver Store. Error = 0xE0000242
sto: {Stage Driver Package: exit(0xe0000242)} 22:54:52.010
<<< Section end 2025/02/23 22:54:52.014
<<< [Exit status: FAILURE(0xe0000242)]
We tried looking at the Code Integrity event log, but do not see anything related to the printer driver installation.
If it is of any help here is the specific target platform we are using in development:
Device Name: DESKTOP - 8571g7;
PROCESSOR : Snapdragon(R) X 10-core X1P64100 @ 340 GHx 342 GHz
Installed RAM : 16.0 GB
System Type: 64 Bit Operating system ARM Based Processor
Edition: Windows 11 Pro with Version as 24H2.
We appreciate your patience wading through all the details. Does anyone have any guidance or suggestions about what we might look at next?
Thanks.
Unless you are in "test" mode, or have the kernel debugger attached, all drivers must be signed by Microsoft. Self-signing is no longer possible.
You'll need a Windows Hardware Dashboard account so you can submit for attestation signing.
User mode is different. I just tested this out on win11 x64, and an EV cert signing works fine, although you have to ack it. Like release signing in the better old days, you can likely just install the cert in trusted certs and avoid the popup. I haven't tested self sign certs without being in test mode, but I suspect they will also work. The MSFT docs are ambiguous. They also do not say anything at all about ARM64.
ARM64 is more strict and does not allow you to use your own cert unless you're in test mode
So... Zadig is broken for ARM? Oh no.