Test WHQL signing DOES work. You need to:
- generate a valid .cat file with something like inf2cat.exe
- package the .cat file(s) in a .cab file with any of the .cab tools
(cabarc, makecab)
- upload the .cab and wait for the winqual site to process it (NO tests
need to be run)
- download and replace your unsigned .cat with the test signed one
- add the whql test root certificate to the correct certificate store on
the test system (the test root file used to be really hard to find a copy
of)
- reboot
- you can tell the test root is correctly installed by a banner showing up
on the bottom right of the screen that says something like “for testing
purposes only”
- your driver now acts just like a whql signed one, except you can’t
legally give it to customers
Unclassified whql signatures (which can be shipped to customers) can be
given to drivers that pass the dtm unclassified tests. The unclassified
tests are significantly easier to pass than full device class tests. An
unclassified signature allows W2K3 to technically function with a whql
signed driver (i.e. server side silent install works for all device classes)
but you can’t claim to be whql certified in any marketing, and I don’t
believe it qualifies for OS support (MSFT will not give support guarantees
for systems running non-WHQL certified drivers). I thought you can’t put an
unclassified signed driver on Windows Update, although someone here thought
that was not true. The process is just like normal WHQL certification,
except you select the unclassified device class in dtm. I assume the costs
are also the same for unclassified signatures. Last I knew, ANY device class
can be signed in the unclassified category, even if it normally would fit in
a more stringently tested device class.
Vista/W2K8 are more flexible about driver signing, and you can use a self
signed certificate if you install it and tell the OS to give equal weight to
non-WHQL signatures.
I’ve only worked on server OS’s for a while, so am not sure what XP signing
requirements are. I believe a little less stringent than W2K3, but not as
flexible as Vista/W2K8. There used to be an obscure Microsoft document that
spelled out in explicit detail what each OS version’s driver signing
policies were.
Jan
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ashish Purkar
Sent: Tuesday, February 24, 2009 10:57 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] self-signed NIC coinstaller prevent the nic being
disabled?
I had a similar experience with a coinstaller on win2k3.
I tried to use the test-sign facility on the winqual site and they demand “cabbed
cat files” to upload. What is that exactly?
As a try, I used makecab to create a cab file of our cat file and uploaded it, but
winqual is showing failed status.
What is unclassified signature?
Thanks,
Ashish
On Wed, Feb 25, 2009 at 7:42 AM, Jan Bottorff wrote:
> So my question is: do I have to get WHQL sign of the driver
> package to get rid of this issue or self-sign/test-sign
> should be fine and there might be some problem with my
> coinstaller? My coinstaller is not called during the
> disable. If anybody on the list has had a similar experience,
> I would appreciate it if you could share it with me.
For W2K3, an Authenticode certificate will not work for a device that has a
WHQL signature class, like a NIC.
You will have to get a real WHQL signature, although an unclassified
signature will do the trick.
For testing use only (you can’t ship to customers), you can get a WHQL test
signature (no tests required) from the winqual site and install the test
root (this is not a self signature like Vista/W2K8 test signatures).
Jan
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
–
Ashish Purkar