Hi experts,
I have a short question: does Windows XP 64 support test-signed drivers?
I have created and signed my driver following the steps that KMCS.doc describes.
// I create the cat to support XP 64, Vista 64, Win7 64
create cat :
Inf2cat.exe /driver:C:\workspace /os:XP_X64,Vista_x64
//signtool :
Signtool sign /v /s PrivateCertStore /n Contoso(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.cat
… also mydriver.sys and mydriver.dll
This driver package installs successfully on Vista and Win7 with Digital signer = my company.
But when I install this package on Windows XP Professional x64 Edition, it shows that the driver package is not digitally signed!!
Any clue would be gratefully appreciated!
On 9/5/2011 11:12 AM, xxxxx@hotmail.com wrote:
> but installed this package in windows XP 64 professional x64 edition
> ,it shows that the driver package is not digital signed !!
(a) Without “WHQL signature”, a driver is displayed as “not signed” in
Device Manager. It still installs and loads.
(b) If you want to test your Testsigning on another machine, you must
install your self-generated test certificate in the “trusted root” or
“trusted publisher” certificate store of the new machine.
> (a) Without “WHQL signature”, a driver is displayed as “not signed” in
> Device Manager. It still installs and loads.
Yes, it still loads and works correctly. We need some integration tests, and on a *clean* OS the driver cannot be auto-installed, as it’s not signed.
> (b) If you want to test your Testsigning on another machine, you must
> install your self-generated test certificate in the “trusted root” or
> “trusted publisher” certificate store of the new machine.
I did do that; I installed the certificate with certmgr.exe. The steps are the same as on Vista 64 except for “test mode”, as Win XP64 does not support bcdedit. On Vista it is OK and shows the digital signer,
but it didn’t on XP64.
On 9/6/2011 3:12 AM, xxxxx@hotmail.com wrote:
> and it is ok in vista shows the digital signer but it didn’t in XP64
WHERE does it [not] show the signer?
- In “Device Manager”?
- In “Properties” from explorer.exe?
- In output from certmgr.exe?
- …?
If I recall correctly XP x64 is the equivalent code base of W2k3, and
that is off on its own with respect to driver signing. There are no
test signing options for boot. You cannot do the same thing one can do
on XP 32bit with installing a non-verisign test cert and then
installing your driver. You used to be able to get a WHQL test signing
signature for your package and install that - but I think that program
was discontinued a long time ago. You might be able to use a domain
cert, or a cert installed during sysprep.
Mark Roddy
On Tue, Sep 6, 2011 at 7:35 AM, Hagen Patzke wrote:
> On 9/6/2011 3:12 AM, xxxxx@hotmail.com wrote:
>> and it is ok in vista shows the digital signer but it didn’t in XP64
>
> WHERE does it [not] show the signer?
> - In “Device Manager”?
> - In “Properties” from explorer.exe?
> - In output from certmgr.exe?
> - …?
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
When I last tried a non-WHQL signed PnP driver package on XP-64 I found that having a self-signed test certificate installed as Trusted Root and as Trusted Publisher worked (no prompts). The trick in XP and XP-64 seemed to be that the test certificate needed to be self-signed (a root cert). Maybe I was dreaming…
Good Luck,
Dave Cattley
Hello,
Yes, on Windows XP, if you want to get an automatic installation you need to
get your driver signed by WHQL. The “designed for Windows XP” program has been
dead for a long time, but you are still able to get a driver signed by WHQL.
You have to test with WLK 1.6 for the class of your driver and submit the results
to WHQL. There exists a class for drivers that don’t match any other class; I
just do not remember the name. Because the program is now dead, you will
not be allowed to put the “designed for Windows XP logo” on your product,
but you probably don’t care about that.
One good thing, this kind of signing for Windows XP is free. If they try to
charge you, just remind them that this is now a free service.
Martin
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
Sent: September-06-11 9:49 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Short quetions: does Win XP 64 support test sign driver ?
If I recall correctly XP x64 is the equivalent code base of W2k3, and that
is off on its own with respect to driver signing. There are no test signing
options for boot. You cannot do the same thing one can do on XP 32bit with
installing a non-verisign test cert and then installing your driver. You
used to be able to get a WHQL test signing signature for your package and
install that - but I think that program was discontinued a long time ago.
You might be able to use a domain cert, or a cert installed during sysprep.
Mark Roddy
On Tue, Sep 6, 2011 at 7:35 AM, Hagen Patzke wrote:
> On 9/6/2011 3:12 AM, xxxxx@hotmail.com wrote:
>> and it is ok in vista shows the digital signer but it didn’t in XP64
>
> WHERE does it [not] show the signer?
> - In “Device Manager”?
> - In “Properties” from explorer.exe?
> - In output from certmgr.exe?
> - …?
Martin Dubois wrote:
> One good thing, this kind of signing for Windows XP is free. If they try to
> charge you, just remember them that this is now a free service.
It’s not that easy. It’s true they don’t charge for the XP signature,
but you can only get the XP signature as part of another submission.
So, you have to submit your package for Windows 7 signature; when you do
that, you check the box saying you want XP as well. You cannot submit a
package for an XP signature by itself. In fact, I don’t think you can
even submit for Vista by itself.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Hi boys, back to my question! I know WHQL is free for XP with another submission; I have done that twice. I was just puzzled that SELF SIGN on XP 64 does not take effect, and the OS cannot even recognize the signature on XP 64. On XP, Vista 32/64 and Win7 32/64 the test signing works fine.
My XP 64 OS is Windows XP Professional x64 Edition Version 2003 SP2.
> WHERE does it [not] show the signer?
In Device Manager, in the properties of the device item. Even when I update the driver in Device Manager and then select the INF to be installed, there is no signed icon in the device list.
I generated the XP 64 CAT file with the command:
INF2CAT /driver:c:/ /os:XP_X64,Server2003_X64,Vista_X64
I checked the inf, cat and sys; it shows that the driver is signed:
D:\WinDDK\7600.16385.1\bin\x86>Signtool verify /pa /v /c .cat .inf
Verifying: .inf
File is signed in catalog: .cat
Hash of file (sha1): AB22BFE4BDA08621B8744EE71D853F2746721B4F
Signing Certificate Chain:
Issued to: mykey
Issued by: mykey
Expires: Sun Jan 01 07:59:59 2040
SHA1 hash: E8F836C229E9E4FFEA0D46F3F2A862CFA823B61E
The signature is timestamped: Tue Sep 06 10:49:31 2011
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 07:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 07:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Fri Jun 15 07:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Successfully verified: .inf
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
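An added example, not part of the original posts: a small parser for the `signtool verify /v` output shown above that splits the signing chain from the timestamp chain and reports whether the signer is a lone certificate issued to itself, the property discussed in this thread for test certificates. The function names are hypothetical, and comparing the "Issued to" and "Issued by" names is a name-level heuristic, not a cryptographic check.

```python
import re

# Trimmed from the signtool output in the post above (third timestamp cert omitted).
SAMPLE = """\
Verifying: .inf
File is signed in catalog: .cat
Hash of file (sha1): AB22BFE4BDA08621B8744EE71D853F2746721B4F
Signing Certificate Chain:
Issued to: mykey
Issued by: mykey
Expires: Sun Jan 01 07:59:59 2040
SHA1 hash: E8F836C229E9E4FFEA0D46F3F2A862CFA823B61E
The signature is timestamped: Tue Sep 06 10:49:31 2011
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 07:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 07:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Successfully verified: .inf
"""

SECTIONS = {"Signing Certificate Chain:": "signing", "Timestamp Verified by:": "timestamp"}
FIELD = re.compile(r"^\s*(Issued to|Issued by|Expires|SHA1 hash):\s*(.+?)\s*$")

def parse_chains(text):
    """Return {'signing': [cert, ...], 'timestamp': [cert, ...]} in printed order."""
    chains, current = {"signing": [], "timestamp": []}, None
    for line in text.splitlines():
        if line.strip() in SECTIONS:
            current = SECTIONS[line.strip()]
            continue
        m = FIELD.match(line)
        if not m or current is None:
            continue
        key, value = m.groups()
        if key == "Issued to":          # each certificate entry starts with this field
            chains[current].append({})
        if chains[current]:
            chains[current][-1][key] = value
    return chains

def signer_is_self_issued(text):
    """True when the signing chain is a single cert whose subject equals its issuer."""
    chain = parse_chains(text)["signing"]
    return len(chain) == 1 and chain[0].get("Issued to") == chain[0].get("Issued by")
```

Note that a successful `signtool verify /pa` only shows the catalog validates on the machine where it was run; it says nothing about how the device installer on the target OS treats the signer.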
>that the test certificate needed to be self-signed (a root cert).
Good to know this.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> If I recall correctly XP x64 is the equivalent code base of W2k3, and
> that is off on its own with respect to driver signing. There are no
> test signing options for boot. You cannot do the same thing one can do
> on XP 32bit with installing a non-verisign test cert and then
> installing your driver.
I know that XP 64 doesn’t support “Test Mode”, but I doubt that XP64 would not support self sign.
> that the test certificate needed to be self-signed (a root cert).
Which root cert? Are you suggesting that I sign my test certificate with a root cert? And that can make XP64 recognize the self signature?
About 6 months ago, I got a free XP signature without creating a submission
for Vista or Windows 7. My customer is using self-signed drivers for Windows
7 and Vista.
In order to remove the warning message on Windows XP, the problem is not the
root certificate but the purpose of the certificate. The certificate must be
created to sign system components. Each certificate includes information about
the purpose it has been created for. The certificate you get from VeriSign
is created to sign software. But on Windows XP, the certificate used must
be created to sign system components. The only official certificates I ever
saw with this purpose in the list are the WHQL certificates. I also
successfully generated a test certificate with this purpose using makecert
(I do not remember the switch or the trick) and my customer used it as a
“workaround” while waiting for the WHQL signing. This one must then be added to
the “Root” certificate store.
Martin
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: September-06-11 4:04 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Short quetions: does Win XP 64 support test sign driver ?
Martin Dubois wrote:
> One good thing, this kind of signing for Windows XP is free. If they
> try to charge you, just remember them that this is now a free service.
It’s not that easy. It’s true they don’t charge for the XP signature, but
you can only get the XP signature as part of another submission.
So, you have to submit your package for Windows 7 signature; when you do
that, you check the box saying you want XP as well. You cannot submit a
package for an XP signature by itself. In fact, I don’t think you can even
submit for Vista by itself.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
I got this message from the Internet:
Win2k3 does not support self-signed, but supports test signing from Microsoft, for which the root certificate testroot.cer should be installed.
Win XP64 belongs to the Win2K3 family, so I cannot silently install the driver on Win XP64 with my self sign, unless I submit for the test signature from MS.
I don’t think W2k3 supports selfsign either. In fact I am pretty sure
it doesn’t, at least not in the same way that XP 32bit does. Plus as I
said, XP64 and W2K3 are the same code base release and they likely
behave the same way.
I know from experimentation that an XP selfsign using a local cert
pre-installed to the appropriate places works like a charm on XP32 and
the same exact procedure doesn’t work at all on W2K3. I seem to
remember that you can pre-install a cert on sysprep for W2K3 and that
cert will work.
Mark Roddy
On Wed, Sep 7, 2011 at 5:23 AM, wrote:
>>If I recall correctly XP x64 is the equivalent code base of W2k3, and
>>that is off on its own with respect to driver signing. There are no
>>test signing options for boot. You cannot do the same thing one can do
>>on XP 32bit with installing a non-verisign test cert and then
>>installing your driver.
> I know that the XP 64 didn’t support “Test Mode” , but i doubt that XP64 would not support self sign.
>
>>that the test certificate needed to be self-signed (a root cert).
> which root cert ? Are you suggesting me to sign my test certificate with root cert ? and that can make XP64 to recognize the self signature ?