unable to sign xp driver with "official certificate"

Dan_Murphey · March 1, 2007, 9:42am

I am developing a Windows XP USB driver. I have followed the example in the WinDDK 6000 “selfsign_example.cmd”. Using a test certificate, my driver was signed without a problem (as viewed in DeviceManager). Next I purchased a Verisign Class 3 Code Signing certificate. The selfsign_example.cmd script executes properly, signs the driver and catalog file with an authentic certificate and installs the certificate. My driver executes without a problem. However when I view the driver via DeviceManager, it shows as unsigned.

In setupapi.log, all goes well until the final few lines during my driver’s installation:

@ 16:31:43.080 #V155 Executing default installer.
@ 16:31:43.112 #T200 Install Device: Begin.
@ 16:31:43.128 #V124 Doing copy-only install of “USB\VID_0A28&PID_0001\5&B791E26&0&2”.
@ 16:31:43.159 #V005 Opened the PNF file of “c:\windows\inf\oem4.inf” (Language = 0409).
@ 16:31:43.175 #V011 Installing section [XylocUSB.INSTALL.NT] from “c:\windows\inf\oem4.inf”.
@ 16:31:43.191 #T203 Install Device: Queuing files from INF(s).
@ 16:31:43.207 #V005 Opened the PNF file of “C:\WINDOWS\INF\drvindex.inf” (Language = 0409).
@ 16:31:43.239 #V094 Queued copy from section [XylocUSB.CopyFiles] in “c:\windows\inf\oem4.inf”: “XylocUSB.sys” to “XylocUSB.sys” with flags 0x00000024, target directory is “C:\WINDOWS\system32\drivers”.
@ 16:31:43.255 #V095 Source in section [sourcedisksfiles] in “c:\windows\inf\oem4.inf”; Media=1 Description=“XylocUSB Installation Diskette” Tag=“” Path=“”.
@ 16:31:43.287 #T204 Install Device: Queuing coinstaller files from INF(s).
@ 16:31:43.318 #V005 Opened the PNF file of “c:\windows\inf\oem4.inf” (Language = 0409).
#-046 Processing Coinstaller registration section [XylocUSB.INSTALL.NT.CoInstallers].
@ 16:31:43.382 #V056 Coinstallers registered.
@ 16:31:43.398 #V011 Installing section [XylocUSB.INSTALL.NT.Interfaces] from “c:\windows\inf\oem4.inf”.
@ 16:31:43.414 #V054 Interfaces installed.
@ 16:31:43.446 #V121 Device install of “USB\VID_0A28&PID_0001\5&B791E26&0&2” finished successfully.
@ 16:31:43.462 #T201 Install Device: End.
@ 16:31:43.493 #V156 Completed default installer.
@ 16:31:43.509 #T185 Pruning Files: Verifying catalogs/INFs.
@ 16:31:43.541 #I180 Verifying file “c:\windows\inf\oem4.inf” (key “xylocusb.inf”) against catalog “oem4.CAT” failed. Error 1168: Element not found.
@ 16:31:43.557 #I180 Verifying file “c:\windows\inf\oem4.inf” (key “xylocusb.inf”) against catalog “oem4.CAT” failed. Error 1168: Element not found.
@ 16:31:43.589 #T186 Pruning Files: Verifying catalogs/INFs completed.
@ 16:31:43.621 #I180 Verifying file “C:\WINDOWS\system32\DRIVERS\XylocUSB.sys” (key “XylocUSB.sys”) against catalog “C:\WINDOWS\system32\CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xylocusb.cat” failed. Error 0x800b0110: The certificate is not valid for the requested usage.
@ 16:31:43.668 #V330 Verifying file “C:\WINDOWS\system32\DRIVERS\XylocUSB.sys” (key “XylocUSB.sys”) as self-signed failed. Error 0x800b0110: The certificate is not valid for the requested usage.

Might anyone shed some light on my error and advise me as to corrective actions?

OSR_Community_User · March 14, 2007, 10:51am

xxxxx@ensuretech.com wrote:

However when I view the driver via DeviceManager, it shows as unsigned. […]
> Might anyone shed some light on my error and advise me as to
corrective actions?

Only drivers signed with a WHQL release signature do not show up as
“unsigned” in DeviceManager.

WDK Help “Signing Drivers for Public Release”:
“Signing a driver with a WHQL release signature verifies the
authenticity, the integrity, and the reliability of a driver.”

WDK Help “WHQL Release Signature”:
“Driver packages that pass Windows Hardware Quality Labs (WHQL) testing
can be digitally signed by WHQL. If your driver package is digitally
signed by WHQL, it can be distributed through the Windows Update program
or other Microsoft-supported distribution mechanisms.”

WDK Help “Signature Score (Windows Server 2003, Windows XP, and Windows
2000)”
“Beginning with Windows 2000, a driver is considered signed if it has a
WHQL signature. Beginning with Windows Server 2003, a driver is
considered signed if it has a WHQL signature or an Authenticode signature.”

On Win2003Server if you have a signed driver (no WHQL) you get a nice
box “Authenticode signature” (etc. etc.).
Nervertheless a user still has to agree explicitly to the install.

(Yes, I was surprised, too - my SYS file and CAT file both signed, the
thing still shows as “unsigned”. But a quick search helped.)