Vista x86 test signing

[i’ll try again with a new thread…]

Hi all.

Is the procedure to test-sign a Vista x64 driver described in the link below
valid for Vista x86?

http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

Having a test-signed driver for Vista and XP 32bit has become really
discouraging. I need to have a test-signed driver to test the dynamic
installation of a driver for 32bit systems and I need to be sure that no
dialog “driver no certified…” is shown, noone seems to be able to give a
final answer to this.

I asked winqual, they test-signed my CAT files, from what I read on the
internet I need the testroot.cer file to use them. I asked them, I asked
this mailing list about this file. Nothing.

How should I proceed?
Has anyone used test-signing for 32bit on XP/Vista?

GV

Hmmmm… I’m not sure what to answer, cuz I’m not sure what you’re asking.

You don’t NEED to sign 32-bit drivers on x86. Just x64. I guess you COULD sign then for x86, I don’t think it’d HURT anything, but I don’t think anything checks the signatures for 32-bit.

What am I missing in your question?

Peter
OSR

The procedure is valid for Vista x86. Unlike Vista x64, Vista x86 won’t
prevent driver from loading if it is not signed, however you will get the
“Found New Hardware wizard…” pop up on xp and “Windows can’t verify the
publisher…” window on Vista. So, by signing x86 driver you can avoid
getting these pop ups.

Using the process described in the kmcs_walkthrough doc (the link in your
email) you can create your own test certificate (so you can create
mycert.cer instead of looking for testroot.cer), sign your driver using this
cert, add the cert to your machine certificate store and then install the
driver.

  • kumar

This posting is provided “AS IS” with no warranties, and confers no rights.

“Gianluca Varenni” wrote in message
news:xxxxx@ntdev…
> [i’ll try again with a new thread…]
>
> Hi all.
>
> Is the procedure to test-sign a Vista x64 driver described in the link
> below valid for Vista x86?
>
> http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
>
> Having a test-signed driver for Vista and XP 32bit has become really
> discouraging. I need to have a test-signed driver to test the dynamic
> installation of a driver for 32bit systems and I need to be sure that no
> dialog “driver no certified…” is shown, noone seems to be able to give
> a final answer to this.
>
> I asked winqual, they test-signed my CAT files, from what I read on the
> internet I need the testroot.cer file to use them. I asked them, I asked
> this mailing list about this file. Nothing.
>
> How should I proceed?
> Has anyone used test-signing for 32bit on XP/Vista?
>
> GV
>
>
>

“Gianluca Varenni” wrote:

> I asked winqual, they test-signed my CAT files, from what I read on the
> internet I need the testroot.cer file to use them. I asked them, I asked
> this mailing list about this file. Nothing.

This is the part that kept me from responding. The KMCS walkthrough
document is for how you test-sign and/or release-sign your own driver,
for the purposes of proving who published the driver. You can
generate your own test certificate and test-sign everything with a
50-foot radius, using the steps in the KMCS walkthrough.

But this has nothing to do with winqual or WHQL testing, or the manner
in which your driver would be signed by winqual. If “they test-signed
my CAT files”, I have no idea what that means or what certificates are
involved. (Although perhaps running SIGNTOOL VERIFY against the
catalog would show you more detail about certificate and/or authority
you’re looking for.)

I was just waiting for someone familiar with the WHQL process to jump
in with “I’ve never heard of them test-signing a driver” or “yeah, the
test certificate they use simply needs you to add Root Agency as a
root authority, just like the self-sign test certificate would”.

Unless I too am just off-base on what it is you’re really asking.

Alan Adams

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 26, 2006 6:36 PM
Subject: RE:[ntdev] Vista x86 test signing

> Hmmmm… I’m not sure what to answer, cuz I’m not sure what you’re asking.
>
> You don’t NEED to sign 32-bit drivers on x86. Just x64. I guess you
> COULD sign then for x86, I don’t think it’d HURT anything, but I don’t
> think anything checks the signatures for 32-bit.
>
> What am I missing in your question?

I know that you don’t need to sign such drivers, but if they are not
signed, when you install them you have a wonderful dialog complaining. I
need to make sure that this doesn’t happen, that’s why I need to test-sign
the driver, testing the installation.

GV

>
> Peter
> OSR
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

----- Original Message -----
From: “Kumar Rajeev [MSFT]”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 26, 2006 7:21 PM
Subject: Re:[ntdev] Vista x86 test signing

> The procedure is valid for Vista x86. Unlike Vista x64, Vista x86 won’t
> prevent driver from loading if it is not signed, however you will get the
> “Found New Hardware wizard…” pop up on xp and “Windows can’t verify the
> publisher…” window on Vista. So, by signing x86 driver you can avoid
> getting these pop ups.
>
> Using the process described in the kmcs_walkthrough doc (the link in your
> email) you can create your own test certificate (so you can create
> mycert.cer instead of looking for testroot.cer), sign your driver using
> this cert, add the cert to your machine certificate store and then install
> the driver.

This means that the procedure you (uhm… winqual) use to test sign the
drivers we submit is the same as the one that we would obtain doing
everything on our own following that document. Right? What’s the reason then
to send you (xxxxx@microsoft.com) some drivers for test-signing if we can
do that on our own following that procedure? Moreover, I just received a
mail from MS about test signing, saying that there’s a transition period,
and

----
We are pleased to announce that the Winqual dev work to restore test
signatures via an automated process has been completed and will be included
in the next revision to the Winqual web site next month. Until then, if you
need one of these signatures renewed you will need to continue to use the
mail-in we are currently using.
----

This makes things more and more confused… (maybe I’m the one confused).

Have a nice day
GV

>
> - kumar
>
> This posting is provided “AS IS” with no warranties, and confers no
> rights.
>
> “Gianluca Varenni” wrote in message
> news:xxxxx@ntdev…
>> [i’ll try again with a new thread…]
>>
>> Hi all.
>>
>> Is the procedure to test-sign a Vista x64 driver described in the link
>> below valid for Vista x86?
>>
>> http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
>>
>> Having a test-signed driver for Vista and XP 32bit has become really
>> discouraging. I need to have a test-signed driver to test the dynamic
>> installation of a driver for 32bit systems and I need to be sure that no
>> dialog “driver no certified…” is shown, noone seems to be able to give
>> a final answer to this.
>>
>> I asked winqual, they test-signed my CAT files, from what I read on the
>> internet I need the testroot.cer file to use them. I asked them, I asked
>> this mailing list about this file. Nothing.
>>
>> How should I proceed?
>> Has anyone used test-signing for 32bit on XP/Vista?
>>
>> GV
>>
>>
>>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

----- Original Message -----
From: “Alan Adams”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Friday, October 27, 2006 3:00 AM
Subject: Re:[ntdev] Vista x86 test signing

> “Gianluca Varenni” wrote:
>
>> I asked winqual, they test-signed my CAT files, from what I read on the
>> internet I need the testroot.cer file to use them. I asked them, I asked
>> this mailing list about this file. Nothing.
>
> This is the part that kept me from responding. The KMCS walkthrough
> document is for how you test-sign and/or release-sign your own driver,
> for the purposes of proving who published the driver. You can
> generate your own test certificate and test-sign everything with a
> 50-foot radius, using the steps in the KMCS walkthrough.
>
> But this has nothing to do with winqual or WHQL testing, or the manner
> in which your driver would be signed by winqual. If “they test-signed
> my CAT files”, I have no idea what that means or what certificates are
> involved. (Although perhaps running SIGNTOOL VERIFY against the
> catalog would show you more detail about certificate and/or authority
> you’re looking for.)
>
> I was just waiting for someone familiar with the WHQL process to jump
> in with “I’ve never heard of them test-signing a driver” or “yeah, the
> test certificate they use simply needs you to add Root Agency as a
> root authority, just like the self-sign test certificate would”.
>

From what I understood (and after a day of testing/signing/yelling),
basically their test signing works in the same exact way as KMCS
walkthrough. That document seems to apply to Vista x64, but it actually
applies to general test-signing…

Again, this is what I understood…

GV

> Unless I too am just off-base on what it is you’re really asking.
>
> Alan Adams
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

>sign then for x86, I don’t think it’d HURT anything, but I don’t think
anything checks

the signatures for 32-bit.

I remember some MS’s health-monitoring tool in Vista - kinda antispyware,
forgot its name - and it is offended by unsigned kmode binaries, even on 32bit.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com