Windows 64bit complains that my debug driver is not signed

After installing my upper filter driver and rebooting, Windows 7 64bit complains that my driver is not signed. This only happens if it is the debug version of my driver even though it *is* actually signed. It tells the user that the driver is not available, but in fact the app which uses this filter operates exactly as expected indicating that it is available. If I install the release version of my driver then I don’t get the message. Is this just a protection mechanism for not installing debug drivers?

Hmmm. I jumped the gun on this apparently so probably best to ignore that first post. My problems are worse than that and clearly there is something I don’t understand about this process altogether.

I have simplified the process down to right clicking the inf file and choosing install. I still get the notification that Windows requires a signed driver. The .sys and .cat are both signed with a current valid certificate. What am I missing here?

xxxxx@nchsoftware.com wrote:

I have simplified the process down to right clicking the inf file and choosing install. I still get the notification that Windows requires a signed driver. The .sys and .cat are both signed with a current valid certificate. What am I missing here?

The likely issue is that you have not done the signing properly. For
KMCS, you must include the “cross certificate” that matches the
certificate authority that issued your certificate. Sometimes, you get
that from the issuing authority, sometimes you get that from Microsoft’s
master list. Who issued your certificate?

You can check this using
signtool verify /kp /v

If the first one in the chain is not Microsoft Code Verification Root,
then you did not include the cross certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@nchsoftware.com wrote:

I have simplified the process down to right clicking the inf file and choosing install. I still get the notification that Windows requires a signed driver. The .sys and .cat are both signed with a current valid certificate. What am I missing here?

By the way, a CAT file is irrelevant for a right-click install. That is
basically a cheap software installer – it’s not a plug-and-play
install, it can’t be pre-installed, and the CAT file is never checked…


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Check which signtool you are using when signing the code. The one from the Windows SDK (“C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\signtool”) works correctly for me, while the one that comes with WinDDK results in Error 52 when installing the driver.

Rachel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Monday, March 26, 2012 8:41 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Windows 64bit complains that my debug driver is not signed

xxxxx@nchsoftware.com wrote:

I have simplified the process down to right clicking the inf file and choosing install. I still get the notification that Windows requires a signed driver. The .sys and .cat are both signed with a current valid certificate. What am I missing here?

The likely issue is that you have not done the signing properly. For
KMCS, you must include the “cross certificate” that matches the
certificate authority that issued your certificate. Sometimes, you get
that from the issuing authority, sometimes you get that from Microsoft’s
master list. Who issued your certificate?

You can check this using
signtool verify /kp /v

If the first one in the chain is not Microsoft Code Verification Root,
then you did not include the cross certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



> The likely issue is that you have not done the signing properly.

Thanks, Tim. That’s exactly what the problem is. Funny how you have to run the verify command to actually uncover that. A warning message during the signing process would have saved me a bit of time.

xxxxx@nchsoftware.com wrote:

> The likely issue is that you have not done the signing properly.
Thanks, Tim. That’s exactly what the problem is. Funny how you have to run the verify command to actually uncover that. A warning message during the signing process would have saved me a bit of time.

The “signtool sign” command will show you the exact same thing with the
/v parameter.

Unfortunately, this problem is not really something signtool can
diagnose. Your package WAS correctly signed, for most definitions of
the word “correctly”. It was simply not signed in a way that satisfies
KMCS. KMCS requires that the certificate chain end at a very specific
spot. Signtool can’t know that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
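
The check described in the thread (the chain must start at Microsoft Code Verification Root) can be automated as a post-signing build step. This is an added example, not code from any poster; the two sample outputs are constructed, and the parser assumes signtool prints indented "Issued to:" lines under unindented section headers and that `signtool` is on the PATH.

```python
import re
import subprocess

KMCS_ROOT = "Microsoft Code Verification Root"

# Constructed samples of `signtool verify /kp /v` output (names are placeholders).
CROSS_SIGNED = """\
Verifying: mydriver.sys
Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
        Issued to: Example Issuing CA
        Issued by: Microsoft Code Verification Root
            Issued to: Example Driver Vendor
            Issued by: Example Issuing CA
"""
NO_CROSS_CERT = """\
Verifying: mydriver.sys
Signing Certificate Chain:
    Issued to: Example Issuing CA
    Issued by: Example Issuing CA
        Issued to: Example Driver Vendor
        Issued by: Example Issuing CA
"""

def parse_chains(output):
    """Map each unindented section header to its 'Issued to' names, root first."""
    chains, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # a new section header starts here
            current = line.strip().rstrip(":")
            continue
        m = re.match(r"\s+Issued to:\s*(.+)", line)
        if m and current is not None:
            chains.setdefault(current, []).append(m.group(1).strip())
    return chains

def chains_to_kmcs_root(output):
    """True if any certificate chain in the output starts at the KMCS root."""
    return any(names[0] == KMCS_ROOT for names in parse_chains(output).values())

def check_file(path, signtool="signtool"):
    """Run signtool on a real file (Windows only) and apply the same check."""
    result = subprocess.run([signtool, "verify", "/kp", "/v", path],
                            capture_output=True, text=True)
    return result.returncode == 0 and chains_to_kmcs_root(result.stdout)
```

Calling `check_file` on the signed .sys right after signing and failing the build on `False` surfaces a missing cross certificate before the driver reaches a test machine.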