Sign your driver (the .cat) with a Verisign/GlobalSign certificate AND add
that certificate to, I believe, the Trusted Publisher certificate store.
You can also add the Trusted Publisher certificate via a domain controller
for every machine in the domain.
My understanding of the signing requirements for silent install on the
different OS flavors (somebody jump in to correct this if I’m wrong):
- Windows 7, allows .cat signing with an Authenticode certificate,
  from a trusted root like Verisign, installed in the correct certificate
  store, defaults to working just like WHQL signing
- Vista, also allows .cat signing with an Authenticode certificate,
  from a trusted root like Verisign, installed in the correct certificate
  store, works just like WHQL signing ONLY IF you set a group policy option to
  make WHQL and company certificate signing of equal weight
- Win 2003 Server, WHQL signing ONLY, no real way to override it,
  which is one reason we have the unclassified WHQL category, the user option
  does not work
- XP, not positive, but seems like there was a working user option to
  control unsigned install behavior
For Vista/Win7 I believe you need to preinstall the driver package in the
certificate store, as the distinction between server side and client side
driver install is gone.
There is also the strategy of writing non-PnP legacy drivers (not
recommended) and you just use the service manager APIs. No INF is involved
so no signature check (except for kernel code signing on 64-bit).
Since I know a bit about your product, and your drivers may be in the
display path, you might be having a signing issue for DRM signing. I believe
DRM signing is an attribute set as part of WHQL signing. It applies to any
driver in the protected media stacks where decrypted media data flows by. I
don’t believe there is any escape from DRM signing requirements as it would
make all DRM meaningless if there were. You MUST pass WHQL requirements for
DRM to get that level of signing.
Jan
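
Added example, not part of the original message: a PowerShell check that reports whether a driver package's catalog carries a valid Authenticode signature and whether its signer certificate is present in the machine's Trusted Publisher store, the two conditions the reply above ties to a prompt-free install. The catalog path and the function name Test-DriverCatalogTrust are hypothetical placeholders.

```powershell
# Added example. The default catalog path is a hypothetical placeholder.
param(
    [string]$CatalogPath = 'C:\Drivers\Example\example.cat'
)

function Test-DriverCatalogTrust {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Catalog not found: $Path"
    }

    # Verify the Authenticode signature (and its chain) on the .cat file.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # Look for the exact signer certificate in the machine-wide
    # Trusted Publisher store, matching on thumbprint.
    $inTrustedPublisher = $false
    if ($signer) {
        $match = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
        $inTrustedPublisher = [bool]$match
    }

    # An unsigned catalog has no signer certificate; report empty fields.
    $subject  = $null
    $notAfter = $null
    if ($signer) {
        $subject  = $signer.Subject
        $notAfter = $signer.NotAfter
    }

    New-Object PSObject -Property @{
        Catalog            = $Path
        SignatureStatus    = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        SignerSubject      = $subject
        SignerNotAfter     = $notAfter
        InTrustedPublisher = $inTrustedPublisher
        # Both conditions must hold for the publisher to be pre-trusted.
        PublisherPreTrusted = ($sig.Status -eq 'Valid') -and $inTrustedPublisher
    }
}

Test-DriverCatalogTrust -Path $CatalogPath | Format-List
```
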
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pankaj Garg
Sent: Wednesday, February 10, 2010 5:46 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Disabling Windows 7 Driver Singing check
Is there an option by which Win 7 (32 bit) will not warn about an unsigned
driver? By this I mean the dialog box that appears warning the user about
unsigned driver.
Some documentation suggests a boot time option (disable integrity check)
should work but my testing indicates that it doesn’t work.
Thanks
Pankaj
PS…Yes I know we should have signed drivers…hopefully at some point we
will. Until then I need this to make a silent install work without the
dialog box.