RE: Disabling Windows 7 Driver Signing check

Sign your driver (the .cat) with a Verisign/GlobalSign certificate AND add
that certificate to, I believe, the Trusted Publisher certificate store.
You can also add the Trusted Publisher certificate via a domain controller
for every machine in the domain.

My understanding of the signing requirements for silent install on the
different OS flavors (somebody jump in to correct this if I’m wrong):

  1. Windows 7 allows .cat signing with an Authenticode certificate,
     from a trusted root like Verisign, installed in the correct certificate
     store; defaults to working just like WHQL signing

  2. Vista also allows .cat signing with an Authenticode certificate,
     from a trusted root like Verisign, installed in the correct certificate
     store; works just like WHQL signing ONLY IF you set a group policy option to
     make WHQL and company certificate signing of equal weight

  3. Win 2003 Server: WHQL signing ONLY, no real way to override it,
     which is one reason we have the unclassified WHQL category; the user option
     does not work

  4. XP: not positive, but seems like there was a working user option to
     control unsigned install behavior

For Vista/Win7 I believe you need to preinstall the driver package in the
certificate store, as the distinction between server side and client side
driver install is gone.

There is also the strategy of writing non-PnP legacy drivers (not
recommended), where you just use the service manager APIs. No INF is involved,
so there is no signature check (except for kernel code signing on 64-bit).

Since I know a bit about your product, and your drivers may be in the
display path, you might be having a signing issue for DRM signing. I believe
DRM signing is an attribute set as part of WHQL signing. It applies to any
driver in the protected media stacks where decrypted media data flows by. I
don’t believe there is any escape from DRM signing requirements, as it would
make all DRM meaningless if there were. You MUST pass WHQL requirements for
DRM to get that level of signing.

Jan

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pankaj Garg
Sent: Wednesday, February 10, 2010 5:46 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Disabling Windows 7 Driver Signing check

Is there an option by which Win 7 (32 bit) will not warn about an unsigned
driver? By this I mean the dialog box that appears warning the user about
unsigned driver.

Some documentation suggests a boot time option (disable integrity check)
should work but my testing indicates that it doesn’t work.

Thanks

Pankaj

PS: Yes, I know we should have signed drivers; hopefully at some point we
will. Until then I need this to make a silent install work without the
dialog box.


NTDEV is sponsored by OSR


>Sign your driver (the .cat) with a Verisign/GlobalSign certificate AND add that certificate to, I believe,
>the Trusted Publisher certificate store. You can also add the Trusted Publisher certificate via a
>domain controller for every machine in the domain.

I’ve discovered the better, but undocumented way.

  1. create a self-sign test cert using makecert
  2. open it by Windows shell, look at the chain, find the Root Agency
  3. export the Root Agency’s cert to .cer file
  4. install this .cer file to the Trusted Root Cert Auths of the machine (not of the user; use mmc.exe and manually add two Certificates snap-ins, for Machine and User, then install to User and move to Machine by mouse drag-and-drop).

After this, the test-signed package behaves exactly as the corporate-signed non-WHQLed one, i.e. “Do you trust this software” yellow warning. And, if the self-sign test itself (leaf, not root) is put to Trusted Publishers, then the install is silent.

>1. Windows 7, allows .cat signing with an Authenticode certificate, from a trusted root like Verisign,
>installed in the correct certificate store, defaults to working just like WHQL signing

The signature and the whole cert chain must be valid and end with a cert in the Trusted Root Cert Auths of the machine.

Failure at this step shows the red warning box of “unsigned” or “invalid signature”.

Then, if the cert (in the end of the chain, actually used for signing, not the root) is also in Trusted Publishers, the install is silent.

Else, the yellow warning of “Do you trust the software from ?” is displayed.

As for WHQL - I think their cert is just pre-installed to Trusted Publishers.

Surely I’m speaking about the install path of “devcon dp_add”+“devcon install”, i.e. SetupCopyOEMInf + root devnode creation + UpdateDriverForPlugAndPlayDevices.

The signature and trust is checked in SetupCopyOEMInf, which copies from your dir to Driver Store\FileRepository + oem%d.inf + oem%d.pnf and nothing else, which seems to be the normal path for software hardware-less kernel add-ons which need to create PDOs.

Only the driver installation for the devnode (inside UpdateDriverForPlugAndPlayDevices) copies the .sys to system32\drivers and creates the AddService/AddReg registry entries (SC database, event log source etc).

>4) XP, not positive, but seems like there was a working user option to control unsigned install
>behavior

More so, on pre-Vista, non-WHQLed PnP packages will give the “Do you trust” UI warning on each devnode installation, not only on SetupCopyOEMInf.

>There is also the strategy of writing non-PnP legacy drivers (not recommended) and you just use the
>service manager API’s. No INF is involved so no signature check

Yes. Now try to create the PDO from such. I’ve tried IoReportDetectedDevice and was dissatisfied by lots of tiny issues with this, so I switched to normal root devnode path.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
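The trust decision Maxim describes (chain must end in the machine Trusted Root store, and the signing leaf in Trusted Publishers makes the install silent) can be checked from the admin side. Below is an added example, not code from this thread or from Jan's or Maxim's projects: it predicts which prompt a package's .cat would trigger and lists the artifacts the makecert "Root Agency" trick leaves in the machine stores. The function names are assumptions; it assumes PowerShell 3.0+ and rights to read the LocalMachine stores.

```powershell
# Added example (not from the thread). Function names are assumptions.
function Test-DriverPackageTrust {
    param([Parameter(Mandatory = $true)][string]$CatalogPath)  # path to the package .cat

    $sig = Get-AuthenticodeSignature -FilePath $CatalogPath
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return 'InvalidSignature'           # red box: unsigned or broken signature
    }

    # Rebuild the chain ourselves so we can inspect which root it ends in.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not the question here
    if (-not $chain.Build($sig.SignerCertificate)) { return 'InvalidSignature' }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Setup trusts the MACHINE root store; a root present only in the user's store does not count.
    $machineRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
    if ($machineRoots -notcontains $root.Thumbprint) {
        return 'InvalidSignature'
    }

    # The leaf actually used for signing (not the root) must be in Trusted Publishers for silence.
    $publishers = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | ForEach-Object { $_.Thumbprint }
    if ($publishers -contains $sig.SignerCertificate.Thumbprint) {
        return 'Silent'
    }
    return 'PublisherPrompt'                # yellow "Do you trust software from ...?"
}

function Find-SuspiciousTrustEntries {
    # Machine roots named like makecert's default test root ("Root Agency"), and
    # "publishers" that are self-signed: a real publisher cert chains to a CA,
    # so Subject and Issuer differ. Either is worth an explanation on a production box.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*Root Agency*' } |
        ForEach-Object { [pscustomobject]@{ Store = 'Root'; Subject = $_.Subject; Thumbprint = $_.Thumbprint } }
    Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Subject -eq $_.Issuer } |
        ForEach-Object { [pscustomobject]@{ Store = 'TrustedPublisher'; Subject = $_.Subject; Thumbprint = $_.Thumbprint } }
}

# Usage (paths are placeholders):
# Test-DriverPackageTrust -CatalogPath 'C:\pkg\mydriver.cat'
# Find-SuspiciousTrustEntries | Format-Table -AutoSize
```

Get-AuthenticodeSignature alone reports Valid when the root sits only in the current user's store, which is exactly the case Maxim's step 4 warns about; the explicit machine-store check is what separates the two.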