Signing USB-Drivers under Windows XP SP3

Hello,

I have a problem with signing USB drivers.

We have used these USB drivers for years, but now we want to get rid of this nasty message “this driver did not pass the Windows Logo…”.
And of course, in future we want to use this driver under Windows 7.

We bought this certificate:
“Verisign Class 3 Code Signing 2009-2 CA”

I implemented the signing of the driver files this way:

pvk2pfx -pvk "myprivatekey.pvk" -spc "mycredentials.spc" -pi MyPwd -po MyPwd -f -pfx "Cert.pfx"
signtool.exe sign /f "Cert.pfx" /ac "MSCV-VSClass3.cer" /n "MyName" /p MyPwd /d MyName /sha1 D8F79FF13D920E2F88144F7BF3914D321594E962 "MyDriver.sys"
Inf2Cat.exe /driver:MyDriver /os:2000,XP_X86,Server2003_X86,Vista_X86
signtool.exe sign /f "Cert.pfx" /ac "MSCV-VSClass3.cer" /n "MyName" /p MyPwd /d MyName /sha1 D8F79FF13D920E2F88144F7BF3914D321594E962 "MyDriver.cat"
signtool.exe verify /v /kp "%MyDriver.cat" "MyDriver.sys"

I get these results:

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 15:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    Expires:   Mon May 23 19:11:29 2016
    SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

    Issued to: VeriSign Class 3 Code Signing 2009-2 CA
    Issued by: Class 3 Public Primary Certification Authority
    Expires:   Tue May 21 01:59:59 2019
    SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

    Issued to: MyName
    Issued by: VeriSign Class 3 Code Signing 2009-2 CA
    Expires:   Mon Jun 17 01:59:59 2013
    SHA1 hash: D8F79FF13D920E2F88144F7BF3914D321594E962

Successfully verified: MyDriver.sys

Number of files successfully Verified: 2
Number of warnings: 0
Number of errors: 0

If I click on MyDriver.cat, it says that the signature is valid.
If I right-click MyDriver.sys and open Properties, it says that the signature is valid too.

But when I install the driver I still get this nasty “this driver did not pass the Windows Logo test” message,
and Device Manager states “not signed”!!!

Can anybody give me any tips on what is wrong (with me)?

Many thanks in advance!

(Sorry for my bad English.)

> -----Original Message-----

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, July 28, 2010 10:47 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Signing USB-Drivers under Windows XP SP3

If I click on MyDriver.cat, it says that the signature is valid.
If I right-click MyDriver.sys and open Properties, it says that
the signature is valid too.

But when I install the driver I still get this nasty “this
driver did not pass the Windows Logo test” message,
and Device Manager states “not signed”!!!

Can anybody give me any tips on what is wrong (with me)?

Sure, it means your driver is not signed :wink: It complains about the WHQL
signature, not about your company certificate. This is the way XP works.
Win7 is better: it would tell you your driver is signed by your company
certificate and ask the user if s/he trusts your company. Better than the red
prompt, but it still asks for user input. You need WHQL again to avoid any
prompts.

It doesn’t mean your certificate is useless. It allows you to ensure
code integrity and run your driver on x64 OSes. We sign all binaries
with the company certificate automatically on build machines. But drivers
need an additional signature; they have to pass DTM tests and you have to
pay for the WHQL signature then.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

You can release-sign drivers for Vista and Win7, install your cert on the
system, and install your drivers without warnings or popups. They will not
be logo’d, but they will be signed.

Mark Roddy

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

xxxxx@yahoo.com wrote:

I have a problem with signing USB drivers.

We have used these USB drivers for years, but now we want to get rid of this nasty message “this driver did not pass the Windows Logo…”.

Does it surprise you to learn that the way to “remove this nasty
message” is to pass the Windows logo testing?

If you install the driver package using the CAT file, on Windows 7 you
will see a “do you trust this publisher” warning instead of that logo,
but the way to get a silent install is to submit to WHQL.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I’m not sure if it really solves OP’s problem :wink: Users would probably
complain more about the necessity to install a suspicious certificate on
their systems than about a warning during driver installation.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
Sent: Wednesday, July 28, 2010 11:27 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Signing USB-Drivers under Windows XP SP3

You can release sign drivers for vista and win7, install your
cert on the system, and install your drivers without warnings or popups.
They will not be logo’d, but they will be signed.

Mark Roddy

On Wed, Jul 28, 2010 at 5:15 PM, Michal Vodicka
wrote:

> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf
Of
> xxxxx@yahoo.com
> Sent: Wednesday, July 28, 2010 10:47 PM
> To: Windows System Software Devs Interest List

> Subject: [ntdev] Signing USB-Drivers under Windows XP
SP3
>
> If I click on MyDriver.cat it says, that the signing
is valid.
> If I right click on MyDriver.sys and properties it
says, that
> the signing is valid too.
>
> But when I install the driver I still get this nasty
“this
> driver did not pass the windows logotest” message
> and device manager states “not signed”!!!
>
> Can anybody give any tips what is wrong (with me)?

Sure, it means your driver is not signed :wink: It
complains about WHQL
signature, not about your company certificate. This is
the way XP works.
Win7 are better, they’d tell your driver is signed by
your company
certiicate and ask user if s/he trust your company.
Better than red
prompt but still asks for user input. You need WHQL
again to avoid any
prompts.

It doesn’t mean your certificate is useless. It allows
you to ensure
code integrity and run your driver at x64 OSes. We sign
all binaries
with company certificate automatically at build
machines. But drivers
need additional signature; they have to pass DTM tests
and you have to
pay for WHQL signature then.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other
seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR
Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR For our schedule of WDF, WDM,
debugging and other seminars visit: http://www.osr.com/seminars To
unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

+1

On Jul 28, 2010 6:31 PM, “Michal Vodicka” wrote:

I’m not sure if it really solves OP’s problem :wink: Users would probably
complain more about the necessity to install a suspicious certificate on
their systems than about warning during driver installation.


Actually the users don’t even have to know. The cert install and the driver
install can all be wrapped in an installer app.

Mark Roddy


On 07/29/2010 01:17 AM, Mark Roddy wrote:

Actually the users don’t even have to know. The cert install and the
driver install can all be wrapped in an installer app.

…opening a nice way to circumvent signing requirements altogether.

-1

> signature, not about your company certificate. This is the way XP works.
> Win7 is better: it would tell you your driver is signed by your company
> certificate and ask the user if s/he trusts your company.

And even 2003 is better in this. On 2003, you can also put your cert into Trusted Publishers and have silent device installs.


Maxim S. Shatskih

Windows DDK MVP

xxxxx@storagecraft.com

http://www.storagecraft.com

>> Actually the users don’t even have to know. The cert install and the
>> driver install can all be wrapped in an installer app.
>
> …opening a nice way to circumvent signing requirements altogether.

Exactly so; this is what people often use.

The whole WHQL business model, for instance, is sheer nonsense for software titles that have kernel-mode components. It is strictly for hardware like “yet another USB Wi-Fi”.

It was non-working and even produced adverse results for video card drivers, for instance.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

It doesn’t circumvent anything. Your drivers are signed using your approved
cert. It is Microsoft’s documented path to releasing drivers without a logo.

Mark Roddy


On 07/29/2010 02:11 PM, Mark Roddy wrote:

It doesn’t circumvent anything. Your drivers are signed using your
approved cert. It is microsoft’s documented path to releasing drivers
without a logo.

What happens on a 32-bit system, if you install a non-approved cert in
“trusted root storage”?

> What happens on a 32-bit system, if you install a non-approved cert in
> “trusted root storage”?

You do not need Trusted Root Certification Authorities, only Trusted Publishers.

Works like a charm.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

I use this approach for internal test handovers, then pull the
certificate and add the WHQL-signed drivers for the final test and
release. This keeps the test environment as close to release mode as
possible and avoids having to mess about with ‘test mode’.


Hello Maxim,

thank you for your answer to my problem.
Today I tried your nice approach.
I generated a certificate and installed it as a root certificate.
It works perfectly on my computer! Silent install of my drivers after USB plug-in!
But:
If I install the same certificate on my colleagues’ computers,
it still fails and comes up with the nasty “no logo” messages.

Must I create the certificate in a special way, with special options, to make it work on machines
other than mine?

regards,

Thomas Kracke


> Must I create the certificate in a special way with special options to work on other
> machines than my?

Install it into the local machine cert store, not the current user’s.

Install it both to Trusted Roots and to Trusted Publishers.

Moreover, you can open your makecert-made cert, get the “Root Agency” from it, and install this “Root Agency” as a trusted root. Then install the full cert only as a trusted publisher.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hello Maxim,
Thank you for your help!
Do you think that this will work on Windows 7 too?

regards,

Thomas Kracke


> Do you think that this will work on Windows 7 too?

Worked for me from 2003 upwards: on Vista, 2008 (R2 and the old one), and Win7.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

On Wednesday 28 July 2010 21:47:15 xxxxx@yahoo.com wrote:

> I implemented the signing of the driver files this way:
>
> pvk2pfx -pvk "myprivatekey.pvk" -spc "mycredentials.spc" -pi MyPwd -po MyPwd -f -pfx "Cert.pfx"
> signtool.exe sign /f "Cert.pfx" /ac "MSCV-VSClass3.cer" /n "MyName" /p MyPwd /d MyName /sha1 D8F79FF13D920E2F88144F7BF3914D321594E962 "MyDriver.sys"
> Inf2Cat.exe /driver:MyDriver /os:2000,XP_X86,Server2003_X86,Vista_X86
> signtool.exe sign /f "Cert.pfx" /ac "MSCV-VSClass3.cer" /n "MyName" /p MyPwd /d MyName /sha1 D8F79FF13D920E2F88144F7BF3914D321594E962 "MyDriver.cat"
> signtool.exe verify /v /kp "%MyDriver.cat" "MyDriver.sys"

When signing binaries you really should also use the /t option to add a
timestamp from http://timestamp.verisign.com/scripts/timstamp.dll; otherwise
you’ll find your signature is marked as invalid when the certificate
expires.


Bruce Cran
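The first post's sequence with the timestamp applied, as an added example; it is not the original poster's or Bruce's script. It reuses the file names from the first post (Cert.pfx, MSCV-VSClass3.cer, the MyDriver package directory) and the VeriSign timestamp URL from Bruce's reply; the password argument and the /d description string are assumptions. The other difference from the first post is the verification step: the .sys is checked through the catalog (/c) under both the kernel-mode driver policy (/kp) and the default Authenticode policy (/pa), and the script refuses to finish if the countersignature is missing.

```batch
@echo off
REM Added example, not the original poster's or Bruce's script: release-sign the
REM driver package from the first post, adding the timestamp, and verify the .sys
REM THROUGH the catalog. Assumptions: Cert.pfx, MSCV-VSClass3.cer and the MyDriver
REM package directory exist as in the first post, signtool.exe and Inf2Cat.exe (WDK)
REM are on the PATH, and the PFX password is passed as the first argument.
setlocal
set PFX=Cert.pfx
set CROSS=MSCV-VSClass3.cer
set PKG=MyDriver
set TSA=http://timestamp.verisign.com/scripts/timstamp.dll
set PASS=%~1
if "%PASS%"=="" (
    echo usage: %~nx0 pfx-password
    exit /b 2
)

REM 1. Embedded signature on the binary (this is what the x64 kernel-mode load check
REM    looks at). /ac adds the Microsoft cross-certificate so the chain reaches the
REM    Microsoft Code Verification Root; /t countersigns with the timestamp.
signtool.exe sign /v /f "%PFX%" /p "%PASS%" /ac "%CROSS%" /t "%TSA%" /d "MyDriver" "%PKG%\MyDriver.sys" || exit /b 1

REM 2. Build the catalog after the binary is signed, in the order the first post uses.
Inf2Cat.exe /driver:"%PKG%" /os:2000,XP_X86,Server2003_X86,Vista_X86 || exit /b 1

REM 3. Sign the catalog; the catalog signature is what Plug and Play evaluates at install.
signtool.exe sign /v /f "%PFX%" /p "%PASS%" /ac "%CROSS%" /t "%TSA%" /d "MyDriver" "%PKG%\MyDriver.cat" || exit /b 1

REM 4. Verify the .sys via the catalog (/c) rather than as a second stand-alone file,
REM    which is what the first post's verify command does. /kp = kernel-mode driver
REM    policy, /pa = default Authenticode policy; a cross-signed release package
REM    should pass both.
signtool.exe verify /v /kp /c "%PKG%\MyDriver.cat" "%PKG%\MyDriver.sys" || exit /b 1
signtool.exe verify /v /pa /c "%PKG%\MyDriver.cat" "%PKG%\MyDriver.sys" || exit /b 1

REM 5. Refuse to ship an untimestamped signature: without the countersignature the
REM    signature stops validating when the signing certificate expires (June 2013
REM    for the certificate in this thread). "is timestamped" is signtool's wording
REM    in verbose output; the "File is not timestamped." line does not match it.
for %%F in ("%PKG%\MyDriver.sys" "%PKG%\MyDriver.cat") do (
    signtool.exe verify /v /pa %%F | findstr /c:"is timestamped" >nul || (
        echo ERROR: %%F has no timestamp
        exit /b 1
    )
)
echo signed and verified: %PKG%\MyDriver.sys, %PKG%\MyDriver.cat
```

Run it from the WDK build environment as `sign-release.cmd <pfx-password>`; every step aborts the script on a non-zero exit code, so a missing cross-certificate, an unreachable timestamp server or a catalog that does not cover the .sys shows up here rather than on a customer's machine.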

Hello Maxim,

I still have trouble running the driver on machines other than my own.
This is my sequence:

my machine:
  MakeCert -r -sv "mypvk.pvk" -n "CN=my,O=myorg" -sr LocalMachine "mytest.cer"
  certmgr.exe -add "mytest.cer" -s -r localMachine Root
  certmgr.exe -add "mytest.cer" -s -r localMachine TrustedPublisher
  pvk2pfx.exe -pvk "mypvk.pvk" -spc "mytest.cer" -f -pi myPwd -po myPwd -pfx "mypfx.pfx"
  signtool.exe sign /f "mypfx.pfx" /p myPwd "mydriver.sys"
  Inf2Cat.exe /driver:mydriver /os:2000,XP_X86,Server2003_X86,Vista_X86
  signtool.exe sign /f "mypfx.pfx" /p myPwd "mydriver.cat"
  signtool.exe verify /v "mydriver.cat" "%1\mydriver.sys"

other machines:
  certmgr.exe -add "mytest.cer" -s -r localMachine Root
  certmgr.exe -add "mytest.cer" -s -r localMachine TrustedPublisher

  then install the driver (plug in the device).
  Now Device Manager is unhappy and says “did not pass the logo test”.

Any ideas?

regards,

Thomas Kracke

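A check script for the machines where the install still reports “not signed”, as an added example; it is not the poster's or Maxim's code. It assumes the certificate subject CN “my” from the poster's makecert command, that the package directory is passed as the first argument, that certmgr.exe and signtool.exe from the WDK are available on that machine, that certmgr lists subjects in its usual “[0,0] 2.5.4.3 (CN) my” form, and that the XP SetupAPI log is at %SystemRoot%\setupapi.log. It checks the two things Maxim's advice depends on: the certificate sitting in the LocalMachine (not CurrentUser) Root and TrustedPublisher stores, and a catalog signature whose chain actually builds on that machine.

```batch
@echo off
REM Added example, not the poster's or Maxim's code: run on a machine that still
REM reports "not signed" after the test certificate was installed. Assumptions:
REM the certificate subject CN is "my" (from the poster's makecert command), the
REM driver package directory is %1, certmgr.exe and signtool.exe (WDK) are on the
REM PATH, and the XP SetupAPI log lives at %SystemRoot%\setupapi.log.
REM Run from an administrator command prompt so the LocalMachine stores are readable.
setlocal
set CN=my
set PKG=%~1
if "%PKG%"=="" set PKG=.
set RC=0

REM 1. The cert must be in the LOCAL MACHINE Root and TrustedPublisher stores.
REM    A copy in the CurrentUser stores only is the classic mistake. The match
REM    relies on certmgr's listing format, e.g. "[0,0] 2.5.4.3 (CN) my" (assumption).
for %%S in (Root TrustedPublisher) do (
    certmgr.exe -s -r localMachine %%S 2>nul | findstr /c:"(CN) %CN%" >nul
    if errorlevel 1 (
        echo MISSING: LocalMachine\%%S does not contain CN=%CN%
        set RC=1
    ) else (
        echo OK: LocalMachine\%%S contains CN=%CN%
    )
    certmgr.exe -s -r currentUser %%S 2>nul | findstr /c:"(CN) %CN%" >nul
    if not errorlevel 1 echo NOTE: CN=%CN% is also in CurrentUser\%%S, which does not satisfy PnP
)

REM 2. Does the catalog signature chain on THIS machine? Verify the .sys through the
REM    catalog with the default Authenticode policy (/pa). A self-signed test root is
REM    expected to fail /kp, since it has no cross-certificate to the Microsoft Code
REM    Verification Root; /pa is the policy to use for a test-signed package.
signtool.exe verify /v /pa /c "%PKG%\mydriver.cat" "%PKG%\mydriver.sys"
if errorlevel 1 (
    echo FAIL: catalog signature does not verify against this machine's stores
    set RC=1
)

REM 3. What SetupAPI logged for this driver at install time (log location is an
REM    assumption for XP; Vista and later keep the log under %SystemRoot%\inf).
if exist "%SystemRoot%\setupapi.log" findstr /i "mydriver" "%SystemRoot%\setupapi.log" | findstr /i "signed"

exit /b %RC%
```

Run it as `check-target.cmd C:\path\to\package` on a colleague's machine before plugging the device in: a MISSING line means certmgr was run against the wrong store or without administrative rights, and a FAIL from signtool means the package itself (catalog, INF file list, or the cert's chain) is the problem rather than the store.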