none
signing a driver for Windows 7 64-bits

    Question

  • I need to have certified driver for 64-bits Windows 7. My developpement platform is Window XP SP3.

    I'm usign French OS, so I have some difficult to find real Windows error message to english.

     

    I build my PCIX device driver, in the root direcory thanks to the command:

     build -cef -amd64


    Files WDFetep327.sys and WDFetep327.inf are so generated.

     

    copy /Y C:\WinDDK\7600.16385.1\redist\wdf\amd64\WdfCoInstaller01009.dll Install

    copy /Y objfre_win7_amd64\amd64\*.sys Install

    copy /Y objfre_win7_amd64\amd64\*.inf Install

     

    All files needed to install driver on 64-bits Windows 7 OS are copied in the directoy Install

    I generate the catalog file thanks to the command: Inf2Cat /driver:Install /os:7_X64

    The 4 files: WdfCoInstaller01009.dllWDFetep327.sys, WDFetep327.inf and etep.cat are moved to the folder Install

    When I install this new driver for my PCIE card for Win 7 thanks to the Device Manager -> Update Driver

    an error occurs: the driver is 'nt signing and the material is not ready to use, the device appears as UNKNOWN DEVICE

     

    So I try to sign a driver thanks to this commands:

     

    MakeCert -r -pe -ss PrivateCertStore -n "CN=etep" Install\etep.cer

    CertMgr /add Install\etep.cer /s root

    CertMgr /add Install\etep.cer /s trustedpublisher

     

    SignTool sign /ac Install\etep.cer /s PrivateCertStore /t http://timestamp.verisign.com/scripts/timestamp.dll Install\etep.cat

    SignTool sign /ac Install\etep.cer /s PrivateCertStore /t http://timestamp.verisign.com/scripts/timestamp.dll Install\WDFetep327.sys

     

    Result:

    The name of my PCIE card appears is the device manager, with information about manufacturer, and driver.

    But the driver is not started because it is not certified: error message in the event log og Windows.

     

     

    Have you a solution to realise good digital signing?

     

     


    Delphine GARRO
    Wednesday, June 01, 2011 1:44 PM

Answers

  • Are you using a Class 3 Code signing certificate from Thawte or Verisign and if so do you also have the cross-certificates from Microsoft? Or are you attempting to use Test signing? In which case, do you have a host connected via 1384, or serial only if you are really really really desperate, and have you enabled test signing on the target? You cannot release a driver signed with a test certificate that you have generated.

    Gary G. Little NanoTelesis Systems, LLC
    Wednesday, June 01, 2011 2:26 PM
  • Do I use this command line?

    bcdedit /set testsigning on


    Delphine GARRO
    Wednesday, June 01, 2011 4:13 PM

All replies

  • Are you using a Class 3 Code signing certificate from Thawte or Verisign and if so do you also have the cross-certificates from Microsoft? Or are you attempting to use Test signing? In which case, do you have a host connected via 1384, or serial only if you are really really really desperate, and have you enabled test signing on the target? You cannot release a driver signed with a test certificate that you have generated.

    Gary G. Little NanoTelesis Systems, LLC
    Wednesday, June 01, 2011 2:26 PM
  • I'm attempting first to use test signing.

    How to enable test signing on the target ?


    Delphine GARRO
    Wednesday, June 01, 2011 3:04 PM
  • Do I use this command line?

    bcdedit /set testsigning on


    Delphine GARRO
    Wednesday, June 01, 2011 4:13 PM
  • Yes, on the target.
    Gary G. Little NanoTelesis Systems, LLC
    Wednesday, June 01, 2011 5:30 PM
  • Thank you.
    Delphine GARRO
    Monday, June 06, 2011 8:31 AM
  • I have this issue:

    C:\driverIUSB>signtool sign /v /ac MSCV-ThawteClass3.cer /f myCert.pfx /p -PASSWORD- /n "XXXXX S.R.L." cwiusb.sys
    The following certificate was selected:
        Issued to: XXXXX S.R.L.
        Issued by: Thawte Code Signing CA - G2
        Expires:   Sat Jul 06 01:59:59 2013
        SHA1 hash: CBC8D981E2CB9D586D118BCB41CFD825324C3652

    Cross certificate chain (using user store):
        Issued to: thawte Primary Root CA
        Issued by: thawte Primary Root CA
        Expires:   Thu Jul 17 01:59:59 2036
        SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81

            Issued to: Thawte Code Signing CA - G2
            Issued by: thawte Primary Root CA
            Expires:   Sat Feb 08 01:59:59 2020
            SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7

                Issued to: XXXXX S.R.L.
                Issued by: Thawte Code Signing CA - G2
                Expires:   Sat Jul 06 01:59:59 2013
                SHA1 hash: CBC8D981E2CB9D586D118BCB41CFD825324C3652

    Signtool Error: The provided cross certificate would not be present in the certi
    ficate chain.

     

    Why the cross certificate would'n be present in the chain?

     

     

    Wednesday, July 20, 2011 7:42 AM
  • Emanuele Vassallo wrote:
    >
    >I have this issue:
    >
    >C:\driverIUSB>signtool sign /v /ac MSCV-ThawteClass3.cer /f myCert.pfx /p -PASSWORD- /n "XXXXX S.R.L." cwiusb.sys
     
    Where did you find a Microsoft cross-certificate for Thawte?  That wasn't
    one of the CAs on their original list.  Do you have a URL?
     
    >The following certificate was selected:
    >    Issued to: XXXXX S.R.L.
    >    Issued by: Thawte Code Signing CA - G2
    >    Expires:   Sat Jul 06 01:59:59 2013
    >    SHA1 hash: CBC8D981E2CB9D586D118BCB41CFD825324C3652
    >
    >Cross certificate chain (using user store):
    >    Issued to: thawte Primary Root CA
    >    Issued by: thawte Primary Root CA
    >    Expires:   Thu Jul 17 01:59:59 2036
    >    SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81
    >
    >        Issued to: Thawte Code Signing CA - G2
    >        Issued by: thawte Primary Root CA
    >        Expires:   Sat Feb 08 01:59:59 2020
    >        SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
    >
    >            Issued to: XXXXX S.R.L.
    >            Issued by: Thawte Code Signing CA - G2
    >            Expires:   Sat Jul 06 01:59:59 2013
    >            SHA1 hash: CBC8D981E2CB9D586D118BCB41CFD825324C3652
    >
    >Signtool Error: The provided cross certificate would not be present in the certi
    >ficate chain.
    >
    >Why the cross certificate would'n be present in the chain?
     
    That would seem to imply that your certificate is not one of the ones
    covered by the Thawte cross-certificate.  Is your certificate supposed to
    be valid for KMCS code signing?
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Thursday, July 21, 2011 3:57 AM
  • In Thawte Assitance service there is a conflict of ideas. Some of them told me the it was passible (Kernel mode cross Signing) and here there is the link of THE truth.. :-)

    https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO5565#

    And some other not....

    The link wasn't very helpfull... the error it's posted above...

    I tryed a lot in some different way... only using anoder cross certificate it worked. But the verify didn't  works and so the installation of the driver.

     

    So now I'll revoke the Thawte certificate and I'll buy the Verisign one.

    After that I'll post the result.... 

    Thursday, July 21, 2011 3:38 PM
  • Emanuele Vassallo wrote:
    >
    >In Thawte Assitance service there is a conflict of ideas.
     
    I'll say.
     
    >Some of them told me the it was passible (Kernel mode cross Signing)
    >and here there is the link of THE truth.. :-)
    >
    >
    >And some other not....
     
    Well, if the cross-certificate is genuine, and there's no reason to think
    it's not, then you should be able to use a Thawte Class 3 Code Signing
    Certificate to satisfy KMCS.
     
    There are a couple of errors on that web page.  For example:
     
      Use the x64 checked build environment or the Server 2008 SDK
      build environment when using SIGNTOOL.  Only cross-sign .SYS files.
      CAT files do not need to be cross-signed. The system during load,
      only looks at the SYS file for verification and never looks at the
      CAT file (on 64bit systems only).
     
    You don't need to use a checked build environment.  You can use ANY DDK
    build environment when using "signtool".  Further, the operating system
    certainly WILL look at the CAT file for KMCS checking.  It's not necessary
    to sign the SYS file if the CAT file is signed.  I happen to do both, but
    it's not required.
     
    >The link wasn't very helpfull... the error it's posted above...
    >
    >I tryed a lot in some different way... only using anoder cross certificate
    >it worked. But the verify didn't  works and so the installation of the driver.
     
    Did you use /kp when you did the verify?  I suspect there was probably a
    path to success here, but I'll be curious to hear your Verisign story.
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Saturday, July 23, 2011 4:39 AM
  • In Thawte Assitance service there is a conflict of ideas. Some of them told me the it was passible (Kernel mode cross Signing) and here there is the link of THE truth.. :-)

    https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO5565#

    And some other not....

    The link wasn't very helpfull... the error it's posted above...

    Emanuele (and anyone else that has the same signtool error as you posted),

    I also tried cross-signing using the certificate downloaded from the Thawte page and I had the same error that you reported here. I believe I know what went wrong.

    If you double-click on the "MSCV-ThawteClass3.cer" file in Windows, and look at the "Certification Path" tab, you will see that the certificate references "thawte Primary Root CA - G3", but, if you look at your signtool error, you will see that "thawte Primary Root CA - G3" is not included in your certificate chain (your certificate is under "thawte ... CA - G2"). In short, "MSCV-ThawteClass3.cer" is the wrong file. I had this exact same problem.

    Oddly, yesterday, one of my co-workers found the Thawte page that you linked to, but when he downloaded the certificate, he got a completely different certificate than the one both you and I downloaded! It looks like Thawte recently changed the certificate that they have posted on the page you linked to. Anyway, if you go to that page again, and try downloading the new certificate, this new certificate references "thawte Primary Root CA" (which is in your certificate chain) and using the /ac switch with this new certificate should work. It did for me anyway, and I believe I had the same problem that you ran into.

     

     

    Wednesday, August 10, 2011 4:07 PM
  • Hello everybody,

    I've bought certificat on verisign.com : Verisign Class 3 Code signing 2010 CA and I've succeed in signing driver, because these informations appears when I've verify propreties of my driver file .sys . I succeed to install this driver but everytimes Windows reboots, it refuse to start the driver automatically with the error code : file not signed. I disable manually the driver and enable the driver thanks to the Device Manager, and the driver is started ! ( xithout updating the driver, without changing anything ... ) 

    What's the problem ? Windows in debug/test mode avoid driver to start automatically ?

    Have-you a solution....

    Best regards,


    Delphine GARRO
    Friday, September 02, 2011 4:21 PM
  • Delphine

    Your device  has to go through WHQL Testing and the results and Driver Binaries  have to submitted to Microsoft so that the Microsoft gives  you Digitally signed Cat files - which in turn avoid the unsigned pop-ups during the installation.

    If you need more information please  let us know.

    Thanks

    Wintestlogo Team


    Wintest Consultancy and Services Email:help@wintestlogo.com This posting is provided "AS IS" with no warranties, and confers no rights.
    Saturday, September 03, 2011 5:03 PM
  • GARRO Delphine wrote:
    >
    >I've bought certificat on verisign.com : Verisign Class 3 Code signing
    >2010 CA and I've succeed in signing driver, because these informations
    >appears when I've verify propreties of my driver file .sys . I succeed
    >to install this driver but everytimes Windows reboots, it refuse to
    >start the driver automatically with the error code : file not signed.
     
    The problem is LIKELY to be the "cross certificate".  When you sign using
    your code-signing certificate, you also have to specify the cross
    certificate that matches it.  The cross certificate is issued by Microsoft,
    and basically tells the operating system that the authority that issued
    your certificate is valid.  You use the "/ac" parameter on signtool to
    specify the cross certificate.
     
    You can try fetching the Verisign cross certificate from here:
     
    You can tell whether you are doing this right by using the "/v" parameter
    on signtool.  If you have code it right, the chain ends with the "Microsoft
    Code Signing Authority."
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Saturday, September 03, 2011 10:59 PM
  • Hello Tim,

     

    Thank you for your fast answer !

     

    I've downloaded the Verisign cross certificate on the specified link: MSCV-VSClass3.cer.

    Should I install this certiciate in my Private Windows Certicate Store ?

    The certificated created by Verisign for ETEP company is CertificatETEP2011.pfx

     

    Signing driver failed when using this commands:

    SignTool sign /f Install\CertificatETEP2011.pfx /p UPY2011 /t http://timestamp.verisign.com/scripts/timstamp.dll /v Install\etep.cat

    SignTool sign /f Install\CertificatETEP2011.pfx /p UPY2011 /t http://timestamp.verisign.com/scripts/timstamp.dll /v Install\WDFetep515.sys

     

    SignTool sign /ac Install\MSCV-VSClass3.cer /t http://timestamp.verisign.com/scripts/timestamp.dll Install\etep.cat

    SignTool sign /ac Install\MSCV-VSClass3.cer /t http://timestamp.verisign.com/scripts/timestamp.dll Install\WDFetep515.sys

     

    Results:

    C:\WinDDK\7600.16385.1\etep\etep515>SignTool sign /f Install\CertificatETEP2011.pfx /p UPY2011 /t http://timestamp.verisign.com/s

    cripts/timstamp.dll /v Install\etep.cat

    The following certificate was selected:

        Issued to: ETEP

        Issued by: VeriSign Class 3 Code Signing 2010 CA

        Expires:   Fri Aug 31 01:59:59 2012

        SHA1 hash: 632716F52DB58438E466EAD643D41B927EBA2492

     

    Done Adding Additional Store

    Successfully signed and timestamped: Install\etep.cat

     

    Number of files successfully Signed: 1

    Number of warnings: 0

    Number of errors: 0

     

    C:\WinDDK\7600.16385.1\etep\etep515>SignTool sign /f Install\CertificatETEP2011.pfx /p UPY2011 /t http://timestamp.verisign.com/s

    cripts/timstamp.dll /v Install\WDFetep515.sys

    The following certificate was selected:

        Issued to: ETEP

        Issued by: VeriSign Class 3 Code Signing 2010 CA

        Expires:   Fri Aug 31 01:59:59 2012

        SHA1 hash: 632716F52DB58438E466EAD643D41B927EBA2492

     

    Done Adding Additional Store

    Successfully signed and timestamped: Install\WDFetep515.sys

     

    Number of files successfully Signed: 1

    Number of warnings: 0

    Number of errors: 0

     

    C:\WinDDK\7600.16385.1\etep\etep515>SignTool sign /ac Install\MSCV-VSClass3.cer /t http://timestamp.verisign.com/scripts/timestamp

    .dll Install\etep.cat

    Signtool Error: The provided cross certificate would not be present in the certificate chain.

     

    C:\WinDDK\7600.16385.1\etep\etep515>SignTool sign /ac Install\MSCV-VSClass3.cer /t http://timestamp.verisign.com/scripts/timestamp

    .dll Install\WDFetep515.sys

    Signtool Error: The provided cross certificate would not be present in the certificate chain.

     

    What is the problem ? Perhaps I don't use the good line commands ?

     

    Best regards,

     


    Delphine GARRO
    Monday, September 05, 2011 7:50 AM
  • I try this new command lines without success:

    signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2011.pfx /p delphine /n "VeriSign Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "Install\WDFetep515.sys"

    signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2011.pfx /p delphine /n "VeriSign Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "Install\etep.cat"

     

    ERROR MESSAGE:

    SignTool Error: No certificates were found that met all the given criteria.

     

     


    Delphine GARRO
    Monday, September 05, 2011 2:41 PM
  • GARRO Delphine wrote:
    >
    >I try this new command lines without success:
    >
    >signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2011.pfx /p delphine /n "VeriSign Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "Install\WDFetep515.sys"
     
    The subject name of your certificate is not "VeriSign, Inc."   It's
    probably the name of your company -- the entity that bought the
    certificate.  Because you're using /f to specify the exact certificate by
    filename, you shouldn't need the /n.  Other than that, this command line
    looks correct.
     
    Personally, I prefer to install my certificates in my certificate store and
    use the /n or /sha commands to identify which one to use, but what you're
    doing should work.
     
    >signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2011.pfx /p delphine /n "VeriSign Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "Install\etep.cat"
     
    Here's a personal superstition.  Are you signing the CAT file immediately
    after signing the SYS?  The CAT file includes a checksum of all of the
    files mentioned in your INF.  If any of those files changes, then the
    checksum is invalid, and the CAT file is ignored.  Thus, I always do things
    in this order:
       * sign the SYS
       * create the CAT
       * sign the CAT
     
    Otherwise, you're changing the SYS file (by signing it) after you have
    computed its checksum.  Now, I have been told that the CAT file checksum
    does not count the signature, so this is probably just nonsense on my part.
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Monday, September 05, 2011 7:33 PM
  • Dear Tim,

    Unfortunaly, the driver isn't always recognized as digitally signed.

    I use this commands:

    build -cef -amd64

    copy /Y C:\WinDDK\7600.16385.1\redist\wdf\amd64\WdfCoInstaller01009.dll Install

    copy /Y objfre_win7_amd64\amd64\*.sys Install

    copy /Y objfre_win7_amd64\amd64\*.inf Install

    signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2011.pfx /p delphine /t http://timestamp.verisign.com/scripts/timstamp.dll "Install\WdfCoInstaller01009.dll"

    signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2011.pfx /p delphine /t http://timestamp.verisign.com/scripts/timstamp.dll "Install\WDFetep515.sys"

    del Install\*.cat

    Inf2Cat /driver:Install /os:7_X64

    signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2011.pfx /p delphine /t http://timestamp.verisign.com/scripts/timstamp.dll "Install\etep.cat"

     

    Result isfor each file: .sys .cat .dll:

    The following certificate was selected:

        Issued to: ETEP

        Issued by: VeriSign Class 3 Code Signing 2010 CA

        Expires:   Fri Aug 31 01:59:59 2012

        SHA1 hash: 632716F52DB58438E466EAD643D41B927EBA2492

     

    Cross certificate chain (using machine store):

        Issued to: Microsoft Code Verification Root

        Issued by: Microsoft Code Verification Root

        Expires:   Sat Nov 01 15:54:03 2025

        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

     

            Issued to: VeriSign Class 3 Public Primary Certification Authority - G5

            Issued by: Microsoft Code Verification Root

            Expires:   Mon Feb 22 21:35:17 2021

            SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

     

                Issued to: VeriSign Class 3 Code Signing 2010 CA

                Issued by: VeriSign Class 3 Public Primary Certification Authority - G5

                Expires:   Sat Feb 08 01:59:59 2020

                SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

     

                    Issued to: ETEP

                    Issued by: VeriSign Class 3 Code Signing 2010 CA

                    Expires:   Fri Aug 31 01:59:59 2012

                    SHA1 hash: 632716F52DB58438E466EAD643D41B927EBA2492

     

    Done Adding Additional Store

    Successfully signed and timestamped: Install\etep.cat

     

    Number of files successfully Signed: 1

    Number of warnings: 0

    Number of errors: 0

     

    When I verify if driver is signed, no error appears:

     

    C:\WinDDK\7600.16385.1\etep\etep515>SignTool verify /v /kp Install\WDFetep515.sys

     

    Verifying: Install\WDFetep515.sys

    Hash of file (sha1): D05F8259B862DCB2CA91A3675288094E48AD608A

     

    Signing Certificate Chain:

        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5

        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5

        Expires:   Thu Jul 17 01:59:59 2036

        SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

     

            Issued to: VeriSign Class 3 Code Signing 2010 CA

            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5

            Expires:   Sat Feb 08 01:59:59 2020

            SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

     

                Issued to: ETEP

                Issued by: VeriSign Class 3 Code Signing 2010 CA

                Expires:   Fri Aug 31 01:59:59 2012

                SHA1 hash: 632716F52DB58438E466EAD643D41B927EBA2492

     

    The signature is timestamped: Tue Sep 06 09:25:52 2011

    Timestamp Verified by:

        Issued to: Thawte Timestamping CA

        Issued by: Thawte Timestamping CA

        Expires:   Fri Jan 01 01:59:59 2021

        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

     

            Issued to: VeriSign Time Stamping Services CA

            Issued by: Thawte Timestamping CA

            Expires:   Wed Dec 04 01:59:59 2013

            SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

     

                Issued to: VeriSign Time Stamping Services Signer - G2

                Issued by: VeriSign Time Stamping Services CA

                Expires:   Fri Jun 15 01:59:59 2012

                SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

     

    Cross Certificate Chain:

        Issued to: Microsoft Code Verification Root

        Issued by: Microsoft Code Verification Root

        Expires:   Sat Nov 01 15:54:03 2025

        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

     

            Issued to: VeriSign Class 3 Public Primary Certification Authority - G5

            Issued by: Microsoft Code Verification Root

            Expires:   Mon Feb 22 21:35:17 2021

            SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

     

                Issued to: VeriSign Class 3 Code Signing 2010 CA

                Issued by: VeriSign Class 3 Public Primary Certification Authority - G5

                Expires:   Sat Feb 08 01:59:59 2020

                SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

     

                    Issued to: ETEP

                    Issued by: VeriSign Class 3 Code Signing 2010 CA

                    Expires:   Fri Aug 31 01:59:59 2012

                    SHA1 hash: 632716F52DB58438E466EAD643D41B927EBA2492

     

    Successfully verified: Install\WDFetep515.sys

     

    Number of files successfully Verified: 1

    Number of warnings: 0

    Number of errors: 0

    When Update Driver for my PCIE board, first time 64-bits Windows 7 ask me if I want always trust in ETEP company. I accept. The driver is also installed the first time, whithout any error message. But when I reboot, The driver isn't lauched: code error 10. When I verify details: the file WDFetep515.sys is considered as not digitally signed.  When I verify the status of this file WDFetep515.sys on Windows XP PRO, in the properties of the file it appears the file is digitally signed !!!!

    WHY Windows 7 doesn't never recognize this file as digitally signed???


    Delphine GARRO
    Tuesday, September 06, 2011 9:11 AM
  • Delphine

     For Testing purposes , you can get the drivers Test signed and get around this problem.

    We have seen this error with Windows7 64-bit drivers. Only way to get around this problem when you release this drivers to end-customers  is to get the drivers WHQL Certified.

    If you need more information please let us know.

     

    Thanks

    Wintestlogo Team


    Wintest Consultancy and Services Email:help@wintestlogo.com This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, September 06, 2011 9:19 AM
  • I've met the same problem with test signed driver, even if i've disabled test signing:  bcdedit.exe -set TESTSIGNING OFF

    My driver never started at boot of Windows 7. I always disable then enable it in the Device Manager, without updating driver...

     

    How to get drivers WHQL Certified ?


    Delphine GARRO
    Tuesday, September 06, 2011 9:54 AM
  • Test Signing has to be turned on.

     

    The drivers  have to tested using WLK1.6 and the results have to be submitted to Microsoft. Once they approve the results,we get the Digitally signed catalog files,using those signed catalog files we wont see this unsigned popups error any more.

    Could you please mail us. We will take it forward.

    Thanks

    Wintestlogo Team


    Wintest Consultancy and Services Email:help@wintestlogo.com This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, September 06, 2011 10:39 AM
  • Dear Wintestlogo Team,

    I don't need Driver "Certified for Windows" logos: WHQL is so not necessary and not compulsory. My society build few little quantity of each specific PCIE boards, compliant with Windows since NT4

    So my company choose to sign its own drivers rather than go through the WHQL testing process.

    Have you a better solution to be proposed to me?

     

    Thanks for your informations...


    Delphine GARRO
    Tuesday, September 06, 2011 12:56 PM
  • Hello Garro

    Could you please drop us an email, we can guide on how to get around this problem.

    Thanks

    Wintestlogo Team


    Wintest Consultancy and Services Email:help@wintestlogo.com This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, September 06, 2011 2:49 PM
  • GARRO Delphine wrote:
    >
    >Unfortunaly, the driver isn't always recognized as digitally signed.
    >
    >I use this commands:
    >
    >build -cef -amd64
    >
    >copy /Y C:\WinDDK\7600.16385.1\redist\wdf\amd64\WdfCoInstaller01009.dll Install
    >copy /Y objfre_win7_amd64\amd64\*.sys Install
    >copy /Y objfre_win7_amd64\amd64\*.inf Install
    >signtool sign ... "Install\WdfCoInstaller01009.dll"
     
    You should not sign the coinstaller.  It is already signed by Microsoft.
     
    >Result isfor each file: .sys .cat .dll:
    >
    >The following certificate was selected:
    >    Issued to: ETEP
    >    Issued by: VeriSign Class 3 Code Signing 2010 CA
    >    Expires:   Fri Aug 31 01:59:59 2012
    >    SHA1 hash: 632716F52DB58438E466EAD643D41B927EBA2492
    >Cross certificate chain (using machine store):
    >    Issued to: Microsoft Code Verification Root
    >    Issued by: Microsoft Code Verification Root
    >    Expires:   Sat Nov 01 15:54:03 2025
    >    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    >...
     
    This is correct.  Your files are correctly signed.
     
    >When Update Driver for my PCIE board, first time 64-bits Windows 7 ask
    >me if I want always trust in ETEP company. I accept. The driver is also
    >installed the first time, whithout any error message. But when I reboot,
    >The driver isn't lauched: code error 10. When I verify details: the file
    >WDFetep515.sys is considered as not digitally signed.
    >...
    >WHY Windows 7 doesn't never recognize this file as digitally signed???
     
    How are you installing this?  The only way this works is if you pre-install
    your driver package to the driver store, and let Device Manager find it
    automatically.  If you install your driver the wrong way -- by copying the
    files into place -- then you lose the association between the CAT files and
    the other files, and it loses the signature.
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Thursday, September 08, 2011 3:09 AM
  • Wintest Consultancy and Services wrote:
    >
    >For Testing purposes , you can get the drivers Test signed and get around this problem.
    >
    >We have seen this error with Windows7 64-bit drivers.
     
    You have?  Under what circumstances?  I have never seen this fail with any
    of my driver packages, but if there's a way for a correctly-signed driver
    package to fail to load, then I think we in the community deserve to have
    more information.
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Thursday, September 08, 2011 3:11 AM
  • Dear Tim,

     

    How to pre-install my driver package to the driver store ?

    Actually, I open the device Manager and I choose to update the driver: I choose directory where  the files .cat .sys and DLL are stored

    and Windows updates the driver... Effectively, it's not a pre-install...

    Is it certainly the problem ?


    Delphine GARRO
    Thursday, September 08, 2011 7:21 AM
  • GARRO Delphine wrote:
    >
    >How to pre-install my driver package to the driver store ?
     
    The easiest way, in my opnion, is to copy DPinst.exe from the DDK into the
    same directory as the CAT/SYS/INF/DLL, then run "dpinst /lm".
     
    >Actually, I open the device Manager and I choose to update the driver:
    >I choose directory where  the files .cat .sys and DLL are stored
    >
    >and Windows updates the driver... Effectively, it's not a pre-install...
    >
    >Is it certainly the problem ?
     
    No, that should work.
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Saturday, September 10, 2011 4:03 AM
  • I think the driver is well signed because when I update driver Windows never displayed error message about unsigned file.

    Is it possible that driver could'nt start at the starting of Windows because It need an other ressource that is started later ?

    My device is a PCI Express x1 board from PLX.

    Is it possible to start later my driver ?

     

     


    Delphine GARRO
    Monday, September 12, 2011 11:58 AM
  • Does the files version  have to be the same?

    I've notice different version number betwwen sys file [6.1.7600.16385 built by: WinDDK] and this one specified in the INF file  [1.0.20.10] ...


    Delphine GARRO
    Wednesday, September 14, 2011 9:26 AM
  • GARRO Delphine wrote:
    >
    >Does the files version  have to be the same?
    >
    >I've notice different version number betwwen sys file [6.1.7600.16385 built by: WinDDK] and this one specified in the INF file  [1.0.20.10] ...
     
    They are not related.  The version in the INF file is stored in the
    registry and displayed in Device Manager, but that's all.
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Friday, September 16, 2011 3:10 AM
  • OK Tim !

    thanks you for this informations...


    Delphine GARRO
    Friday, September 16, 2011 8:27 AM