How to properly sign drivers

  • Question

  • Hello, I have a few questions with regard to properly signing drivers.  Where I work, we produce an internal tool which, in order to perform its job, must have a custom hardware driver.  Others on my team have written this driver.  The simplest method for deployment is to use dpinst and so that's what we do.  Ordinarily, when I run dpinst /se /path <path/to/driver_package>, I'm prompted with the question, "Do you wish to always trust drivers from so and so?"  Because this driver is signed internally, our install instructions say, "Yes."  Recently, however, I've encountered some systems, Windows 7 Professional and Enterprise, which say something like, "Windows cannot verify the publisher of this driver software," and a prompt to either "install" or "don't install" the driver.  Why is it that some systems, using the same dpinst command, ask to always trust and others ask the other question?

    In researching this, I've come across a tool, SignTool, which I've used to verify the certificate that we use for signing the drivers.  When I use the tool as suggested in the link, I get, "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."  However, if I tell SignTool to disregard using the Driver Store Processes and instead use "the default authentication verification policy," (i.e. SignTool verify /pa <*.sys>) then the driver *.sys file is acceptable.  Since using the default authentication verification policy is satisfactory, what is the difference between that and the Windows Driver Authentication Policy?  How should the driver file be properly signed in order for the system to work?

    Thanks.

    Monday, May 16, 2016 9:44 PM

All replies

  • Please see this: http://www.davidegrayson.com/signing/

    -- pa

    Monday, May 16, 2016 9:58 PM
  • Thank you for the link.  It contains much and answers many questions.  However, I've verified on these Windows systems that the signature is "ok."  That is, I can right-click on the *.sys and the *.cat files and I have a tab for "Digital Signature."  Furthermore, when I click on the button to view the "details" of the signature, the dialog window states, "This digital signature is OK."  It has all of our company information, dates of validity and the issuing authority.

    From the link you've provided, it would seem that this driver is properly signed.  So, why am I seeing the dialog windows which seem to say that it is not?

    Monday, May 16, 2016 10:19 PM
  • Your problematic systems are Win7, so maybe this is a case of "SHA-1 phase out". Try a SHA-256 signature on them.  Or this could be caused by some other update that messed with root certificates.

    -- pa

    Wednesday, May 18, 2016 2:45 AM
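As an added example (not code from the thread or from either poster), the following PowerShell script checks one driver package the way the question contrasts the two SignTool policies, and also reports the catalog's digest algorithm, which is what pa's SHA-1 suggestion hinges on. It assumes signtool.exe is on PATH; the .cat and .sys paths are placeholders.

```powershell
# Diagnose a driver package that passes SignTool's default policy (/pa) but
# fails the Windows driver policy (/kp). Paths below are placeholders.
param(
    [string]$Catalog = 'C:\driverpkg\driver.cat',   # placeholder
    [string]$SysFile = 'C:\driverpkg\driver.sys'    # placeholder
)
Add-Type -AssemblyName System.Security

# 1. Authenticode status as Windows evaluates it: this is the same check
#    behind the "Digital Signatures" tab, so "Valid" here only means the
#    chain ends in *some* trusted root, not that the driver policy is met.
foreach ($f in $Catalog, $SysFile) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    '{0}: {1} (signer: {2})' -f (Split-Path $f -Leaf), $sig.Status, $sig.SignerCertificate.Subject
}

# 2. Digest algorithm of the catalog signature. A .cat file is a PKCS#7
#    SignedData blob, so it decodes directly. A SHA-1 digest is one reason a
#    Win7 machine can show "Windows cannot verify the publisher" while the
#    signature dialog still says the signature is OK.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([IO.File]::ReadAllBytes($Catalog))
$digest = $cms.SignerInfos[0].DigestAlgorithm.FriendlyName
"Catalog digest algorithm: $digest"
if ($digest -eq 'sha1') {
    'WARNING: SHA-1 signed; check for SHA-2 support on the target or re-sign with SHA-256.'
}

# 3. Build the signer's chain with the code-signing EKU required and print
#    every link plus each status flag, which is the detail SignTool's
#    one-line "terminated in a root certificate which is not trusted" omits.
$signer = (Get-AuthenticodeSignature -FilePath $Catalog).SignerCertificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline diagnosis; re-enable for release checks
$chain.Build($signer) | Out-Null
$chain.ChainElements | ForEach-Object { ' -> ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { 'Chain status: {0} ({1})' -f $_.Status, $_.StatusInformation.Trim() }

# 4. Both SignTool verdicts side by side. /kp applies the Windows driver
#    policy (the chain must reach a root Microsoft trusts for kernel code,
#    normally via a cross-certificate), while /pa applies only the default
#    Authenticode policy, which is why the two commands can disagree.
& signtool.exe verify /kp /v /c $Catalog $SysFile
& signtool.exe verify /pa /v $SysFile
```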