
I am trying to install a Windows USB driver with a simple structure, containing only the following content:

  • app.inf
  • app.cat
  • WdfCoInstaller01005.dll
  • WinUSBCoInstaller.dll

The driver is SHA-256 signed using a valid standard kernel mode code signing certificate issued by DigiCert. I could see the digital signature in the app.cat file when I view the properties of the file. I am trying to install the driver via an InstallShield setup on a Windows 7 SP1 64-bit machine with all the latest updates installed (including KB3033929). It still shows the warning "Windows can't verify the publisher of this driver software".

To troubleshoot this, I have tried installing the certificate on the target machine, as one of the Stack Overflow links suggests. Still no hope.

I have used the following commands during the process of generating the .cat file and signing the .cat file. (There is no .sys file)

Inf2Cat /driver:"C:\CodeSigning" /os:7_X64,7_X86

C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64>signtool.exe sign /v /ac "C:\CodeSigning\DigiCert High Assurance EV Root CA.crt"  /a /t http://timestamp.digicert.com  "C:\CodeSigning\Driver\app.cat"

EDIT Adding more information.

Digital Signature Information

Error while installing the driver

I have also tried SHA-256 signing (referring to https://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm, section: Internet Explorer or Chrome for Windows):

signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"

Still I am getting the same error.

EDIT 2- Adding the source of the Inf file

Please refer to the source of the .inf file below (it could be a little legacy).

[Version]
Signature = "$Windows NT$"
Class =XYZdevice
ClassGuid={ad769fbf-c592-4b8c-940a-6e3782a545e8}
Provider = %ProviderName%
DriverVer=10/13/2017,6.00.2064
CatalogFile=%MFGFILENAME%.cat

; ========== Manufacturer/Models sections ===========

[Manufacturer]
%ProviderName% = XYZInc,NTx86,NTamd64

[XYZInc.NTx86]
%USB\MyDevice.DeviceDesc% =USB_Install, USB\VID_1448&PID_4AC0&REV_0001

[XYZInc.NTamd64]
%USB\MyDevice.DeviceDesc% =USB_Install, USB\VID_1448&PID_4AC0&REV_0001

; =================== Installation ===================

[ClassInstall32]
AddReg=SampleClass_RegistryAdd

[SampleClass_RegistryAdd]
HKR,,,,%ClassName%


;[1]
[USB_Install]
Include=winusb.inf
Needs=WINUSB.NT

;[2]
[USB_Install.Services]
Include=winusb.inf
AddService=WinUSB,0x00000002,WinUSB_ServiceInstall

;[3]
[WinUSB_ServiceInstall]
DisplayName     = %WinUSB_SvcDesc%
ServiceType     = 1
StartType       = 3
ErrorControl    = 1
ServiceBinary   = %12%\WinUSB.sys

;[4]
[USB_Install.Wdf]
KmdfService=WINUSB, WinUsb_Install

[WinUSB_Install]
KmdfLibraryVersion=1.5

;[5]
[USB_Install.HW]
AddReg=Dev_AddReg

[Dev_AddReg]
HKR,,DeviceInterfaceGUIDs,0x10000,"{15630179-b622-4834-8ff7-9916b1446884}"

;[6]
[USB_Install.CoInstallers]
AddReg=CoInstallers_AddReg
CopyFiles=CoInstallers_CopyFiles

[CoInstallers_AddReg]
HKR,,CoInstallers32,0x00010000,"WdfCoInstaller01005.dll,WdfCoInstaller","WinUSBCoInstaller.dll"

[CoInstallers_CopyFiles]
WinUSBCoInstaller.dll
WdfCoInstaller01005.dll

[DestinationDirs]
CoInstallers_CopyFiles=11

; ================= Source Media Section =====================
;[7]

[SourceDisksNames]
1 = %DISK_NAME%,,,\i386
2 = %DISK_NAME%,,,\amd64

[SourceDisksFiles.x86]
WinUSBCoInstaller.dll=1
WdfCoInstaller01005.dll=1

[SourceDisksFiles.NTamd64]
WinUSBCoInstaller.dll=2
WdfCoInstaller01005.dll=2

; =================== Strings ===================

[Strings]
MFGFILENAME="XYZDevice"
ProviderName="XYZ Inc"
ClassName="XYZ device"
USB\MyDevice.DeviceDesc="XYZ"
WinUSB_SvcDesc="XYZ"
DISK_NAME="Drivers"

I have verified the counter signature details also. Please refer to the image below.

  • Thumbprint of the certificate used for cross signing (thumbprint: 2f 25 13 af 39 92 db 0a 3f 79 70 9f f8 14 3b 3f 7b d2 d1 43, cross-certificate for DigiCert High Assurance EV Root CA)
  • Thumbprint of the cross-signed certificate, which can be seen from the properties of the signed file, is 40 01 91 47 5c 98 89 1d eb a1 04 af 47 09 1b 5e b6 d4 cb cb (I don't know whether it is correct or not)


Please help. I have spent plenty of time on this and still ended up with no results. Any help on this would be really appreciated.

amesh
  • WinUSB comes with Windows 7, so you can reduce your driver package size by not using coinstallers. Your `/ac` argument looks suspect; are you sure that's a cross certificate? You could post the link to where you downloaded it. Posting a screenshot of the error would be good too, I'm not sure if it's an installation time error or not. Also, I wrote a [big article](http://www.davidegrayson.com/signing/) that you might find useful. – David Grayson Jan 02 '18 at 18:58
  • Actually I don't think you need to specify a cross certificate with the `/ac` argument because you're not signing a kernel-mode driver. Also, what part of your signtool invocation specifies which publisher certificate to use? – David Grayson Jan 02 '18 at 19:02
  • Also, you should use `/fd sha256` since SHA1 is deprecated, though I don't think that will solve your problem here. – David Grayson Jan 02 '18 at 19:06
  • @DavidGrayson, Thanks for your comments. I have tried from the following documentation of Digicert. https://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm ( section: Internet Explorer or Chrome for Windows). – amesh Jan 03 '18 at 04:26
  • @DavidGrayson I have tried Sha256 version of signing as well `signtool sign /v /ac "C:\path\DigiCert High Assurance EV Root CA.crt" /a /tr http://timestamp.digicert.com /td sha256 /fd sha256 "c:\path\to\FileToSign.cat"` Still I am getting the same error. – amesh Jan 03 '18 at 04:27
  • @DavidGrayson I will go through your article and understand more about this.. Thanks.. – amesh Jan 03 '18 at 05:02
  • I wonder if this is an InstallShield bug. Do you get the same error message if you put the INF and CAT file and all the required files in a directory, and install the INF file by right-clicking and selecting "Install"? You'll need a DefaultInstall section in the INF file (and don't forget to re-sign after adding it). – David Grayson Jan 03 '18 at 18:42
  • A driver needs two signatures. One provided by you, the other you get from Microsoft's WHQL after they verified your driver. A little birdy tells me that the latter one is missing. – Hans Passant Jan 03 '18 at 20:43
  • `Note The INF file of a driver package must not contain an INF DefaultInstall section if the driver package is to be digitally signed. For more information about signing driver packages, see Driver Signing.` – amesh Feb 26 '18 at 10:09
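
Added example (not part of the question or of any comment, and not the asker's code): a pre-signing consistency check for a driver package like the one in the question. It resolves the `%token%` in the INF's `CatalogFile` directive and compares that name, plus the files listed under `SourceDisksFiles`, with what is shipped; the INF text and file list are constructed from the names shown in the question, and `parse_inf`, `expand` and `check_package` are hypothetical helper names.

```python
import re

# Constructed sample, trimmed from the INF in the question (same directive names).
SAMPLE_INF = r'''
[Version]
Signature = "$Windows NT$"
CatalogFile=%MFGFILENAME%.cat

[SourceDisksFiles.x86]
WinUSBCoInstaller.dll=1
WdfCoInstaller01005.dll=1

[Strings]
MFGFILENAME="XYZDevice"
'''

def parse_inf(text):
    """Return {section_name_lower: [(key, value), ...]}.
    Simplification: ';' always starts a comment, even inside quotes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip().strip('"')))
    return sections

def expand(value, strings):
    """Substitute %token% from [Strings]; unknown tokens are left as written."""
    return re.sub(r"%([^%]+)%",
                  lambda m: strings.get(m.group(1).lower(), m.group(0)), value)

def check_package(inf_text, package_files):
    """Compare file names the INF refers to with the files actually shipped."""
    inf = parse_inf(inf_text)
    strings = {k.lower(): v for k, v in inf.get("strings", [])}
    present = {name.lower() for name in package_files}
    # CatalogFile, CatalogFile.NT, CatalogFile.NTamd64 ... all live in [Version].
    catalogs = [expand(v, strings) for k, v in inf.get("version", [])
                if k.lower().startswith("catalogfile")]
    payload = {k for sec, entries in inf.items()
               if sec.split(".")[0] == "sourcedisksfiles" for k, _ in entries}
    return {"catalogs": catalogs,
            "missing_catalogs": [c for c in catalogs if c.lower() not in present],
            "missing_files": sorted(f for f in payload if f.lower() not in present)}

if __name__ == "__main__":
    shipped = ["app.inf", "app.cat", "WdfCoInstaller01005.dll", "WinUSBCoInstaller.dll"]
    print(check_package(SAMPLE_INF, shipped))
```

A non-empty `missing_catalogs` means the catalog that was signed is not the one the INF names, which is worth ruling out before looking at the certificate chain.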

0 Answers