Signing drivers with signtool for XP 64-bit -- suppressing the war

I need to suppress the unsigned driver installation dialog for an automation
project that I am working on. Now, for XP32, it is possible to suppress the
dialog via a control panel setting, but that has been removed in XP64. The MS KB
article "Driver signing policy is automatically elevated for unsigned
drivers" (http://support.microsoft.com/kb/831583) describes this as "by
design". In short, it appears that while on XP32 you can choose to ignore
signed/unsigned warnings for unsigned drivers, the setting is ignored on
XP64. Therefore, I need to sign our drivers for unattended installation via
devcon, for automated testing.

Now, we have a Verisign certificate for signing of Windows Vista 32 and
64-bit drivers. Our signing process does work and the drivers are installed
automatically, without a prompt, for each subsequent installation after the
first when we check the box to allow further drivers signed by us to be
installed without prompting. For some reason, however, the same signing
infrastructure does not work for XP64, even with the OS-appropriate changes.
Here is our sequence of commands:

$ /bin/SelfSign/inf2cat.exe /driver:.. /os:Vista_X86,Vista_X64
$ /bin/SelfSign/inf2cat.exe /driver:.. /os:XP_X86,XP_X64

$ /bin/SelfSign/signtool.exe sign /v /ac MSCV-VSClass3.cer /v /s my /n "<name>" /t http://timestamp.verisign.com/scripts/timestamp.dll <file>.sys <file>64.sys <file>.cat <file>64.cat

$ /bin/SelfSign/signtool.exe verify /v /kp <file>.cat <file>.sys <file>64.cat <file>64.sys

The verify output for both XP and Vista is the following:

Verifying: <file>64.sys
SHA1 hash of file: (not calculated)

Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   11/1/2025 6:54:03 AM
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    Expires:   5/23/2016 10:11:29 AM
    SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

    Issued to: VeriSign Class 3 Code Signing 2004 CA
    Issued by: Class 3 Public Primary Certification Authority
    Expires:   7/15/2014 4:59:59 PM
    SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

    Issued to: {Our Corporate Certificate}
    Issued by: VeriSign Class 3 Code Signing 2004 CA
    Expires:   1/22/2010 4:59:59 PM
    SHA1 hash: E3EFA4F5D3D320CE51EA7CE9C54E3CE6FBBBC055

The signature is timestamped: 7/25/2008 4:34:16 PM

Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   12/31/2020 4:59:59 PM
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

    Issued to: VeriSign Time Stamping Services CA
    Issued by: Thawte Timestamping CA
    Expires:   12/3/2013 4:59:59 PM
    SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

    Issued to: VeriSign Time Stamping Services Signer - G2
    Issued by: VeriSign Time Stamping Services CA
    Expires:   6/14/2012 4:59:59 PM
    SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Now, when I go to install this on XP64, the following message appears in
setupapi.log:

Error 0x800b0109: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

Now, when I install the root certificate available on Microsoft.com
(http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx), "Microsoft
Cross-Certificates for Windows Vista Kernel Mode Code Signing", onto my XP64
machine, it shows up in the Certification Path with the message, "The issuer
of this certificate could not be found."

Does anyone have any hints as to why XP64 is being stubborn?

Thanks and Regards, Joe
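Added example, not code from the post or from Microsoft's signing tools: a Python script that parses the signtool verify /v /kp output quoted above (embedded as the sample input, with the post's <file> and {Our Corporate Certificate} placeholders kept) and makes the checks a practitioner does by eye when a driver signature is rejected with an untrusted-root error. It pins the top of the chain to the Microsoft Code Verification Root thumbprint printed in the post's own output, which is the evidence that the /ac cross-certificate was embedded in the signature; it confirms every certificate is issued by the one printed above it; and it confirms the signature carries a timestamp and that every certificate in the chain was still valid when that timestamp was applied, which is what keeps the signature valid past the corporate certificate's 1/22/2010 expiry. The without_cross_cert helper is a constructed variant showing the chain signtool would report if /ac had been left out. The script does not explain why XP64 rejects the chain; it only makes the chain's properties machine-checkable.

```python
"""Sanity-check the chain `signtool verify /v /kp` prints for a kernel-mode driver.
The sample is the output quoted in the post, placeholders kept as-is."""
import re
from datetime import datetime

# "Microsoft Code Verification Root" thumbprint as printed in the post's output;
# pinning it is the check that the /ac cross-certificate was actually embedded.
MS_CODE_VERIFICATION_ROOT_SHA1 = "8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3"

SAMPLE_VERIFY_OUTPUT = """\
Verifying: <file>64.sys

Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   11/1/2025 6:54:03 AM
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    Expires:   5/23/2016 10:11:29 AM
    SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
    Issued to: VeriSign Class 3 Code Signing 2004 CA
    Issued by: Class 3 Public Primary Certification Authority
    Expires:   7/15/2014 4:59:59 PM
    SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
    Issued to: {Our Corporate Certificate}
    Issued by: VeriSign Class 3 Code Signing 2004 CA
    Expires:   1/22/2010 4:59:59 PM
    SHA1 hash: E3EFA4F5D3D320CE51EA7CE9C54E3CE6FBBBC055

The signature is timestamped: 7/25/2008 4:34:16 PM

Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   12/31/2020 4:59:59 PM
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
    Issued to: VeriSign Time Stamping Services CA
    Issued by: Thawte Timestamping CA
    Expires:   12/3/2013 4:59:59 PM
    SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
    Issued to: VeriSign Time Stamping Services Signer - G2
    Issued by: VeriSign Time Stamping Services CA
    Expires:   6/14/2012 4:59:59 PM
    SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
"""

CERT_RE = re.compile(
    r"Issued to:\s*(?P<subject>.+?)\s*\n\s*Issued by:\s*(?P<issuer>.+?)\s*\n"
    r"\s*Expires:\s*(?P<expires>.+?)\s*\n\s*SHA1 hash:\s*(?P<sha1>[0-9A-Fa-f]{40})")
TIMESTAMP_RE = re.compile(r"The signature is timestamped:\s*(.+)")


def parse_date(text):
    # signtool uses the locale's short date format; the post's output is US style.
    return datetime.strptime(text.strip(), "%m/%d/%Y %I:%M:%S %p")


def parse_verify_output(text):
    """Split the output into the signing chain and the timestamp (TSA) chain."""
    signing, _, tsa = text.partition("Timestamp Verified by:")

    def certs(part):
        return [{"subject": m["subject"], "issuer": m["issuer"],
                 "expires": parse_date(m["expires"]), "sha1": m["sha1"].upper()}
                for m in CERT_RE.finditer(part)]

    ts = TIMESTAMP_RE.search(signing)
    return {"chain": certs(signing), "tsa_chain": certs(tsa),
            "timestamp": parse_date(ts.group(1)) if ts else None}


def links_ok(chain):
    """Root first: the top is self-issued and each cert is issued by the one above."""
    return bool(chain) and chain[0]["issuer"] == chain[0]["subject"] and all(
        chain[i]["issuer"] == chain[i - 1]["subject"] for i in range(1, len(chain)))


def check_kernel_mode_chain(parsed):
    chain, ts = parsed["chain"], parsed["timestamp"]
    return {
        "root_is_ms_code_verification_root":
            bool(chain) and chain[0]["sha1"] == MS_CODE_VERIFICATION_ROOT_SHA1,
        "links_ok": links_ok(chain),
        "timestamped": ts is not None,
        # The signature outlives the leaf's 1/22/2010 expiry only because every
        # cert in the chain was still valid when the timestamp was applied.
        "chain_valid_at_timestamp": ts is not None and all(c["expires"] > ts for c in chain),
        "tsa_links_ok": links_ok(parsed["tsa_chain"]),
    }


def without_cross_cert(parsed):
    """Constructed failure case: the chain signtool builds when /ac is omitted ends at
    the commercial root, not the Microsoft one (a real VeriSign root has its own hash)."""
    chain = [dict(c) for c in parsed["chain"][1:]]
    chain[0]["issuer"] = chain[0]["subject"]
    return {**parsed, "chain": chain}
```

To use it on a real build, save the output of signtool verify /v /kp to a file and pass its text to parse_verify_output, then check_kernel_mode_chain; /kp selects the kernel-mode driver signing policy, so the chain it prints is the cross-signed one rather than the plain Authenticode chain. A False for root_is_ms_code_verification_root means the signature carries no usable cross-certificate, and a False for chain_valid_at_timestamp means the signature will stop verifying when the leaf expires regardless of how the client is configured.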