[wdmaudiodev] Re: How to sign up with MS with the Win10 driver no charge "attestment" option

  • From: "Paul Titchener" <pt@xxxxxxxxxxx>
  • To: <wdmaudiodev@xxxxxxxxxxxxx>
  • Date: Mon, 26 Oct 2015 11:20:10 -0700

We're only attempting to install one set of files or the other on each PC so I'm pretty confident it's not an issue of mixed files.

Plus what does get installed in c:\windows\system32\drivers is the correct .sys file, with the correct cert, in this case the SHA1 cert for Win7.

But for some strange reason the Device Manager isn't seeing that cert.

Tim, we are using the same installation procedure we have always used, other than detecting the Win10 case and installing the SHA256 drivers always in that case.

But in the past we've also had occasional problems where our driver wasn't getting installed properly so I don't think this problem is new or related to Win10, it's been ongoing.

But this is the first time it happened on one of our test machines and that caused us to realize that it is probably a signing problem happening on some machines.

So I'm hoping that if we solve it the occasional install problems we've seen over time but couldn't chase down will be fixed.

I'm going to take a look and step through the devcon code we are using as the installation occurs to see if that sheds any light on the problem, I'll report back what I find.

As far as I know this is the only source code available program that can be used for driver installs, is that correct?

Paul Titchener

-----Original Message----- From: Tom Duffy
Sent: Monday, October 26, 2015 11:06 AM
To: wdmaudiodev@xxxxxxxxxxxxx
Subject: [wdmaudiodev] Re: How to sign up with MS with the Win10 driver no charge "attestment" option

Wouldn't you see that discrepancy if some of the files were
signed with different signatures? They all have to match
(the cat file's signature) for device manager to OK them, even
though individually they all have "a" signature.

This doesn't explain why it would be a problem only on
some machines though.

---
Tom.


On 10/26/2015 10:19 AM, Paul Titchener wrote:
Tom and Vincent, thanks for your responses, that's good info.

However I still can't figure out what's going on wrong on some of our
driver installations that fail.

We actually had it happen on one of our test machines, it’s a Win7x64
machine.

We use a modified version of the MS devcon64.exe program that they
supply source code for to do our driver install.

On this machine at some point installation of the driver failed.

I can see that we were attempting to install the correct driver, the
.sys and .cat files in our program that we attempted to install are
signed with our SHA1 cert and not the MS cert.

Also when I look at the .sys file that got installed at
c:\windows\system32\drivers, doing a properties on it shows that it is
signed with our SHA1 cert so that looks fine.

But in the Device Manager the driver has an exclamation mark on it and
clicking on it brings up the code 52 error message that the driver is
not digitally signed.

If you go into Details and click on the .sys file name shown in that
same c:\windows\system32\drivers location it also states there that the
driver is not digitally signed.

So for some reason even though when using the File Explorer Properties it
shows the driver is correctly signed, the Device Manager thinks it isn't
signed.

Does anyone know how to correct this discrepancy so the driver becomes
functional?

Thanks,

Paul Titchener

-----Original Message----- From: Tom Duffy
Sent: Monday, October 26, 2015 9:30 AM
To: wdmaudiodev@xxxxxxxxxxxxx
Subject: [wdmaudiodev] Re: How to sign up with MS with the Win10 driver
no charge "attestment" option

Possibly related:

We find some customers on Windows 7 have either
accidentally or on purpose missed out on installing KB3033929
from March 2015 that gives Windows 7 the ability to parse SHA-2
certificates. Without this, they get "unsigned driver"
errors when attempting to install a driver that was signed with
a newer, SHA-256 certificate.
Windows 8 comes with SHA-2 ability out of the box.

Tom.

On 10/26/2015 2:46 AM, Vincent Burel (VB-Audio) wrote:
It sounds like the same problem I got some days ago

The driver was maybe not well cross signed (because missing Microsoft
CER for example)

BTW: I found one trick to check that a sys file is well cross signed:

findstr /m "MicrosoftCodeVerifRoot" "mydriver.sys"

(outputs nothing if not found)

(source reference:
http://winprogger.com/cross-signing-kernel-mode-drivers/)

Regards

Vincent Burel

www.vb-audio.com

*From:* wdmaudiodev-bounce@xxxxxxxxxxxxx
[mailto:wdmaudiodev-bounce@xxxxxxxxxxxxx] *On behalf of* Paul Titchener
*Sent:* Sunday, October 25, 2015 20:38
*To:* wdmaudiodev@xxxxxxxxxxxxx
*Subject:* [wdmaudiodev] Re: How to sign up with MS with the Win10 driver
no charge "attestment" option

We’re now shipping our software that includes a Win 10 signed driver and
for most users it is working correctly, both for users that did an upgrade
to Win 10 and those that bought new Win 10 machines.

For now we detect the OS version during installation and Win 10 machines
get drivers signed both by us and MS, other OS’s get the drivers only
signed by us.

But we’re occasionally hitting installation problems on some machines,
commonly (and maybe exclusively) Win7 ones, where they report that they
get a message about attempting to install an unsigned driver.

I’m wondering if these cases are being caused by a faulty OS detection
by the installer.

Tim, you had mentioned that there is an approach to build a single driver
that installs both on Win 10 and Win 7, 8 and 8.1 machines.

I thought the way we were signing our drivers, which is to sign them
first with our cert before submitting to MS, was the method that allowed
this single install.

But Win 7 and Win 8 machines give us a bad cert message when we try to
install these dual signed drivers.

Was there another step (or different method) we need to take to build a
single driver that will install on a Win 7, 8 and 10 machine?

Thanks,

Paul Titchener


******************

WDMAUDIODEV addresses:
Post message: mailto:wdmaudiodev@xxxxxxxxxxxxx
Subscribe: mailto:wdmaudiodev-request@xxxxxxxxxxxxx?subject=subscribe
Unsubscribe: mailto:wdmaudiodev-request@xxxxxxxxxxxxx?subject=unsubscribe
Moderator: mailto:wdmaudiodev-moderators@xxxxxxxxxxxxx

URL to WDMAUDIODEV page:
http://www.wdmaudiodev.com/
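
Added example, not part of the original thread or any poster's code: the findstr check quoted above searches the whole file, whereas this Python sketch reads the PE security directory, so it reports whether a .sys carries an embedded signature at all, whether the marker string sits inside it, and which digest OIDs (SHA-1, SHA-256) appear there. The function names and the sample image are constructed for illustration; this is a byte-level heuristic that does not validate the signature or look at the .cat file.

```python
import struct
MARKER = b"MicrosoftCodeVerifRoot"  # string searched for by the findstr check
DIGEST_OIDS = {  # DER-encoded digest algorithm OIDs
    "sha1": bytes.fromhex("06052b0e03021a"),  # 1.3.14.3.2.26
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}

def certificate_blobs(image: bytes) -> list:
    """Return PKCS#7 payloads listed in the PE security directory."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24  # optional header follows signature + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
    if struct.unpack_from("<I", image, dirs - 4)[0] <= 4:
        return []  # no security directory slot
    pos, size = struct.unpack_from("<II", image, dirs + 4 * 8)
    end, blobs = min(pos + size, len(image)), []
    while size and pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8:
            break
        if ctype == 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            blobs.append(image[pos + 8:pos + length])
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    return blobs

def describe(image: bytes) -> dict:
    """Heuristic summary of the embedded signature; does not validate it."""
    data = b"".join(certificate_blobs(image))
    return {
        "embedded_signature": bool(data),
        "cross_cert_marker": MARKER in data,
        "digest_oids": sorted(n for n, oid in DIGEST_OIDS.items() if oid in data),
    }

def sample_image(payload: bytes) -> bytes:
    """Constructed minimal PE32+ header with one certificate entry (not a real driver)."""
    img = bytearray(b"MZ") + bytearray(0x146)
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x20B)  # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)  # NumberOfRvaAndSizes
    if payload:
        entry = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        struct.pack_into("<II", img, 0x58 + 112 + 32, len(img), len(entry))
        img += entry
    return bytes(img)
```

To run it against a real file, pass `open(path, "rb").read()` to `describe`; a `.sys` with no embedded signature reports `embedded_signature: False` and depends entirely on its catalog.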