Signed driver package rejected by Win 7 RC, Why?

I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
Ultimate RC... well even with a digital certificate used to sign the driver
package, it is rejected with the following message:

A recently installed program tried to install an unsigned driver. This
version of Windows requires all drivers to have a valid digital signature.
The driver is unavailable and ... (I get the message)

So what must I do to bypass this and test my driver? Must I go back to
Server2008?
--
Mr. Fixit needs your help! - John Bond , LLC

Look on Microsoft.com for a cross signing certificate that matches your
corporate certificate. There are procedures documented in WHQL for driver
and cat file signing. It is fairly easy to do once you have the correct
certs, but since someone else provides those to us I have never done it
myself. Once the certs are done and you have added the private key to your
computer it is just a matter of running inf2cat and signtool on the sys and
inf.


"John Bond" <> wrote in message
news:0785368D-EAE6-4496-AF6B-...
>I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
> Ultimate RC... well even with a digital certificate used to sign the
> driver
> package, it is rejected with the following message:
>
> A recently installed program tried to install an unsigned driver. This
> version of Windows requires all drivers to have a valid digital signature.
> The driver is unavailable and ... (I get the message)
>
> So what must I do to bypass this and test my driver? Must I go back to
> Server2008?
> --
> Mr. Fixit needs your help! - John Bond , LLC

I see that we need a .cer (cross signed certificate?) file based on our
public signature. Any estimates on how long it takes to obtain one?
--
Mr. Fixit needs your help! - John Bond , LLC


"John Bond" wrote:

> I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
> Ultimate RC... well even with a digital certificate used to sign the driver
> package, it is rejected with the following message:
>
> A recently installed program tried to install an unsigned driver. This
> version of Windows requires all drivers to have a valid digital signature.
> The driver is unavailable and ... (I get the message)
>
> So what must I do to bypass this and test my driver? Must I go back to
> Server2008?
> --
> Mr. Fixit needs your help! - John Bond , LLC

The command line:

SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
SmartWORKSDriver.sys

Is giving the following error message:

SignTool Error: No certificates were found that met all the given criteria.

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

Is the .cer file found at:
http://www.microsoft.com/whdc/winlog...crosscert.mspx
the appropriate one to use? Or should I use the .cer I can export out of my
certificate store?
--
Mr. Fixit needs your help! - John Bond , LLC


"David Craig" wrote:

> Look on Microsoft.com for a cross signing certificate that matches your
> corporate certificate. There are procedures documented in WHQL for driver
> and cat file signing. It is fairly easy to do once you have the correct
> certs, but since someone else provides those to us I have never done it
> myself. Once the certs are done and you have added the private key to your
> computer it is just a matter of running inf2cat and signtool on the sys and
> inf.
>
>
> "John Bond" <> wrote in message
> news:0785368D-EAE6-4496-AF6B-...
> >I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
> > Ultimate RC... well even with a digital certificate used to sign the
> > driver
> > package, it is rejected with the following message:
> >
> > A recently installed program tried to install an unsigned driver. This
> > version of Windows requires all drivers to have a valid digital signature.
> > The driver is unavailable and ... (I get the message)
> >
> > So what must I do to bypass this and test my driver? Must I go back to
> > Server2008?
> > --
> > Mr. Fixit needs your help! - John Bond , LLC
>
>
> .
>

Did you import the pfx into your local certificate store? Did you generate
the inf with the inf2cat tool in the 7600.16385.0 (aka 7.0.0) WDK? Use the
tools from that WDK as I know it works.

"John Bond" <> wrote in message
news:E34FBD0F-6332-4EEC-A1F9-...
> The command line:
>
> SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
> Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
> SmartWORKSDriver.sys
>
> Is giving the following error message:
>
> SignTool Error: No certificates were found that met all the given
> criteria.
>
> Number of files successfully Signed: 0
> Number of warnings: 0
> Number of errors: 1
>
> Is the .cer file found at:
> http://www.microsoft.com/whdc/winlog...crosscert.mspx
> the appropriate one to use? Or should I use the .cer I can export out of
> my
> certificate store?
> --
> Mr. Fixit needs your help! - John Bond , LLC
>
>
> "David Craig" wrote:
>
>> Look on Microsoft.com for a cross signing certificate that matches your
>> corporate certificate. There are procedures documented in WHQL for
>> driver
>> and cat file signing. It is fairly easy to do once you have the correct
>> certs, but since someone else provides those to us I have never done it
>> myself. Once the certs are done and you have added the private key to
>> your
>> computer it is just a matter of running inf2cat and signtool on the sys
>> and
>> inf.
>>
>>
>> "John Bond" <> wrote in message
>> news:0785368D-EAE6-4496-AF6B-...
>> >I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
>> > Ultimate RC... well even with a digital certificate used to sign the
>> > driver
>> > package, it is rejected with the following message:
>> >
>> > A recently installed program tried to install an unsigned driver. This
>> > version of Windows requires all drivers to have a valid digital
>> > signature.
>> > The driver is unavailable and ... (I get the message)
>> >
>> > So what must I do to bypass this and test my driver? Must I go back to
>> > Server2008?
>> > --
>> > Mr. Fixit needs your help! - John Bond , LLC
>>
>>
>> .
>>

John Bond <> wrote:
>
>SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
>Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
>SmartWORKSDriver.sys
>
>Is giving the following error message:
>
>SignTool Error: No certificates were found that met all the given criteria.
>
>Number of files successfully Signed: 0
>Number of warnings: 0
>Number of errors: 1
>
>Is the .cer file found at:
>http://www.microsoft.com/whdc/winlog...crosscert.mspx
>the appropriate one to use? Or should I use the .cer I can export out of my
>certificate store?

You must use the cross-certificate from Microsoft. That, of course,
assumes that you really do have a Verisign class 3 code-signing certificate
in your certificate store with the name "AudioCodes, Inc.". The string
must match exactly.
--
Tim Roberts,
Providenza & Boekelheide, Inc.

That is true, Tim. I also discovered that you can use Internet Exploder to
view all the certificates and kill old certs. That should help him validate
the name string. I suspect it is also case-sensitive, but I got the batch
file from someone who had it working.

"Tim Roberts" <> wrote in message
news:...
> John Bond <> wrote:
>>
>>SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
>>Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
>>SmartWORKSDriver.sys
>>
>>Is giving the following error message:
>>
>>SignTool Error: No certificates were found that met all the given
>>criteria.
>>
>>Number of files successfully Signed: 0
>>Number of warnings: 0
>>Number of errors: 1
>>
>>Is the .cer file found at:
>>http://www.microsoft.com/whdc/winlog...crosscert.mspx
>>the appropriate one to use? Or should I use the .cer I can export out of
>>my
>>certificate store?
>
> You must use the cross-certificate from Microsoft. That, of course,
> assumes that you really do have a Verisign class 3 code-signing
> certificate
> in your certificate store with the name "AudioCodes, Inc.". The string
> must match exactly.
> --
> Tim Roberts,
> Providenza & Boekelheide, Inc.

There is also a "press F8 during startup" option that temporarily disables
the signed driver enforcement.

/ Hannes.

"John Bond" wrote:

> I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
> Ultimate RC... well even with a digital certificate used to sign the driver
> package, it is rejected with the following message:
>
> A recently installed program tried to install an unsigned driver. This
> version of Windows requires all drivers to have a valid digital signature.
> The driver is unavailable and ... (I get the message)
>
> So what must I do to bypass this and test my driver? Must I go back to
> Server2008?
> --
> Mr. Fixit needs your help! - John Bond , LLC

David, are you saying that I cannot use KMDF 1.7 (WDK 6001.18002) and its
signtool and inf2cat to produce 64-bit loadable drivers? Do they NOT work?
If so I will upgrade to 7.0.0 WDK (KMDF 1.9??). (Did 7.0.0 reach released
status recently? I must have had my head buried too deeply in the sand.)

I just got comfortable with KMDF 1.7 having just shipped a driver to Verizon
for boards they used back in Win98/NT/2000.
--
Mr. Fixit needs your help! - John Bond , LLC


"David Craig" wrote:

> Did you import the pfx into your local certificate store? Did you generate
> the inf with the inf2cat tool in the 7600.16385.0 (aka 7.0.0) WDK? Use the
> tools from that WDK as I know it works.
>
> "John Bond" <> wrote in message
> news:E34FBD0F-6332-4EEC-A1F9-...
> > The command line:
> >
> > SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
> > Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
> > SmartWORKSDriver.sys
> >
> > Is giving the following error message:
> >
> > SignTool Error: No certificates were found that met all the given
> > criteria.
> >
> > Number of files successfully Signed: 0
> > Number of warnings: 0
> > Number of errors: 1
> >
> > Is the .cer file found at:
> > http://www.microsoft.com/whdc/winlog...crosscert.mspx
> > the appropriate one to use? Or should I use the .cer I can export out of
> > my
> > certificate store?
> > --
> > Mr. Fixit needs your help! - John Bond , LLC
> >
> >
> > "David Craig" wrote:
> >
> >> Look on Microsoft.com for a cross signing certificate that matches your
> >> corporate certificate. There are procedures documented in WHQL for
> >> driver
> >> and cat file signing. It is fairly easy to do once you have the correct
> >> certs, but since someone else provides those to us I have never done it
> >> myself. Once the certs are done and you have added the private key to
> >> your
> >> computer it is just a matter of running inf2cat and signtool on the sys
> >> and
> >> inf.
> >>
> >>
> >> "John Bond" <> wrote in message
> >> news:0785368D-EAE6-4496-AF6B-...
> >> >I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
> >> > Ultimate RC... well even with a digital certificate used to sign the
> >> > driver
> >> > package, it is rejected with the following message:
> >> >
> >> > A recently installed program tried to install an unsigned driver. This
> >> > version of Windows requires all drivers to have a valid digital
> >> > signature.
> >> > The driver is unavailable and ... (I get the message)
> >> >
> >> > So what must I do to bypass this and test my driver? Must I go back to
> >> > Server2008?
> >> > --
> >> > Mr. Fixit needs your help! - John Bond , LLC
> >>
> >>
> >> .
> >>
>
>
> .
>

Thanks, Hannes, but I want to know that the full package works. We will be
starting our QA process with a very early version of our driver. Management
around here is scared witless by this change. Most of the other developers
with whom I work are very glad that Microsoft has provided the KMDF and are
excited about leaving our archaic driver behind. I need to prove early on
that Microsoft's improvements are solid and can be relied upon. (A lot of
heat in this here kitchen.)
But thanks for reminding me about the "back door". I'll need to pass that
tidbit on to the maintainers.
--
Mr. Fixit needs your help! - John Bond , LLC


"Hannes" wrote:

> There is also a "press F8 during startup" option that temporarily disables
> the signed driver enforcement.
>
> / Hannes.
>
> "John Bond" wrote:
>
> > I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
> > Ultimate RC... well even with a digital certificate used to sign the driver
> > package, it is rejected with the following message:
> >
> > A recently installed program tried to install an unsigned driver. This
> > version of Windows requires all drivers to have a valid digital signature.
> > The driver is unavailable and ... (I get the message)
> >
> > So what must I do to bypass this and test my driver? Must I go back to
> > Server2008?
> > --
> > Mr. Fixit needs your help! - John Bond , LLC