Sign cat file that uses Winusb.sys as kernel-mode

Posted 2019-07-16 05:31

Question:

I'm trying to make a USB driver installable in Windows 8; this USB driver uses only WinUSB.

According to this post, "Signed INF driver works on the computer where it was signed, not others", and also this website, "Practical Windows Code and Driver Signing", all I have to do is generate an .inf file, generate a .cat file and sign this .cat file, but I'm having trouble with the signing part; the other steps are OK.

The sites I listed above make it clear that, to sign a catalog file for a driver that uses only WinUSB, it is not necessary to purchase any certification from any authorized Certification Authority.

The kernel modules you are using have already been signed by Microsoft and you will have no trouble getting them loaded into the kernel after the driver package is installed.

I have SignTool.exe in a folder along with mscvr-cross-gdroot-g2.crt. In a subfolder, let's say MyFolder, I have my driver package.

MyFolder

├─ remsir.cat
├─ remsir.inf
│
├─┐ amd64\
│ ├ WdfCoInstaller01011.dll
│ ├ WinUSBCoInstaller2.dll
│ ├ WUDFUpdate_01011.dll
│
└─┐ i386\
  ├ WdfCoInstaller01011.dll
  ├ WinUSBCoInstaller2.dll
  ├ WUDFUpdate_01011.dll

So, basically I'm stuck at this point:

SignTool.exe sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com MyFolder\remsir.cat

This command line was copied from the other questions, but it isn't working for me. I tried to change some of the parameters, but still without success. It doesn't matter what I do, I always get the error message:

SignTool Error: No certificates were found that met all the given criteria.

First of all, I'm not really sure if I should change any of the parameters in this command line. It isn't really clear to me what they mean.

So... do I have to change any of the parameters in that command line? Do I have to install the mscvr-cross-gdroot-g2.crt or even the Pololu Corporation? If yes, how?

Answer 1:

You need to buy a signing certificate from some company like GlobalSign. Yes, Windows trusts the winusb components of your driver, but Windows 8 will not allow you to install the INF file unless it is signed by a real certificate.

Your quote from me is:

The kernel modules you are using have already been signed by Microsoft and you will have no trouble getting them loaded into the kernel after the driver package is installed.

This quote is still true. The point is that you will not even be able to install the driver package unless you sign the INF file.

The Pololu Corporation you saw in my examples is the name of my company and that part needs to be changed to be your company name. It needs to exactly match the company name embedded in the certificate you purchase.

Edit 1: Windows 8 doesn't require an INF file for WinUSB actually

If you are able to change the firmware of the device then you can avoid buying a certificate for your WinUSB device. For Windows 8 support, you should follow these instructions from the USB Core Team to get your device loaded without needing an INF file:

http://blogs.msdn.com/b/usbcoreblog/archive/2012/09/26/how-to-install-winusb-sys-without-a-custom-inf.aspx

Because you aren't supplying the INF file or the SYS files, I strongly expect that you won't need to sign anything for Windows 8.

For Windows 7 and earlier, you would need to supply an INF file to associate your device with WinUSB, but the INF file would not need to be signed because those versions do not require it.
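
An added diagnostic for the SignTool error discussed above, not part of the original answer: it lists the certificates in the personal stores and shows which selection condition each one fails (subject name, private key, validity period, Code Signing usage). The stores searched (My, which SignTool opens unless /s is given, with /sm switching to the machine store) and the case-insensitive substring match on the subject are assumptions about how /n is applied.

```powershell
# Added diagnostic, not from the original answer. Read-only.
$subjectName    = 'Pololu Corporation'   # value passed to /n in the question; use your own
$codeSigningOid = '1.3.6.1.5.5.7.3.3'    # Code Signing enhanced key usage
$now            = Get-Date

function Test-SigningCandidate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $usages = @()
    if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        # Assumption: /n is compared as a case-insensitive substring of the subject.
        NameMatches   = $Cert.Subject.IndexOf($Name, [StringComparison]::OrdinalIgnoreCase) -ge 0
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)
        # No EKU extension means the certificate is not restricted to listed usages.
        CodeSigning   = (-not $eku) -or ($usages -contains $codeSigningOid)
    }
}

# Check the per-user store and the machine store (the latter is used with /sm).
$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store | ForEach-Object {
        Test-SigningCandidate -Cert $_ -Name $subjectName |
            Add-Member -NotePropertyName Store -NotePropertyValue $store -PassThru
    }
}

$usable = @($report | Where-Object {
    $_.NameMatches -and $_.HasPrivateKey -and $_.InValidity -and $_.CodeSigning
})

$report | Format-Table Store, Subject, NameMatches, HasPrivateKey, InValidity, CodeSigning -AutoSize
"{0} certificate(s) satisfy every condition for /n '{1}'" -f $usable.Count, $subjectName
```

A count of 0 corresponds to the "No certificates were found that met all the given criteria" message; the table shows which column is False for each certificate.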



Answer 2:

Target:

Install an .inf file that uses WinUSB as kernel-mode code.

Solution:

I solved my problem, though not exactly according to my initial idea of signing the .cat file.

My answer may be disappointing for most people and I may receive lots of criticism for not using the best practices, etc. It's inelegant and sounds more like a workaround than a real solution. But considering the main business of the company and the hurry to use the driver in Windows 8, I've reached a solution that is satisfactory for the company.

The main difference between Windows 7 and Windows 8 when talking about installing an unsigned driver is that Windows 7 shows an annoying red warning message that recommends that the user not install the unsigned driver, and Windows 8, under normal circumstances, just doesn't install it anyway.

We coexisted all this time with this warning in Windows 7, so what I've done is to reconfigure Windows 8 to act like Windows 7.

Step 1:

At the end of my software's installation, the installer runs a program that checks the Windows version. If it is Windows 8, it shows a dialog asking to install the drivers and advises that it will require a Windows reboot. If the user agrees, it runs a batch file that:

  • Adds to HKLM..RunOnce a path for Batch File 2
  • Disables Driver Signature Enforcement
  • Restarts the computer

Step 2:

When the user logs on, it will run the second batch file, which was set to run from RunOnce. It will:

  • Run DPInst.exe
  • Enable Driver Signature Enforcement
  • Restart the computer

At this point the driver will be installed and the original settings are restored. The annoying red warning message remains, just like it was in Windows 7, and life goes on..
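
An added check, not part of the original answer, for the state this two-stage procedure leaves behind, in particular when the second batch file never runs or fails partway: enforcement still relaxed, an entry still queued under RunOnce, or driver packages that Windows reports as unsigned. The BCD option names, the English bcdedit output and the standard HKLM RunOnce key path are assumptions, since the answer does not say how enforcement was switched off or give the full key path.

```powershell
# Added verification script, not from the original answer. Read-only; run elevated.
function Get-DriverEnforcementAudit {
    # Boot options that relax driver signature checks (assumed mechanism; the
    # regex expects English bcdedit output such as "testsigning    Yes").
    $bcd = & bcdedit.exe /enum '{current}' 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (run elevated): $bcd" }
    $relaxed = @([regex]::Matches($bcd, '(?im)^(testsigning|nointegritychecks)\s+Yes\s*$') |
        ForEach-Object { $_.Groups[1].Value })

    # Entries still queued under RunOnce (assumed to be the key the answer abbreviates).
    $runOncePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $pending = @()
    $key = Get-Item -Path $runOncePath -ErrorAction SilentlyContinue
    if ($key) {
        $pending = @($key.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Name = $_; Command = $key.GetValue($_) }
        })
    }

    # Third-party driver packages (oem*.inf) that Windows reports as unsigned.
    $unsigned = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.InfName -like 'oem*.inf' -and $_.IsSigned -eq $false } |
        Select-Object DeviceName, InfName, DriverProviderName, Signer)

    [pscustomobject]@{
        RelaxedBootOptions = $relaxed
        PendingRunOnce     = $pending
        UnsignedDrivers    = $unsigned
        Clean              = ($relaxed.Count -eq 0) -and ($unsigned.Count -eq 0)
    }
}

$audit = Get-DriverEnforcementAudit
$audit | Format-List
if (-not $audit.Clean) {
    Write-Warning 'Driver signature enforcement is relaxed or unsigned driver packages are installed.'
}
```

Run after the final reboot, RelaxedBootOptions and PendingRunOnce should both be empty; UnsignedDrivers will still list the package this procedure installed.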