Receiving error (Code 52) from a signed driver

Posted 2019-08-20 04:44

Sorry about the length but I wanted to get as much detail as I could in.

TL;DR: A driver file I signed using signtool & Verisign is still giving a Code 52 error when I install it.

I've created an INF file for a device which uses the usbser.sys driver file. However, even though I've signed it, I'm having trouble installing it on the target machine. In particular, I'm getting the following error...

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

I've created the INF file using a sample file I found here... https://gist.github.com/tracernz/26a5c4343cec83462fed

I changed it a little but I don't want to paste in my entire file. Here are some of the main points...

[Version]
Signature="$Windows NT$"
DriverPackageType = PlugAndPlay
DriverPackageDisplayName = %Device%
Class=Ports
ClassGUID={4d36e978-e325-11ce-bfc1-08002be10318}
Provider=%Provider%
CatalogFile=myfile.cat
DriverVer=07/16/2016,10.0.14393.0

[Manufacturer]
%Provider% = UsbDevice, NTamd64

[UsbDevice.NTamd64]
%Device% = Usb_Install, USB\VID_2102&PID_0003\5&2E3CC8B3&0&8

[Strings]
Provider = "MyCompany Ltd."
Device = "My Own Device"

(I also removed the line GenericDriverInstalled,,,,1 because INFVERIF was throwing an error because of it and I couldn't find anything online that explained what it was supposed to do or how to fix the error)

Target machine is 64bit Windows 10 IoT Enterprise.

So I create my cat file with inf2cat (/os:10_X64) - no errors reported ("Catalog generation complete")

Then I sign the cat file with this command:

"C:\Program Files\Microsoft SDKs\Windows\v7.0A\Bin\signtool" sign /f ..\MyCertificate.pfx /p MyPassword /t http://timestamp.verisign.com/scripts/timstamp.dll /v myfile.cat

This is reported as successful.

Then I copy the directory containing myfile.inf, myfile.cat and usbser.sys to my target machine.

On this machine, if I look at the Device Manager, I see my device, but not with the right name %UNWANTED_CDC_NAME% (COM4) - I'm not sure where this is coming from. The USB\VID_2102&PID_0003\5&2E3CC8B3&0&8 in the INF file above is the same as the Device Instance Path for this device.

I run pnputil /add-driver myfile.inf and I'm asked by a Dialogue Box whether I trust the publisher, which I agree to, and success is reported.

But in the Device Manager, my device hasn't changed its name to "My Own Device" as I expected!

So I go right click on my device, "Update Driver Software", "Browse my computer for driver software", "Let me pick from a list of device drivers on my computer", "Have disk..." and select myfile.inf

It shows "My Own Device" under the model, and says "This driver has an Authenticode(tm) signature."

But when I click "Next" I get an error saying that "Installing this device driver is not recommended because Windows cannot verify that it is compatible with your hardware." I click "Yes" to continue installing and then "Windows has successfully updated your driver software", but a restart is required.

So I agree to the restart and see my device has the correct name now, but with a yellow exclamation mark. I view the properties and I'm seeing that Code 52 error at the top of this question.

One other detail - I went back then to use signtool to verify the signature.

"C:\Program Files\Microsoft SDKs\Windows\v7.0A\Bin\signtool" verify /v myfile.cat

I get a list of certificates in "Signing Certificate Chain" starting with Verisign and a list in the Timestamp starting with Thawte Timestamping CA, but then an error saying:

SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Is this the cause of the Code 52 error? Why am I getting this, isn't Verisign trusted?

Edit - Though if I do

"C:\Program Files\Microsoft SDKs\Windows\v7.0A\Bin\signtool" verify /v /pa myfile.cat

...I get "Successfully verified"

1 answer
The star\"
#2 · 2019-08-20 05:08

Since Windows 10 (version 1607), kernel mode drivers must be signed by Microsoft.
See also:

In Windows 10, the driver has been rewritten by using the Kernel-Mode Driver Framework that improves the overall stability of the driver.

I think your driver needs to be signed by Microsoft.
I got the same error (Code 52) when I installed a driver without a Microsoft signature.

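The following PowerShell script is an added example, not part of the original question or answer. It shows who signed a driver catalog and where its certificate chain ends, which helps tell apart "Authenticode-valid" (what `signtool verify /pa` reports) from "signed by Microsoft" (what the answer says is required). The function name `Get-CatalogSignerChain` is hypothetical, `myfile.cat` is the file name from the question, and the "root is Microsoft" test is an assumed heuristic based on the root certificate's subject.

```powershell
# Added example: inspect the signer and chain root of a driver catalog.
param(
    [string]$CatalogPath = '.\myfile.cat'   # file name taken from the question
)

function Get-CatalogSignerChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No signature found in $Path (status: $($sig.Status))"
    }

    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)

    # Elements are ordered leaf first, so the last one is the chain's end point.
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root  = $certs[-1]

    [pscustomobject]@{
        File               = (Resolve-Path $Path).Path
        # "Valid" here is an Authenticode result only; it does not mean the
        # kernel will accept the driver package.
        AuthenticodeStatus = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        ChainRoot          = $root.Subject
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Timestamped        = [bool]$sig.TimeStamperCertificate
        # Assumed heuristic: Microsoft-issued driver signatures chain to a root
        # whose subject names Microsoft Corporation as the organization.
        RootIsMicrosoft    = [bool]($root.Subject -match 'O=Microsoft Corporation')
    }
}

$result = Get-CatalogSignerChain -Path $CatalogPath
$result | Format-List

if ($result.AuthenticodeStatus -eq 'Valid' -and -not $result.RootIsMicrosoft) {
    Write-Warning ('Catalog is Authenticode-valid but does not chain to a Microsoft root; ' +
                   'per the answer above, expect Code 52 on Windows 10 1607 and later.')
}
```

A catalog that reports `AuthenticodeStatus : Valid` with `RootIsMicrosoft : False` matches the situation in the question: the `/pa` verification succeeds while the device still fails with Code 52.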