Sign cat file that uses Winusb.sys as kernel-mode code

Question

I'm trying to make an USB driver to be installable in Windows 8, this USB driver uses only WinUSB.

According to this post Signed INF driver works on the computer where it was signed, not others and also this website Practical Windows Code and Driver Signing all I have to do is to generate an .inf file, to generate a .cat file and sign this .cat file, but I'm having trouble with the signing part, the other steps are ok.

The sites I listed above makes clear that to sign a catalog file which the driver uses only WinUSB is not necessary to purchase any certification from any authorized Certification Authority.

The kernel modules you are using have already been signed by Microsoft and you will have no trouble getting them loaded into the kernel after the driver package is installed.

I have the SignTool.exe in a folder along with the mscvr-cross-gdroot-g2.crt. In a subfolder, let's say MyFolder I have my driver package.

MyFolder

├─ remsir.cat
├─ remsir.inf
│
├─┐ amd64\
│ ├ WdfCoInstaller01011.dll
│ ├ WinUSBCoInstaller2.dll
│ ├ WUDFUpdate_01011.dll
│
└─┐ i386\
  ├ WdfCoInstaller01011.dll
  ├ WinUSBCoInstaller2.dll
  ├ WUDFUpdate_01011.dll

So, basically I'm stuck at this point:

SignTool.exe sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com MyFolder\remsir.cat

This command line was copied from the other questions, but it isn't working for me. I tried to change some of the parameters but still without success, it doesn't matter what I do I always get the error message:

SignTool Error: No certificates were found that met all the given criteria.

First of all, I not really sure if I should change any of the parameters from this command line. They aren't really clear for me what they mean.

So.. Do I have to change any of the parameters in that command line? Do I have to install the mscvr-cross-gdroot-g2.crt or even the Pololu Corporation? If yes, how?

Btw, you will need to use an earlier version of those DLLs if you plan to support Windows XP. Check the docs, but I believe 1009 was the last version to support Windows XP. — David Grayson, Jul 17 '13 at 01:00
Well, I used 1009 so far, and worked great for XP, Vista and 7. I downloaded the 1011 because I thought they were necessary for Win 8. If 1009 work well on Win 8 I'll use them. — Math, Jul 17 '13 at 01:33
One thing I realized this morning, is that the `.cat` doesn't need to be in the driver package to install the driver in Win 7 machines, so theoretically, all I need is a default `.inf` to make it work on Win 8. I tried to get this default `.inf` uninstalling and excluding the driver from a Win 7 machine and letting the Windows Update download the default `.inf` for me, based on this statement from MSDN: `For versions of Windows earlier than Windows 8, the updated Winusb.inf is available through Windows Update`, but it is not!! The only way I make it work in Win 7 is installing my custom `.inf` — Math, Jul 17 '13 at 12:56

David Grayson · Answer 1 · 2013-07-16T22:12:22.460

2

You need to buy a signing certificate from some company like GlobalSign. Yes, Windows trusts the winusb components of your driver, but Windows 8 will not allow you to install the INF file unless it is signed by a real certificate.

Your quote from me is:

The kernel modules you are using have already been signed by Microsoft and you will have no trouble getting them loaded into the kernel after the driver package is installed.

This quote is still true. The point is that you will not even be able to install the driver package unless you sign the INF file.

The Pololu Corporation you saw in my examples is the name of my company and that part needs to be changed to be your company name. It needs to exactly match the company name embedded in the certificate you purchase.

Edit 1: Windows 8 doesn't require an INF file for WinUSB actually

If you are able to change the firmware of the device then you can avoid buying a certificate for your WinUSB device. For Windows 8 support, you should follow these instructions from the USB Core Team to get your device loaded without needing an INF file:

http://blogs.msdn.com/b/usbcoreblog/archive/2012/09/26/how-to-install-winusb-sys-without-a-custom-inf.aspx

Because you aren't supplying the INF file or the SYS files, I strongly expect that you won't need to sign anything for Windows 8.

For Windows 7 and earlier, you would need to supply an INF file to associate your device with WinUSB, but the INF file would not need to be signed because those versions do not require it.

edited Jul 16 '13 at 22:12

answered Jul 16 '13 at 21:11

David Grayson

84,103
24
152
189

Hum, ok. So I'll have to buy the certificate. But, after buying it, what will I get that I don't have now that prevents me to sign the catalog? I mean, I found the `mscvr-cross-gdroot-g2.crt` to download, what else do I need? What am I buying exactly? Is a cross-certificate with my company's name that will be installed in my machine? Thanks for your help!! – Math Jul 16 '13 at 21:44
Please see my "Edit 1" above. It might help you avoid needing to buy a certificate. If you do buy it, you will get the PRIVATE key for a certificate that is issued to you. This will allow you to use signtool.exe. The cross certificate you mention is just a cross certificate and only contains PUBLIC keys. This is kind of circular, isn't it? You ask "How do I avoid error A?" I said "You need to buy B." You ask "What will buying B get me?" The whole point is that Microsoft wants to know who is loading drivers into their OS, so you need to jump through a hoop to prove who you are. – David Grayson Jul 16 '13 at 22:15
Good article! I'll make some research based on that and will return to you soon, I may take some hours, though. – Math Jul 16 '13 at 22:48
Cool. There are some things you would want to ensure for best user experience: Your installer should detect Windows 8 and avoid trying to install the INF file. Installing the INF file in Windows 8 (i.e. with signature enforcement disabled) should not have a bad effect; basically it should have no effect. When the device is successfully installed in any version of Windows, it should always show up in the same part of the Device Manager (USB Devices) no matter how it was installed. The first one is just about your installer but the second two requirements would take some work to verify. – David Grayson Jul 17 '13 at 00:57
If one was to replace driver for a USB device, Zadig is a good tool. But that can not be used for distribution. If the same effect was to be achieved in a standard way, what would that be? Would using DPInst along with a signed INF file (https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/winusb-installation) be the right choice? If this method is to be followed, does one need an EV certificate? – Amruta Apr 10 '18 at 06:35
I prefer making a signed INF file and installing it by calling SetupCopyOemInf or by right-clicking on it and selecting "Install". DPInst is annoying since they use different executables for 32-bit and 64-bit. You don't need an EV certificate but you do need to buy a certificate. See http://www.davidegrayson.com/signing. – David Grayson Apr 10 '18 at 15:26
@DavidGrayson Thanks for the answer and the article. I also assume that I don't need to do anything with the Windows Hardware Dev Centre. Once I get a standard code signing certificate (not EV) and use inf2cat and signtool, I should be able to use the INF file. Am I right? need support for Windows 7 and Windows 10. – Amruta Apr 11 '18 at 07:55
I think we are just talking about a driver that uses WinUSB, so yes, that is right. – David Grayson Apr 11 '18 at 15:43
I did get the certificate and did sign my driver using the signtool. Everything works fine on a computer where I downloaded the certificate and installed it. But when I try this on another computer, I am getting errors. – Amruta May 22 '18 at 06:25
I think you should ask your own question with all the details of what you did and the errors you are getting. Showing your chain of trust is important too since it is likely that one of those certificates is not reliably installed on all Windows machines. – David Grayson May 22 '18 at 15:07

Math · Accepted Answer · 2013-07-18T20:19:33.907

Target:

Install an .inf file that uses WinUSB as kernel-mode code.

Solution:

I solved my problem, not exactly as my initial idea of signing the .cat file.

My answer may be disappointing for most of people and I may receive lots of critics for not using the best practices and etc. It's inelegant and sounds more like an workaround than a really solution. But considering the main business of the company and the hurry for using the driver in Windows 8 I've reached a solution that is satisfactory for the company.

The main difference between Windows 7 to Windows 8 when talking about installing an unsigned driver is that Windows 7 shows an annoying red warning message that recommends the user to not install the unsigned driver, and Windows 8, under normal circumstances just doesn't install it anyway.

We coexisted all this time with this warning in Windows 7, so what I've done is to reconfigure Windows 8 to act like Windows 7.

Step 1:

At the end of my software's installation the installer runs a program that verifies the Windows' version, if it is Windows 8 it prompts a dialog asking for installing the drivers and advices that it will demand to reboot the Windows. If the user agrees, it will run a batch file that does:

Adds to HKLM..RunOnce a path for Batch File 2
Disable Driver Signature Enforcement
Restart the computer

Step 2:

When the user logs on it will run the second batch file, that was set to run into the RunOnce. It will do:

Run the DPInst.exe
Enable the Driver Signature Enforcement
Restart the computer.

At this point the driver will be installed and the original settings are restored. The annoying red warning message remains, just like it was in Windows 7, and life goes on..

I hate this solution, but thanks for sharing it. We all need to help each other figure this stuff out. :) — David Grayson, Sep 18 '13 at 18:05
@DavidGrayson I hate this too :) I know very few of drivers, but I guess we would have some trouble through the driver signing process, once who developed our driver isn't here anymore. As I understand, the WinUSB is just a layer to expose the micro-controller functions through an API, it is not the driver itself. As you probably already saw I'm not good at this low-level stuff, that explains much of why the workaround :( — Math, Sep 18 '13 at 19:52

Sign cat file that uses Winusb.sys as kernel-mode code

2 Answers2

Linked