unable to sign xp driver with "official certificate"

[dmurphey]

I am developing a Windows XP USB driver. I have followed the example in the WinDDK 6000 “selfsign_example.cmd”. Using a test certificate, my driver was signed without a problem (as viewed in DeviceManager). Next I purchased a Verisign Class 3 Code Signing certificate. The selfsign_example.cmd script executes properly, signs the driver and catalog file with an authentic certificate and installs the certificate. I can individually verify both the driver and catalog file, which are signed and chained to the certificate as expected. My driver executes without a problem after installation. However when I view the driver via DeviceManager, it shows as unsigned.

In setupapi.log, all goes well until the final few lines during my driver's installation:

@ 16:31:43.080 #V155 Executing default installer.
@ 16:31:43.112 #T200 Install Device: Begin.
@ 16:31:43.128 #V124 Doing copy-only install of "USB\VID_0A28&PID_0001\5&B791E26&0&2".
@ 16:31:43.159 #V005 Opened the PNF file of "c:\windows\inf\oem4.inf" (Language = 0409).
@ 16:31:43.175 #V011 Installing section [XylocUSB.INSTALL.NT] from "c:\windows\inf\oem4.inf".
@ 16:31:43.191 #T203 Install Device: Queuing files from INF(s).
@ 16:31:43.207 #V005 Opened the PNF file of "C:\WINDOWS\INF\drvindex.inf" (Language = 0409).
@ 16:31:43.239 #V094 Queued copy from section [XylocUSB.CopyFiles] in "c:\windows\inf\oem4.inf": "XylocUSB.sys" to "XylocUSB.sys" with flags 0x00000024, target directory is "C:\WINDOWS\system32\drivers".
@ 16:31:43.255 #V095 Source in section [sourcedisksfiles] in "c:\windows\inf\oem4.inf"; Media=1 Description="XylocUSB Installation Diskette" Tag="" Path="".
@ 16:31:43.287 #T204 Install Device: Queuing coinstaller files from INF(s).
@ 16:31:43.318 #V005 Opened the PNF file of "c:\windows\inf\oem4.inf" (Language = 0409).
#-046 Processing Coinstaller registration section [XylocUSB.INSTALL.NT.CoInstallers].
@ 16:31:43.382 #V056 Coinstallers registered.
@ 16:31:43.398 #V011 Installing section [XylocUSB.INSTALL.NT.Interfaces] from "c:\windows\inf\oem4.inf".
@ 16:31:43.414 #V054 Interfaces installed.
@ 16:31:43.446 #V121 Device install of "USB\VID_0A28&PID_0001\5&B791E26&0&2" finished successfully.
@ 16:31:43.462 #T201 Install Device: End.
@ 16:31:43.493 #V156 Completed default installer.
@ 16:31:43.509 #T185 Pruning Files: Verifying catalogs/INFs.
@ 16:31:43.541 #I180 Verifying file "c:\windows\inf\oem4.inf" (key "xylocusb.inf") against catalog "oem4.CAT" failed. Error 1168: Element not found.
@ 16:31:43.557 #I180 Verifying file "c:\windows\inf\oem4.inf" (key "xylocusb.inf") against catalog "oem4.CAT" failed. Error 1168: Element not found.
@ 16:31:43.589 #T186 Pruning Files: Verifying catalogs/INFs completed.
@ 16:31:43.621 #I180 Verifying file "C:\WINDOWS\system32\DRIVERS\XylocUSB.sys" (key "XylocUSB.sys") against catalog "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xylocusb.cat" failed. Error 0x800b0110: The certificate is not valid for the requested usage.
@ 16:31:43.668 #V330 Verifying file "C:\WINDOWS\system32\DRIVERS\XylocUSB.sys" (key "XylocUSB.sys") as self-signed failed. Error 0x800b0110: The certificate is not valid for the requested usage.

Might anyone shed some light on my error and advise me as to corrective actions?

Thanks

Unfortunately I don't have answers but I can second the problem with a cert
from Comodo. There seems to be something missing somewhere or we need some
special type of cert, although all the docs imply a standard Authenticode
cert will do.

--
Steve Maillet
EmbeddedFusion
www.EmbeddedFusion.com
smaillet at EmbeddedFusion dot com

[dmurphey]

I talked with VeriSign about this issue and they claim that it is a problem with the OS! That is discouraging knowing how difficult it is to contact Microsoft. I've tried to email them repeatedly at "ddksupp@microsoft.com" (which they recommend in their code signing example from the DDK!) but it appears to be a "black hole." Do you know another email address or phone number? Although I have followed the Microsoft signing guidelines to the letter, I have to believe that I am missing something. This is most likely a simple matter to resolve which would require little time on Microsoft's part.

Well after some further research I found this site:
http://www.microsoft.com/whdc/winlog...ign_perOS.mspx

It states that Authenticode signed drivers are treated as unsigned on XP.
Only Vista supports that apparently. !@#$#@ MS doesn't distinguish the docs
info clearly and just assumes everyone will robotically update to the latest
revision of software, so the old stuff doesn't matter. VERY ANNOYING!

--
Steve Maillet
EmbeddedFusion
www.EmbeddedFusion.com
smaillet at EmbeddedFusion dot com

[dmurphey]

Hi Steve

Perhaps I've been "chasing my tail." After installing my driver, the sys file is signed as is the catalog file which displays that both the sys and inf files are signed. The chain back to the Authenticode certificate seems legitimate. Is it possible that XP's DeviceManager is incapable of recognizing an Authenticode signed driver. Yet DeviceManager recognizes the driver as signed when I test sign the driver as demonstrated in the DDK example.

I still don't like this picture ...

Thanks
Dan

Based on the doc I posted and my experiments I conclude that Authenticode
signatures are not acknowledged by the driver installation system on XP and
it will always complain about a driver as not being signed unless it has a
WHQL signature on it.

Which specific sample are you referring to and from what DDK version did it
come from?

--
Steve Maillet
EmbeddedFusion
www.EmbeddedFusion.com
smaillet at EmbeddedFusion dot com

[dmurphey]

I have followed the example file (C:\WINDDK\6000\bin\SelfSign\selfsign_example.cmd) from DDK version "WinDDK 6000”. The only difference is that I signed both the driver.sys and the catalog file (as recommended elsewhere).