Authenticode signed drivers
Hi all
I have struggled a lot with driver installation lately.
Is there anyone out there who can explain the following dilemma to me:
I have received an unsigned driver package from a small vendor.
I have signed these drivers myself using Authenticode.
Using DPInst to install these drivers silently on Windows XP SP1 now works OK, but when I try to install them through an MSI file, using Wise and DIFxApp.msm, I receive the following error:
Signature verification failed while checking integrity of driver package 'ftdiport.inf
InstallDriverPackages failed with error 0xE0000244
Is it not possible to install an Authenticode signed driver package through Windows Installer?
Many thanks in advance!
Answers (10)
Posted by:
Foleymon
18 years ago
Did a quick Google search on this one and it sounds like this is a similar issue and a possible fix. DIFxApp 2.0 won't install my driver - it doesn't think it's signed
Posted by:
kkaminsk
18 years ago
OK, if I look up 0xE0000244 from here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deployment/winupdte.mspx
I get a meaningful message of ERROR_SIGNATURE_OSATTRIBUTE_MISMATCH. So you reference the DIFx documentation at:
http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/DIFxAPI.doc
And find a bit more info being the certificate is not valid for the current version of Windows or it has expired. So I would check the certificate on the package to see what Windows says. I am not sure how to do this but I think if you find the cat file, right click and select properties you should find a tab with more info.
Posted by:
meastaugh1
18 years ago
Posted by:
kkaminsk
18 years ago
You can, just not silently in 2.0. Here is the snippet from the manual.
(http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/DIFxtools_reqs.doc)
Quiet Installation of Unsigned WHQL-Class Driver Packages on Windows XP and Windows 2000
The DIFx tools do not support a quiet installation of unsigned WHQL-class driver packages.
Installation of Non-WHQL-Class Driver Packages on Windows XP and Windows 2000
The following considerations apply to performing a wizard-mode installation of non-WHQL-class driver packages on Windows XP and Windows 2000.
Wizard Installation of Authenticode-Signed Non-WHQL-Class Driver Packages on Windows XP and Windows 2000
By default, the DIFx tools perform a wizard installation of non-WHQL-class driver packages that have an Authenticode signature. Setup handles driver packages with an Authenticode signature in the same way that Setup handles unsigned driver packages.
Posted by:
jsvenso1
18 years ago
Thanks for all your answers!
The information you have posted explains a lot, particularly ERROR_SIGNATURE_OSATTRIBUTE_MISMATCH and This would explain the OS Mismatch error message.
The thing that still bothers me is that my Authenticode-Signed Non-WHQL-Class Driver Package can be installed silently by DPInst but not through Windows Installer with DIFxApp!
I guess I'll have to wait for DIFxApp 3.0.
By the way, does anyone know when that version will be released?
THANKS !
Posted by:
kkaminsk
18 years ago
I complained about how you could not silently install Authenticode signed drivers with DIFx app to the team and was invited onto the beta. I got caught up with work and never signed up so I am a bit in the dark.
I should note another limitation I noticed about DIFx app was the fact that you had to order your driver installations if you are installing dependent drivers. So what I had to do with an older Sierra Wireless Aircard driver is put the two driver packages in different directories and configure the order via the DIFx specific tables to install the different drivers. For some reason DPInst knows how to do this.
Posted by:
jsvenso1
18 years ago
Good news, problem solved!
I have managed to install my Authenticode-Signed Non-WHQL-Class Driver Package through DIFxApp and Windows Installer.
The thing that solved my problem was setting the flag to 10 in my MsiDriverPackages table. This gave me a combination of the legacy mode switch and the switch that suppresses the dialog that prompts the user to connect the device to the computer.
This together with the OS setting Install the software anyway and don't ask for my approval made it possible to install my driver package silently.
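An added example, not part of the original post: a small audit of MsiDriverPackages rows that decodes the Flags bitmask and reports which packages rely on legacy mode, given the machine's driver signing option. Bits 2 and 8 are the two the post combines into 10; bits 1, 4 and 16 follow the DIFxApp documentation; the component names and the tab-separated table text are constructed for the example.

```python
from enum import IntFlag

class DifxFlag(IntFlag):
    FORCE_INSTALL = 1      # install even if a better-matching driver is present
    NO_CONNECT_PROMPT = 2  # suppress the "connect the device" dialog
    NO_ARP_ENTRY = 4       # no Add/Remove Programs entry
    LEGACY_MODE = 8        # DIFx adds no signing requirement of its own
    DELETE_FILES = 16      # delete copied files on uninstall

KNOWN_BITS = 31  # 1 | 2 | 4 | 8 | 16

# Constructed sample: tab-separated Component/Flags rows, hypothetical names.
SAMPLE_ROWS = (
    "Component\tFlags\n"
    "ftdiport_drv\t10\n"   # the value from the thread: 8 + 2
    "ftdibus_drv\t2\n"
    "other_drv\t40\n"      # 8 plus an undocumented bit (32)
)

def decode(value):
    """Return (known flag names, leftover undocumented bits)."""
    names = [f.name for f in DifxFlag if value & f]
    return names, value & ~KNOWN_BITS

def audit(table_text, os_policy):
    """Classify each row; os_policy is 'Ignore', 'Warn' or 'Block'."""
    lines = table_text.strip().splitlines()
    header = lines[0].split("\t")
    findings = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        value = int(row["Flags"])
        names, unknown = decode(value)
        if not value & DifxFlag.LEGACY_MODE:
            risk = "difx-enforces-signature"
        elif os_policy == "Ignore":
            risk = "unsigned-installs-silently"
        else:
            risk = "os-policy-decides"
        findings.append({"component": row["Component"], "flags": names,
                         "unknown_bits": unknown, "risk": risk})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS, "Ignore"):
        print(f)
```

Rows reported as `unsigned-installs-silently` are the ones to review before deployment, since nothing in that configuration checks who signed the package.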
Posted by:
meastaugh1
18 years ago
Sorry, could you just clarify for me:
I understand that you can install with the legacy mode enabled in DIFxApp and setting Windows to install drivers, regardless of whether or not they're signed.
Understandably I don't want to set the OS to allow unsigned driver installation for everyone. So is the reason I cannot use Authenticode to sign my unsigned drivers, DIFxApp or the version of Windows I'm running?
Posted by:
kkaminsk
18 years ago
Hmm dunno how I missed this but DIFx 2.01 is out. http://www.microsoft.com/whdc/driver/install/DIFxtls.mspx
Driver Install Frameworks (DIFx) provides infrastructure and tools to simplify device and driver installation for both developers and users. DIFx tools includes the Driver Package Installer (DPInst), Driver Installation Frameworks for Applications (DIFxApp) and Driver Installation Frameworks Library (DIFxAPI).
Updates were made to DIFx 2.01 to address customer requests.
Features in Version 2.01:
• Driver Installation Frameworks Library (DIFxAPI).
  • Support for install, uninstall, repair, and rollback of drivers.
  • Ability to track and maintain application-driver-service associations and provide reference counting on drivers and services.
  • DIFxAPI that exports the following functions:
    • DriverPackagePreinstall()
    • DriverPackageInstall()
    • DriverPackageUninstall()
    • DriverPackageGetPath()
  • Ability to create driver installation packages for 32-bit, x64-based platforms and Itanium-based systems.
  • Support for Windows Vista
• Driver Package Installer (DPInst).
  • Ability to group packages belonging to multifunction devices.
  • New XML elements and command-line switches for:
    • Accepting unsigned drivers by using the legacy mode flag. The underlying operating system still performs signing checks, but the DIFx tools don't add any additional signing requirements.
    • Scanning hardware before performing any preinstall or install to ensure that only packages for which hardware is present are loaded on the machine. This allows the use of DPInst for batch updates, during which the system is scanned for a large number of drivers and only those that are actually required are selected.
    • Using uninstall to delete files that have been copied to the system during install.
• Driver Install Frameworks for Applications (DIFxApp).
  • Ability to work with a scenario in which non-administrators can install administrator-authorized driver packages.
  • New flags for:
    • Using the legacy-mode flag to accept unsigned drivers. The underlying operating system still performs signing checks, but the DIFx tools don't add additional signing requirements.
    • Deleting files on uninstall. Uninstall can delete files that have been copied to the system during install.
Posted by:
jsvenso1
18 years ago