/build/static/layout/Breadcrumb_cap_w.png

Can difxapp2 install authenticode signed drivers on XPSP2

A simple question. The authenticode documentation says that drivers can be signed with authenticode on Windows 2003 and above. But WHQL has to be used for 9x/2000. No mention XP.

Does the latest service pack enable XP to install authenticode signed drivers?

thanks

0 Comments   [ + ] Show comments

Answers (9)

Posted by: kkaminsk 19 years ago
9th Degree Black Belt
0
As far as I understand things all versions of XP should install signed drivers. It is when the driver is not signed that things become more complex.
Posted by: meastaugh1 19 years ago
Senior Purple Belt
0
Sorry, I don't think I made the question clear in my original post.

I have some unsigned drivers, and I'd like to sign them myself using authenticode. Will this work on XP?
Posted by: kkaminsk 19 years ago
9th Degree Black Belt
0
Well this is a grey area for me too. The last time I spoke to a developer they said this functionality would not be included until Longhorn. With the release of 2.0 I saw features that were not going to exist until Longhorn. I would say yes but I have never done it so my opinion does not count for much.
Posted by: kkaminsk 19 years ago
9th Degree Black Belt
0
The manual does sound promosing.

Wizard Installation of Signed WHQL-Class Driver Packages on Windows XP and Windows 2000

By default, the DIFx tools perform a wizard installation of driver packages with WHQL signatures and Authenticode signatures. The following considerations apply:

• If a driver package has a valid WHQL signature, Setup does not display a driver signing dialog box. If the WHQL signature is not valid, Setup displays a driver signing dialog box or block installation, depending on the driver signing option set for a computer (Ignore, Warn, or Block).

• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages. Depending on the driver signing option set for a computer, Setup displays a driver signing dialog box or block installation (Ignore, Warn, or Block).
Posted by: meastaugh1 19 years ago
Senior Purple Belt
0
If setup handles authenticode signatures the same way as it does unsigned drivers, can you tell me what the point is in authenticode signature?
Posted by: kkaminsk 19 years ago
9th Degree Black Belt
0
There is a layer of security in there. The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization. This gives you control over which drivers are certified for your environment as well as some protection from people installing keyloggers or rootkits.

So it really comes down to your Active Directory security policy more than anything. Microsoft has given you a choice instead of forcing you to only use WHQL signed drivers like they did in DIFx 1.0.
Posted by: meastaugh1 19 years ago
Senior Purple Belt
0
The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization.

The policy in place is that signed drivers are installed by anyone, but local administrator rights are required to install unsigned drivers.

• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages.

The reason I ask, is because I want to install unsigned drivers silently so when a standard user plugs in a pnp device (with unsigned driver) it will install silently, and not prompt for local administrator credentials. If authenticode signed drivers are treated the same as unsigned drivers, I guess this is not possible?

Apologies if I've misunderstood.
Posted by: kkaminsk 19 years ago
9th Degree Black Belt
0
You are correct. They are still pushing the WHQL signing for maximum functionality. I still think they should allow silent installs if the driver has been signed internally. I think it is somewhat ridiculous that you cannot silently install a driver that has been internally certified. Why punnish the corporate user for what the vendor chose. I have had vendors express their disinterest in WHQL certification of their drivers. It costs money and they do not see a direct benefit. Honestly who is not going to buy hardware based on the driver certification status.
Posted by: meastaugh1 19 years ago
Senior Purple Belt
0
Ok

Thanks anyway.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ