signed catalog when using WinUSB.dll

Elliot

Apr 22, 2010, 7:38:01 PM
We are starting to switch to Microsoft's WinUSB.sys device driver for
some of our USB devices. We access the driver through WinUSB.dll. To get our
driver 'signed' so that the user does not see any warnings on Vista and
Windows 7 when the USB device is plugged in, it looks like we have to submit
a driver package to WHQL in order to get a signed catalog file back from
Microsoft.

Our .inf file contains our USB vid/pid and refers to WinUSB.sys.
So...apparently, we need to submit a driver package with .inf and .cat files
and test logs for our device to WHQL even though WinUSB.sys came from
Microsoft.

Is my understanding of the situation correct?

Doron Holan [MSFT]

Apr 23, 2010, 6:38:14 PM
Correct, you need to get the INF, CAT and all of the coinstaller DLLs
submitted as a package so you can get them signed.

d

--

This posting is provided "AS IS" with no warranties, and confers no rights.


"Elliot" <Ell...@discussions.microsoft.com> wrote in message
news:D8F6FA59-7633-4519...@microsoft.com...

mpv

Apr 23, 2010, 7:51:31 PM
Hi,

"Doron Holan [MSFT]" <doron...@online.microsoft.com> wrote in message
news:%23ZRnwWz...@TK2MSFTNGP06.phx.gbl...


> Correct, you need to get the INF, CAT and all of the coinstaller DLLs
> submitted as a package so you can get them signed.
>

I don't think you have to get the package signed by WHQL, because as you
state, WinUSB is already signed. All you need is a certificate from a CA
from the shortlist (that have a cross certificate from Microsoft). We got
one from GlobalSign.
With the tools from the WDK, you can then generate a .cat file from your
.inf file, and sign it yourself. Add that to your package and that should be
enough. We did it that way.

Regards, Matt


Tim Roberts

Apr 23, 2010, 11:37:01 PM
"mpv" <nos...@forget.it> wrote:
>>
>I don't think you have to get the package signed by WHQL, because as you
>state, WinUSB is already signed. All you need is a certificate from a CA
>from the shortlist (that have a cross certificate from Microsoft). We got
>one from GlobalSign.
>With the tools from the WDK, you can then generate a .cat file from your
>.inf file, and sign it yourself. Add that to your package and that should be
>enough. We did it that way.

Well, it depends on what you need. You don't need to sign the driver for
KMCS purposes, because it's already signed. But if you want to avoid the
"unsigned driver" warning at install time, then you need to get the driver
PACKAGE signed by WHQL.
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.

mpv

Apr 24, 2010, 4:56:48 AM
Hi,

"Tim Roberts" <ti...@probo.com> wrote in message
news:vlp4t5l3671ik1rgl...@4ax.com...


> Well, it depends on what you need. You don't need to sign the driver for
> KMCS purposes, because it's already signed. But if you want to avoid the
> "unsigned driver" warning at install time, then you need to get the driver
> PACKAGE signed by WHQL.

In this specific case (already signed WinUSB), I don't think so, and I am
speaking from experience.
We use a Wise script, together with the WinUSB co-installers, DPInst.exe
(which also has a 64 bit version), and the .inf file with corresponding
signed .cat file. That is enough. On installing the package on Vista 64 or
W7 64, we do not get a warning, just a dialog whether you want to trust our
company in future.
We have never had any business with WHQL.
(You yourself helped me find a bug in the MS example WinUSB .inf file, for
which I am still grateful.)

Regards, Matt


Tim Roberts

Apr 25, 2010, 10:59:20 PM
"mpv" <nos...@tiscali.nl> wrote:
>
>In this specific case (already signed WinUSB), I don't think so, and I am
>speaking from experience.
>We use a Wise script, together with the WinUSB co-installers, DPInst.exe
>(which also has a 64 bit version), and the .inf file with corresponding
>signed .cat file. That is enough. On installing the package on Vista 64 or
>W7 64, we do not get a warning, just a dialog whether you want to trust our
>company in future.

Yes, that's the one. If the package is WHQL signed, there's no dialog at
all -- the driver installs silently.

As I said, it depends on what you need. Or, more accurately, what your
marketing department demands...

mpv

Apr 26, 2010, 3:25:59 PM
Hi,

"Tim Roberts" <ti...@probo.com> wrote in message

news:ca0at59o4u8vnpj9r...@4ax.com...


>
> Yes, that's the one. If the package is WHQL signed, there's no dialog at
> all -- the driver installs silently.
>
> As I said, it depends on what you need. Or, more accurately, what your
> marketing department demands...
> --

I think there is a huge difference between a BIG RED warning, that advises
you NOT to install this driver, and a dialog that asks whether you want to
trust this company also in future (meaning the company's certificate is
added to a trusted category in the certificate store).
I don't know what else could happen with cross certificates. Surely this is
the procedure that was meant by Microsoft when they provided these cross
certificates?

Regards, Matt


Tim Roberts

Apr 28, 2010, 1:14:23 AM
"mpv" <nos...@tiscali.nl> wrote:
>
>I think there is a huge difference between a BIG RED warning, that advises
>you NOT to install this driver, and a dialog that asks whether you want to
>trust this company also in future (meaning the company's certificate is
>added to a trusted category in the certificate store).
>I don't know what else could happen with cross certificates. Surely this is
>the procedure that was meant by Microsoft when they provided these cross
>certificates?

The cross certificates are used for KMCS, not for package signing. A
64-bit driver will not load at all unless it's signed with a code-signing
certificate and the appropriate cross certificate.

JoeB

Apr 29, 2010, 4:11:01 AM
"mpv" wrote:

> In this specific case (already signed WinUSB), I don't think so, and I am
> speaking from experience.
> We use a Wise script, together with the WinUSB co-installers, DPInst.exe
> (which also has a 64 bit version), and the .inf file with corresponding
> signed .cat file. That is enough. On installing the package on Vista 64 or
> W7 64, we do not get a warning, just a dialog whether you want to trust our
> company in future.

Matt, I've been lurking for a while reading your posts and I must say I
think you have a better handle on this situation than anyone else. Bravo.
I'm trying to figure out how to do an automatic install of the driver before
the user plugs the device in, you mentioned using a WISE script, is there any
way you could share that or how it works? Or could you or someone else give
me some direction on how I can pre-install the driver before the device gets
plugged in? I'd be happy to pay you or anyone for their help. Post back or
email please.

mpv

Apr 29, 2010, 10:19:03 AM
Hi,

"JoeB" <Jo...@discussions.microsoft.com> wrote in message
news:6E27876C-E555-4795...@microsoft.com...


>
> you mentioned using a WISE script, is there any
> way you could share that or how it works?
>

Wise InstallBuilder is (or was) a tool for software distribution that allows
you to write setup programs for Windows applications.
It was bought by Altiris, and then by Symantec, and is now called Wise
Package Studio.
I have never upgraded from the 1998 version, as the Wise scripts are now
deprecated in favor of Windows installation script. The latest version only
adds stuff like a 64 bit test to the Wise scripts, which was not very hard
to write myself as a straight DLL function.
To install drivers (before plugging in the device), you should look into
Microsoft's DPInst, which does most of the work. Your script just copies the
necessary files and starts DPinst, that's basically it.

The issue with WinUSB is that it is an exception in the device driver field.
Being a ready made driver, it should not be that hard to use it, but there
are many pitfalls in the process, with lots of imperfect documentation.
I can understand that the hardcore driver people in this forum think it is
somewhat uninteresting compared to writing your own driver, and the signing
business is a lot of red tape.
I have, however, some difficulty reading in this forum that you need WHQL
when using WinUSB on 64 bit Windows, that is all. In my experience, you can
easily do without.

Regards, Matt


Tim Roberts

Apr 30, 2010, 11:11:46 PM
"mpv" <nos...@forget.it> wrote:
>
>To install drivers (before plugging in the device), you should look into
>Microsoft's DPInst, which does most of the work. Your script just copies the
>necessary files and starts DPinst, that's basically it.

Right. I have an NSIS installer that does that: I copy all of the files
(including dpinst) to a folder under Program Files, then launch dpinst.
Pretty painless, actually, and I even get an uninstall ability.

>The issue with WinUSB is that it is an exception in the device driver field.
>Being a ready made driver, it should not be that hard to use it, but there
>are many pitfalls in the process, with lots of imperfect documentation.
>I can understand that the hardcore driver people in this forum think it is
>somewhat uninteresting compared to writing your own driver, and the signing
>business is a lot of red tape.
>I have, however, some difficulty reading in this forum that you need WHQL
>when using WinUSB on 64 bit Windows, that is all. In my experience, you can
>easily do without.

That's true. The driver file itself has already been signed by Microsoft,
so there are no KMCS issues. The extent to which you go depends on your
needs. If you do not sign the CAT at all, you get the dreaded "CAUTION!
This driver is unsigned, the world's about to end" dialog. For some
people, that's just fine. If you sign the CAT with your own certificate,
you get the "Do you trust this publisher?" warning, which is not so bad. If
you submit for the WHQL signature, there's no dialog at all.

It depends on what your marketing department wants.
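
The self-signed catalog route discussed in this thread (generate a .cat from the .inf with the WDK tools, sign it with your own certificate), followed by a verification pass, as an added example that is not from any poster here. It assumes Inf2Cat.exe and signtool.exe from the WDK are on PATH; the package folder, catalog name, certificate subject, timestamp URL and cross-certificate path are placeholders.

```powershell
# Added example. Every value below is a placeholder or assumption.
$PackageDir   = 'C:\drivers\mydevice'      # holds the .inf and the WinUSB co-installers
$CatalogName  = 'mydevice.cat'             # must match CatalogFile= in the .inf
$SubjectName  = 'Example Company Ltd'      # subject name of your code-signing certificate
$TimestampUrl = 'http://timestamp.example.invalid'   # your CA's timestamp service
$CrossCert    = $null                      # optional path to the CA's cross-certificate

function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code $LASTEXITCODE"
    }
}

# 1. Build the catalog from the .inf. Inf2Cat hashes every file the .inf
#    references, so the co-installer DLLs must already be in the package folder.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$PackageDir", '/os:Vista_X86,Vista_X64,7_X86,7_X64')

# 2. Sign and timestamp the catalog with the certificate in the user's store.
$cat = Join-Path $PackageDir $CatalogName
$signArgs = @('sign', '/v', '/n', $SubjectName, '/t', $TimestampUrl)
if ($CrossCert) { $signArgs += @('/ac', $CrossCert) }
$signArgs += $cat
Invoke-Tool 'signtool.exe' $signArgs

# 3. Verify the catalog's own signature chain.
Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', $cat)

# 4. Verify that every shipped file is covered by the signed catalog.
#    A file edited after step 1 (for example a late change to the .inf)
#    fails here instead of on the customer's machine.
Get-ChildItem -Path $PackageDir -Recurse -File |
    Where-Object { $_.Extension -ne '.cat' } |
    ForEach-Object {
        Invoke-Tool 'signtool.exe' @('verify', '/pa', '/c', $cat, $_.FullName)
    }

Write-Output "Catalog $CatalogName signed and verified for $PackageDir"
```

Any change to the .inf after step 1 invalidates the catalog, so regenerate and re-sign rather than editing a signed package in place.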
