Windows App Cert Kit: InstallLocation False Failure - windows

I built an MSI using the WIX Toolset. In the MSI I use:
<SetProperty Id="ARPINSTALLLOCATION" Value="[INSTALLFOLDER]" After="CostFinalize"/>
to set the InstallLocation regkey. When testing with the App Cert Kit I get the failure:
A non-optional value 'InstallLocation' is missing or invalid for program.
After checking the registry on my PC and another's the correct registry key
InstallLocation: C:\Program Files\*program_name*\
is present on both in the correct location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}.
I tried consulting a related question but honestly have no idea what the solution is saying. I also tried running the Cert Kit on the other computer but to no avail. Is this a known bug in the Cert Kit or is that not a valid InstallLocation?

Related

Install a self-signed driver on Windows 10 64 bit

I am struggling to develop my own driver to hook on serial port IRP.
To start, I followed the Microsoft guide "Write a Universal Windows driver (KMDF) based on a template".
It seems that the driver is written, built and signed successfully:
Rebuild started...
1>------ Rebuild All started: Project: KMDF Driver1, Configuration: Release x64 ------
1>Building 'KMDF Driver1' with toolset 'WindowsKernelModeDriver10.0' and the 'Universal' target platform.
1>Stamping x64\Release\KMDFDriver1.inf
1>Stamping [Version] section with DriverVer=09/03/2022,17.42.15.777
1>Driver.c
1>KMDF Driver1.vcxproj ->D:\_PROJECTS\_BASIC SOFTWARE\DriverTemplate\KMDF Driver1\x64\Release\KMDFDriver1.sys
1>Done Adding Additional Store
1>Successfully signed: D:\_PROJECTS\_BASIC SOFTWARE\DriverTemplate\KMDF Driver1\x64\Release\KMDFDriver1.sys
1>
1>Driver is 'Universal'.
1>........................
1>Signability test complete.
1>
1>Errors:
1>None
1>
1>Warnings:
1>None
1>
1>Catalog generation complete.
1>D:\_PROJECTS\_BASIC SOFTWARE\DriverTemplate\KMDF Driver1\x64\Release\KMDF Driver1\kmdfdriver1.cat
1>Done Adding Additional Store
1>Successfully signed: D:\_PROJECTS\_BASIC SOFTWARE\DriverTemplate\KMDF Driver1\x64\Release\KMDF Driver1\kmdfdriver1.cat
1>
========== Rebuild All: 1 succeeded, 0 failed, 0 skipped ==========
Then I tried to install using Device Manager: Action-> Add legacy driver-> Install the hardware that I manually select from a list (Advanced)-> I have Disk-> "KMDFDriver1.inf"->
Here it says "This driver is not digitally signed!"
And on the [Next] step it fails with:
"The third-party INF does not contain digital signature information."
My .inf file is like this:
;
; KMDFDriver1.inf
;
[Version]
Signature="$WINDOWS NT$"
Class=System ; TODO: specify appropriate Class
ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid
Provider=%ManufacturerName%
CatalogFile=KMDFDriver1.cat
DriverVer = 09/03/2022,18.2.12.202
PnpLockdown=1
[DestinationDirs]
DefaultDestDir = 12
KMDFDriver1_Device_CoInstaller_CopyFiles = 11
[SourceDisksNames]
1 = %DiskName%,,,""
[SourceDisksFiles]
KMDFDriver1.sys = 1,,
;
;*****************************************
; Install Section
;*****************************************
[Manufacturer]
%ManufacturerName%=Standard,NTamd64
[Standard.NTamd64]
%KMDFDriver1.DeviceDesc%=KMDFDriver1_Device, Root\KMDFDriver1 ; TODO: edit hw-id
[KMDFDriver1_Device.NT]
CopyFiles=Drivers_Dir
[Drivers_Dir]
KMDFDriver1.sys
;-------------- Service installation
[KMDFDriver1_Device.NT.Services]
AddService = KMDFDriver1,%SPSVCINST_ASSOCSERVICE%, KMDFDriver1_Service_Inst
; -------------- KMDFDriver1 driver install sections
[KMDFDriver1_Service_Inst]
DisplayName = %KMDFDriver1.SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\KMDFDriver1.sys
;
;--- KMDFDriver1_Device Coinstaller installation ------
;
[KMDFDriver1_Device.NT.CoInstallers]
AddReg=KMDFDriver1_Device_CoInstaller_AddReg
CopyFiles=KMDFDriver1_Device_CoInstaller_CopyFiles
[KMDFDriver1_Device_CoInstaller_AddReg]
;
[KMDFDriver1_Device_CoInstaller_CopyFiles]
;
[KMDFDriver1_Device.NT.Wdf]
KmdfService = KMDFDriver1, KMDFDriver1_wdfsect
[KMDFDriver1_wdfsect]
KmdfLibraryVersion = 1.15
[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
DiskName = "KMDFDriver1 Installation Disk"
KMDFDriver1.DeviceDesc = "KMDFDriver1 Device"
KMDFDriver1.SVCDESC = "KMDFDriver1 Service"
My project folder contains the following files:
[D:\_PROJECTS\_BASIC SOFTWARE\DriverTemplate\KMDF Driver1\x64\Release]
KMDFDriver1.cer
KMDFDriver1.inf
KMDFDriver1.pdb
KMDFDriver1.sys
My goal is to be able to write and sign my own driver to hook it on my main application
I am running on a Windows 10 - 64 Bit - Secure Boot (which requires signed drivers).
I have my certificates valid and expiring in 2032.
What am I doing wrong?
Thanks
Like Anders said, use the test signature. It is the default for new projects.
Go to properties -> Driver signing -> General, and change the sign mode back to Test Sign if it's not.
Then right click the .inf -> install (on the target computer). Or go to device manager, right click your device and update driver, then select your driver.
Secure Boot might mess with that, IDK I never used it.
Another option is to disable driver signature enforcement. Search in google how to do that if you need to.
Partially done but messy like hell and not finished with Driver testing but at least the Driver has been installed.
Preliminary requisites:
Make sure you have your certificate present in the Certificates list. It was created in Visual Studio.
Make sure Visual Studio compiles with no error.
In my case and for this little guide I did a Kernel Driver and Visual Studio built 2 different sets of drivers and .inf files.
Important: Disable Secure Boot if your BIOS has it. There is no tricky workaround to this. I did not like to do it but I had to.
../x64/Release/KMDFDriver.cer
../x64/Release/KMDFDriver.inf
../x64/Release/KMDFDriver.pdb
../x64/Release/KMDFDriver.sys
and
../x64/Release/KMDF Driver1/KMDFDriver.cat <-Catalog to add to System Database
../x64/Release/KMDF Driver1/KMDFDriver.inf <-Modify Manufacturer Name
../x64/Release/KMDF Driver1/KMDFDriver.sys <-THIS IS OUR TARGET
Here comes how I made it using the Catalog signed driver:
Disabled Secure Boot from BIOS (my machine has it)
Enable Test signing from commandline (admin lev)
"Bcdedit.exe -set TESTSIGNING ON"
Compiled Driver with visual studio
Modified .inf
ManufacturerName="MeMyselfAndI" ;
NOTE: this is very important otherwise the driver installation gives you a generic "error occured"
Signed driver again using Signtool.
NOTE: This is the strange part as Visual Studio apparently signed the code already but I needed to sign it again. Indeed right after the Driver size went from 9KB to 14KB
My certificate was present and generated by Visual Studio and then I used the /a option (automatic).
SignTool sign /v /a /d kmdfdriver1.cat /t http://timestamp.digicert.com KMDFDriver1.sys
Added my certificate to catalog.
SignTool catdb /v /u kmdfdriver1.cat
Note: All three files are in the same subdir of Visual Studio. To make it faster copy SignTool from its ClickOnce directory to your building directory.... just copy it.
At this point the catalog is not loaded into the system yet. It is just installed. If you try to install it you'll get this message "The hash for the file is not present in the specified catalog file. The file is likely corrupt or the victim of tampering."
Time to REBOOT your PC
Finally right click on the .inf file and follow the instructions with the red banner and all the warnings of the world but off it goes!
Conclusions:
This was one of the most challenging and frustrating tasks of my life.
It is poorly documented in case of errors and a lot of damn pitfalls.
This link helped me more than any other Microsoft's docs:
http://www.davidegrayson.com/signing/
I hope this partially detailed way helped all like me who spent a day to get it to work smashing against Windows science walls.
R64
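Added example (not part of the original posts): a pre-install consistency check for a driver package folder, covering the points raised in this thread. It parses the INF, confirms that the catalog named by CatalogFile sits beside the INF, that every [SourceDisksFiles] entry is present, that the INF was not edited after the catalog was generated (a timestamp heuristic, since the catalog stores a hash of the INF), and that ManufacturerName is no longer the template placeholder. The function names and finding tags are hypothetical, and the sample INF is a trimmed, constructed copy of the one in the question.

```python
import re
import tempfile
from pathlib import Path

# Matches a ';' comment that is not inside a double-quoted string.
COMMENT = re.compile(r'^((?:[^";]|"[^"]*")*);.*$')

def parse_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = COMMENT.sub(r"\1", raw).strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def check_package(inf_path):
    """List the problems that make a driver package folder inconsistent."""
    inf = Path(inf_path)
    present = {p.name.lower(): p for p in inf.parent.iterdir()}
    raw = inf.read_bytes()  # INF files are often UTF-16 with a BOM
    text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig")
    sections = parse_inf(text)
    findings = []
    cat = sections.get("version", {}).get("catalogfile")
    if not cat:
        findings.append("no-catalogfile-directive")
    elif cat.lower() not in present:
        findings.append("catalog-missing:" + cat)
    elif present[cat.lower()].stat().st_mtime < inf.stat().st_mtime:
        # The catalog stores a hash of the INF, so a later edit makes it stale.
        findings.append("inf-newer-than-catalog")
    for name in sections.get("sourcedisksfiles", {}):
        if name not in present:
            findings.append("file-missing:" + name)
    if sections.get("strings", {}).get("manufacturername", "").startswith("<"):
        findings.append("placeholder-manufacturer")
    return findings

# Constructed sample: a trimmed copy of the INF quoted in the question.
SAMPLE_INF = """[Version]
CatalogFile=KMDFDriver1.cat
[SourceDisksFiles]
KMDFDriver1.sys = 1,,
[Strings]
ManufacturerName="<Your manufacturer name>" ;TODO: Replace
"""

def demo():
    # Recreates the question's folder listing: .inf and .sys, but no .cat.
    with tempfile.TemporaryDirectory() as folder:
        inf = Path(folder, "KMDFDriver1.inf")
        inf.write_text(SAMPLE_INF)
        Path(folder, "KMDFDriver1.sys").write_bytes(b"")
        return check_package(inf)
```

An empty result only means the folder is structurally consistent; whether the catalog signature is trusted on the target machine still has to be checked there with SignTool.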

deploying debug app to playbook gives "failure 881 required signatures missing (RDK, AUTHOR)"

I am using Marmalade to build a PlayBook app, but I think my question applies to PlayBook apps in general. I have successfully created a debugtoken.bar file and have installed it on my device. When I go to try to install a built application.bar file on the device, I get:
[execute] "blackberry-deploy.bat -device 192.168.1.114 -password ******* -installApp -package deployments\default\playbook\release\Quote Unquote.bar"
Info: Sending request: Install
Info: Action: Install
Info: File size: 6400334
Info: Installing ...
Info: Processing 6400334 bytes
actual_dname::
actual_id::
actual_version::
result::failure 881 required signatures missing (RDK, AUTHOR)
ERROR: error running blackberry-deploy
***ERROR***
Note that this is the Marmalade deploy tool running the standard PlayBook installer.
What I don't understand is: I thought the point of using a debugtoken.bar file was that you could install unsigned apps. I have in fact successfully deployed these unsigned apps using the Marmalade deploy tool just like this. But I was having problems signing the app for distribution, so I went back and did everything from scratch, requested new code signing keys from RIM, made a new debugtoken.bar file and installed it, etc. And now I'm worse off than I was before because I can't even install to the device now.
So again: My understanding is that the point of debugtoken.bar was to be able to deploy to the device before actually signing the application.bar for distribution. So what does this error message even mean?
To answer my own question:
For deploying a "debug" build to a device, it's critical to have
Application-Development-Mode: true
in the MANIFEST.MF within the .bar file.
A stupid mistake, but I'll leave this up in case it helps anyone...
Taking a look at the QNX deployment plugin "C:\Marmalade\6.1\s3e\deploy\plugins\qnx\qnx.py" I found that the 'FOR DEVELOPMENT' option is false if the 'playbook_keystore' is given, so I just cleared the signing section on the Marmalade System Deployment Tool and it is no longer trying to sign it
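Added example (not part of the original posts): a check that reads MANIFEST.MF out of a built .bar and compares the Application-Development-Mode flag from the self-answer above with the kind of deployment intended, so a debug deploy without the flag, or a release package that still carries it, is caught before it reaches the device. It assumes the .bar is a zip archive with a JAR-style manifest at META-INF/MANIFEST.MF; the function names and result strings are hypothetical, and the sample archive is constructed in memory.

```python
import io
import zipfile

# Assumption: the manifest sits at the JAR-style path inside the archive.
MANIFEST_PATH = "META-INF/MANIFEST.MF"

def manifest_attributes(text):
    """Return [name, value] pairs from a JAR-style manifest, all sections."""
    pairs = []
    for line in text.splitlines():
        if line.startswith(" ") and pairs:
            pairs[-1][1] += line[1:]  # a wrapped value continues on this line
        elif ":" in line:
            name, _, value = line.partition(":")
            pairs.append([name.strip().lower(), value.strip()])
    return pairs

def development_mode(bar):
    """True/False for Application-Development-Mode, None if no manifest."""
    with zipfile.ZipFile(bar) as archive:
        if MANIFEST_PATH not in archive.namelist():
            return None
        text = archive.read(MANIFEST_PATH).decode("utf-8", errors="replace")
    return any(name == "application-development-mode" and value.lower() == "true"
               for name, value in manifest_attributes(text))

def check_bar(bar, debug_deploy):
    """Compare the manifest flag with the kind of deployment intended."""
    mode = development_mode(bar)
    if mode is None:
        return "no-manifest"
    if debug_deploy and not mode:
        return "debug-deploy-without-development-mode"
    if mode and not debug_deploy:
        return "release-package-in-development-mode"
    return "ok"

def sample_bar(dev_mode):
    """Constructed sample: an in-memory archive holding only a manifest."""
    manifest = "Manifest-Version: 1.0\r\n"
    if dev_mode:
        manifest += "Application-Development-Mode: true\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(MANIFEST_PATH, manifest)
    buf.seek(0)
    return buf
```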

Windows 8 driver install and catalog/signature validation

I can't get windows 8 (release preview) to accept either the inf2cat or makecat approach described as solutions to the question at
What changed in the driver signature requirements for Windows 8?
unless I disable validation.
I am not signing these with any certificates at this point, just trying to get past the errors preventing the drivers from installing at all.
Windows 8 gives me a very nondescript error:
"A problem was encountered while attempting to add the driver to the store."
Looking in the event logs, there is nothing of use; only an informational entry from "Windows Error Reporting" indicating a PnPdriverimporterror.
When I use my original files with the cab files that don't match the inf, I get the error everyone else is listing:
The hash for the file is not present in the specified catalog file.
I have one .inf file that I need to generate a .cat for.
Perhaps I am doing something wrong. Ideas??
INF2CAT Approach
c:\win_xp_vista32_64>inf2cat /driver:"." /os:XP_X86,XP_x64,Vista_X86,Vista_x64,7_X86,7_X64,8_X86,8_X64
.......................
Signability test complete.
Errors:
None
Warnings:
22.9.10: usbser.sys in [drivercopyfiles.nt] is missing from [SourceDisksFiles] s
ection in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version
].
22.9.10: %driverfilename%.sys in [drivercopyfiles.ntamd64] is missing from [Sour
ceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutF
ile in [Version].
Catalog generation complete.
c:\win_xp_vista32_64\mchpcdc.cat
MAKECAT approach
--- start of catalog.cdf file---
[CatalogHeader]
Name=mchpcdc.cat
ResultDir=.\
[CatalogFiles]
<hash>mchpcdc=.\mchpcdc.inf
---end of .cdf file ---
c:\win_xp_vista32_64>makecat catalog.cdf
These same files, w/ the cat from either approach install just fine in Windows 7.
I think this problem is to do with "windows driver signing enforcement". You can resolve this by disabling this option. Go through with below link:
http://tivadj-tech.blogspot.in/2012/09/certificate-check-error-when-installing.html
I just tested this on Windows 10 and 8 PRO now, to get this right, follow these steps:
1) From your Start menu, locate your DDK's "x64 Checked Build Environment" i.e. the custom DOS build screen. Right-click, run-as administrator...
2) Compile your source with the Build tools etc.
3) Go into your compiled code, and then create your test-certificate (you don't need to purchase one just yet, use your self-signed one created with the line below):
makecert -r -pe -ss PrivateCertStore -n CN=newhex.com(Test) NewhexTest.cer
The above means your certificate is called "newhex.com(Test)" and the generated file is "NewhexTest.cer"
4) Create / Edit your .CDF file, which contains items describing your CAT file's contents.
5) Create your CAT file by executing:
makecat -v MyCDF.CDF
This should generate an un-signed CAT file that includes all files specified by your CDF.
6) Sign your CAT file as follows:
Signtool sign /v /s PrivateCertStore /n newhex.com(test) /t http://timestamp.verisign.com/scripts/timestamp.dll MyDriverWhatever.cat
This should result in a CAT file that is signed, but don't just install it, because your Windows can't trust Newhex's cert since it's not in the keystore, to fix this do:
7) Add your certificate to your private Key Store, remember this step MUST be done by an administrators access, otherwise you will get an error about (Keystore not found etc):
certmgr.exe -add NewhexTest.cer -s -r localMachine root
This should add into your keystore, Once done, you can then:
8) Go into your device manager, and add your new driver, you would get a warning but will be accepted and installed without the need to reboot with a forced (Don't check cert type account).
I tried this already and it works on Windows 10 and Windows 8 pro versions.
Kind Regards
Heider Sati
You are supposed to use inf2cat, not makecat, because you have an INF file.
You should work on addressing those warnings from inf2cat by fixing your INF file. Here is my INF file that uses usbser.sys and doesn't cause any warnings: https://gist.github.com/3647208
I was able to fix my INF file thanks to the advice from chinzei in the first post of this thread: http://www.microchip.com/forums/m488342-print.aspx
If you continue to have trouble, please edit your question to include the source of your INF file, or at least a link to the source.
I encountered the same problem and was able to install my driver with a TEST certificate using the instructions provided here:
http://msdn.microsoft.com/en-us/windows/hardware/gg487328.aspx

signtool error in visual studio 2008

After rebuilding my c++ project, I got this error message at my output box inside Visual Studio 2008.
1>SignTool Error: No certificates were found that met all the given criteria.
1>Project : error PRJ0019: A tool returned an error code from "Signing library..."
How to solve this?
update:
here is from my visual studio setting...
signtool sign /n "Against Intuition Oy" /t http://timestamp.verisign.com/scripts /timstamp.dll Release\WOT.dll
signtool cannot find a certificate named "Against Intuition Oy" in your certificate store; do you have it?
Try running signtool from the command line, try some different options to see if it works out. Run 'signtool sign /?' to get information, or check msdn for additional info.
You can create certificates yourself:
makecert -r -pe -ss MyTempCert -n "CN=Against Intuition Oy" MyTempCert.cer
sign:
signtool sign /a /s MyTempCert /n "Against Intuition Oy" Release/WOT.dll
If you do not need signing, disable or delete the postbuild event in the project's setting (in release mode, your debug mode doesn't have it) and obviously you will not get errors anymore.
In my case, I had the same error only because my user account had no password.
Setting a password for the user account fixed the issue.

What causes ClickOnce URLDownloadToCacheFile failed during installation?

I'm getting the following error when installing my ClickOnce application via firefox. It doesn't happen with IE on the same computer. I swear I've installed it via firefox before. This is a Windows 7 machine.
The following properties have been set:
Property: [AdminUser] = true {boolean}
Property: [ProcessorArchitecture] = Intel {string}
Property: [VersionNT] = 6.1.0 {version}
Running checks for package '.NET Framework 2.0 (x86)', phase BuildList
Running external check with command 'C:\Users\luke\AppData\Local\Temp\VSDEF1A.tmp\DotNetFX\dotnetchk.exe' and parameters ''
Process exited with code 1
Setting value '1 {int}' for property 'DotNetInstalled'
Reading value 'Version' of registry key 'HKLM\Software\Microsoft\Internet Explorer'
Read string value '8.0.7600.16385'
Setting value '8.0.7600.16385 {string}' for property 'IEVersion'
The following properties have been set for package '.NET Framework 2.0 (x86)':
Property: [DotNetInstalled] = 1 {int}
Property: [IEVersion] = 8.0.7600.16385 {string}
Running checks for command 'DotNetFX\instmsia.exe'
Result of running operator 'ValueExists' on property 'VersionNT': true
Result of checks for command 'DotNetFX\instmsia.exe' is 'Bypass'
Running checks for command 'DotNetFX\WindowsInstaller-KB893803-v2-x86.exe'
Result of running operator 'ValueExists' on property 'Version9x': false
Result of running operator 'VersionLessThan' on property 'VersionNT' and value '5.0.3': false
Result of running operator 'VersionGreaterThanOrEqualTo' on property 'VersionMsi' and value '3.0': true
Result of checks for command 'DotNetFX\WindowsInstaller-KB893803-v2-x86.exe' is 'Bypass'
Running checks for command 'DotNetFX\dotnetfx.exe'
Result of running operator 'ValueNotEqualTo' on property 'DotNetInstalled' and value '0': true
Result of checks for command 'DotNetFX\dotnetfx.exe' is 'Bypass'
'.NET Framework 2.0 (x86)' RunCheck result: No Install Needed
Launching Application.
URLDownloadToCacheFile failed with HRESULT '-2146697211'
Error: An error occurred trying to download 'http://croppy.lukehunter.net/download/croppy.application'.
The following is the howto from Microsoft, but this doesn't apply to firefox. There is no redirection happening either.
If a user has set Internet Explorer
Advanced Security option "Warn if
changing between secure and not secure
mode" on the deployment target
computer, and if the setup URL of the
ClickOnce application being installed
is redirected from a non-secure to a
secure site (or vice-versa), the
installation will fail because the
Internet Explorer warning interrupts
it.
Internet Explorer calls either LaunchApplication or ShOpenVerbApplication procedure from dfshim.dll behind the scenes, whereas Firefox plug-in (as well as a standard bootstrapper created by Visual Studio 2008-2010, which could also produce this rare error) uses a different, out of date technique to launch ClickOnce applications. (Note, that LaunchApplication requires at least .NET Framework 2 SP 2.)
To avoid such error one could redirect Internet Explorer to a deployment manifest (.application) and all other browsers to a custom installer (.exe) that would install .NET Framework if necessary and then call ShOpenVerbApplication.
Hmm, after using IE to install, then uninstalling, I was able to install via firefox again. Odd.
The following worked for me:
Within the local distribution package CLICK ONCE a web.config file was generated on line clientCache that was the problem, in which altered as follows for CHROME and IE8 and now run the file:
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="1.00:00:00" />
I've had this and it to resolve it was to disable the firewall. I sadly don't know what Firewall settings it was, I just disabled the lot and it ran/installed without issue.
After exhausting firewall options on this issue, I found that my executable was pointing to the IP Address of the Application Server. When I changed the site deployment and consequently the executable to the FQDN of the server instead of the IP Address, the installer worked first time.
Simple Solution, on cmd execute setup.exe /URL=http://< Production  URL>/
Easy!
