I need to communicate with a simple custom device directly through USB. I have full specifications for communication protocol. Unfortunately, the device vendor did not provide WinUSB driver for the device.
According to
https://msdn.microsoft.com/en-us/library/ff540283.aspx#inf
I should be able to install WinUSB driver automatically on Windows 10 using the inf template.
But installation fails with:
The third-party INF does not contain digital signature information.
As I understand, it is looking for a signed .cat file. But in this case I have no any files to sign nor .cat file. I just want to install Windows own WinUSB driver for the device, and clearly Windows drivers should be signed by Microsoft.
How do I proceed to install the .inf file?
If you only care about supporting Windows 8.1 and later, and you have the ability to change the device's firmware, you might consider using Micrsoft OS 2.0 Descriptors. This will allow a Windows computer to recognize the device as a WinUSB device and automatically load the WinUSB driver.
Another option would be to use Zadig or the related library libwdi to install the driver for your device. I would only recommend this for small, temporary, or organization-internal installations since it is kind of a hack (it installs its own certificate into your Trusted Root Certification Authorities list).
You could also look into disabling driver signature enforcement on your computer if you want to use the unsigned INF file.
If none of those options are going to work for you, then you need to look into buying a code-signing certificate from a certificate authority and signing your driver. Code signing for Windows is an ever-evolving field but my article Practical Windows Code and Driver Signing attempts to document what you need to know.
Related
I am trying to get our libusb-win32 driver to work with different Windows OS. I already successfully installed it on 7, 8 and 10 with a selfsigned certificate that I imported into the root and trustedpublisher.
What remains is to buy an official certificate and distribute it. Since Windows 10 there is the need to use EV for kernel mode drivers but libusb already ships the .sys and .dll with valid signature.
Since theres quite a difference in pricing the question is: Do I need an EV certificate to sign the .cat or can Windows differentiate between installing with standard certificate signature in the .cat and loading the kernel module with the embedded kernel module signature?
I need some clarification about driver signing in Windows 10.
We have working driver package that uses Winusb.sys driver that is signed from the start by Microsoft. But to install this driver to customer machine we have our own *.inf and 2 generated *.cat files for each supported platforms. Currently we have no issues using this driver in Windows 10 since modifications for Windows 8 support, but we want to add some additional hardware devices support in near future to driver, so it will be modified and need to be resigned.
The question is what certificate (Extended Validation (“EV”) Code Signing Certificate or just Standard Certificate) do we need to sign these *.cat files, so our driver can be installed correctly at Windows 10. Also is it necessary to submit out driver to Windows Hardware Developer Center Dashboard portal?
I saw this and some other articles that states, EV certificate signing is needed only by kernel-mode drivers (it seems after 90 days of Win10 release also user-mode drivers), but WinUSB driver is kernel-mode and fully supported and initially signed by Microsoft. So again what kind of certificate do we need to sign *.cat files and do we need to submit them to Microsoft portal?
The files structure before signing looks like
driver
|--*.inf
|--*amd64.cat
|--*x86.cat
|--amd64
|--WdfCoInstaller01009.dll
|--winusbcoinstaller2.dll
|--i386
|--WdfCoInstaller01009.dll
|--winusbcoinstaller2.dll
|--ia64
|--WdfCoInstaller01009.dll
|--winusbcoinstaller2.dll
My company also uses WinUSB for one of our devices. We currently use a "driver signing" certificate from Godaddy. Once the certificate is installed on your machine (they have step-by-step instructions for how to do this), you need to generate a pfx file and then you can use the signtool utility to sign the security catalog.
This link was a great resource for me: http://www.davidegrayson.com/signing/
I am trying to install a usb composite device I build on Windows 7(32bit & 64bit) and Windows8/8.1(32bit & 64bit).
The device composes of a Mass-storage and CDC Serial port device. I have provided an INF file to make Windows recognize the main composite device. Once that is recognized, I also provide INF for the CDC serial device. The mass-storage part functions without need of a INF file.
Now these INF files uses drivers that normal default Windows drivers.(usbccgp.sys, usbser.sys) Even when using these "default" drivers and not changing anything in them, do I still need to get a digital signature to install this device? Is there anyway to write the INF so as to bypass this error?
Thanks
Signatures are enforced when installing the drivers in 64-bit Windows. The drivers won't work without being signed. And once you have a proper certificate (note that not every code signing certificate will work), you can sign both the driver and cat file (if used) with this certificate.
I have got a piece of hardware which communicates with my program using an FT2232C USB serial converter. All works fine if the device has already been attached to a computer before and the drivers were installed using an administrator account. But that is not the usual case.
These devices will be attached and removed at will and it will also not always be the same device that will be attached to a particular computer. Also, most of the users will not have administrator privileges and the computers are not connected to a LAN.
It is possible to automatically push files to these computers and add registry entries.
Does anybody have got any pointers on how to make Windows believe the devices driver has already been installed? I am currently thinking along the lines of tracking all changes that the driver installer does to the Windows installation and making these changes without any user interaction. But maybe there is an easier way?
We are currently talking Windows XP but in the not so far future there will be more and more Windows 7 (64 bit) computers as well.
While you could "pre-install" the driver by doing all the changes to the registry yourself (under a SYSTEM account, not regular Administrator -- you can use SysInternals PsExec to do this), this wouldn't help you unless you'd preinstall it for all possible ports. (Only USB devices which have an embedded serial number can be installed just once. Others are installed per-port.)
Another option is to sign the driver. A signed driver installs silently without the need for administrative credentials.
Does the vendor driver come with a .cat file? (And is the .cat file WHQL-signed?) If yes, you don't have a problem. Just install the driver with the standard tools (e.g. DPInst).
If not, you can always generate your own WHQL certificate (you cannot BUY a WHQL certificate), push this to all computers (since you're an administrator, you can do this) and then use the regular Windows tools (e.g. DPInst) to place the driver in the machines' driver stores. To generate the certificate, use CertUtil.exe and make sure you specify the "Windows System Component Verification" EKU. To sign the driver, use MakeCat.exe and SignTool.exe.
The best method with XP for the timebeing is to get hold of the administrator password, I used the following method a few months back and it has been brilliant, there is free software and instructions available here:
http://www.loginrecovery.com/
I need to install the libusb-win32 driver on Windows 7 64 bit machines. This driver is open source so it is not digitally signed so I want to do this myself, but I wonder if this can be done WITHOUT paying lot of money. Is it possible to use a certificate which is NOT signed by Verisign or GlobalSign? Maybe self-signed or by using StartSSL instead?
And if yes, how do I do it? According to a how-to, The Practical Truth About x64 Kernel Driver Signing, I have to use a "cross-certificate" (and there are only six available on the Microsoft list and most of them are for CAs which are no longer active).
I don't care if the user is confronted with a warning message. I can even accept if the user has to install a special CA certificate first. I only require that the driver runs without manually disabling the signature check on each Windows startup.
No, the driver has to be cross signed by one of those specific certificates and thus the driver has to be signed by one of those CAs. You can disable driver signing on the machine for testing purposes, but obviously you don't want to do this on production machines. Sorry, that's just the way it is.
LibUSB_win32 is now already signed, according to http://sourceforge.net/apps/trac/libusb-win32/wiki
It says: "Vista/7/2008/2008R2 64 bit are supported from version 1.2.0.0 since a Microsoft KMCS accepted digital signature is embedded in the kernel driver libusb0.sys."
So the only thing you have to do is update your libusb_win32 driver.
To allow loading into kernel, you have to sign with those CA and have WHDL checked.
The only alternative would be using the user mode driver framework. (but libusb does not support it -- it was discussed, but never implemented)