I have an inf file for a user-mode driver for a device.
Does Windows require me to get this driver signed?
Are there any risks of not having this driver signed?
I know that kernel-mode drivers need to be signed.
The accepted answer is right about Windows 7, but things are different starting with Windows 8 and now 10.
User-mode drivers, like the Printer driver will install and work in an
x64-based computer. A dialog will appear to the user during
installation asking for approval to install the driver. Beginning in
Windows 8 and later versions of Windows, installation will not proceed
unless these driver packages are also signed.
https://learn.microsoft.com/en-us/windows-hardware/drivers/install/windows-driver-signing-tutorial
The short answer is no; Windows does not require signing for user-mode drivers on x86/x64.
There are no risks with not having it signed, and you don't have to pay the fee to have Microsoft sign the driver.
UPDATE:
This is no longer the case, as Soroush Falahati's answer will point out; please refer to his answer.
You need to sign it, but you can use self-signed certificates with user-mode drivers.
Related
I need to communicate with a simple custom device directly through USB. I have full specifications for communication protocol. Unfortunately, the device vendor did not provide WinUSB driver for the device.
According to
https://msdn.microsoft.com/en-us/library/ff540283.aspx#inf
I should be able to install WinUSB driver automatically on Windows 10 using the inf template.
But installation fails with:
The third-party INF does not contain digital signature information.
As I understand, it is looking for a signed .cat file. But in this case I have neither any files to sign nor a .cat file. I just want to install Windows' own WinUSB driver for the device, and clearly Windows drivers should be signed by Microsoft.
How do I proceed to install the .inf file?
If you only care about supporting Windows 8.1 and later, and you have the ability to change the device's firmware, you might consider using Microsoft OS 2.0 Descriptors. This will allow a Windows computer to recognize the device as a WinUSB device and automatically load the WinUSB driver.
Another option would be to use Zadig or the related library libwdi to install the driver for your device. I would only recommend this for small, temporary, or organization-internal installations since it is kind of a hack (it installs its own certificate into your Trusted Root Certification Authorities list).
You could also look into disabling driver signature enforcement on your computer if you want to use the unsigned INF file.
If none of those options are going to work for you, then you need to look into buying a code-signing certificate from a certificate authority and signing your driver. Code signing for Windows is an ever-evolving field but my article Practical Windows Code and Driver Signing attempts to document what you need to know.
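A pre-install check for the error quoted in the question above, as an added example that is not part of the original posts. It assumes the error arises because the INF names no catalog in its [Version] section (the CatalogFile directive) or the named .cat is not shipped with the package; the sample INF, file names and function names are constructed.

```python
import re

# Constructed sample: a WinUSB-style INF whose [Version] section has no CatalogFile.
SAMPLE_INF = """\
; constructed sample, not a real vendor INF
[Version]
Signature   = "$Windows NT$"
Class       = USBDevice
Provider    = %ManufacturerName%
DriverVer   = 01/01/2020,1.0.0.0

[Manufacturer]
%ManufacturerName% = Standard,NTamd64
"""

def version_section(inf_text):
    """Return the [Version] directives of an INF as a dict with lower-cased keys."""
    entries, in_version = {}, False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                                   # a new section starts here
            in_version = header.group(1).strip().lower() == "version"
            continue
        if in_version and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries

def catalog_findings(inf_text, files_present=()):
    """List reasons the package offers Windows no catalog to check a signature against."""
    ver = version_section(inf_text)
    # CatalogFile may be plain or platform-decorated, e.g. CatalogFile.NTamd64
    cats = {k: v for k, v in ver.items()
            if k == "catalogfile" or k.startswith("catalogfile.")}
    findings = []
    if not cats:
        findings.append("no CatalogFile directive in [Version]")
    present = {name.lower() for name in files_present}   # file names are case-insensitive
    for key, name in cats.items():
        if name.lower() not in present:
            findings.append(f"{key} names {name}, which is not in the package")
    return findings
```

The check only confirms that a catalog is named and present; whether that catalog's signature chains to a publisher the machine trusts is a separate verification.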
I have got a piece of hardware which communicates with my program using an FT2232C USB serial converter. All works fine if the device has already been attached to a computer before and the drivers were installed using an administrator account. But that is not the usual case.
These devices will be attached and removed at will and it will also not always be the same device that will be attached to a particular computer. Also, most of the users will not have administrator privileges and the computers are not connected to a LAN.
It is possible to automatically push files to these computers and add registry entries.
Does anybody have any pointers on how to make Windows believe the device's driver has already been installed? I am currently thinking along the lines of tracking all changes that the driver installer does to the Windows installation and making these changes without any user interaction. But maybe there is an easier way?
We are currently talking Windows XP but in the not so far future there will be more and more Windows 7 (64 bit) computers as well.
While you could "pre-install" the driver by doing all the changes to the registry yourself (under a SYSTEM account, not regular Administrator -- you can use SysInternals PsExec to do this), this wouldn't help you unless you'd preinstall it for all possible ports. (Only USB devices which have an embedded serial number can be installed just once. Others are installed per-port.)
Another option is to sign the driver. A signed driver installs silently without the need for administrative credentials.
Does the vendor driver come with a .cat file? (And is the .cat file WHQL-signed?) If yes, you don't have a problem. Just install the driver with the standard tools (e.g. DPInst).
If not, you can always generate your own WHQL certificate (you cannot BUY a WHQL certificate), push this to all computers (since you're an administrator, you can do this) and then use the regular Windows tools (e.g. DPInst) to place the driver in the machines' driver stores. To generate the certificate, use CertUtil.exe and make sure you specify the "Windows System Component Verification" EKU. To sign the driver, use MakeCat.exe and SignTool.exe.
The best method with XP for the time being is to get hold of the administrator password. I used the following method a few months back and it has been brilliant; there is free software and instructions available here:
http://www.loginrecovery.com/
I have done a great deal of looking around, and I can't seem to get a straightforward answer to this issue.
I am a hobbyist programmer. I have done a great deal of work with Windows drivers, and wrote my own personal 'antivirus' driver for Windows XP. So don't get me wrong here, I don't work for any software development firm or anything of the like.
My question is: as far as Windows 7 x64 is concerned, is there any possible legit and legal method I can use to release sign my driver that would only be for my own personal use?
Yes, I am well aware I can test sign my driver and run it in a virtual machine under Windows test mode, which I do quite frequently. However, if you have used Windows in test mode you know there are some major drawbacks.
So to sum this all up, is it possible for me (a hobbyist) to release sign a driver for my own personal use and not have to deal with Windows test mode?
Thanks.
If it's a boot time required driver, I don't think there is a way you can get it to use it without signing it with a certificate from a Microsoft sanctioned provider (Verisign only I think for drivers?).
If this is a normal device driver that isn't required at boot you can create your own certificates and use those instead. I did it myself for Vista x64 to get an HP ScanJet driver to work from XP x64 by signing the .sys and the .inf files.
I used Active Directory Certificate Services on my domain to issue a Code Signing certificate for my use and had my machine trust the ADCS CA certificate. These two actions will cause Windows to trust your signed driver.
I believe you could use OpenSSL to create a CA certificate and issue code signing certificates with that, but I've had no practice with it.
Again, to reiterate: if this driver is required at boot then this method will not work; if it's used for a device which can be attached at any time, it should work.
You can have the ReactOS Foundation do it for you.
Please refer to my answer to this post: Windows 7 kernel driver signing.
So to sum this all up, is it possible for me (a hobbyist) to release sign a driver for my own personal use and not have to deal with Windows test mode?
Yes.
For boot time drivers: Go to VeriSign, buy the (only?) code signing certificate ($500), and sign your driver.
For non-boot drivers: You can self-sign, with appropriate warnings.
We have an application which uses the RNDIS USB driver, aka "Linux USB Ethernet/RNDIS Gadget" to talk to a linux based embedded device.
We have digitally signed (with a Verisign certificate) this driver for use with Windows 7. This eliminates an "unsigned driver" error message on install.
On XP, however, even a signed driver displays a "Linux USB Ethernet/RNDIS has not passed Windows Logo testing..."
This is, evidently, a driver developed by Microsoft. I saw reports that this and other drivers were signed in SP2 and this broke in SP3.
The goal is to do an install of the driver without a warning or error. Is this driver, or a compatible driver, available anywhere else? Is there a way to get it signed through WHQL?
According to http://en.wikipedia.org/wiki/WHQL_Testing:
A company can choose to sign their own drivers rather than go through
the WHQL testing process. These drivers would not qualify for the
"Certified for Windows" logos, but they would install on 64 bit
versions of Windows and install without a warning message on 32 bit
versions of Windows Vista or Windows 7.[2] However, it will not
install without a warning message on Windows XP.[3]
I read something somewhere about how to get around this but can't find it right now. Can you not get it (or a renamed copy of it) signed through WHQL?
I need to install the libusb-win32 driver on Windows 7 64 bit machines. This driver is open source so it is not digitally signed so I want to do this myself, but I wonder if this can be done WITHOUT paying lot of money. Is it possible to use a certificate which is NOT signed by Verisign or GlobalSign? Maybe self-signed or by using StartSSL instead?
And if yes, how do I do it? According to a how-to, The Practical Truth About x64 Kernel Driver Signing, I have to use a "cross-certificate" (and there are only six available on the Microsoft list and most of them are for CAs which are no longer active).
I don't care if the user is confronted with a warning message. I can even accept if the user has to install a special CA certificate first. I only require that the driver runs without manually disabling the signature check on each Windows startup.
No, the driver has to be cross signed by one of those specific certificates and thus the driver has to be signed by one of those CAs. You can disable driver signing on the machine for testing purposes, but obviously you don't want to do this on production machines. Sorry, that's just the way it is.
LibUSB_win32 is now already signed, according to http://sourceforge.net/apps/trac/libusb-win32/wiki
It says: "Vista/7/2008/2008R2 64 bit are supported from version 1.2.0.0 since a Microsoft KMCS accepted digital signature is embedded in the kernel driver libusb0.sys."
So the only thing you have to do is update your libusb_win32 driver.
To allow loading into the kernel, you have to sign with those CAs and have WHQL checked.
The only alternative would be using the user mode driver framework. (but libusb does not support it -- it was discussed, but never implemented)