Reputation: 33
I'm trying to get some USB drivers for medical devices pre-installed on our corporate workstations. Unfortunately, these drivers are not signed. Based on some research done here and elsewhere, I self-signed these drivers using a certificate that I created:
makecert -r -pe -n "CN=Self Root CA" -b 01/01/2006 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.6 -sv selfcert.pvk selfcert.cer
I added the certificate to the "Trusted Root CA" and "Trusted Publishers CA" stores and signed the drivers:
signtool sign /f selfcert.pfx /p password /uw /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\gendex\fusiondexis.cat
I added the '/uw' parameter because the "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6) and "Code Signing" (1.3.6.1.5.5.7.3.3) are present in the certificate, thus it seemed appropriate.
I then verified the signatures with signtool:
signtool.exe verify /pa /v /c C:\gendex\fusiondexis.cat C:\gendex\fusiondexis.inf
The driver files were copied to 'C:\gendex' and I updated the registry key 'DevicePath' to include this path when searching for driver files. However, when I plug in the device, Windows displays the Add New Hardware Wizard, which requires an admin to enter their credentials. If I don't do that, the device remains in an unrecognized state, and if I do, it works fine.
I've been banging my head trying to figure this out all day. Any help would be appreciated! Thanks.
Upvotes: 1
Views: 882
Reputation: 222007
Be sure that you added selfcert.cer (Self Root CA) to the local machine store and not to the user-specific store. You can use
CertMgr.exe -add -c selfcert.cer -s -r localMachine AuthRoot
I developed the solution for one of my customers about 8 years ago and it still works. At the time I used an old version of SignTool which didn't have the /uw switch. I used just
SignTool.exe signwizard /v LXT52Xxp.cat
For the troubleshooting I would recommend that you enable detailed SetupAPI logging (see here and here). It will show which drivers from which directory are picked up and whether the ranking of the driver is interpreted the same as "Microsoft signed".
Upvotes: 1
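As an added example (not part of the question or the answer above), the following PowerShell script checks the two things the answer points at: which certificate stores the self-signed root actually landed in (LocalMachine vs CurrentUser), whether the catalog's Authenticode signature chains to that exact root, and what the SetupAPI device log recorded for the driver. The .cer path, the setupapi.dev.log location (Vista and later) and the log search strings are assumptions; adjust them to your environment.

```powershell
# Added check: where is the self-signed driver root trusted, and does the catalog chain to it?
$CerPath  = 'C:\gendex\selfcert.cer'               # assumption: exported public cert from makecert
$CatPath  = 'C:\gendex\fusiondexis.cat'            # catalog file named in the question
$SetupLog = "$env:SystemRoot\INF\setupapi.dev.log" # assumption: Vista+ log location

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb = $cert.Thumbprint
"Root cert: $($cert.Subject)  thumbprint $thumb"

# Driver installation runs as LocalSystem and consults the LocalMachine stores only; a root
# that exists solely under CurrentUser will not make the package look signed to PnP.
$stores = 'LocalMachine\Root', 'LocalMachine\TrustedPublisher',
          'CurrentUser\Root',  'CurrentUser\TrustedPublisher'
foreach ($s in $stores) {
    $hit = Get-ChildItem "Cert:\$s" | Where-Object { $_.Thumbprint -eq $thumb }
    '{0,-32} {1}' -f $s, $(if ($hit) { 'present' } else { 'MISSING' })
}

# Verify the catalog signature and confirm the chain terminates at OUR root, not at some other
# certificate that merely shares the "Self Root CA" subject name.
$sig = Get-AuthenticodeSignature -FilePath $CatPath
"Catalog status: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed root publishes no CRL
[void]$chain.Build($sig.SignerCertificate)
$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
"Chains to expected root: $($rootThumb -eq $thumb)"

# Pull the SetupAPI lines about this package: which INF was selected, its signer score and any
# signature rejection. Search strings are assumptions based on typical setupapi.dev.log content.
if (Test-Path $SetupLog) {
    Select-String -Path $SetupLog -Pattern 'fusiondexis', 'Signer Score', 'sig:' -SimpleMatch |
        Select-Object -Last 40 | ForEach-Object { $_.Line }
}
```

Run it from an elevated prompt on the workstation that shows the wizard; a "MISSING" under LocalMachine\Root or a signer score line that differs from what a Microsoft-signed package gets explains the credential prompt.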