From: Josh Kelley on 9 Dec 2009 17:33

I have a signed (but not WHQL-certified) driver that's giving security warnings when I try to upgrade it in Windows Vista. Installing the previous version of the driver works, and doing a fresh install of the current version works, but the upgrade pops up a nasty warning: "Windows Security: Windows can't verify the publisher of this driver software."

The fresh install and upgrade are both done using DPinst:

    dpinst.exe /se /sa /lm /path c:\Program Files\MyApp\ftdibus.inf /sw

Here's what appears to be the relevant section from setupapi.dev.log:

    pol: {Driver package policy check - exit(0x00000000)} 16:19:20.626
    dvi: Staging Package To Driver Store - phase 2
    inf: Opened INF: 'C:\Users\Administrator\{bedd06af-9c4a-4500-8264-dc966b9df6dd}\ftdibus.inf' ([strings] <src = normal>)
    inf: Opened INF: 'C:\Users\Administrator\{bedd06af-9c4a-4500-8264-dc966b9df6dd}\ftdibus.inf' ([strings] <src = normal>)
    inf: Opened INF: 'C:\Users\Administrator\{bedd06af-9c4a-4500-8264-dc966b9df6dd}\ftdibus.inf' ([strings] <src = normal>)
    inf: Opened INF: 'C:\Users\Administrator\{bedd06af-9c4a-4500-8264-dc966b9df6dd}\ftdibus.inf' ([strings] <src = normal>)
    inf: Opened INF: 'C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.inf' ([strings] <src = normal>)
    inf: Opened INF: 'C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.inf' ([strings] <src = normal>)
    sig: {_VERIFY_FILE_SIGNATURE} 16:19:21.329
    sig: Key = ftdibus.inf
    sig: FilePath = C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.inf
    sig: Catalog = C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.cat
    flq: {SPFILENOTIFY_CABINETINFO}
    flq: {SPFILENOTIFY_CABINETINFO - exit(0x00000000)}
    flq: {SPFILENOTIFY_FILEEXTRACTED}
    flq: {SPFILENOTIFY_FILEEXTRACTED - exit(0x00000000)}
    flq: {SPFILENOTIFY_CABINETINFO}
    flq: {SPFILENOTIFY_CABINETINFO - exit(0x00000000)}
    flq: {SPFILENOTIFY_FILEEXTRACTED}
    flq: {SPFILENOTIFY_FILEEXTRACTED - exit(0x00000000)}
    ! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
    ! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
    sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 16:19:22.048
    sig: {_VERIFY_FILE_SIGNATURE} 16:19:22.048
    sig: Key = ftdibus.inf
    sig: FilePath = C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.inf
    sig: Catalog = C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.cat
    flq: {SPFILENOTIFY_CABINETINFO}
    flq: {SPFILENOTIFY_CABINETINFO - exit(0x00000000)}
    flq: {SPFILENOTIFY_FILEEXTRACTED}
    flq: {SPFILENOTIFY_FILEEXTRACTED - exit(0x00000000)}
    flq: {SPFILENOTIFY_CABINETINFO}
    flq: {SPFILENOTIFY_CABINETINFO - exit(0x00000000)}
    flq: {SPFILENOTIFY_FILEEXTRACTED}
    flq: {SPFILENOTIFY_FILEEXTRACTED - exit(0x00000000)}
    sig: Success: File is signed in Authenticode(tm) catalog.
    sig: Error 0xe0000242: The publisher of an Authenticode (tm) signed catalog has not yet been established as trusted.
    sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 16:19:22.454
    sto: Validating driver package files.
    inf: Opened INF: 'C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.inf' ([strings] <src = normal>)
    !!! sto: Failed to verify file C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\i386\ftbusui.dll against the catalog C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.cat. Error = 800f024b.
    !!! sto: The file hash wasn't found in the catalog file. The file is likely corrupt or the victim of tampering.
    !!! sto: ValidateDriverPackageFiles() failed to validate the driver package. Error = 800f024b
    !!! sto: Failed to validate Driver Package files. Error = 800f024b
    !!! sto: The Driver Package appears to be tampered. Inf = C:\Windows\system32\DriverStore\Temp\{f3ab5d64-8d1d-4f6a-bd1c-5908aad450be}\Package\ftdibus.inf, Error = 800f024b
    ! sto: The Driver Package appears to be tampered but user wants to install it anyway.

signtool /verify reports no problems. Googling for 800f024b reveals only one hit, a reference to a McAfee knowledge base article that refers to missing "the signed device driver history for the Windows Installer." (What is that? I'm using Inno Setup rather than Windows Installer.)

If I install the software package containing the updated driver to a new directory, I don't get this error. This makes me suspect that the error is caused by a DLL from the old driver being checked against the catalog from the new driver, or vice versa. But I thought that Windows kept drivers in the driver store so that it wouldn't have to depend on drivers remaining unchanged under c:\Program Files?

What's the right way to use DPinst to upgrade a signed driver?

--
Josh Kelley
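
The log excerpt in the post above mixes signer-trust errors from the `sig:` section with a file-integrity error from the `sto:` section. The following is an added example, not part of the original thread: a small triage script that separates the two and names the file that failed the catalog check. The sample is abridged from the quoted log (paths shortened to `...`), and the function names are hypothetical.

```python
import re

# Abridged from the setupapi.dev.log excerpt quoted in the post above:
# one entry per line, long DriverStore paths shortened to "...".
SAMPLE_LOG = r"""
!    sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
!    sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig: Success: File is signed in Authenticode(tm) catalog.
     sig: Error 0xe0000242: The publisher of an Authenticode (tm) signed catalog has not yet been established as trusted.
!!!  sto: Failed to verify file ...\Package\i386\ftbusui.dll against the catalog ...\Package\ftdibus.cat. Error = 800f024b.
!!!  sto: The file hash wasn't found in the catalog file. The file is likely corrupt or the victim of tampering.
!    sto: The Driver Package appears to be tampered but user wants to install it anyway.
"""

# "!" markers (0-3), three-letter section tag, then the message text.
ENTRY = re.compile(r"^(?P<sev>!{0,3})\s*(?P<section>[a-z]{3}):\s*(?P<msg>.*)$")
# Codes appear as "Error 0x...", "Error = ..." or "(0x...)".
CODE = re.compile(r"(?:Error\s*=?\s*|\()(?:0x)?(?P<code>[0-9a-fA-F]{8})\b")
MISMATCH = re.compile(
    r"Failed to verify file (?P<file>.+?) against the catalog (?P<cat>.+?)\. Error")

def parse_entries(text):
    """Yield (severity, section, code or None, message) for each log entry."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        c = CODE.search(m["msg"])
        # exit(0x00000000) style success codes are ignored.
        code = c["code"].lower() if c and int(c["code"], 16) else None
        yield len(m["sev"]), m["section"], code, m["msg"]

def failing_codes(text):
    """Map each non-zero error code to the set of sections that reported it."""
    seen = {}
    for _sev, section, code, _msg in parse_entries(text):
        if code:
            seen.setdefault(code, set()).add(section)
    return seen

def hash_mismatches(text):
    """(file, catalog) pairs the driver store ('sto') failed to match."""
    hits = (MISMATCH.search(msg)
            for _s, sec, _c, msg in parse_entries(text) if sec == "sto")
    return [(m["file"], m["cat"]) for m in hits if m]

if __name__ == "__main__":
    print(failing_codes(SAMPLE_LOG))
    print(hash_mismatches(SAMPLE_LOG))
```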

From: Josh Kelley on 10 Dec 2009 10:49

On Dec 9, 5:33 pm, Josh Kelley <josh...(a)gmail.com> wrote:
> I have a signed (but not WHQL-certified) driver that's giving security
> warnings when I try to upgrade it in Windows Vista. Installing the
> previous version of the driver works, and doing a fresh install of the
> current version works, but the upgrade pops up a nasty warning:
> "Windows Security: Windows can't verify the publisher of this driver
> software."

This ended up being a problem with my Inno Setup installer. On an upgrade, Inno Setup skips files if they have the same version number. One or more files in my updated driver had the same version number but different contents than the old driver, so the driver installation ended up with a few files from the old driver and understandably failed signature verification.

--
Josh Kelley
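
The mixed old/new package described in the post above can be caught before DPInst runs by comparing the shipped package against the directory the installer actually populated. This is an added example, not code from the thread; the function names and the file contents in the demo are constructed, with file names taken from the log.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def stale_files(package_dir, installed_dir):
    """Files from the shipped package that are missing from, or differ in
    content from, the directory DPInst will be pointed at."""
    package_dir, installed_dir = Path(package_dir), Path(installed_dir)
    problems = []
    for src in sorted(p for p in package_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(package_dir)
        dst = installed_dir / rel
        if not dst.is_file():
            problems.append((rel.as_posix(), "missing"))
        elif file_digest(src) != file_digest(dst):
            # Same name (and possibly same version resource), different bytes.
            problems.append((rel.as_posix(), "content differs"))
    return problems

def demo():
    """Constructed scenario: the upgrade replaced the INF and catalog but
    left an old DLL in place because its version number was unchanged."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg, inst = Path(tmp, "package"), Path(tmp, "installed")
        for root in (pkg, inst):
            (root / "i386").mkdir(parents=True)
        new = {"ftdibus.inf": b"new inf", "ftdibus.cat": b"new catalog",
               "i386/ftbusui.dll": b"new dll, version unchanged"}
        for rel, data in new.items():
            (pkg / rel).write_bytes(data)
            (inst / rel).write_bytes(data)
        # Simulate the installer skipping the DLL during the upgrade.
        (inst / "i386/ftbusui.dll").write_bytes(b"old dll, version unchanged")
        return stale_files(pkg, inst)

if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

A non-empty result means the directory holds files that do not belong to the catalog being installed, which is the condition the driver store reported as 800f024b.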

From: Maxim S. Shatskih on 11 Dec 2009 19:58

>One or more files in my updated driver had the same version number but
>different contents than the old driver

Well, this is a major issue.

--
Maxim S. Shatskih
Windows DDK MVP
maxim(a)storagecraft.com
http://www.storagecraft.com