Hi Chris, all,

You can cheat the signed check by creating a signing authority, using WPKG to install your CA, and then signing the drivers yourself before you push them to the clients.

I've appended a few scripts below.

Install.bat : My silent installer for pushing CAs to clients.
Sign.bat: This is a script that signs one of the USB drivers that I deploy to our labs (Hauppauge's usblive driver in this case)

Key programs used during signing (available from microsoft.com):
Cstore.vbs : Sample code from Microsoft for using capicom.dll
Inf2cat.exe : MS Driver development tool
Signtool.exe : MS Driver signing tool

Now there was a quirk to creating a certificate that signtool would use for signing, but I'm not in my office at the moment for the exact process here. From memory, it needed a specific property adding to the certificate for code signing when the cert was generated.

All of the above was put together with the help of search engines and the Microsoft knowledge base / WHQL driver certification process documentation.

I hope that the information here provides some useful pointers to others wanting to go down this route. ( I found chasing manufacturers for WHQL signed drivers to be a completely fruitless exercise! )

Cheers,
Mark

--------------------------------------
@echo off
:: SIGN.BAT

:: Remove any previous detritus and make the directories we will use
rd /S /Q "%TEMP%\sign"
mkdir "%TEMP%\sign"
mkdir "%TEMP%\sign\signed"

:: Copy over the original (well - nearly original - I uncommented the cat lines) driver and signing tools
xcopy /Q /I /Y /Z "%SOFTWARE%\drvr_usblive\original\*.*" "%TEMP%\sign\original"
xcopy /Q /I /Y /Z "%SOFTWARE%\tools\signing\*.*" "%TEMP%\sign"

:: Switch to the directory containing the original driver, and ensure there are no cat files around
cd /D "%TEMP%\sign\original"
del /F *.cat

:: Create the cat files from the inf files
..\inf2cat /DRIVER:"%TEMP%\sign\original" /OS:XP_X86,2000

:: Then iterate over the cat files, and sign each one with the driver signing certificate
for %%F in (*.cat) do ..\signtool sign -s "trustedpublisher" -n "PandA Device Driver Signing Certificate" -t "http://timestamp.verisign.com/scripts/timstamp.dll" %%F

:: Verify
for %%F in (*.cat) do ..\signtool verify %%F

:: Then copy the driver to the output directory
xcopy /Q /I /Y /Z "%TEMP%\sign\original\*.*" "%SOFTWARE%\drvr_usblive\signed"

:: And clean up after ourselves
cd \
rd /S /Q "%TEMP%\sign"
exit /B 0

--------------------------------------
@echo off
:: CERT INSTALL.BAT

:: NOTE: This could be done using a group policy, but we also use WPKG for non-AD
:: connected machines, so they would not inherit the group policy settings for
:: certificates.

:: Register capicom if it isn't on the system already
if exist %WINDIR%\system32\capicom.dll goto skipcapi
copy "%SOFTWARE%\certs\capicom.dll" "%WINDIR%\system32\capicom.dll"
regsvr32 /s "%WINDIR%\system32\capicom.dll"
:skipcapi

:: University keys relating to wireless
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s Root "%SOFTWARE%\certs\99 CybertrustEducationalCA.cer" > NUL
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s Root "%SOFTWARE%\certs\99 GTECybertrustGlobalRoot.cer" > NUL

::==============================
:: Physics and Astronomy CA Keys
::==============================

:: From 01_PandA_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s Root "%SOFTWARE%\certs\01 PandA Root CA.cer" > NUL

:: From 02_Signing_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\02 PandA Sign CA.cer" > NUL

:: From 10_Driver_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\10 PandA Drvr CA.cer" > NUL

:: From 11_Client_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\11 PandA Client CA.cer" > NUL

:: From 12_Server_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\12 PandA Server CA.cer" > NUL

:: From 20_Driver_Cert drivers.cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s trustedpublisher "%SOFTWARE%\certs\20 PandA Drvr Cert.cer" > NUL

::=============================
:: Flag that keys are installed
::=============================
regedit /s "%SOFTWARE%\certs\set_version.reg"
exit /B 0

--------------------------------------
Directory of %SOFTWARE%\tools\signing

capicom.dll
CertMgr.Exe
Inf2Cat.exe
Microsoft.Whos.Shared.IO.Cabinets.dll
Microsoft.Whos.Shared.IO.Catalogs.dll
Microsoft.Whos.Shared.Xml.InfReader.dll
Microsoft.Whos.Winqual.Submissions.SubmissionBuilder.dll
Microsoft.Whos.Xml.NonXmlDataReader.dll
signtool.exe

> -----Original Message-----
> From: wpkg-users-bounces at lists.wpkg.org
> [mailto:wpkg-users-bounces at lists.wpkg.org] On Behalf Of Chris Wilcox
> Sent: 01 April 2009 12:08
> To: wpkg
> Subject: Re: [wpkg-users] USB hardware drivers
>
> This is normal behaviour for any device using non-signed
> drivers. There isn't any way around it beyond trying to
> source some signed drivers.
>
> > Date: Wed, 1 Apr 2009 13:05:31 +0200
> > From: andersn at isy.liu.se
> > To: wpkg-users at lists.wpkg.org
> > Subject: [wpkg-users] USB hardware drivers
> >
> > I may be in the wrong forum here, but perhaps a kind soul can set me in
> > the right direction.
> >
> > I use WPKG for deploying hardware drivers for some USB devices. This
> > problem concerns a USB bluetooth dongle in particular.
> >
> > Installing the driver via WPKG is no problem, but when the user plugs in
> > the dongle it has to be installed as Administrator, and this has to be
> > done for every USB port on the PC to be able to use it in that
> > particular port.
> >
> > The driver itself is not signed by Microsoft. Could this be the reason
> > as to why the Administrator is needed when the device is plugged in?
> >
> > Anyway, is this problem solvable with WPKG at all given that I could
> > figure out what registry keys and/or files that changes when the device
> > is plugged in?
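
An audit of the store that CERT INSTALL.BAT populates, as an added example that is not part of the original post: it lists every certificate in the machine's TrustedPublisher store, whether it is usable for code signing, and where its chain ends. It assumes PowerShell 3.0 or later and that the "specific property" mentioned above is the Code Signing enhanced key usage; the function names are hypothetical.

```powershell
# Added example, not from the original post.
# Assumption: the "specific property" for code signing is the Code Signing EKU.
$EkuExtensionOid = '2.5.29.37'          # X.509 Enhanced Key Usage extension
$CodeSigningOid  = '1.3.6.1.5.5.7.3.3'  # id-kp-codeSigning

function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    if (-not $eku) { return $true }     # no EKU extension: usage is unrestricted
    return [bool]($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq $CodeSigningOid })
}

function Get-TrustedPublisherReport {
    Get-ChildItem Cert:\LocalMachine\TrustedPublisher | ForEach-Object {
        $cert  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Private CAs often publish no CRL, so only test that the chain builds.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $builds = $chain.Build($cert)
        # Last element is the root when the chain is complete, otherwise the
        # highest issuer Windows could find.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            CodeSigning   = Test-CodeSigningEku $cert
            ChainBuilds   = $builds
            TopOfChain    = $top.Subject
            TopSelfSigned = ($top.Subject -eq $top.Issuer)
        }
    }
}

Get-TrustedPublisherReport | Format-Table -AutoSize
```

On machines provisioned with the scripts above, the driver-signing certificate should appear with CodeSigning and ChainBuilds both True and the private root as TopOfChain; an entry nobody can account for means some publisher's drivers install without a prompt.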