[wpkg-users] USB hardware drivers

Mark Cooke M.P.Cooke at bham.ac.uk
Sun Apr 12 14:27:08 CEST 2009


Hi Chris, all,

You can cheat the signed check by creating a signing authority, using WPKG
to install your CA, and then signing the drivers yourself before you push
them to the clients.

I've appended a few scripts below.

Install.bat : My silent installer for pushing CAs to clients.

Sign.bat: This is a script that signs one of the USB drivers that I deploy
to our labs (Hauppauge's usblive driver in this case)

Key programs used during signing (available from microsoft.com):

Cstore.vbs    : Sample code from Microsoft for using capicom.dll
Inf2cat.exe   : MS Driver development tool
Signtool.exe  : MS Driver signing tool

Now there was a quirk to creating a certificate that signtool would use for
signing, but I'm not in my office at the moment for the exact process here.
From memory, it needed a specific property adding to the certificate for
code signing when the cert was generated.


All of the above was put together with the help of search engines and the
Microsoft knowledge base / WHQL driver certification process documentation.


I hope that the information here provides some useful pointers to others
wanting to go down this route. (I found chasing manufacturers for WHQL
signed drivers to be a completely fruitless exercise!)

Cheers,

Mark

--------------------------------------

@echo off
:: SIGN.BAT

:: Remove any previous detritus and make the directories we will use
rd /S /Q "%TEMP%\sign"
mkdir "%TEMP%\sign"
mkdir "%TEMP%\sign\signed"

:: Copy over the original (well - nearly original - I uncommented the cat
:: lines) driver and signing tools
xcopy /Q /I /Y /Z "%SOFTWARE%\drvr_usblive\original\*.*" "%TEMP%\sign\original"
xcopy /Q /I /Y /Z "%SOFTWARE%\tools\signing\*.*" "%TEMP%\sign"

:: Switch to the directory containing the original driver, and ensure there
:: are no cat files around
cd /D "%TEMP%\sign\original"
del /F *.cat

:: Create the cat files from the inf files
..\inf2cat /DRIVER:"%TEMP%\sign\original" /OS:XP_X86,2000

:: Then iterate over the cat files, and sign each one with the driver
:: signing certificate
for %%F in (*.cat) do ..\signtool sign -s "trustedpublisher" -n "PandA Device Driver Signing Certificate" -t "http://timestamp.verisign.com/scripts/timstamp.dll" %%F

:: Verify
for %%F in (*.cat) do ..\signtool verify %%F

:: Then copy the driver to the output directory
xcopy /Q /I /Y /Z "%TEMP%\sign\original\*.*" "%SOFTWARE%\drvr_usblive\signed"

:: And clean up after ourselves
cd \
rd /S /Q "%TEMP%\sign"

exit /B 0

--------------------------------------

@echo off
:: CERT INSTALL.BAT

:: NOTE: This could be done using a group policy, but we also use WPKG for
:: non-AD connected machines, so they would not inherit the group policy
:: settings for certificates.


:: Register capicom if it isn't on the system already
if exist %WINDIR%\system32\capicom.dll goto skipcapi
copy "%SOFTWARE%\certs\capicom.dll" "%WINDIR%\system32\capicom.dll"
regsvr32 /s "%WINDIR%\system32\capicom.dll"
:skipcapi


:: University keys relating to wireless
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s Root "%SOFTWARE%\certs\99 CybertrustEducationalCA.cer" > NUL
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s Root "%SOFTWARE%\certs\99 GTECybertrustGlobalRoot.cer" > NUL


::==============================
:: Physics and Astronomy CA Keys
::==============================

:: From 01_PandA_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s Root "%SOFTWARE%\certs\01 PandA Root CA.cer" > NUL

:: From 02_Signing_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\02 PandA Sign CA.cer" > NUL

:: From 10_Driver_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\10 PandA Drvr CA.cer" > NUL

:: From 11_Client_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\11 PandA Client CA.cer" > NUL

:: From 12_Server_CA ca-cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s CA "%SOFTWARE%\certs\12 PandA Server CA.cer" > NUL

:: From 20_Driver_Cert drivers.cert.cer
CSCRIPT "%SOFTWARE%\certs\CSTORE.VBS" import -l LM -s trustedpublisher "%SOFTWARE%\certs\20 PandA Drvr Cert.cer" > NUL

::=============================
:: Flag that keys are installed
::=============================
regedit /s "%SOFTWARE%\certs\set_version.reg"

exit /B 0

--------------------------------------

Directory of %SOFTWARE%\tools\signing

capicom.dll
CertMgr.Exe
Inf2Cat.exe
Microsoft.Whos.Shared.IO.Cabinets.dll
Microsoft.Whos.Shared.IO.Catalogs.dll
Microsoft.Whos.Shared.Xml.InfReader.dll
Microsoft.Whos.Winqual.Submissions.SubmissionBuilder.dll
Microsoft.Whos.Xml.NonXmlDataReader.dll
signtool.exe

> -----Original Message-----
> From: wpkg-users-bounces at lists.wpkg.org 
> [mailto:wpkg-users-bounces at lists.wpkg.org] On Behalf Of Chris Wilcox
> Sent: 01 April 2009 12:08
> To: wpkg
> Subject: Re: [wpkg-users] USB hardware drivers
> 
> This is normal behaviour for any device using non-signed 
> drivers.  There isn't any way around it beyond trying to 
> source some signed drivers.
> 
> 
>  
> > Date: Wed, 1 Apr 2009 13:05:31 +0200
> > From: andersn at isy.liu.se
> > To: wpkg-users at lists.wpkg.org
> > Subject: [wpkg-users] USB hardware drivers
> > 
> > I may be in the wrong forum here, but perhaps a kind soul 
> can set me in
> > the right direction.
> > 
> > I use WPKG for deploying hardware drivers for some USB devices. This
> > problems concerns a USB bluetooth dongle in particular.
> > 
> > Installing the driver via WPKG is no problem, but when the 
> user plugs in
> > the dongle it has to be installed as Administrator, and 
> this has to be
> > done for every USB port on the PC to be able to use it in that
> > particular port.
> > 
> > The driver itself is not signed by Microsoft. Could this be 
> the reason
> > as to why the Administrator is needed when the device is plugged in?
> > 
> > Anyway, is this problem solvable with WPKG at all given that I could
> > figure out what registry keys and/or files that changes 
> when the device
> > is plugged in?
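The certificate property Mark could not recall from memory is the Extended Key Usage: when signtool picks a certificate by store and subject name, as SIGN.BAT above does with "-s trustedpublisher -n ...", it only considers certificates whose EKU includes Code Signing (OID 1.3.6.1.5.5.7.3.3) unless told otherwise with /u, so a leaf issued without that EKU is simply "not found". The script below is an added example, not part of Mark's post or his scripts: it uses openssl to build a chain of the shape CERT INSTALL.BAT imports (a root CA for the Root store, an intermediate driver CA for the CA store, a leaf signing certificate for the TrustedPublisher store), puts the Code Signing EKU on the leaf, verifies that the leaf chains to the root through the intermediate, checks the EKU, and packs the leaf plus its private key into a PFX for import into the certificate store on the machine that runs SIGN.BAT. All subject names, file names and the PFX password are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a three-tier CA chain
# with openssl whose leaf certificate carries the Code Signing EKU that
# signtool looks for by default. Subject names, file names and the PFX
# password are assumptions made for this example. Needs the openssl CLI.
set -e

# Generate a fresh RSA key and a CSR for the given subject into $dir.
new_csr() {
    dir="$1"; name="$2"; subject="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
}

# Create root CA, intermediate driver CA and the driver-signing leaf in $1.
build_driver_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Self-signed root CA: what the clients import into the Root store.
    new_csr "$dir" root "/CN=Example Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" \
        -signkey "$dir/root.key" -extfile "$dir/root.ext" \
        -out "$dir/root.cer" >/dev/null 2>&1

    # 2. Intermediate driver CA: what the clients import into the CA store.
    new_csr "$dir" drvca "/CN=Example Driver CA"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/drvca.ext"
    openssl x509 -req -sha256 -days 1825 -in "$dir/drvca.csr" \
        -CA "$dir/root.cer" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/drvca.ext" -out "$dir/drvca.cer" >/dev/null 2>&1

    # 3. Leaf signing certificate. The extendedKeyUsage=codeSigning line is
    #    the property signtool requires; without it "signtool sign -n ..."
    #    reports that no certificate met the given criteria.
    new_csr "$dir" drvr "/CN=Example Device Driver Signing Certificate"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' \
        > "$dir/drvr.ext"
    openssl x509 -req -sha256 -days 730 -in "$dir/drvr.csr" \
        -CA "$dir/drvca.cer" -CAkey "$dir/drvca.key" -CAcreateserial \
        -extfile "$dir/drvr.ext" -out "$dir/drvr.cer" >/dev/null 2>&1

    # 4. Leaf plus private key (and its issuing CA) as a PFX, for import into
    #    the certificate store on the signing machine. The clients only ever
    #    receive the public .cer files.
    openssl pkcs12 -export -inkey "$dir/drvr.key" -in "$dir/drvr.cer" \
        -certfile "$dir/drvca.cer" -passout pass:changeit \
        -out "$dir/drvr.pfx" >/dev/null 2>&1
}

# Exit 0 if the leaf chains to the root through the intermediate, which is
# what a client holding root.cer in Root and drvca.cer in CA will check.
verify_chain() {
    openssl verify -CAfile "$1/root.cer" -untrusted "$1/drvca.cer" \
        "$1/drvr.cer" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 carries the Code Signing EKU.
has_codesigning_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'Code Signing'
}

# Stand-alone use: ./driver-pki.sh <output-dir>
if [ $# -gt 0 ]; then
    build_driver_pki "$1"
    verify_chain "$1" && has_codesigning_eku "$1/drvr.cer" \
        && echo "chain verified, leaf has Code Signing EKU: $1/drvr.pfx"
fi
```

The three public .cer files map onto the CSTORE.VBS import lines in CERT INSTALL.BAT (root into Root, intermediate into CA, leaf into trustedpublisher); the .pfx is the one file that must never be deployed, since whoever holds that private key can sign a driver every lab machine will trust.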
 



