A simple question. The authenticode documentation says that drivers can be signed with authenticode on Windows 2003 and above. But WHQL has to be used for 9x/2000. No mention of XP.

Does the latest service pack enable XP to install authenticode signed drivers?

thanks

Answers

0
As far as I understand things all versions of XP should install signed drivers. It is when the driver is not signed that things become more complex.
Answered 06/28/2005 by: kkaminsk
Ninth Degree Black Belt

0
Sorry, I don't think I made the question clear in my original post.

I have some unsigned drivers, and I'd like to sign them myself using authenticode. Will this work on XP?
Answered 06/28/2005 by: meastaugh1
Senior Purple Belt

0
Well this is a grey area for me too. The last time I spoke to a developer they said this functionality would not be included until Longhorn. With the release of 2.0 I saw features that were not going to exist until Longhorn. I would say yes but I have never done it so my opinion does not count for much.
Answered 06/28/2005 by: kkaminsk
Ninth Degree Black Belt

0
The manual does sound promising.

Wizard Installation of Signed WHQL-Class Driver Packages on Windows XP and Windows 2000

By default, the DIFx tools perform a wizard installation of driver packages with WHQL signatures and Authenticode signatures. The following considerations apply:

• If a driver package has a valid WHQL signature, Setup does not display a driver signing dialog box. If the WHQL signature is not valid, Setup displays a driver signing dialog box or blocks installation, depending on the driver signing option set for a computer (Ignore, Warn, or Block).

• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages. Depending on the driver signing option set for a computer, Setup displays a driver signing dialog box or blocks installation (Ignore, Warn, or Block).
Answered 06/28/2005 by: kkaminsk
Ninth Degree Black Belt

0
If setup handles authenticode signatures the same way as it does unsigned drivers, can you tell me what the point is in authenticode signature?
Answered 06/29/2005 by: meastaugh1
Senior Purple Belt

0
There is a layer of security in there. The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization. This gives you control over which drivers are certified for your environment as well as some protection from people installing keyloggers or rootkits.

So it really comes down to your Active Directory security policy more than anything. Microsoft has given you a choice instead of forcing you to only use WHQL signed drivers like they did in DIFx 1.0.
Answered 06/29/2005 by: kkaminsk
Ninth Degree Black Belt

0
The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization.

The policy in place is that signed drivers are installed by anyone, but local administrator rights are required to install unsigned drivers.

• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages.

The reason I ask is because I want to install unsigned drivers silently so when a standard user plugs in a PnP device (with unsigned driver) it will install silently, and not prompt for local administrator credentials. If authenticode signed drivers are treated the same as unsigned drivers, I guess this is not possible?

Apologies if I've misunderstood.
Answered 06/29/2005 by: meastaugh1
Senior Purple Belt

0
You are correct. They are still pushing the WHQL signing for maximum functionality. I still think they should allow silent installs if the driver has been signed internally. I think it is somewhat ridiculous that you cannot silently install a driver that has been internally certified. Why punish the corporate user for what the vendor chose? I have had vendors express their disinterest in WHQL certification of their drivers. It costs money and they do not see a direct benefit. Honestly, who is not going to buy hardware based on the driver certification status?
Answered 06/29/2005 by: kkaminsk
Ninth Degree Black Belt

0
Ok

Thanks anyway.
Answered 06/29/2005 by: meastaugh1
Senior Purple Belt
