Packaging Unsigned Driver
I have a Doctor Stika Cutting machine, and I'm trying to package the driver for installation on our Windows 7 Network.
I have tried various ways and none have so far been successful. I first tried doing a basic DPInst install with the silent switch, and checking the driver file repository it doesn't install anything. I then tried it with the /LM switch and when run it displays a dialogue asking for confirmation of installing the driver as it is unsigned.
I then tried packaging as an MSI with pre/post scan and when deployed, while the install is successful and it installs the driver, when the device is plugged in, it appears as 'unspecified' and I can't use it as a printer. I rebuilt the package a second time; this time during the installation I plugged in the device and made sure the driver was correctly installed. When this package was deployed I got the same result as the first.
I then tried wrapping the package in an MSI with a custom action and DPInst, which when deployed gave the exact same results as using just DPInst.
I then looked at signing the driver myself and went through the tutorial and created a merge module to order the installation of the certificate and files. When added as part of an MSI, firstly the program I used to create the Merge Module displays a dialogue saying it's on a trial and you need to click an OK box. Once clicked it gives me an error (don't have the exact message).
So does anyone have any suggestions as to how I can package this unsigned driver, and enable it to be deployed across our network?
Thanks
Craig Dunn
Answers (14)
Posted by:
weberik
12 years ago
first of all sign the driver yourself (tutorial is in this forum).
then before trying dpinst with silent switches, try the "GUI way" step by step to at least know the area you need to search the error.
double-click the cat file and see if its signature is valid.
if not, there is something wrong with the way you are signing it and you should fix that first.
double-click the dpinst exe and follow the wizard. if errors occur, fix them before using silent switches.
and at all times, you can check the logfile for errors (usually c:\windows\inf\setupapi.dev.log)
if the wizard and signature work without warnings and errors then you can start thinking about MSIs and silent installations.
Posted by:
Bugs78
12 years ago
The signing of the driver didn't go too bad except for when I got to the date stamping the drivers with this command
SignCode.Exe -spc "c:\PlaneteersLtd_certificate\PlaneteersLtd.spc" -v "c:\PlaneteersLtd_certificate\PlaneteersLtd.pvk" -t http://timestamp.verisign.com/scripts/timstamp.dll "C:\cpdriver\captainplanet.cat"
I am using signtool instead of signcode but have changed the relevant switches accordingly, and can't see any issues, but I get a file not found error on the URL and also a file not recognised on the PVK file I created. I also noted that the .spc file, when I double click it, says it's not trusted. Is this correct?
Thanks
Posted by:
weberik
12 years ago
i also use signtool for that and the syntax is a bit weird. also i didn't timestamp the driver and never had a problem with that.
i ended up putting the cert in a password protected file (signing right out of the store didn't work for some reason).
the syntax that worked in the end was:
signtool sign /v /f myCert.pfx /p XXX myCatalog.cat
where XXX is the password for the cert, myCatalog.cat the path to the cat file in the driver and myCert.pfx the certificate.
always use the full path to the files.
tell me if it works for you,
if not i will look up the exact way i used for a driver once and post it here,
but i assumed that the howto in this forum works better than my own way :)
Posted by:
Bugs78
12 years ago
I have managed to sign the driver correctly now (Thanx Weberik), think I was trying to do too many commands on one line. My next task is packaging it. Does anyone know where I can get freeware Installer software which will allow me to create custom actions and merge modules? However, if it comes to it I will put everything in one package and forget the merge module for now.
I've searched for options and the only thing I've come up with is a shareware installer called Advanced Installer, which works, but it is a trial so it displays a dialogue when the package is created.
Thanks
Craig
Posted by:
weberik
12 years ago
i spent some time looking for freeware packaging tools and couldn't find any complete solution.
if i have to create an msi from scratch (at work), i use wise or adminstudio or whatever my current customer has or wants.
for editing only i use insted or orca.
i created a few MSIs with orca only, but you absolutely need to know what you are doing and it takes some time.
if you just need the package to work, don't go that way, but if you want to learn something, try it :)
but for your driver i don't think you need an msi.
just place everything in a folder together with the dpinst.exe (it automatically looks for a .inf in its current folder)
and run it with:
dpinst.exe /LM /S /F /SE
for troubleshooting purposes you can just double-click it and check if it works.
if you run the installation from a share, you should copy the package locally first and then execute it.
i usually prefer MSIs, but in this case the drivers are just installed with a binary custom action (dpinst from a merge module),
so you don't have many of the advantages over a batch file that an MSI usually has.
Posted by:
mahendraKumar
12 years ago
Try to add the certificates in TrustedRoot and Trusted Publishers.
To add the cer to trusted root:
certmgr.exe -add "<path to cert file.cer>" -s -r localmachine ROOT
To add the cer to trusted publisher:
certmgr.exe -add "<path to cert file.cer>" -s -r localmachine Trustedpublisher
After executing the command, cross check if your catalog file is accepted by the cer,
by double-clicking the catalog file -> under Digital Signatures -> you will find your certificate added.
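A scripted version of the double-click check described in the answer above, for running on a target machine after the certmgr.exe step. This is an added example, not part of the original posts; it assumes a self-signed certificate imported into both machine stores as described, and the `-CatalogPath` parameter name is illustrative.

```powershell
# Added example: check that a signed driver catalog is trusted on this machine.
# -CatalogPath is an illustrative parameter; pass the full path to your own .cat file.
param(
    [Parameter(Mandatory = $true)]
    [string]$CatalogPath
)

$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
if (-not $sig.SignerCertificate) {
    Write-Output "No signature found on $CatalogPath (status: $($sig.Status))"
    exit 1
}

$signer = $sig.SignerCertificate
Write-Output "Signature status : $($sig.Status)"
Write-Output "Status message   : $($sig.StatusMessage)"
Write-Output "Signer subject   : $($signer.Subject)"
Write-Output "Signer thumbprint: $($signer.Thumbprint)"
# A signature without a timestamp stops validating once the certificate expires.
Write-Output "Cert valid until : $($signer.NotAfter)"
Write-Output "Timestamped      : $([bool]$sig.TimeStamperCertificate)"

# The two machine stores populated by the certmgr.exe commands above.
# Assumption: the signing certificate is self-signed, so the same
# certificate is expected in both Root and TrustedPublisher.
$missing = @()
foreach ($store in 'Root', 'TrustedPublisher') {
    $path  = "Cert:\LocalMachine\$store"
    $found = Get-ChildItem -Path $path |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
    if ($found) {
        Write-Output "Present in $path"
    } else {
        Write-Output "MISSING from $path"
        $missing += $store
    }
}

# Non-zero exit code lets a deployment script stop before running DPInst.
if ($sig.Status -ne 'Valid' -or $missing.Count -gt 0) { exit 1 }
exit 0
```

The thumbprint it prints is also what to look for when auditing which machines still carry the self-signed certificate in their Root store after the driver is retired.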
Posted by:
Bugs78
12 years ago
OK, so I've had a bit of a breakthrough in that I've got a package which installs the certificates (Thanx mahendraKumar) and I've got another package which installs the drivers with DPInst. Both packages install OK and according to the logs they are installed and waiting for a device to be connected. However when I connect a device it still appears as 'unspecified' and Windows does not find the driver. In my event log is a printer driver install error within the message field. pfnPSetupParseInfAndCommitFileQueue failed
I'm rebuilding my PCs as I'm thinking it could be my PC playing up, and I will report back findings tomorrow.
Thanks
Posted by:
Bugs78
12 years ago
So I got my two packages, now when I try and run DPInst the install of the package fails, at the end of the log is the following. I have checked through the INF file and cannot find any reference to files which are not present.
ERROR: RETURN UpdateDriverForPlugAndPlayDevices. (Error code 0x2: The system cannot find the file specified.)
ERROR: Installation failed. (Error code 0x2: The system cannot find the file specified.)
ERROR: PnP Install failed. (Error code 0x2: The system cannot find the file specified.)
INFO: Attempting to rollback ...
INFO: No devices to rollback
INFO: RETURN: DriverPackageInstallW (0x2)
INFO: Returning with code 0x80010000
INFO: 12/08/2011 09:24:55
Posted by:
weberik
12 years ago
usually the problem is that the INF refers to a file that is not there, but since you already checked that i'm not sure what the problem is.
you could check the logfile of driver installations ("C:\Windows\inf\setupapi.dev.log") for clues.
the file is very verbose and should tell you about every single file used in the process.
there should be a section telling you that the driver is staged into the driver store.
Posted by:
Bugs78
12 years ago
Hi all,
Sorry for the delay in update. I still have not got any further: I have signed the driver and it is valid in my certificate store, however when I try and install, it continues to ask me for permission to install.
I have re-made the certificate several times and still get the same result.
I have read online that Windows will only allow you to use a test certificate (I'm assuming that's what I'm making) if you edit using BCDEdit.
Is this correct? And if it is, I'm on a non-starter from the beginning.
Thanks
Craig
Posted by:
GrGrGr
12 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.