there is a lot of confusion in this thread. i have a valid code signing certificate, so i will try to clear up the misconceptions.
Quote:
Originally Posted by Upz
You also can edit the .inf (if you are sure that this will work), delete the signature and then disable the driver signature enforcement feature to install the "new" driver
windows will not even load a driver that has no signature, regardless of how you boot. a pnp driver package typically needs a signed .sys and a signed .cat that vouches for it. "no signature" simply does not work.
Quote:
Originally Posted by deepzero
The inf file is only used for installing, so you should check where the inf file stores the settings which devices to support, and edit it manually after installation. The question is if the .sys binary supports this at all.
you want him to take a registry comparison of before and after installing the driver and work backwards to determine what to add to the .inf? are you kidding?
Quote:
Originally Posted by Kerlingen
Do any of these ideas work in WinPE? I would need to setup both devices during Windows setup in the preinstall environment and make sure Windows never removes one of them.
@chants is almost correct here, let me first correct one thing:
Quote:
Originally Posted by Kerlingen
From the things I've tried so far all edits of the *.inf invalidated the signature and since the driver is a boot-time kernel-mode driver I can't just use any certificate to sign it, it would need to be a WHQL certificate from Microsoft.
an EV code signing certificate from a microsoft-approved CA is all that is required for most kernel drivers, you do not need to submit for whql except for boot-critical drivers (i am simplifying, in truth this has gotten more complicated as of windows 10 1607, but the details will not matter in your case). you can tell dism and the windows boot process to ignore the whql requirement, however you will still need to test sign your driver after you modify the .inf. this will be a multi-step process if you want the system to boot up with the drivers loaded without further manual intervention.
@Kerlingen first, please read this page in its entirety. you said your third-party driver is "boot-time kernel-mode", but kernel-mode does not imply "boot-time", or at least, it does not imply what most people think it does. since the driver for your PCI\002 device comes with a signed .cat, it is actually not boot-critical (as it would require an embedded signature), but rather a pnp driver; this is the case with nearly all drivers. the important parts of the page:
1. Adding Drivers - you will be using dism offline for this; however, see #3
2. Understanding Driver Ranking - this is how pnp will decide which driver to install
3. Understanding Digital Signature Requirements - you will need to resign the driver with a test signing certificate. you will also need to boot your image to add the test signing certificate to the image. you can *THEN* use dism to add the test-signed driver to the offline image
* how to create test signing certificates and test sign the driver. you will use a catalog file and the inf for this, not embedded signing
* how to use dism to add the driver to the offline image
i would suggest you start by trying to get windows to successfully install and load your driver on an already running system. in other words, edit the .inf, create and install the test signing certificate, create the .cat, sign it and the driver, enable test signing mode, reboot, install the driver, reboot again, and cross your fingers ;]
let me know if you have any questions and i can try to help more.
this page also has some useful information if you're really stuck.
also, i'd just like to say that i spent a few hours digging up the references for this post and writing it (even though i do this stuff every day), if you (or anyone else) appreciates it, i would appreciate some rep, it seems to be given out rather sparingly these days even for high-quality posts. hard family to join ;]
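The running-system sequence described in the post above (edit the .inf, create and install a test certificate, rebuild and sign the .cat, enable test signing, install), as an added PowerShell example that is not part of the original post. The package path, file names and certificate subject are placeholders, and it assumes an elevated prompt on a dedicated test machine with the WDK tools Inf2Cat and signtool on PATH; it signs the catalog only, following the post's note about catalog rather than embedded signing.

```powershell
# Added example: test-sign an edited PnP driver package on a running test machine.
# Every path and name here is a placeholder (assumption), not a value from the thread.
$ErrorActionPreference = 'Stop'
$pkg  = 'C:\drv\pkg'                      # folder with the edited .inf and the .sys
$inf  = Join-Path $pkg 'example.inf'
$cat  = Join-Path $pkg 'example.cat'      # must match CatalogFile= in the .inf
$cer  = Join-Path $pkg 'test-signing.cer'
$name = 'Example Driver Test Signing'

# Run a native tool and stop on a non-zero exit code instead of continuing silently.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Create a self-signed code signing certificate (private key stays in CurrentUser\My).
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=$name" `
            -CertStoreLocation Cert:\CurrentUser\My

# 2. Trust the public certificate on this test machine only.
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Rebuild the catalog so its hashes cover the edited .inf (the OS value is an assumption).
Invoke-Tool 'Inf2Cat.exe' @("/driver:$pkg", '/os:10_X64')

# 4. Sign the catalog with the test certificate.
Invoke-Tool 'signtool.exe' @('sign', '/v', '/fd', 'SHA256', '/s', 'My', '/n', $name, $cat)

# 5. Check that the signed catalog vouches for the edited .inf before touching boot settings.
Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', '/c', $cat, $inf)

# 6. Enable test signing mode; it takes effect after a reboot.
Invoke-Tool 'bcdedit.exe' @('/set', 'testsigning', 'on')
Write-Host "Reboot, then install with: pnputil /add-driver `"$inf`" /install"
```

If step 5 fails, the catalog does not match the package contents and the install in the final step will be rejected, so fix that before rebooting.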