Windows 10: Error code 52 in device manager with correct signature in cross-signed driver

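We developed a driver and signed the cat and sys files with our company's Verisign signature (SHA1 + SHA256, including the certificate chain). We tested it under the 32-bit and 64-bit versions of Windows 7 and 10. Now some random customers report that our device is not recognized correctly in Device Manager and shows error 52: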

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

Setupapi.dev.log shows this error:

!!! dvi: Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428

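But this message in Setupapi.dev.log also appears in working installations.

Signtool shows the signature as valid, and so does the properties page in Windows Explorer.

What is the cause of this behavior?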

A possible solution is not dual signing the cat file and checking the root certs of the customer's PCs. I also learned that the error message in setupapi.dev.log is perfectly normal.

After going through a lot of apparently contradictory Microsoft documentation, I finally found https://docs.microsoft.com/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- which says:

"Note: Starting with Windows 10, version 1607, Windows will not load any new kernel mode drivers which are not signed by the Dev Portal.

[...]

Cross-signed drivers are still permitted if any of the following are true:

The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.

Secure Boot is off in the BIOS.

Drivers was signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA."

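It turned out that Secure Boot was enabled on none of our test machines, but it was enabled on exactly the customer machines where the problem occurred.

Now we are going to have the driver WHQL certified. Fortunately, there are companies that offer this service, so we don't have to maintain a pool of certification machines.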
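
A script for gathering, on an affected PC, the facts that the policy quoted above depends on. This is an added example and not part of the original posts. `$DriverPath` is a placeholder for your own .sys or .cat file, the upgrade-history condition is not checked, and the Microsoft signer name used to spot a portal-signed driver is an assumption about how such signatures usually appear.

```powershell
# Added example: run from an elevated PowerShell prompt on the affected machine.
param([Parameter(Mandatory)][string]$DriverPath)   # placeholder: path to the .sys or .cat

$Build1607 = 14393                    # build number of Windows 10, version 1607
$CutOff    = [datetime]'2015-07-29'   # cut-off date named in the quoted policy

# 1. Is this OS new enough for the policy to apply?
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

# 2. Secure Boot state: $true, $false, or $null when it cannot be determined.
try {
    $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
} catch [System.PlatformNotSupportedException] {
    $secureBoot = $false              # legacy BIOS: Secure Boot does not exist here
} catch {
    $secureBoot = $null               # typically: not elevated
}

# 3. Signer certificate of the primary signature on the file.
$sig  = Get-AuthenticodeSignature -FilePath $DriverPath
$cert = $sig.SignerCertificate
$issuedBeforeCutOff = [bool]($cert -and ($cert.NotBefore -lt $CutOff))
# Assumption: portal-signed (WHQL/attestation) drivers carry this Microsoft signer name.
$microsoftSigned = [bool]($cert -and
    ($cert.Subject -like '*Microsoft Windows Hardware Compatibility Publisher*'))

# 4. Apply the conditions from the quoted note (upgrade history is not evaluated).
$verdict =
    if     ($build -lt $Build1607)   { 'Policy does not apply: OS is older than version 1607' }
    elseif ($microsoftSigned)        { 'Signer looks like Microsoft: not a cross-signed driver' }
    elseif ($secureBoot -eq $false)  { 'Cross-signed permitted: Secure Boot is off' }
    elseif ($issuedBeforeCutOff)     { 'Cross-signed permitted: certificate issued before cut-off' }
    elseif ($null -eq $secureBoot)   { 'Unknown: rerun elevated to read the Secure Boot state' }
    else   { 'Cross-signed driver is blocked unless this PC was upgraded from an earlier release' }

[pscustomobject]@{
    OSBuild            = $build
    SecureBoot         = $secureBoot
    SignatureStatus    = $sig.Status
    SignerSubject      = $cert.Subject
    CertNotBefore      = $cert.NotBefore
    IssuedBeforeCutOff = $issuedBeforeCutOff
    Verdict            = $verdict
} | Format-List
```

`Get-AuthenticodeSignature` reports only the primary signature of a dual-signed file, so a `Valid` status here does not contradict a Code 52 in Device Manager.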