Hi,
I need to create MSI package that installs driver.
As I understood the driver must be signed (.cat file).
So my question is which signature is supported by MSI engine?
WHQL signature or Vendor-Supplied Authenticode Signature?
Need your help ASAP,
Thanks in advance,
Any help will be appreciated,
Limor
This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.
Signing Drivers
Started by
limors327
, Apr 17 2005 15:59
3 replies to this topic
Posted 18 April 2005 - 18:08
I am not sure about WHQL (never heard of it), but I do know Authenticode. You use Signcode.exe to apply the signature to the DLL/EXE/OCX. As a result, the file is changed somewhat, a large checksum and some extra info are added to that file. On such files, Windows Explorer shows a new property page called "Digital signatures".
The procedure is that you sign the file first, than included the signed file in the package. You should NOT include an unsigned file, and sign that file on the target system. In that situation, a hacker could change your MSI, replace the file by another one he created, as a result he will get a file signed by you. Another reason is that Authenticode certificates are only valid for one year.
Windows Installer has no need for support here, after all, it is just a different file.
Finally, you can use your signature to sign CAB files, and even the MSI itself. That makes sense, since your MSI package may contain Custom Actions contained in DLLs/EXEs in the Binary table.
The procedure is that you sign the file first, than included the signed file in the package. You should NOT include an unsigned file, and sign that file on the target system. In that situation, a hacker could change your MSI, replace the file by another one he created, as a result he will get a file signed by you. Another reason is that Authenticode certificates are only valid for one year.
Windows Installer has no need for support here, after all, it is just a different file.
Finally, you can use your signature to sign CAB files, and even the MSI itself. That makes sense, since your MSI package may contain Custom Actions contained in DLLs/EXEs in the Binary table.
Posted 19 April 2005 - 06:43
Thanks for your reply.
In order to install driver with MSI, I must use specific MSI tables that require specific input.
one of those is signed driver. so my question is can I use non WHQL signature here?
Thanks again,
Limor
In order to install driver with MSI, I must use specific MSI tables that require specific input.
one of those is signed driver. so my question is can I use non WHQL signature here?
Thanks again,
Limor
Posted 19 April 2005 - 10:06
I guess those MSI tables are used by the DifX custom actions. This is not standard MSI but a set of custom actions to extend MSI to support driver installs (MSI doesn't support driver installs by itself). I'm not sure which signature you need to use (I assume you checked the documentation from Microsoft) but I assume it must be a WHQL signature. Because Windows would bring up a warning if you try to install a driver that didn't pass the WHQL test.
Stefan Krüger
InstallSite.org twitter facebook