VISA is generated INF that can't be installed in Win10

I never said you were stupid. What I said is that it would be stupid of Microsoft to use someone's personal certificate store for root certificates. Both for maintenance reasons as well as security reasons.

 


@lutz1410 wrote:

what does this line mean?
c:\tmp\x64\signtool sign /debug /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 /v /s PrivateCertStore /n contoso.com(test) "mydriver.cat"


https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe

 

/tr is the URL for a timestamp server to use to create a trustable timestamp to add to the certificate

/td is the algorithm to use for the digest algorithm when communicating with the timestamp server

/fd Specifies the file digest algorithm to use for creating file signatures. Note: An error is generated if the /fd switch is not provided while signing.

/s is the certificate store to use to look for a certificate. Usually this is "My"

 

The signtool extracts a certificate from the specified certificate store to sign your driver with. When you try to install the driver in Windows, Windows will search for a chain of trust that eventually leads to a root certificate stored in its root certificate store. It never will even consider your personal certificate store for that. So you have to extract your self-signed certificate from your personal certificate store and then install it in the root certificate store (which is of course a privileged operation). And you may have to convert the certificate to only contain the public key part, not sure how strict Windows is about this, but root certificates with private key are another serious security risk, and Windows may simply not allow that.

 

The fact that your signtool defaults to SHA1 is also likely the reason that it is discontinued by Microsoft. SHA1 has for quite some years already been considered not safe enough for any serious application. Or maybe you just downloaded an outdated signtool.

The new method is supposedly to use some PowerShell script, and that will likely be something else again in a few years. Sorry for not being more detailed but I don't have time to try all this right now on a computer myself.

 

Rolf Kalbermatter
Message 31 of 34
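
The export-and-install step described in the post above, sketched in PowerShell as an added example (not code from the thread or from Microsoft's documentation). It assumes the certificate sits in the current user's PrivateCertStore under the subject named in the quoted signtool command; the output path and the additional TrustedPublisher import are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Store name, subject and catalog name come from the signtool
# command quoted in the thread; the .cer output path is an assumed placeholder.
$storePath = 'Cert:\CurrentUser\PrivateCertStore'
$subject   = 'contoso.com(test)'
$cerFile   = Join-Path $env:TEMP 'contoso-test-public.cer'   # assumed path
$catFile   = '.\mydriver.cat'

# 1. Locate the certificate signtool selected with /s and /n.
$found = @(Get-ChildItem -Path $storePath |
           Where-Object { $_.Subject.Contains($subject) })
if ($found.Count -ne 1) {
    throw "Expected one certificate matching '$subject' in $storePath, found $($found.Count)."
}
$cert = $found[0]

# 2. Export the public part only. -Type CERT writes a DER .cer file,
#    a format that cannot carry the private key.
Export-Certificate -Cert $cert -FilePath $cerFile -Type CERT | Out-Null

# 3. Inspect the exported file before trusting it machine-wide.
$public = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                     -ArgumentList $cerFile
if ($public.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key.' }
if ($public.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint changed during export.' }

# 4. Install into the machine root store (the privileged step from the post).
#    The TrustedPublisher import is an assumption beyond what the thread states.
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 5. Ask Windows whether the catalog signature now chains to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $catFile
'{0}: {1} (signer {2})' -f $catFile, $sig.Status, $sig.SignerCertificate.Thumbprint
if ($sig.Status -ne 'Valid') { Write-Warning $sig.StatusMessage }

# 6. Removing the test root again when the driver test is finished:
# Remove-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
# Remove-Item -Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
```

A status other than `Valid` in step 5 after a "Successfully signed" message from signtool means the file is signed but the chain of trust is still not resolvable from the machine stores.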

Yes, thanks. I also found the link late yesterday evening. Did I misunderstand the /s and /n options?
This is the message that says that it worked or not: "Successfully signed: mydriver.cat"

Message 32 of 34

Sounds like it did successfully sign the file, but if the signing parameters are also sufficient for a valid signed driver I can't say for now.

Rolf Kalbermatter
Message 33 of 34

This is a very detailed description with explanations too. It uses the old Windows 7 SDK tools, but should still be applicable:

 

https://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing...

 

Rolf Kalbermatter
Message 34 of 34