Windows 7 Broken Trusted Publisher Certificates signed Drivers fix

=Missing or incorrect Trusted Publishers/Certificates=

This example installs drivers for an Epson 3170 scanner whose driver package has a broken certificate chain. Until the chain is fixed, the package cannot be installed unattended from the command line.

If you install directly (e.g. with devcon), the error shows up as a Windows Security prompt:

Windows Security - "Would you like to install this device software?" - with a tick box "Always trust software from ..."



or, when installing from the command line with dpinst.exe, as this error in c:\WINDOWS\DPINST.log:

dpinst RETURN: DriverPackagePreinstallW (0xE0000242)

e.g.

INFO:  Found driver package: 'E:\epson 3170\LIB\0c0a\Es32n.inf'.
INFO:  Found driver package: 'E:\epson 3170\LIB\0c0a\Es52.inf'.
INFO:  Preinstalling 'e:\epson 3170\es32.inf' ...
INFO:  ENTER:  DriverPackagePreinstallW
INFO:  RETURN: DriverPackagePreinstallW  (0xE0000242)
INFO:  Preinstalling 'e:\epson 3170\es43.inf' ...
INFO:  ENTER:  DriverPackagePreinstallW
INFO:  RETURN: DriverPackagePreinstallW  (0xE0000242)

To see what is actually broken, run "signtool.exe verify /a" against the package's .cat file.

The first run fails (the Epson 3170 package from this example); the second, against an Epson V300 scanner driver, verifies correctly.

E:\>"E:\7600.DDK\signtool.exe" verify /a "e:\Epson 3170\es43.cat"
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Number of errors: 1

E:\>"E:\7600.DDK\signtool.exe" verify /a "e:\epson v300\es8b.cat"
Successfully verified: e:\epson v300\es8b.cat

(yes, Epson can't sign their drivers properly!)

=Extract certificate from .cat file=

Right click on any .cat file in the driver package (in this case es3e.cat) > Digital Signatures > highlight the name under 'Name of Signer' in the 'Signature list' > Details.

A new window 'Digital Signature Details' should open. > View Certificate > 'Details' tab > 'Copy to File' > Next > (leave the default, DER encoded binary X.509 .CER) Next > File name, choose one, e.g. "epson.cer" > Next > Finish.



(If anyone knows how to do this via command line please let me know as I couldn't find a way)
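The verification and extraction steps above can both be done from the command line in Windows PowerShell. The script below is an added example, not code from the original page or from Epson: it decodes the .cat file (a DER-encoded PKCS#7 SignedData structure) with the .NET SignedCms class, builds the signer's certificate chain the way signtool does and reports the chain status, then writes the signer certificate out as a DER .cer, which is exactly what the GUI 'Copy to File' wizard produces. The function names and the file paths in the usage comments are assumptions; 'SEIKO EPSON Corporation' is the signer name from this page.

```powershell
# Added example (not from the original page): inspect a signed driver catalog
# (.cat) and export its signer certificate as a DER .cer.
# Needs Windows PowerShell (the .NET Framework build, Windows 7 included);
# the PKCS#7 classes live in System.Security.dll.
Add-Type -AssemblyName System.Security

function Get-CatalogSigner {
    param([Parameter(Mandatory = $true)][string]$CatalogPath)
    # A .cat file is DER-encoded PKCS#7 SignedData, so SignedCms parses it
    # without any driver-specific tooling.
    $full  = (Resolve-Path -LiteralPath $CatalogPath).ProviderPath
    $cms   = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([System.IO.File]::ReadAllBytes($full))
    if ($cms.SignerInfos.Count -lt 1) { throw "No signature found in $CatalogPath" }
    $signer = $cms.SignerInfos[0]
    # If the signer recorded a signing time, the chain can be evaluated as of
    # that moment, so an expired-but-timestamped signer certificate is not
    # misreported as the reason the chain fails.
    $signingTime = $null
    foreach ($attr in $signer.SignedAttributes) {
        foreach ($value in $attr.Values) {
            if ($value -is [System.Security.Cryptography.Pkcs.Pkcs9SigningTime]) {
                $signingTime = $value.SigningTime
            }
        }
    }
    return New-Object PSObject -Property @{
        Certificate  = $signer.Certificate   # shown as 'Name of Signer' in the GUI
        SigningTime  = $signingTime
        BundledCerts = $cms.Certificates     # intermediates shipped inside the .cat
    }
}

function Test-CatalogChain {
    param([Parameter(Mandatory = $true)]$Signer)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offer the intermediates bundled in the .cat, as WinVerifyTrust would,
    # so a merely missing intermediate is not confused with an untrusted root.
    $chain.ChainPolicy.ExtraStore.AddRange($Signer.BundledCerts)
    # Offline check: we only care whether the chain ends in a trusted root.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($Signer.SigningTime) { $chain.ChainPolicy.VerificationTime = $Signer.SigningTime }
    $trusted = $chain.Build($Signer.Certificate)
    $last = $chain.ChainElements.Count - 1
    # 'UntrustedRoot' in Status is the condition signtool reports as
    # "terminated in a root certificate which is not trusted".
    return New-Object PSObject -Property @{
        Trusted = $trusted
        Root    = $chain.ChainElements[$last].Certificate.Subject
        Status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
}

function Export-SignerCertificate {
    param(
        [Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$OutPath
    )
    # X509ContentType.Cert yields the raw DER certificate, i.e. the
    # 'DER encoded binary X.509 (.CER)' option of the export wizard.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)
    $der  = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($full, $der)
    return $full
}

# Example usage (assumed paths):
#   $signer = Get-CatalogSigner -CatalogPath 'E:\epson 3170\es43.cat'
#   $signer.Certificate.Subject        # should name SEIKO EPSON Corporation
#   Test-CatalogChain -Signer $signer  # for the broken package: Trusted False, Status has UntrustedRoot
#   Export-SignerCertificate -Certificate $signer.Certificate -OutPath 'E:\epson 3170\epson.cer'
```

Run it against the good V300 catalog as well: there Test-CatalogChain should return Trusted True with an empty Status list, which confirms the script is reporting the chain and not a parsing problem.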

=Install certificate into cert store=

Import the DER encoded .CER certificate file "epson.cer" you just extracted into BOTH the ROOT (Trusted Root Certification Authorities) and Trusted Publishers stores of the machine you wish to install the driver on, using CertMgr.exe from the WDK:

C:\WinDDK\7600.16385.1\bin\amd64\CertMgr.exe -add "E:\epson 3170\epson.cer" -c -s -r localMachine TrustedPublisher
C:\WinDDK\7600.16385.1\bin\amd64\CertMgr.exe -add "E:\epson 3170\epson.cer" -c -s -r localMachine ROOT

If you then rerun dpinst.exe, c:\WINDOWS\DPINST.log should show the package preinstalling correctly. Here is a sample:

INFO:  Found driver package: 'e:\epson 3170\Es43.inf'.
INFO:  Found driver package: 'e:\epson 3170\Es52.inf'.
INFO:  Preinstalling 'e:\epson 3170\es27.inf' ...
INFO:  ENTER:  DriverPackagePreinstallW
SUCCESS:e:\epson 3170\es27.inf is preinstalled.
INFO:  RETURN: DriverPackagePreinstallW  (0x0)
INFO:  ENTER:  DriverPackageGetPathW
INFO:  RETURN: DriverPackageGetPathW  (0x0)
INFO:  Preinstalling 'e:\epson 3170\es32.inf' ...
INFO:  ENTER:  DriverPackagePreinstallW
SUCCESS:e:\epson 3170\es32.inf is preinstalled.

=Remove certificate after install=

If you wish to return the PC's certificate stores to their initial state, you can remove the certificates like this once the driver is (pre)installed.


 * Note: you MUST change the name option (-n) to match the 'Name of Signer'.

CertMgr.exe -del -n "SEIKO EPSON Corporation" -c -s -r localMachine TrustedPublisher
CertMgr.exe -del -n "SEIKO EPSON Corporation" -c -s -r localMachine ROOT
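The CertMgr -add and -del steps from the two sections above can also be done with the .NET X509Store classes, which ship with Windows PowerShell on Windows 7 and need no WDK. The script below is an added example, not code from the original page: Add-DriverSignerCert imports the extracted .cer into LocalMachine\Root and LocalMachine\TrustedPublisher and returns its thumbprint, and Remove-DriverSignerCert removes it again by that thumbprint rather than by the -n signer name, so another certificate that happens to carry the same 'Name of Signer' cannot be removed by mistake. Function names and file paths are assumptions; both functions need an elevated prompt because they write LocalMachine stores.

```powershell
# Added example (not from the original page): add the extracted DER .cer to
# the LocalMachine Root and TrustedPublisher stores before running dpinst,
# and remove it afterwards by thumbprint. Run elevated.
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$ReadWrite     = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite

function Add-DriverSignerCert {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,
        # Root makes the chain verify; TrustedPublisher suppresses the
        # "Would you like to install this device software" prompt. Anything in
        # Root is trusted for every purpose (TLS included), which is why the
        # page removes the certificate again after the install.
        [string[]]$StoreNames = @('Root', 'TrustedPublisher')
    )
    $full = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full)
    foreach ($name in $StoreNames) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $StoreLocation)
        $store.Open($ReadWrite)
        try {
            if ($store.Certificates.Contains($cert)) {
                Write-Verbose "$($cert.Subject) already present in LocalMachine\$name"
            } else {
                $store.Add($cert)
                Write-Verbose "Added $($cert.Subject) to LocalMachine\$name"
            }
        } finally {
            $store.Close()
        }
    }
    # The thumbprint identifies exactly this certificate for later removal.
    return $cert.Thumbprint
}

function Remove-DriverSignerCert {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string[]]$StoreNames = @('Root', 'TrustedPublisher')
    )
    $removed = 0
    foreach ($name in $StoreNames) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $StoreLocation)
        $store.Open($ReadWrite)
        try {
            # FindByThumbprint with validOnly = $false, so an expired or
            # otherwise invalid certificate is still found and removed.
            $found = $store.Certificates.Find(
                [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
                $Thumbprint, $false)
            if ($found.Count -gt 0) {
                $store.RemoveRange($found)
                $removed += $found.Count
            }
        } finally {
            $store.Close()
        }
    }
    # Number of store entries removed (2 when both stores held the cert).
    return $removed
}

# Example usage (assumed paths; run elevated):
#   $tp = Add-DriverSignerCert -CerPath 'E:\epson 3170\epson.cer' -Verbose
#   ... run dpinst.exe against the driver package here ...
#   Remove-DriverSignerCert -Thumbprint $tp   # returns 2 once both entries are gone
```

Because Root trust applies system-wide, keep the window between Add and Remove as short as the install allows, and check the return value of Remove-DriverSignerCert so a failed cleanup does not go unnoticed.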

=Installing Remotely=

This can all be done automatically and remotely using psexec once the certificate (.cer) has been extracted from the .cat.

You WILL need to change ALL occurrences of two things (the name of the certificate file and the 'Name on Certificate') in the example .bat file linked above:
 * richud.com.cer to epson.cer (or whatever you called your cert when you saved it out)
 * -n richud.com to -n "SEIKO EPSON Corporation" (or whatever the 'Name on Certificate' is for the cert)

=Updates=

==Epson 4490==
The Epson 4490 scanner driver (epson13552.exe) suffers a similar issue (only tried on Win7 64-bit) and is fixed in the same way. Note that you will need to extract the cert from that package's .cat file again.
 * Note: the certificates are not interchangeable between driver packages; you will need to extract from the specific driver bundle's own .cat file(s).

==ARM mbed Windows serial port driver==
mbedWinSerial_16466.exe Driver here

To silently install the ARM mbed driver, follow the same procedure as for the Epson driver above.
