Windows 7 Broken Trusted Publisher Certificates signed Drivers fix

From richud.com


Missing or incorrect Trusted Publishers/Certificates

This example installs the drivers for an Epson 3170 scanner whose driver package has a broken certificate chain. Until the chain problem is fixed, the package cannot be installed from the command line (i.e. silently, without a prompt).

If you install interactively (for example with devcon) the error shows up as the Windows Security prompt:

devcon: Windows Security - "Would you like to install this device software?" - tick box "Always trust software from ..."

(Screenshot: Missing or incorrect Trusted Publishers Certificates.png)

If you install from the command line with dpinst.exe instead, the failure is recorded in c:\WINDOWS\DPINST.log as DriverPackagePreinstallW returning 0xE0000242 (ERROR_AUTHENTICODE_TRUST_NOT_ESTABLISHED: the publisher of the Authenticode-signed catalogue has not been established as trusted, so a silent install is refused):

dpinst RETURN: DriverPackagePreinstallW (0xE0000242)

e.g.

INFO:   Found driver package: 'E:\epson 3170\LIB\0c0a\Es32n.inf'.
INFO:   Found driver package: 'E:\epson 3170\LIB\0c0a\Es52.inf'.
INFO:   Preinstalling 'e:\epson 3170\es32.inf' ...
INFO:   ENTER:  DriverPackagePreinstallW
INFO:   RETURN: DriverPackagePreinstallW  (0xE0000242)
INFO:   Preinstalling 'e:\epson 3170\es43.inf' ...
INFO:   ENTER:  DriverPackagePreinstallW
INFO:   RETURN: DriverPackagePreinstallW  (0xE0000242)


To find out what is actually broken, use "signtool.exe verify" from the WDK (the /a switch tells it to try all verification methods).

The first run fails, as in this example; the second, on an Epson V300 scanner driver, is correct:

E:\>"E:\7600.DDK\signtool.exe" verify /a "e:\Epson 3170\es43.cat"
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of errors: 1

E:\>"E:\7600.DDK\signtool.exe" verify /a "e:\epson v300\es8b.cat"
Successfully verified: e:\epson v300\es8b.cat

(yes, Epson can't sign their drivers properly!)

Extract certificate from .cat file

Right-click any .cat file in the driver package (in this case es3e.cat) > Digital Signatures > highlight the entry under 'Name of Signer' in the 'Signature List' > Details.

A new window, 'Digital Signature Details', should open. > View Certificate > 'Details' tab > 'Copy to File' > Next > (leave the default, DER encoded binary X.509 .CER) Next > File name: choose one, e.g. "epson.cer" > Next > Finish.

(Screenshot: Certificate export from driver catalogue file.cat.png)

(If anyone knows how to do this via the command line, please let me know, as I couldn't find a way.)
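As an added example (not part of the original page, and not Epson's or Microsoft's tooling), both the signtool check above and the certificate extraction can be done from PowerShell on the Windows 7 machine itself, which also answers the question above. Get-AuthenticodeSignature reads the PKCS#7 signature embedded in the .cat, a .NET X509Chain is rebuilt so you can see which certificate in the chain is the one Windows does not trust (rather than just "terminated in a root which is not trusted"), and the signer certificate is written out as DER exactly as the GUI 'Copy to File' step does. Only built-in PowerShell 2 features are used, since Export-Certificate does not exist on Windows 7. The .cat file name, output folder and output file names (es3e.cat, epson.cer, epson-root.cer) are assumptions.

```powershell
# Added example, not from richud.com: verify a driver catalogue's Authenticode
# chain and export the signer (and the chain's top certificate) from the command line.
# Assumed paths: the catalogue is E:\epson 3170\es3e.cat and the .cer files go
# into E:\epson 3170. Works on PowerShell 2 (Windows 7 default).
$catPath = 'E:\epson 3170\es3e.cat'
$outDir  = 'E:\epson 3170'
$ns      = 'System.Security.Cryptography.X509Certificates'

# Read the signature block from the .cat (same check WinVerifyTrust/signtool does)
$sig = Get-AuthenticodeSignature -FilePath $catPath
if ($sig.SignerCertificate -eq $null) { throw "No Authenticode signature found in $catPath" }
"Signature status : $($sig.Status) - $($sig.StatusMessage)"
"Name of Signer   : $($sig.SignerCertificate.Subject)"
"Thumbprint       : $($sig.SignerCertificate.Thumbprint)"

# Rebuild the chain ourselves to see WHICH element is untrusted.
# Revocation checking is off so this runs offline; set it to Online if you want CRL checks.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($sig.SignerCertificate)
"Chain builds to a trusted root: $chainOk"
foreach ($el in $chain.ChainElements) {
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $flags) { $flags = 'OK' }
    "  [$flags] $($el.Certificate.Subject)"
}

# Export the signer (leaf) certificate as DER, equivalent to 'Copy to File' in the GUI
$derType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$leafFile = Join-Path $outDir 'epson.cer'
[System.IO.File]::WriteAllBytes($leafFile, $sig.SignerCertificate.Export($derType))
"Signer certificate written to $leafFile"

# Also export the top element of the chain. If the chain status was UntrustedRoot this is
# the root CA the machine is missing; if it was PartialChain it is only the highest
# intermediate that could be found, not the root.
$top      = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootFile = Join-Path $outDir 'epson-root.cer'
[System.IO.File]::WriteAllBytes($rootFile, $top.Export($derType))
"Top of chain ($($top.Subject)) written to $rootFile"
```

Given the signtool output above, the broken Epson 3170 catalogue should report a status other than Valid and flag the top element UntrustedRoot, while every element of the V300 catalogue should print OK. Knowing which certificate is the untrusted one is what lets you decide how wide a trust decision you are making: the page's approach of adding the signer's own certificate trusts only that one key, whereas adding the CA root from epson-root.cer would trust everything that CA ever issued.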

Install certificate into cert store

Import the DER-encoded .CER file "epson.cer" you just extracted into BOTH the Trusted Root Certification Authorities (ROOT) store and the Trusted Publishers store of the LocalMachine on the PC you want to install the driver on, using CertMgr.exe from the WDK. TrustedPublisher is what lets dpinst proceed without the "Always trust software from" prompt; ROOT is needed because, as the signtool output shows, the chain ends in a root this machine does not trust, and putting the signer's own certificate into ROOT makes it a trust anchor in its own right. That is a system-wide trust decision, so only do it on machines you control and remove the certificate again afterwards (see "Remove certificate after install" below).

C:\WinDDK\7600.16385.1\bin\amd64\CertMgr.exe -add "E:\epson 3170\epson.cer" -c -s -r localMachine TrustedPublisher
C:\WinDDK\7600.16385.1\bin\amd64\CertMgr.exe -add "E:\epson 3170\epson.cer" -c -s -r localMachine ROOT


If you then rerun dpinst.exe, c:\WINDOWS\DPINST.log should now show the packages preinstalling correctly (DriverPackagePreinstallW returns 0x0). Here is a sample:

INFO:   Found driver package: 'e:\epson 3170\Es43.inf'.
INFO:   Found driver package: 'e:\epson 3170\Es52.inf'.
INFO:   Preinstalling 'e:\epson 3170\es27.inf' ...
INFO:   ENTER:  DriverPackagePreinstallW
SUCCESS:e:\epson 3170\es27.inf is preinstalled.
INFO:   RETURN: DriverPackagePreinstallW  (0x0)
INFO:   ENTER:  DriverPackageGetPathW
INFO:   RETURN: DriverPackageGetPathW  (0x0)
INFO:   Preinstalling 'e:\epson 3170\es32.inf' ...
INFO:   ENTER:  DriverPackagePreinstallW
SUCCESS:e:\epson 3170\es32.inf is preinstalled.

Remove certificate after install

If you wish to return the PC to its original state, certificate-wise, you can remove the certificates like this once the driver is (pre)installed:

  • Note, you MUST change the name option (-n) to match the 'Name of Signer' exactly. -n matches on the certificate name, so check the LocalMachine stores first to be sure nothing else with that name gets deleted.
CertMgr.exe -del -n "SEIKO EPSON Corporation" -c -s -r localMachine TrustedPublisher
CertMgr.exe -del -n "SEIKO EPSON Corporation" -c -s -r localMachine ROOT

Installing Remotely

This can all be done automatically and remotely using psexec once the certificate (.cer) has been extracted from the .cat.

You WILL need to change ALL occurrences of two things (the name of the certificate file and the 'Name on Certificate') in the example .bat file linked above:

  • richud.com.cer to epson.cer (or whatever you called your cert when saved it out)
  • -n richud.com to -n "SEIKO EPSON Corporation" (or whatever the 'Name on Certificate' is for the cert)
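The install, the dpinst run and the clean-up above are steps of one procedure, so here is the whole thing as a single PowerShell script. This is an added example, not the page's own .bat, Epson's code or Microsoft's; it is the same idea done with built-in PowerShell 2 features. It adds the certificate by thumbprint instead of by name (so the removal cannot hit another certificate that happens to share the 'SEIKO EPSON Corporation' name), runs DPInst silently, and removes the certificate again in a finally block so the machine is not left trusting it even if DPInst fails. The driver folder, certificate file name and the DPInst switches used are assumptions; it must be run elevated.

```powershell
# Added example, not from richud.com: temporarily trust the driver signer,
# preinstall the package with DPInst, then withdraw the trust again.
# Assumptions: epson.cer was exported into the driver folder (as on this page),
# dpinst.exe is in that folder, and this runs in an elevated PowerShell.
$driverDir = 'E:\epson 3170'
$cerFile   = Join-Path $driverDir 'epson.cer'
$stores    = @('TrustedPublisher', 'Root')    # the two stores the page uses
$ns        = 'System.Security.Cryptography.X509Certificates'

$cert = New-Object "$ns.X509Certificate2" -ArgumentList $cerFile
"Certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)"

function Open-MachineStore([string]$name) {
    # LocalMachine\<name>, opened read-write; Open() throws if the session is not elevated
    $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object "$ns.X509Store" -ArgumentList $name, $loc
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    return $store
}

try {
    foreach ($name in $stores) {
        $store = Open-MachineStore $name
        $store.Add($cert)            # matched by thumbprint; no-op if already present
        $store.Close()
        "Added to LocalMachine\$name"
    }

    # /q quiet, /se suppress EULA, /sw suppress wizard, /path folder holding the INFs
    $dpinst = Join-Path $driverDir 'dpinst.exe'
    $dpArgs = @('/q', '/se', '/sw', '/path', "`"$driverDir`"")
    $proc   = Start-Process -FilePath $dpinst -ArgumentList $dpArgs -Wait -PassThru
    $rc     = $proc.ExitCode

    # DPInst return value layout: bits 0-7 = packages installed, bits 8-15 = packages
    # copied to the driver store, bit 30 = a package failed, bit 31 = reboot required.
    $installed = $rc -band 0xFF
    $copied    = [int](($rc -band 0xFF00) / 256)
    $failed    = ($rc -band 0x40000000) -ne 0
    $reboot    = ($rc -band 0x80000000) -ne 0
    "DPInst exit code 0x{0:X8}: {1} installed, {2} copied to driver store" -f $rc, $installed, $copied
    if ($reboot) { "A reboot is required to finish the install." }
    if ($failed) { throw "DPInst reported a package could not be installed; see C:\WINDOWS\DPINST.log" }
}
finally {
    # Always withdraw the trust again, whether or not DPInst succeeded
    foreach ($name in $stores) {
        $store = Open-MachineStore $name
        $store.Remove($cert)         # removes only the certificate with this thumbprint
        $store.Close()
        "Removed from LocalMachine\$name"
    }
}
```

For the remote case, copy the script and the driver folder to the target and launch it through psexec with the SYSTEM account (psexec -s) and an execution policy that allows the file to run (for example powershell -ExecutionPolicy Bypass -File); the certificate is then only present in the LocalMachine stores for the duration of the DPInst run.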

Updates

Epson 4490

The Epson 4490 scanner driver (epson13552.exe) suffers from a similar issue (only tried on Win7 64-bit) and is fixed in the same way. Note that you will need to extract the certificate from its .cat file again.

  • Note, the certificates aren't interchangeable between driver packages; you need to extract the certificate from the specific driver bundle's own .cat file(s).


ARM mbed Windows serial port driver

mbedWinSerial_16466.exe Driver here

To install the ARM mbed driver silently, follow the same procedure as for the Epson driver at the top of the page.
