Windows 10：设备管理器中的错误代码52在交叉签名的驱动程序中具有正确的签名 [英] Windows 10: Error code 52 in device manager with correct signature in cross-signed driver

问题描述

我们开发了一个驱动程序，并用我们公司的Verisign签名（SHA1 + SHA256，包括证书链）对cat和sys文件进行了签名。我们在Windows 7和10（32位和64位版本）下对其进行了测试。现在，我们有一些随机的客户报告说，在设备管理器中无法正确识别我们的设备，并显示错误52：

we developed a driver and signed the cat and sys file with our company's Verisign signature (SHA1 + SHA256, including certificate chain). We tested it under Windows 7 and 10 both 32 and 64 bit versions. Now we have some random customers that report that our device is not recognized correctly in device manager and that error 52 shows up:

Windows无法验证该设备所需驱动程序的数字签名。最近的硬件或软件更改可能安装了未正确签名或损坏的文件，或者可能是来自未知来源的恶意软件。 （代码52）

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

Setupapi.dev.log显示此错误：

Setupapi.dev.log shows this error:

_ !!! dvi：设备未启动：设备有问题：0x34（CM_PROB_UNSIGNED_DRIVER），问题状态：0xc0000428

_!!! dvi: Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428

但是Setupapi.dev中的此消息。

But this message in Setupapi.dev.log is also present at working installations.

签名工具显示签名有效，与Windows资源管理器中的属性页相同。

Sign tool shows that the signature is valid, same does the properties page on windows explorer.

此行为的原因是什么？

推荐答案

对此的潜在解决方案是未对cat文件进行双重签名，并且< a href = https://docs.microsoft.com/zh-cn/windows-hardware/drivers/install/trusted-publishers-certificate-store rel = nofollow noreferrer>检查客户个人计算机的根证书。我还了解到setupapi.dev.log 完全正常

Potential solutions to this were not dual signing the cat file and checking the root certs of the customer's pcs. I also learned that the error message in setupapi.dev.log is perfectly normal

经过大量有关微软文档的相互矛盾的研究之后，我终于找到了
https://docs.microsoft。 com / windows-hardware / drivers / install / kernel-mode-code-signing-policy--windows-vista-and-later- 表示：

After some research with a lot of apparently contradictory Microsoft documentation I finally landed at https://docs.microsoft.com/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- where it says:

；注意：从Windows 10版本1607开始，Windows将不会加载任何未由开发门户签署的新内核模式驱动程序。

"Note: Starting with Windows 10, version 1607, Windows will not load any new kernel mode drivers which are not signed by the Dev Portal.

[... ]

如果满足以下任一条件，仍允许使用交叉签名的驱动程序：

Cross-signed drivers are still permitted if any of the following are true:

PC已从Windows的早期版本升级到Windows 10，版本1607。

The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.

安全启动已在BIOS中关闭。

Secure Boot is off in the BIOS.

驱动程序已使用2015年7月29日之前颁发的最终实体证书签名，该证书链接到受支持的交叉签名CA。

Drivers was signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA."

事实证明，没有在我们的测试计算机上启用安全启动，但在有问题的客户计算机上启用了安全启动。

And it turned out that Secure Boot was enabled on none of our testing machines, but exactly on the customer machines that had the problem.

现在，我们必须使用驱动程序执行WHQL认证。幸运的是，有些公司将其作为服务提供，因此我们不必维护认证机池。

Now we have to perform a WHQL certification with the driver. Fortunately there are companies which offer this as a service, so we don't have to maintain a certification machine pool.

这篇关于Windows 10：设备管理器中的错误代码52在交叉签名的驱动程序中具有正确的签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！