
dpinst / DifX won't install signed driver silently


When installing a signed driver (i.e. with a properly signed .CAB) on Windows 7 through DpInst, unless it's a WHQL-signed driver, you cannot install it silently. If you run DpInst in the non-silent mode, it'll prompt you to trust the "publisher". If you run DpInst in silent mode, it would fail with a signing-related error code (something like 0x800b0109 -- check your setupapi.app.log).


Solution

  • The straightforward way to do it is to add the signing certificate to the TrustedPublisher store. You can do it programmatically (the implementation of win32exception is left as an exercise to the reader):

    #include <windows.h>
    #include <wincrypt.h>
    #include <tchar.h>

    #include <memory>

    #include "win32exception.h"
    
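    namespace
    {
        // Owning handle for a certificate context returned by CryptQueryObject;
        // released with CertFreeCertificateContext when it goes out of scope.
        struct CertContextDeleter
        {
            void operator()(PCCERT_CONTEXT p) const { CertFreeCertificateContext(p); }
        };
        using CertContextPtr = std::unique_ptr<const CERT_CONTEXT, CertContextDeleter>;

        // Owning handle for a store opened with CertOpenStore; closed with
        // CertCloseStore(h, 0) when it goes out of scope.
        struct CertStoreDeleter
        {
            void operator()(HCERTSTORE h) const { CertCloseStore(h, 0); }
        };
        using CertStorePtr = std::unique_ptr<void, CertStoreDeleter>;

        // Frees the context CryptQueryObject handed back for a content type other
        // than a bare certificate. CRL and CTL content (plain or serialized)
        // comes back as a context of that type and needs the matching free
        // function; the other content types are reported through the store /
        // message out-params, which this code does not request, so there is
        // nothing to release for them.
        void ReleaseNonCertificateContext(DWORD dwContentType, const void *pvContext)
        {
            if (pvContext == NULL)
                return;
            switch (dwContentType)
            {
            case CERT_QUERY_CONTENT_CRL:
            case CERT_QUERY_CONTENT_SERIALIZED_CRL:
                CertFreeCRLContext(static_cast<PCCRL_CONTEXT>(pvContext));
                break;
            case CERT_QUERY_CONTENT_CTL:
            case CERT_QUERY_CONTENT_SERIALIZED_CTL:
                CertFreeCTLContext(static_cast<PCCTL_CONTEXT>(pvContext));
                break;
            case CERT_QUERY_CONTENT_SERIALIZED_CERT:
                // Still a CERT_CONTEXT; it is rejected because only
                // CERT_QUERY_CONTENT_CERT is accepted, but must be released.
                CertFreeCertificateContext(static_cast<PCCERT_CONTEXT>(pvContext));
                break;
            default:
                break;
            }
        }

        // Parses the file at `path` and returns its certificate context.
        // Throws win32exception if CryptQueryObject fails, and exception if the
        // file holds anything other than a bare certificate (CRL, CTL, PKCS#7,
        // PFX, serialized store/cert ...). On the rejection path any CRL/CTL
        // context CryptQueryObject returned is freed first, so the error path
        // does not leak.
        CertContextPtr LoadBareCertificate(LPCTSTR path)
        {
            DWORD dwContentType = 0;
            const void *pvContext = NULL;
            if (!CryptQueryObject(
                    CERT_QUERY_OBJECT_FILE,
                    path,
                    CERT_QUERY_CONTENT_FLAG_ALL,
                    CERT_QUERY_FORMAT_FLAG_ALL,
                    0,
                    NULL,
                    &dwContentType,
                    NULL,
                    NULL,
                    NULL,
                    &pvContext))
                throw win32exception("CryptQueryObject");

            if (dwContentType == CERT_QUERY_CONTENT_CERT)
                return CertContextPtr(static_cast<PCCERT_CONTEXT>(pvContext));

            ReleaseNonCertificateContext(dwContentType, pvContext);
            throw exception("Incorrect content type of crypto object.");
        }
    }

    // Adds the certificate stored in CertificateFilePath to the current user's
    // "TrustedPublisher" system store, so that packages signed with that
    // certificate are treated as coming from a trusted publisher.
    //
    // CertificateFilePath: path to a file holding a single bare certificate
    //   (any encoding CryptQueryObject accepts). Any other content type is
    //   rejected.
    //
    // Throws win32exception if CryptQueryObject, CertOpenStore or
    // CertAddCertificateContextToStore fails (the latter only for errors other
    // than CRYPT_E_EXISTS), and exception if the file is not a bare
    // certificate. A certificate the store already holds is accepted silently,
    // as before.
    //
    // NOTE(review): nothing here checks what kind of certificate the file
    // holds. Adding a CA certificate, rather than the vendor's own leaf
    // code-signing certificate, to TrustedPublisher trusts every publisher that
    // CA has issued to; callers should only pass the leaf certificate the
    // package was signed with.
    // NOTE(review): the store is opened with CERT_SYSTEM_STORE_CURRENT_USER,
    // i.e. the per-user store of whoever runs this. Whether a silent DpInst run
    // from another context (elevated, service) consults that store or the
    // local-machine one should be confirmed against the deployment; a
    // machine-wide trust decision would use CERT_SYSTEM_STORE_LOCAL_MACHINE.
    //
    // Cleanup is done by RAII owners instead of the MSVC-only __try/__finally
    // mixed with C++ throw, so the function is portable across compilers and
    // every exit path releases the context and the store.
    void InstallTrustedPublisherCertificate(LPCTSTR CertificateFilePath)
    {
        CertContextPtr cert = LoadBareCertificate(CertificateFilePath);

        CertStorePtr store(CertOpenStore(
            CERT_STORE_PROV_SYSTEM,
            0,
            0,
            CERT_STORE_OPEN_EXISTING_FLAG |
            CERT_SYSTEM_STORE_CURRENT_USER,
            _T("TrustedPublisher")));
        if (!store)
            throw win32exception("CertOpenStore");

        if (CertAddCertificateContextToStore(store.get(), cert.get(), CERT_STORE_ADD_NEWER, NULL))
            return; // Added certificate to TrustedPublisher store.

        // Capture the error before anything else can overwrite it.
        const DWORD err = GetLastError();
        if (err != static_cast<DWORD>(CRYPT_E_EXISTS))
            throw win32exception("CertAddCertificateContextToStore", err);
        // Certificate already exists in TrustedPublisher store: nothing to do.
    }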