I have created a storage adapter for the Windows Biometric Framework. I added the related keys and parameters in the registry at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1162&PID_2200\5&376aba2d&0&9\Device Parameters\WinBio\Configurations and Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc\Databases. I copied the DLL of my storage adapter to the C:\WINDOWS\SYSTEM32\WINBIOPLUGINS directory. I tried to load the storage adapter in the biometric session using winbio.dll's WinBioOpenSession method. I am getting the following errors:
1) In the biometric event log: "The Windows Biometric Service failed to load an adapter binary: C:\WINDOWS\SYSTEM32\WINBIOPLUGINS\STORAGEADAPTER.DLL.The module was not properly signed".
2) In the code integrity event log: "Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\WinBioPlugIns\StorageAdapter.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."
I searched the internet for information about the above errors and found that the DLL must be signed to install and load. So I tried both test-signing and release-signing (with GoDaddy's driver signing certificate), but I am still getting the same errors. The only thing I failed to do is sign my DLL with a cross certificate, and that is because I am unable to find the appropriate cross certificate for my driver signing certificate.
Query: Is it necessary to sign the DLL with both a cross certificate and a driver signing certificate, or is signing with only a driver signing certificate sufficient to install it on Windows?
Note: Please let me know if I have missed something here or am not following the correct process to load a custom storage adapter in the biometric session.
The modern Windows kernel requires drivers to be signed by a specific Certificate Authority (CA) approved by Microsoft (actually it has to be signed with two keys, CA and MS; MS for drivers loaded during the boot process). If you are developing a driver, you should have set up the test machine with TESTSIGNING disabled. And once you are done developing, you and Microsoft need to sign the driver before publishing in order for the driver to be able to be loaded into the kernel.
There is documentation on the Microsoft site on how to prepare a driver test machine in detail. But here is the command that will help disable TESTSIGNING in the kernel (requires a reboot of the system).
PLEASE NOTICE: the path to the command may differ from system to system; search for bcdedit.exe on your PC to locate the path.
C:\Windows\winsxs\amd64_microsoft-windows-b..iondata-cmdlinetool_31bf3856ad364e35_6.1.7601.17514_none_e6510234bbcb2a8c\bcdedit.exe -set TESTSIGNING OFF
I also strongly suggest the site community.osr.com, where most Windows kernel developers can be found exchanging their knowledge; the site is dedicated to kernel development. They have helped me a lot in the past.
Hope this helps you.
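
A read-only diagnostic for the load failure described in the question, added here as an example and not code from either poster. It reports how Windows evaluates the DLL's Authenticode signature, which root the signer's chain ends in, the current test-signing boot setting, and the matching event log entries. The DLL path is taken from the event messages in the question; the two event log channel names are assumed to be the standard ones on current Windows builds.

```powershell
# Added diagnostic example. Run from an elevated PowerShell prompt.
# DLL path as it appears in the event log messages quoted in the question.
$dll = 'C:\Windows\System32\WinBioPlugIns\StorageAdapter.dll'

# 1. Authenticode status as Windows itself evaluates it.
$sig = Get-AuthenticodeSignature -FilePath $dll
'Signature status: {0} ({1})' -f $sig.Status, $sig.StatusMessage
if (-not $sig.SignerCertificate) {
    Write-Warning 'No embedded signature found on the file.'
    return
}

# 2. Walk the signer's chain to see which intermediate and root it ends in.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
$null = $chain.Build($sig.SignerCertificate)
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Certificate.Subject
        Issuer     = $_.Certificate.Issuer
        NotAfter   = $_.Certificate.NotAfter
        Thumbprint = $_.Certificate.Thumbprint
    }
} | Format-List
$chain.ChainStatus | ForEach-Object { 'Chain problem: {0}' -f $_.Status }

# 3. A timestamp countersignature keeps the signature valid after cert expiry.
if ($sig.TimeStamperCertificate) {
    'Timestamped by: {0}' -f $sig.TimeStamperCertificate.Subject
} else {
    Write-Warning 'Signature carries no timestamp.'
}

# 4. Current test-signing boot option (no line means it is not set).
$ts = bcdedit /enum '{current}' | Select-String -Pattern 'testsigning'
if ($ts) { $ts.Line.Trim() } else { 'testsigning: not set in the current boot entry' }

# 5. Recent biometric and code integrity events that mention the adapter.
$logs = 'Microsoft-Windows-CodeIntegrity/Operational',
        'Microsoft-Windows-Biometrics/Operational'
foreach ($log in $logs) {
    Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'StorageAdapter\.dll' } |
        Select-Object -First 5 TimeCreated, Id, LogName, Message |
        Format-List
}
```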