windows驱动签名

转自：2019年最新WHQL认证申请流程

https://zhuanlan.zhihu.com/p/59189322

WHQL是Windows Hardware Quality Lab.的简称， 翻译成中文是windows系统硬件质量实验室。实验室主要执行windows徽标计划，检验硬件产品和驱动程序在windows系统下的兼容性和稳定性。

在此之前笔者有简述2016年申请WHQL认证流程，到现在Windows已经更新好几个版本，认证的网站和测试工具都一定的变化。笔者认为有必要将2019年最新的WHQL认证流程给大家说明一下，以便大家在申请的过程中更加顺利。

申请WHQL认证主要包含如下几步：

1， 申请EV代码签名证书

申请EV代码签名证书主要为了创建 Azure AD账户和提交测试LOG, 微软要求必须是Entrust, Symantec, Digicert, globasign 四家CA公司的EV代码签名证书。

2， 申请 Azure AD（Active Directory）账户

目前微软WHQL认证的网站已经改成Developer.Microsoft.com, 原来的http://Sysdev.microsoft.com已经停用。微软要求申请WHQL认证的公司必须要申请Azure AD账户。

3， 硬件（或软件）和驱动程序做HLK, HCK测试。

微软的测试工具有做许多的更新，到目前为止Windows 7 、Windows 8、Windows8.1还是采用HCK(Hardware certificate kit) 2.1版本来做测试。Windows 10采用HLK（Hardware Lab Kit）来做测试，但是HLK版本需要根据要Windows 10版本来选择。目前分别有HLK 1607， 1703， 1709， 1803， 1809版本， 笔者的经验是Windows 10 1803及以下版本可以共同用HLK 1803版本测试. 而HLK 1809版本只能用于测试Windows 10 1809和Windows server 2019， 不能兼容以下的版本。

4， 将全部测试项通过的LOG打包。

测试完成后需要用HCK或HLK将测试结果打包。用HCK打的包后缀名为HCKx, 而用HLK打包的是HLKx.

5， 提交测试结果给微软审核。

提交之前需要将前面创建的所有HCKx文件、HLKx合并，如果有驱动程序的需要加入驱动程序，然后创建一个新的HCKx或者HLKx文件，注意这次的创建需要用EV代码签名证书签名。 把新创建的HCKx或HLKx文件通过前面创建的Azure AD 账户提交微软审核。

6， 等待微软审核

微软审核周期因产品类型而有些差异。一般的产品通常1个小时左右可以审核完成，而有些如指纹仪这种需要微软人工审核的产品需要2天的时间。

7， 完成

微软审核通过（approved）,下载驱动数字签名catalogfile和微软认证报告。有需要的公司可以将驱动发布到windows Update.

 

8. windows 系统版本及 HLK和HCK 对应关系。

9.Signing requirements by version

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-

10.WHQL Release Signature

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature

11. Windows驱动 HCK测试方法及数字签名使用方法介绍

一、  HCK安装及使用方法介绍

1.   安装环境要求

      操作系统： Windows Server2008 R2英文版

                     需要两台电脑，一台做测试服务器，另一台做测试机

      网络要求：两台电脑必须都能连接internet，并同属一个局域网

      地区语言：最好选择默认值，选择China会安装不上，默认值为US

      安装工具： WHQL认证最新的测试工具是HCK，我们使用WindowsServer2008 R2操作系统，对应的HCK是

                      HCK2.1版本。使用离线安装，在线安装会有很多问题导致安装不上。

         

2.   HCK安装方法

      a.   点击HCKSetup.exe,选择下载离线安装文件；

      b.   待离线安装文件下载完成后，在测试服务器上安装HCK2.1，选择controller+studio模式；

      c.   待测试服务器上安装好了controller和studio，在测试机上安装HCK client，在开始菜单上面的搜索框里面输

             入：\\测试服务器主机名或IP\HCK~\HCKClient\ClientSetup.exe

 

3.   HCK测试方法

      具体测试步骤请在安装好HCK2.1工具后参考使用文档，上面有详细的使用说明。

 

 

12. Windows Hardware Lab Kit

https://docs.microsoft.com/zh-cn/windows-hardware/test/hlk/

 

13. win7和win8.1 hck测试

https://docs.microsoft.com/en-us/previous-versions/windows/hardware/hck/jj124227(v=vs.85)?redirectedfrom=MSDN

 

14. USB driver installer in NSIS

Creating a Windows Installer and Uninstaller for a custom USB driver using NSIS

转自： https://blog.sverrirs.com/2015/12/creating-windows-installer-and.html

The USB driver I created for the Xbox Big Button Controller has been sorely lacking a decent installer. I finally decided on writing one in the Nullsoft Scriptable Install System or NSIS for short.

The NSIS system is incredibly powerful and quite easy to learn. I quickly learned however that creating a fully automatic installer for a Windows driver is very tricky.

The full code for the installer can be found on GitHub

https://github.com/sverrirs/XboxBigButton

Installer

The installer was a quite straight-forward process. There is a lot of information already out there on how to install device drivers and do all sorts of fancy device install operations.

The features of the installer are as follows:

1. Performs an uninstall of any older install of the same product

2. Copies the correct binary files depending on the architecture being targetted (32 or 64 bit)

3. Installs the driver into the Windows DriverStore

4. Triggers a re-scan of the "unknown" plug and play devices to force the device to install itself correctly

The dpinst.exe (Driver Package Installer) utility was helpful in abstracting away the complexities of installing a driver and the installer is heavily centered around that step. The dpinst.xml file contains all the configuration options for this utility.

 

Uninstaller

Now this was a massive headache!

Simply speaking, performing a clean uninstall of a device driver on Windows is an incredibly tricky process. For some reason Microsoft has made it incredibly difficult to ensure that you can unload and delete any installed INF files you might have installed on your system programatically.

The features that I wanted for the uninstaller were:

1. Uninstalls any USB devices from the Device Manager

2. Completely removes the driver files from the Windows DriverStore

Neither of these steps were easy to solve given the information on the internet. The biggest problems were that

1. The uninstall utilities such as PnPutil.exe only partially remove the device driver. The INF file is still left on your system in the form of the originally installed OEM driver INF file. This results in issues if you ever offer driver upgrades the user might actually not load the newest driver after upgrading if the old INF file is present.

2. Uninstalling the USB device from the Device Manager was particularly difficult due to a problem with the devcon.exe (Device Console) program constantly erroring out for some reason when executed from NSIS.

3. The return codes from devcon were not trackable from within the NSIS script.

My final solution was to push all the heavy lifting of uninstalling the device and INF file to an external bat file as the NSIS system was having difficulties calling and parsing the correct return codes from the devcon tool.

DriverStore Explorer [RAPR] is a really useful tool to debug the DriverStore and clean up any lingering INF files.

The biggest problem was to figure out that the reason why the devcon program was failing is that it requires the working directory to be set to its current directory before running. SetOutPath solved that issue

	; Set working dir to the driver dir (otherwise the uninstall of any loaded devices wont work)
	Push $OUTDIR
	SetOutPath "$INSTDIR\driver"
	; Execute the device uninstall and inf deletion script
	ExecWait '"$INSTDIR\driver\uninstall_device.bat"' $0
	DetailPrint "Return code was $0"
	; Restore the working directory
	Pop $OUTDIR
	SetOutPath $OUTDIR # Optional if working directory does not matter for the rest of the code

view rawnsis_uninstall_setworkingdir.nsi hosted with ❤ by GitHub

 

The uninstall batch script was a bit tricky because your driver installs under a generic OEMxx.inf name so you need to figure out this name before you uninstall the device to be able to successfully remove the INF file from the system.

	@echo off
	REM START BY FINDING THE OEM INF FILE
	setlocal EnableDelayedExpansion
	SET OEM_FILE=
	set oemdata="devcon.exe dp_enum"
	FOR /F "eol=. tokens=*" %%a IN ( '%oemdata%' ) DO (
	set line=%%a
	set ourline=!line:Sverrir Sigmundarson=!
	if not !line!==!ourline! (
	SET OEM_FILE=!prev_line!
	)
	SET prev_line=%%a
	)
	echo Installed OEM file found as: !OEM_FILE!
	setlocal DisableDelayedExpansion
	REM REMOVE THE DEVICE
	devcon.exe remove =media "*VID_045e&PID_02a0*"
	if NOT errorlevel == 0 (
	echo Can not remove USB device, error %errorlevel%
	exit /b %errorlevel%
	)
	echo USB device successfully uninstalled from the system
	:uninstall_delete_inf
	IF [%OEM_FILE%] == [] (
	echo Could not locate OEM file installed. No INF to remove.
	goto success
	)
	pause >nul
	devcon.exe dp_delete %OEM_FILE%
	if NOT errorlevel == 0 (
	echo Can not delete the inf file named %OEM_FILE% from DriverStore, error %errorlevel%
	exit /b %errorlevel%
	)
	echo OEM file %OEM_FILE% successfully deleted from the DriverStore
	:success
	echo Success
	exit /b 0
	:fail
	echo Failure
	exit /b 100

view rawuninstall_device.bat hosted with ❤ by GitHub

 

Gotchas

1. Finding the right device in devcon.exe was tricky as the device category must be correctly specified. In my case I install the driver under the built in "Sound, Video and game controllers" which has the name "Media" behind the scenes. By specifing =media in my remove query I was able to find it successfully.

2. Working directory must be set before devcon.exe is called.

3. devcon.exe dp_delete function uses the generic OEM name of your INF file. You must use dp_enum first to obtain the name that Windows assigned your of the INF file when installed.

SHOW ME THE ENTIRE INSTALLER CODE

This article is also available on Linked in:  https://www.linkedin.com/pulse/creating-fully-automatic-installer-uninstaller-driver-sigmundarson

 

 

10. wdk版本和系统的对应关系