libusb0.sys snapshot release and digital signature

[mcuee]

(Updated on 13-Nov-2021)
Please take not libusb0.sys snapshot 1.2.7.1 release is not signed. Users who want to use it will have to get it signed by themselves. 1.2.7.2 snapshot release is signed but it will not work for Windows7.

Please help to test 1.2.7.3 to see if it works under Windows 7 or not.

V1.2.7.3 (11/13/2021) - SNAPSHOT RELEASE

• driver: sign the drivers using SHA1 as well as SHA256

• driver: sign the drivers after microsoft and not before (win7 fix)

V1.2.7.2 (10/25/2021) - SNAPSHOT RELEASE

• driver: sign the drivers using EV certificate: libusb0.sys snapshot release and digital signature #24

• driver: fix possible stack corruption: HPE team - found a stack override problem on libusb-win32 #19

• lib: fix missing check for failed CloseHandle(): Bug: usb_free_async should check CloseHandle return value #12

V1.2.7.1 (09/18/2019) - SNAPSHOT RELEASE

• Removed support for IA64
• Removed support for W2K
• Properly allocate NX pool memory on Win8+

V1.2.6.0 (01/17/2012)

• Official release.
• Removed ISO maximum transfer size restrictions/transfer splitting.
• Fixed inf-wizard device notification issue.

[dontech]

Yeah, the binaries are not signed any more.

The problem is that the signature will be invalid the second someone changes the INF file.

The old way of signing is not supported any more due to

1. WIN10 only supports SHA256 AFAIK.
2. Only signing the SYS file is not supported any more, as the entire SYS/INF/CAT package needs to be signed AFAIK.

Please update me if I am missing something.

We could test-sign the releases, but it would still only work if you enable test-signing in target installation.

/pedro

[dontech]

We can of course fix the SHA256 requirement easily.

[mcuee]

Yeah, the binaries are not signed any more.

The problem is that the signature will be invalid the second someone changes the INF file.

2. Only signing the SYS file is not supported any more, as the entire SYS/INF/CAT package needs to be signed AFAIK.

Please update me if I am missing something.

@dontech

Actually we can get the sys signed and then people can use Zadig or libusbk-inf-wizard to install libusb0.sys based driver under Windows 7/8//8.1/10/11.
Ref: https://community.osr.com/discussion/293115/windows-11-and-alternative-driver-installation-method-in-libwdi#latest

How to get the signed .sys file?
You need a EV certificate to sign in the Microsoft portal, you still need to submit a full driver package, then you can throw away the other files, just keep the signed libusb0.sys files (eg: 32bit/64bit). Maybe we can keep the signed DLL files as well.

[mcuee]

Ref: my question was answered by Tim Roberts in OSR ntdev forum.
https://community.osr.com/discussion/comment/301698

On Wed, Jun 16, 2021 at 8:38 PM Xiaofan Chen wrote:

I understand that one needs an EV certificate.
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

However, it is not clear to me how to submit a driver (.sys) file only
without an INF.

Previously we were able to use the code signing certificate to just
sign the .sys file
(libusb0.sys and liusbk.sys). Then users can use the following method to install
the driver packages under Windows 7/8/8.1/10. The method still works now.
https://github.com/pbatard/libwdi/wiki/Zadig
https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

Now assume we want to upgrade libusbk.sys and we get an EV certificate,
is it possible to just sign the libusbk.sys file? Or we can use a real
inf file and
then submit the inf file and libusbk.sys together for attestation signing, then
it will come back with a signed libusbk.sys driver?

libusbk:
https://github.com/mcuee/libusbk
(Note: we may want to discontinue libusbk.sys and contrate on WinUSB
support if the process is just too troublesome).

--
Xiaofan

Answer by Tim.
On Thu, Jun 17, 2021 at 2:11 AM Tim_Roberts wrote:

Tim_Roberts commented on Successful Windows 10 driver signing

You must have an INF, but it can be a fake INF, as long as it is syntactically correct and mentions all the DLLs you need. Microsoft signs all of the executable files included in the package. You can throw away the CAT file that comes back.

[mcuee]

Reference: low Windows driver rank score for libusbk as it is signed in Nov 2014. libusb0.sys 1.0.26 version was signed even earlier in Jan 2012.
https://github.com/pbatard/libwdi/wiki/Zadig#Preventing_the_replacement_of_a_Zadig_libusbK_USB_Device_Driver

For instance, Zadig's date stamp for libusbK might be 11/30/2014 for version 3.0.7.0 resulting in rank 00FF0001.

[dontech]

OK try this: https://sourceforge.net/projects/libusb-win32/files/libusb-win32-snapshots/20211025/

V1.2.7.2 (10/25/2021) - SNAPSHOT RELEASE

• driver: sign the drivers using EV certificate: libusb0.sys snapshot release and digital signature #24

• driver: fix possible stack corruption: HPE team - found a stack override problem on libusb-win32 #19

• lib: fix missing check for failed CloseHandle(): Bug: usb_free_async should check CloseHandle return value #12

[dontech]

I signed it with my EV signature. Give it a spin.

[mcuee]

@dontech Great. Now it works. I have tested by using building Zadig to use the libusb-win32-1.2.7.2 snapshot binary.

Replaced the HID driver of a test device with libusb0.sys driver. Here is the output of test

C:\libusb-win32-1.2.7.2-bin\bin\amd64> .\testlibusb-win.exe

DLL version:	1.2.7.2
Driver version:	1.2.7.2

bus/device  idVendor/idProduct
bus-0/\\.\libusb0-0001--0x0925-0x7001     0925/7001
- Manufacturer : Lakeview Research
- Product      : Generic HID
bLength:             18
bDescriptorType:     01h
bcdUSB:              0200h
bDeviceClass:        00h
bDeviceSubClass:     00h
bDeviceProtocol:     00h
bMaxPacketSize0:     08h
idVendor:            0925h
idProduct:           7001h
bcdDevice:           0001h
iManufacturer:       1
iProduct:            2
iSerialNumber:       0
bNumConfigurations:  1
  wTotalLength:         41
  bNumInterfaces:       1
  bConfigurationValue:  1
  iConfiguration:       0
  bmAttributes:         c0h
  MaxPower:             50
    bInterfaceNumber:   0
    bAlternateSetting:  0
    bNumEndpoints:      2
    bInterfaceClass:    3
    bInterfaceSubClass: 0
    bInterfaceProtocol: 0
    iInterface:         0
      bEndpointAddress: 81h
      bmAttributes:     03h
      wMaxPacketSize:   64
      bInterval:        1
      bRefresh:         0
      bSynchAddress:    0
      bEndpointAddress: 01h
      bmAttributes:     03h
      wMaxPacketSize:   64
      bInterval:        1
      bRefresh:         0
      bSynchAddress:    0

[mcuee]

BTW, as mentioned in the Wiki, libusb-win32 inf-wizard does not work. So we probably want to remove it from the next releases.

Ref:
https://sourceforge.net/p/libusb-win32/wiki/Home/
https://github.com/mcuee/libusb-win32/wiki
The installer from libusb-win32 does not either under Windows 7/10, please use the GUI installer from libusbK or Zadig.

[mcuee]

I will close this one and create another ticket for the inf-wizard.

[mcuee]

For those who want to use the snapshot, you can use Zadig snapshot here.

https://sourceforge.net/projects/libusb-win32/files/Zadig_libwdi/
binary: zadig_git_99a38ae62ba0.exe
Source code: libwdi_git_src_99a38ae62ba0.zip

[tormodvolden]

Very nice. I appreciate the efforts you have put in here.

[mcuee]

I have to re-open this as it is said the driver package does not work with Windows 7 x64.

Ref: libusb/libusb#94 (comment)

[mcuee]

I tend to think this is because of the signing process. It will work under Windows 10 but not Windows 7,
Ref: https://community.osr.com/discussion/291262/driver-signing-on-windows-7-and-10

But I am not exactly sure about the issue or the solution. I am checking with the reported on the details (whether his Widows 7 machine has the necessary SHA-2 update). Maybe I have to ask in OSR forum again. The whole Windows driver signature issue is pretty complicated.

Official documentation from Microsoft.
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-drivers-signed-by-microsoft-for-multiple-windows-versions

[mcuee]

One possibilty is that the user does not have the necessary SHA-2 update on the Windows 7 machine.
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-drivers-signed-by-microsoft-for-multiple-windows-versions

[mcuee]

Or to make things easier, we should just drop Windows 7/8/8.1 support and only supports Windows 10/11 for the next official release, now that Windows 11 is released.

Take note personally I do not have any love of older unsupported (by Microsoft) version of Windows, including Windows 7. I myself run Windows 11 on my two home laptops and my work laptop runs Windows 10.

[mcuee]

@dontech You can decide the minum version which you feel comfortable to work with. Thanks.

[mcuee]

Still there is an easy workaround for Windows 7 as well if Zadig snapshot does not work for Windows 7.

1. Using Zadig 2.6 release to install libusb0.sys 1.2.6.0 device driver.
2. Using the libusb-win32 1.2.7.2 installer to upgrade libusb0.sys and libusb0.dll

[mcuee]

@dontech
@tormodvolden has a comment to see whether it is possible that you produce a signed release of the libusb 1.2.7.2 snapshot debug version with the debug info ON. I am not so sure about the Microsoft portal attestation signing policy with regard to debug version.

[dontech]

Hello all,

1. Yes, the attestation signing only works for win10. If we want full signing, we have to pass all the WHQL tests, which requires a larger test setup. I have done this before for clients, but it is super heavy. We could also find some bugs doing this, so it would not be a total waste.

2. Yeah i think we will include debug builds for the next release. No totally sure why "make dist" does not do this currently.

[mcuee]

Hello all,

1. Yes, the attestation signing only works for win10. If we want full signing, we have to pass all the WHQL tests, which requires a larger test setup. I have done this before for clients, but it is super heavy. We could also find some bugs doing this, so it would not be a total waste.

@dontech
If this can be done, that will be great. Take your time.

I assume that with WHQL it will work on Windows 7 onwards, including Windows 8/8.1 and Windows 10, as well as the corresponding Windows server versions.

Not so sure if we should even care for Windows XP and Windows Vista.

2. Yeah i think we will include debug builds for the next release. No totally sure why "make dist" does not do this currently.

That will be great.

[mcuee]

BTW, the following libusb issue fix does not seems to need the fix in 1.2.7.2.

• Windows: libusb0.sys support improvement libusb/libusb#94

[mcuee]

New Zadig 2.7 build with libusb0.sys 1.2.7.2 snapshot release.
https://github.com/mcuee/libwdi/releases/tag/v1.4.1

I built Zadig 2.7 from libwdi 1.4.1 release source codes with VS2019 and tested it with Windows 10 and 11. 
I am not so sure if it works under Windows 7/8/8.1. It will not work under Windows XP. Unlikely it will work under Windows Vista either. Please report your success or failure. Thanks.

[changyp6]

New Zadig 2.7 build with libusb0.sys 1.2.7.2 snapshot release. https://github.com/mcuee/libwdi/releases/tag/v1.4.1

I built Zadig 2.7 from libwdi 1.4.1 release source codes with VS2019 and tested it with Windows 10 and 11. I am not so sure if it works under Windows 7/8/8.1. It will not work under Windows XP. Unlikely it will work under Windows Vista either. Please report your success or failure. Thanks.

I have tried this driver on Windows 7 SP1 (32 / 64) / Windows 8.1 Version 6.3 Build 9600 x86_64 / Windows 10

On both windows 8.1 and windows 10, libusb0.sys is reported "signed by libusb-win32"
On windows7, libusb0.sys is reported "not signed", in x86 Windows7, driver can be loaded and can work, however, in x86_64 Windows7, driver is refused to be loaded by system, and "Error Code 52" is reported in the device manager driver detail page.

libusb0.sys 1.2.7.2 still CANNOT work in Windows 7

[mcuee]

@changyp6 Thanks a lot for the report. This is kind of expected based on the report in libusb git issues discussions.

The best is now to go with WHQL so that it will also work on Windows 7 (with the SHA2 signature update). But that may take some time as per @dontech.

[dontech]

I have found a work-around:

https://community.osr.com/discussion/293107/now-that-cross-signing-is-deprecated-how-are-you-all-supporting-windows-7

The reason for this mess is the deprecation of cross-certs, and a specific bug in the windows 7 cert handling.

I will try to create a new snapshot with the certificate chain changes needed, and see if it helps...

[dontech]

OK new snapshot ready:

https://sourceforge.net/projects/libusb-win32/files/libusb-win32-snapshots/

1. changyp6, could you please try this and report back?

2. Additionally, it would be great if you also tried it on an older win7 install, to see if the SHA1 i added actually works. Not sure.

[changyp6]

OK new snapshot ready:

https://sourceforge.net/projects/libusb-win32/files/libusb-win32-snapshots/

1. changyp6, could you please try this and report back?

2. Additionally, it would be great if you also tried it on an older win7 install, to see if the SHA1 i added actually works. Not sure.

I don't have test environment right now, so I'll try this new snapshot on next Monday, and give you feedback ASAP.

[mcuee]

@pazourek Please help to test 1.2.7.3 snapshot release under Windows 7 as well if you got the time. Thanks.

[pazourek]

I'm sorry, but I'm a little confused how to test the 1.2.7.3 snapshot. The version 1.2.7.2 contained an inf-wizard so I was able to install the driver. But the latest snapshot (libusb-win32-bin-1.2.7.3.zip) doesn't. There is also missing a .cat file.

[mcuee]

I'm sorry, but I'm a little confused how to test the 1.2.7.3 snapshot. The version 1.2.7.2 contained an inf-wizard so I was able to install the driver. But the latest snapshot (libusb-win32-bin-1.2.7.3.zip) doesn't. There is also missing a .cat file.

You can use Zadig to install libusb0.sys 1.2.6.0 driver for your device first, and then install libusb-win32 1.2.7.2 to upgrade the libusb0.sys and libusb0.dll file.

But I will create a release of Zadig 2.7 with the 1.2.7.3 snapshor release as well in a few hours.

[mcuee]

@pazourek
You can try my build of libwdi/Zadig here.
https://github.com/mcuee/libwdi/releases/tag/v1.4.1

[mcuee]

Mirror of libusb-win32 1.2.7.3 snapshot release here, I also include the above Zadig release.
https://github.com/mcuee/libusb-win32/releases/tag/snapshot_1.2.7.3

[pazourek]

The dirver installed by Zadig sems to work properly under Win7 Pro 64bit.

[mcuee]

The dirver installed by Zadig sems to work properly under Win7 Pro 64bit.

Great. Thanks for the confirmation.

[changyp6]

Mirror of libusb-win32 1.2.7.3 snapshot release here, I also include the above Zadig release. https://github.com/mcuee/libusb-win32/releases/tag/snapshot_1.2.7.3

I have tested libusb0.sys 1.2.7.3 driver on Windows 7 SP1 (32 / 64) / Windows 8.1 Version 6.3 Build 9600 x86_64 / Windows 10 x86_64
libusb0.sys 1.2.7.3 can be loaded on both Windows 7 (32 / 64) and can work well, however, in the driver detailed info page, it still shows that "driver is not signed".
libusb0.sys 1.2.7.3 can be loaded on Windows 8.1 / Windows 10 x86_64, and can work well, in the driver detailed info page, it shows "driver is signed by libusb-win32"

[dontech]

libusb0.sys 1.2.7.3 can be loaded on both Windows 7 (32 / 64) and can work well, however, in the driver detailed info page, it >>still shows that "driver is not signed".

Yeah, i noticed the same. Any ideas?

It think it's because its attestation signed, which for some reason is not liked by the older Windows GUI.
Anyone know how to fix this?

Clearly the GUI is not driven by the same logic as the driver installer itself, at the installer approves of the driver now.
So i would say this went from a blocker to a minor.

[dontech]

It does the same for libusbk installed via Zadig.

I think this is something related to some Windows internals. Not sure this is fixable.
Also, it's purely cosmetic.

Maybe someone at libusbK knows more?

[dontech]

I think its because the GUI wants the driver to be cross signed by Microsoft.

Cross signing was removed and deprecated: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates

As long as the driver works, i think its OK. Ideas?

[mcuee]

I think its because the GUI wants the driver to be cross signed by Microsoft.

Cross signing was removed and deprecated: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates

As long as the driver works, i think its OK. Ideas?

Yes, I agree with your conclusion. We are more or less ready with the next release.

[mcuee]

For those who want to get the 'cosmetic' fixed, one way is to submit your driver package (for specific devices specified in the inf) for WHQL and hopefully it can pass the tests. You need to have the EV cert and you need to pass the HLK.
https://www.osr.com/blog/2020/10/15/microsoft-driver-updates-allowed-win7-win8/

[mcuee]

@dontech -- can you do another experiment with attestation signing?

You have used the Option 1 in the following OSR forum post. The package will work under Windows 10. Now you may want to try Option2. This time you do not use your cert to sign the package. It is said that the result package will be working under Windows 7 and Windows 10.

Ref:
https://community.osr.com/discussion/292832/cross-signing-certs-expiring-this-week-how-will-whql-work
https://www.osr.com/blog/2021/04/08/lost-cause-no-driver-updates-allowed-except-for-win-10/

---

Peter_Viscarola_(OSR) Administrator
...

1. You have one or more cert that are registered with the dashboard. Sign everything with one of those certs, including your driver package, when you submit it for Attestation Signing. No cross-signing. The Attestation Signed package will install only on Win 10.

OR

2. Don’t sign the drivers, and the package will be installable on Win 7 and Win 10.

Done. No need to ask MSFT anything,

---

[dontech]

I tried not signing anything. Same thing: loads on win7 x64, but still states "not signed in GUI".

Fairly sure this is an O/S limitation we cannot get around, which was caused by the expiration of the cross-certs, which win7 GUI apparently wants. Either that or it wants an MS SHA1 signature, which the signing portal does not provide. To fix that Microsoft would need to push a fix for WIN7. Since WIN7 is EOL thats doubtful.

I think we a stuck with the current solution, unless someone can point to someone who has gotten around this.

[mcuee]

Good. Thanks for the confirmation. I will close this issue now.