1 2 Previous Next 22 Replies Latest reply on Dec 16, 2012 3:40 AM by len.bleile

    Signing cyusb driver for Windows Vista/7 64-bit

      We use Cypress USB controllers for an our own product that should work under Windows Vista/7 64-bit. As I discovered in this forum we need a signed driver for x64 OS from Vista on. Now I would like to know the step I need to sign the driver. I would like to sign the driver because (if I'm not wrong) the cost is not too high (according to what I found here the certificate costs 99$).



      I learned from the Microsoft guide on kernel-mode code signing walkthrough how to: 1) obtain a Software Publisher Certificate (SPC) from a commercial CA (Certificate Autorithy); 2) create a .CAT file starting from the driver file (.SYS) and the driver setup information file (.INF); 3) use the SPC to sign the CAT file in order to be able to use the driver under Windows Vista/7 64-bit.



      Installing Cypress USB Generic Driver (3.4.6) I got the cyusb.sys and cyusb.inf files (under C:\Program Files\Cypress\Cypress Suite USB 3.4.6\Driver\wlh). These work fine for our product (for the moment only disabling the driver signature enforcement).



      Now I feel to miss some information on the steps I need to have our own signed driver that will work with our XXX product so that once plugged in our product to a computer that has the driver installed, the product is automatically recognized as the XXX product.



      First of all I guess I have to change on the USB controller and on the cyusb.inf the VID and the PID, isn't it? I guess these values have to be provided by Microsoft and I cannot use any values, isn't it? In this case how do I get them from Microsoft? Then if I do not modify the cyusb.sys driver do I need to follow the procedure that Cypress indicates for having the WHQL certificate? If I do not need this WHQL signing procedure, should I simply follow the instructions on the  kernel-mode code signing walkthrough provided my Microsoft?



      Please details as much as possible the steps needed for different scenarios.

        • 1. Re: Signing cyusb driver for Windows Vista/7 64-bit

          Winqual have all the steps, just follow it, you will get signed drivers.


          1, Buy verisign, and sign your driver.


          2, Test The signed driver on 64bit system using WHQL test tools(Not easy),  and subscribe the succeded test result to Winqual.


          3, wait for signed cat files.


          Find a WHQL suppotor will be easier. .

          • 2. Re: Signing cyusb driver for Windows Vista/7 64-bit

             VID is provided by USB-IF (please look at http://www.usb.org/home), Once you own a VID you can assign and maintain PID by yourself.


            You can WHQL sign the driver or use a 3rd party certificate to sign the driver (SPC). WHQL signing involves testing so it takes care that the hardware software interaction is right. So this is the one we've been recommending.


            I'm working on documenting the steps involved in signing using 3rd party certificate. Will update here once I have it ready.





            • 3. Re: Signing cyusb driver for Windows Vista/7 64-bit

              Test the driver using WHQL test tools means to setup firstly a network (server, workstation, test PC), isn't it? Since we are a startup company and we do not want to spend all that time, how should we do?



              aasi, you say that instead of WHQL sign I can use a SPC, but in the Cypress AN5297 document there is written "[...] Driver quality signature allows the driver to load in Windows with compatibility and reliability requirements defined by Microsoft.  The driver cannot be loaded in Windows 7 and  Vista 64-bit  operating systems (OS) without driver quality signature in normal mode [...]". So which is the real difference between WHQL and SPC sign? What will happen in practice when the driver will be staged (DIFx) or installed on another PC?



              And please can you give me more details on this cyusb.sys signed driver for Windows 7 64-bit? I guess it is WHQL signed, isn't it? May I use this .sys signed driver and by myself sign with SPC only the .cat file that I will construct starting from the .inf file (where I'll put our VID/PID) and the .sys signed by you? Would this be enough?



              We use EZ-USB FX2 CY7C68013 and the goal is to install on other machines the driver programmatically and with as less as possible user interaction.

              • 4. Re: Signing cyusb driver for Windows Vista/7 64-bit

                I've seen companies provide this as a service you might wanna look at that approach as well.


                The difference between SPC and WHQL is that SPC does not involve testing. So WHQL signed would give more confidence in terms of quality.


                I've not got a chance to play around with SPC signed drivers to see the behavior of the OS but based on MS documents my understanding is that SPC signed driver will behave the same way and can be distributed.


                Win 7 and Vista x64 will not allow writing files to system folder unless they are signed. 


                Signing kind of has to do with hash code and stuff. When you change the inf file the hash code will be broken so you'll not be able to use the .cat file. You can generate it using inf2cat after making the necessary modifications to the inf file.


                If you sign the driver and place it in the appropriate system folder, no user intervention will be needed while using the driver.





                • 5. Re: Signing cyusb driver for Windows Vista/7 64-bit
                        Sorry I'm still missing information on      this cyusb.sys      signed driver for Windows 7 64-bit. I read somewhere that it is possible to sign either the .sys, the .cat or both of them. In this link are both signed? And are they both signed with WHQL?   
                       Because if yes, is it possible to keep your.sys signed with WHQL and use our .cat signed with SPC? In this way we might just opt for the fast SPC signing method and keep mantaining the benefit of the WHQL signing.   
                       thanks in advance   
                  • 6. Re: Signing cyusb driver for Windows Vista/7 64-bit

                    It is WHQL signed and it has signed the .sys and .inf as a whole package. The .cat contains the signature. So I don't think you would be able to use it in the fashion that you're proposing.





                    • 7. Re: Signing cyusb driver for Windows Vista/7 64-bit

                       Thanks aasi for your reply. Just last thing (hopefully), if it is signed with WHQL why do I get the following warning when trying to install it in windows 7 64-bit: "Installing this device is not recommended because Windows cannot verify that it is compatible with your hardware...."

                      • 8. Re: Signing cyusb driver for Windows Vista/7 64-bit

                         1. Are you using the files as is?


                        2. Does your device have a firmware running in it or are you connecting a unprogrammed FX2LP?





                        • 9. Re: Signing cyusb driver for Windows Vista/7 64-bit

                          If you don´t want to spend so much time and money on signing the CyUSB.sys driver, consider switching to WinUSB oder LibUSB driver. We use WinUSB driver and the effort to change the application software war about one day of work. This is much less then the effort for WHQL. WinUSB is signed by MS and if you want to get only a blue message (Do you want to trust the vendor...) from UAC while install all you need is the Verisign ID (99US$). The universal driver works on all Windows Systems beginning with XP SP2 and is stable as a rock. AFAIK the LibUSB is now signed, too and can also be used without WHQL even on 64 bit systems.

                          • 10. Re: Signing cyusb driver for Windows Vista/7 64-bit



                            Regarding difference between SPC and WHQL signed drivers - if you plan to install your driver silently (without user intervention/dialog boxes etc, in the way most hardware providers does) you MUST have WHQL signed driver. This point is not documented very well, we came to this when we bought SPC certificate from GlobalSign, signed our driver, then tried to install our properly signed driver package via dpinst.exe - Windows pops up a dialog asking do you trust the publisher and do you really want to install the driver. However, if user will allow this - driver works ok on all Windows, but that dialog make installation process not so nice...


                            Later we tried to move to WHQL but the point is that it accepts certificate only from Verisign, our owned from GlobalSign cant be used there. So we have to buy one more certificate now :)


                            Best regards, Arturas

                            • 11. Re: Signing cyusb driver for Windows Vista/7 64-bit

                               thanks to all of you guys! Now I've ideas a bit more clear (but still not completely).




                              We have got a SPC for the moment, since going for the WHQL signing is too long and complicated. Hence for the moment we settle for a non complete silent driver installation by requiring the user to accept to install the driver (a pop-up window asking to either trust or not the publisher). And for the moment we are using the Cypress general driver.




                              Now, what is the advantage of the WinUSB driver? Also the WinUSB should be signed (creating the CAT and then sign it), hence I guess that if we sign through SPC we still have the pop-up window, isn't it? 

                              • 12. Re: Signing cyusb driver for Windows Vista/7 64-bit

                                It doesn't support isochronous. Other than that I'm not aware of any difference between WinUSB and CyUSB.sys.


                                From what I know in terms of speed both should be almost same.





                                • 13. Re: Signing cyusb driver for Windows Vista/7 64-bit

                                  http://www.cypress.com/?docID=32167 has a table discussing this.





                                  • 14. Re: Signing cyusb driver for Windows Vista/7 64-bit



                                    This Chris R.'s information about WinUSB is interesting. I could give it a try but I don't know how to implement firmware downloading using WinUSB. Any ideas anyone?





                                    1 2 Previous Next