All 64-bit versions of Windows, starting with Windows 7, by default prohibit the installation of device drivers that are not signed with the correct digital signature. Unsigned drivers are blocked by the operating system. The presence of a digital signature guarantees (to some extent) that the driver was released by a specific developer or vendor, and its code has not been modified after it was signed.

Today we will show how you can independently sign any unsigned driver for the 64-bit versionWindows10 or Windows 7 .

Let's assume that we have a driver for a certain device for x64 Windows 10 or Windows 7 that does not have a digital signature (in our example, this will be a driver for a fairly old video card). An archive with drivers for our version of Windows (I managed to find a driver for Windows Vista x64) was downloaded from the manufacturer’s website and its contents were unpacked into the c:\tools\drv1\ directory. Let's try to install the driver by adding it using a standard utility pnputil.

Pnputil –a "C:\tools\drv1\xg20gr.inf"

Note. This and all subsequent commands are executed in a command prompt run with administrator rights.

During its installation, Windows 7 will display a warning that the system cannot verify the digital signature of this driver.

In Windows 10, such a warning does not even appear, but in the console a warning appears that the third-party INF file is missing digital signature information.

When trying to install a driver from Windows Explorer, if you right-click on the driver inf file and select Install / Install an error will appear:

The third-party INF does not contain digital signature information.

The third party INF does not contain signature information.

Let's try to sign this driver using a self-signed certificate.

Utilities required for driver signing

To work, we will need to download and install (with default settings) the following application developer tools for Windows.

• Windows SDK (or Microsoft Visual Studio 2005 or higher) for your version of Windows - these packages include the Windows SDK Signing tools for Desktop, which includes the utility we need - signtool.exe;
• Windows Driver Kit 7.1.0 - ISO image GRMWDK_EN_7600_1.ISO size 649 MB

Advice. On Windows 10, you can use newer versions of the Windows SDK and Windows Driver Kit. Before installing these tools, make sure that the .NET Framework 4 is installed on your system.

Create a self-signed certificate and private key

Let's create a directory C:\DriverCert in the root of the disk.

Let's open a command line and go to the following directory:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin

Let's create a self-signed certificate and a private key issued, for example, to the company Winitpro:

makecert -r -sv C:\DriverCert\myDrivers.pvk -n CN="Winitpro" C:\DriverCert\MyDrivers.cer

During creation, the utility will ask you to specify a password for the key, let it be P@ ss0 wrd.

Based on the created certificate, we will create a public key for the software publisher certificate (PKCS).

cert2spc C:\DriverCert\myDrivers.cer C:\DriverCert\myDrivers.spc

Let's combine the public key (.spc) and the private key (.pvk) in one Personal Information Exchange format certificate file (.pfx).

pvk2pfx -pvk C:\DriverCert\myDrivers.pvk -pi P@ss0wrd -spc C:\DriverCert\myDrivers.spc -pfx C:\DriverCert\myDrivers.pfx -po P@ss0wrd

Advice. You can create a self-signed Code Signing certificate without using third-party tools using the PowerShell 5.0 cmdlet - .

$cert = New-SelfSignedCertificate -Subject “Winitpro” -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My

Then you need to export this certificate to a pfx file with a password:

$CertPassword = ConvertTo-SecureString -String “P@ss0wrd” -Force –AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\DriverCert\myDrivers.pfx -Password $CertPassword

Advice. Although the certificate has a limited validity period, the expiration of a CodeSigning certificate means that you will not be able to create new signatures. A driver already signed by this certificate is valid indefinitely (or old signatures are valid for the specified timestamp).

Generating a CAT driver file

Let's create a directory C:\ DriverCert\ xg and copy into it all the files from the directory into which the archive with the driver was originally unpacked (c:\tools\drv1\). Make sure that among the files there are files with the extension . sys And . inf(in our case xg20grp.sys and xg20gr).

Let's go to the directory:

cd C:\WinDDK\7600.16385.1\bin\selfsign

Based on the inf file, using the inf2cat.exe utility (part of the Windows Driver Kit -WDK), we will generate a cat file for our platform (contains information about all files of the driver package).

inf2cat.exe /driver:"C:\DriverCert\xg" /os:7_X64 /verbose

To make sure that the procedure was completed correctly, check that the log contains the following messages:

Signability test complete.
And
Catalog generation complete.

Advice. In my case, the Inf2Cat.exe command returned the error:

Signability test failed.

22.9.7: DriverVer set to incorrect date (must be postdated to 4/21/2009 for newest OS) in \hdx861a.inf

To fix the error, you need to find the line with DriverVer= in the section and replace it with:

After executing the command, the g20gr.cat file should be updated in the driver directory

Sign the driver with a self-signed certificate

Go to directory:

cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64"

Let's sign the set of driver files with the certificate we created, and use the Globalsign resource as a timestamp service. The following command will digitally sign a CAT file using a certificate stored in a password-protected PFX file.

signtool sign /f C:\DriverCert\myDrivers.pfx /p P@ss0wrd /t http://timestamp.globalsign.com/scripts/timstamp.dll /v "C:\DriverCert\xg\xg20gr.cat"

If the file is signed successfully, the following message should appear:

Successfully signed: C:\DriverCert\xg\xg20gr.cat
Number of files successfully Signed: 1

Note. The digital signature of the driver is contained in the .cat file, which is referenced by the driver .inf file. Using the following command you can check the digital signature of the driver in the cat file:

SignTool verify /v /pa c:\DriverCert\xg\xg20gr.cat

Lido in the file properties on the Digital Signatures tab.

The CAT file contains digital signatures (fingerprints) of all files that are located in the driver directory (files that are specified in the INF file in the section CopyFiles). If any of these files have been modified, the checksum of the files will not match the data in the CAT file, as a result, the installation of such a driver will fail.

Installing a certificate

Because The certificate we created is self-signed; the system does not trust it by default. Let's add our certificate to the local certificate store. This can be done using the commands:

certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\myDrivers.cer -s -r localMachine TRUSTEDPUBLISHER

Or from the graphical wizard for adding certificates (the certificate must be placed in the storage Trusted Publishers And Trusted Root Certification Authorities local machine). In a domain, you can centrally .

Note. You can check the presence of the certificate we created in the trusted ones by opening the certificate management snap-in (certmgr.msc) and checking the presence of the certificate we created (issued for winitpro) in the appropriate stores.

Note. When checking the certificate store using the utility, this certificate will be displayed as untrusted, because it is not listed with the list of Microsoft root certificates (this list is needed periodically).

Installing a driver certified by a self-signed certificate

Let's try again to install the driver we signed by running the command:

Pnputil –i –a C:\DriverCert\xg20\xg20gr.inf

Now during the driver installation process, a warning window about the missing digital signature of the driver will not appear.

Successfully installed the driver on a device on the system.
Driver package added successfully.

In Windows 7, this warning appears. about whether you are sure you want to install this driver (in Windows 10 x64 1803 this pop-up window does not appear). By clicking " Install", you will install the driver on the system.

If for some reason the driver does not install, a detailed driver installation log is contained in the file C:\Windows\inf\setupapi.dev.log. This log will allow you to get more detailed information about the installation error. In most cases, the error “Driver package failed signature validation” appears - most likely this means that the driver certificate has not been added to the trusted certificates.

If the driver installation was successful, the setupapi.dev.log file will contain lines like this:

>>> >>> Section start 2018/07/22 23:32:57.015 cmd: Pnputil -i -a c:\DriverCert\xg\xg20gr.inf ndv: Flags: 0x00000000 ndv: INF path: C:\WINDOWS\System32 \DriverStore\FileRepository\xg20gr.inf_amd64_c5955181485ee80a\xg20gr.inf inf: (SetupCopyOEMInf: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181485ee80a\xg2 0gr.inf) 23:32:57.046 inf: Copy style: 0x00000000 inf: Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\xg20gr.inf_amd64_c5955181485ee80a\xg20gr.inf inf: Published Inf Path: C:\WINDOWS\INF\oem23.inf inf: (SetupCopyOEMInf exit (0x00000000)) 2 3:32: 57.077<<< Section end 2018/07/22 23:32:57.155 <<<

As you can see, to install the self-signed driver, we did not even have to disable driver digital signature checking using bcdedit.exe, as described (commands bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS and bcdedit.exe /set testsigning ON).

How to resolve the "third-party inf does not contain signature information" error in Windows 10?

inf from a third party does not contain win 10 signature information. What should I do?

When installing and connecting new devices in Windows 10, the error “ inf from a third party does not contain signature information". This means that the driver that is trying to install with this device has not been tested for compatibility with this version of Windows 10. According to the operating system developers, such a driver should not be installed.

Error window "third party inf does not contain win 10 signature information"

But what can we do? After all, a device without a driver will not work. There is an exit! This is a temporary disabling of driver signature verification in Windows 10. You will learn how to do this in this article.

Why is the driver not digitally signed?

Most often, this situation occurs with computer devices (flash drives, web cameras, etc.). purchased in China. There, manufacturers do not care much about compatibility and obtaining a digital signature from Microsoft.

Also, driver signature errors can occur with older devices that have not been tested for compatibility with Windows 10 simply because they were created long before it was introduced.

But if the driver does not have a digital signature, this does not mean that it will not work correctly or harm the operating system.

You can try to install it by disabling this very check, and in case of problems, remove the faulty driver via .

How to install an unsigned driver in Windows 10?

To do this, open the Windows 10 settings by clicking on the notification icon in the lower right corner of the screen and select “ All parameters«.

Update and security in Windows 10

In the window that opens on the left, select the “ Recovery" and in the paragraph " Special download options» select « Reboot now«.

After a few moments, the system will display a window with a choice of actions, where you need to select “ Troubleshooting«.

Windows 10 Advanced Boot Options

In the next window, click " Boot Options" and further " Reboot«.

Windows 10 download options

List of download options

The computer will restart and then a menu will be displayed in which you need to select “ Disable mandatory driver signature verification» at the touch of a button F7 on keyboard.

Disabling driver signature verification in Windows 10

After this, the operating system will load, but with driver signature verification already disabled. You can try to install a driver during installation of which the message “third-party inf does not contain signature information” previously appeared.

A warning message will be displayed in which you need to click " Install this driver anyway". After this, the driver will be installed.

Window warning about a missing driver signature

It is worth noting that driver signature verification will remain disabled until the first system reboot. As soon as you reboot it, the verification will be enabled again and you will not be able to install an unsigned driver.

The best way to thank the author of the article is to repost it on your page

Driver is a program that allows the computer to interact with equipment and devices. Without drivers, the normal operation of equipment connected to a PC, such as a video adapter or printer, is impossible.

In most cases, drivers come with Windows, or you can find them by going to Windows Update in Control Panel and checking for updates. If Windows doesn't have the driver you need, you can usually find one on the manufacturer's website

When you connect a new device to your computer, Windows tries to find and install a driver for that device. Sometimes you may see a notification that the driver is not signed, has been modified after signing, or cannot be installed by Windows. You can always decide whether to install an unsigned or modified driver.

Signed driver is a device driver that has a digital signature. Digital signature is an electronic security label that can indicate the publisher of the software, as well as whether the driver has been modified since it was signed. If the driver is signed by the publisher and the authenticity of the signature is confirmed by a certification authority, then you can be sure that the driver was released by this publisher and has not been modified.

Note: 64-bit versions of Windows OS block the installation of drivers without a valid digital signature (or modified after it has been applied). This message only appears when you try to install such a driver on a 64-bit version of Windows. If you receive messages like these while installing a driver, visit the device manufacturer's website to obtain a digitally signed device driver.

Install drivers without a digital signature or not

It is impossible to determine with certainty that a file without a valid digital signature came from the specified source and has not been tampered with (possibly by a virus) after it was published. It is advisable to avoid opening a file unless you are confident in the reliability of the source and the safety of the file's contents. Even valid digital signature does not guarantee that the contents of the file are safe. Based on the identity of the file's publisher and where it was downloaded, you can decide whether the contents of the file can be trusted

Selecting an action when installing a driver

When installing a new driver, Windows will display one of the following warnings:

• This driver is not signed
• Windows cannot verify the publisher of this driver
• Windows requires a digitally signed driver

Unfortunately, there are no reliable sources of information that can indicate who published an unsigned driver. Anyone can change the contents of an unsigned driver. The original version of an unsigned driver may indeed have come from the device manufacturer, but if the driver is not signed, then it is possible that someone has modified it. There is no way to know if the driver has been modified by an attacker. Nowadays, most manufacturers sign the drivers they create before they are released.

You should only install an unsigned driver if it was obtained from a manufacturer's licensed disc.

Disabling driver digital signature verification

If you decide to disable digital signature verification, this is how it is done.

Press Win key + R or Start - Run and enter the command gpedit.msc

The Local Group Policy Editor will open. We find User Configuration - Administrative Templates - System - Driver Installation.

In the right half of the window we find Device driver digital signature. Double-click or right-click on this item and select Change.

In this window, select the item Disable. Apply and OK. If you select Turn on, then you can additionally choose how the system should respond to a driver without a digital signature

Of course, the choice is always yours, but you don’t have to reinstall drivers very often, so it’s better to read the warning again and think about it than to look for a problem later.

The ability to disable driver signature verification in Windows 10 can expand your ability to connect additional equipment. But don't forget that this can harm your PC!

What is digital signature of drivers on Windows 10 and why is it needed?

CPU is a special attribute of an electronic document or a label embedded in the program. It allows you to uniquely identify the owner. When it comes to drivers, its main purpose is to determine whether it is licensed and whether any changes have been made to it.
Digital signature is used not only to combat piracy in IT, but also to protect users from hacking, attacks and other troubles associated with the digital environment. The developers of Windows 10 have prudently built into the OS automatic analysis of all downloaded and installed content.

Disable Windows 10 driver digital signature verification

Before you disable digital signing of Windows 10 drivers, evaluate the security of your actions. Are you sure of the source from which you download and install new software? If yes, then we offer different options.

Method 1: Download Windows 10.

This only works once. The next time you reboot, digital signature verification will be enabled again. So what you need to do:

Method 2: Command line.

Here you can disable verification permanently. Follow these steps:

Everything should work. In the lower right corner you will constantly see a reminder that verification is disabled.
You can turn the check back on with the command bcdedit.exe -set TESTSIGNING OFF.

Method 3: Local Group Policy Editor.

This method is only suitable for owners of Windows 10 pro, since you cannot disable digital signature verification using the editor in the home version - it is simply not there. If you have the extended version, do the following:

So, we looked at how to disable mandatory driver signature verification in Windows 10 in different ways. We would like to remind you once again that all of these actions put your computer at risk. So be very careful.

Have a great day!

Starting with Windows 7, for security reasons, Microsoft developers introduced mandatory driver certification. Each driver released by a third-party developer must undergo special testing in the Microsoft laboratory. If the verification is successful, the driver receives an appropriate signature, so it can be installed on the system. As for unsigned drivers, you cannot install them directly, and if you try to do so, Windows will display a message indicating that the file may be corrupted or tampered with.

However, such protection is not any serious obstacle to the installation of drivers that do not have the appropriate digital certificate. So, just today we will get acquainted with a simple way to turn off this very driver signature verification. In the eighth version of Windows this is done as follows. First of all, we need to get into the boot options subsection. To do this, open the Windows console with administrator rights, and then enter and run the following command:

In this case, the computer will reboot, and you will be taken to the action selection menu. Click Diagnostics -> ;

> ;

Restart the computer again by pressing the button.

After the system restarts, you will see a menu with boot options. That's exactly where the line should be. She is the seventh in a row.

To boot Windows with this option, press the 7 or F7 key. Now if you try to run the installation of the left driver, the OS will also display a message, but this time it will be a simple security warning. Just select and the stubborn driver will return to normal mode, at least it should be so, and all you have to do is reboot again and check its functionality.

However, it cannot be ruled out that it will not be possible to install an uncertified driver this way. In this case, you can try another method. Windows 8 has a special "test operating mode". Working in this mode, you can install almost any software, including drivers that do not have a Microsoft certificate. You can activate it as follows. Open a command prompt as an administrator and run these two commands one after the other (for a 64-bit system):

bcdedit.exe /set nointegritychecks ON
bcdedit.exe /set testsigning ON

Each executed command must be accompanied by a message "Operation completed successfully". Now close the console, and restart your computer. If everything is done correctly, the inscription should appear in the lower right corner of your watch "Test mode". Now you can try installing the unsigned driver again. After installing and testing the driver, do not forget to exit test mode. To do this, you need to run the same commands, but only the flag ON ( included) replaced by OFF ( turned off) .

Technically, working in an operating system running in debug mode is no different from working in "normal", however, firstly, such a configuration is generally not supported by Microsoft, and secondly, it reduces the level of security and increases the risk of critical system errors.

Tags: ,