Sign cat file that uses Winusb.sys as kernel-mode code

I'm trying to make a USB driver installable in Windows 8; this USB driver uses only WinUSB.

According to this post, "Signed INF driver works on the computer where it was signed, not others", and also this website, "Practical Windows Code and Driver Signing", all I have to do is generate an .inf file, generate a .cat file and sign this .cat file, but I'm having trouble with the signing part; the other steps are OK.

The sites I listed above make it clear that, to sign a catalog file for a driver that uses only WinUSB, it is not necessary to purchase any certification from any authorized Certification Authority.

The kernel modules you are using have already been signed by Microsoft and you will have no trouble getting them loaded into the kernel after the driver package is installed.

I have SignTool.exe in a folder along with mscvr-cross-gdroot-g2.crt. In a subfolder, let's say MyFolder, I have my driver package.

    ├─ remsir.cat
    ├─ remsir.inf
    │
    ├─┐ amd64\
    │ ├ WdfCoInstaller01011.dll
    │ ├ WinUSBCoInstaller2.dll
    │ ├ WUDFUpdate_01011.dll
    │
    └─┐ i386\
      ├ WdfCoInstaller01011.dll
      ├ WinUSBCoInstaller2.dll
      ├ WUDFUpdate_01011.dll

So, basically I'm stuck at this point:

SignTool.exe sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com MyFolder\remsir.cat

This command line was copied from the other questions, but it isn't working for me. I tried to change some of the parameters but still without success; no matter what I do, I always get the error message:

SignTool Error: No certificates were found that met all the given criteria.

First of all, I'm not really sure if I should change any of the parameters in this command line. It isn't really clear to me what they mean.

So.. Do I have to change any of the parameters in that command line? Do I have to install the mscvr-cross-gdroot-g2.crt or even the Pololu Corporation? If yes, how?


You need to buy a signing certificate from some company like GlobalSign. Yes, Windows trusts the winusb components of your driver, but Windows 8 will not allow you to install the INF file unless it is signed by a real certificate.

Your quote from me is:

The kernel modules you are using have already been signed by Microsoft and you will have no trouble getting them loaded into the kernel <strong>after the driver package is installed.</strong>

This quote is still true. The point is that you will not even be able to install the driver package unless you sign the INF file.

The Pololu Corporation you saw in my examples is the name of my company and that part needs to be changed to be your company name. It needs to exactly match the company name embedded in the certificate you purchase.

<strong>Edit 1: Windows 8 doesn't require an INF file for WinUSB actually</strong>

If you are able to change the firmware of the device then you can avoid buying a certificate for your WinUSB device. For Windows 8 support, you should follow these instructions from the USB Core Team to get your device loaded without needing an INF file:


Because you aren't supplying the INF file or the SYS files, I strongly expect that you won't need to sign anything for Windows 8.

For Windows 7 and earlier, you would need to supply an INF file to associate your device with WinUSB, but the INF file would not need to be signed because those versions do not require it.
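Added example, not part of the original answer: SignTool's /n option picks the signing certificate from the certificate store by subject name, so the error in the question means no installed certificate with a private key matched that name. This PowerShell check lists the candidates and says why each one would or would not be selected; `Example Company Name` is a placeholder for the name in your own certificate.

```powershell
# Added example: explain "No certificates were found that met all the given criteria".
# SignTool /n matches a substring of the certificate subject name, and signing
# needs the private key. /ac only adds a cross-certificate to the signature;
# it does not supply a signing certificate.
param(
    # Placeholder (assumption): replace with the subject name in your certificate.
    [string]$SubjectName = 'Example Company Name'
)

# SignTool searches the current user's "My" store by default (machine store with /sm).
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
$now    = Get-Date

$candidates = @(foreach ($store in $stores) {
    Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
        ForEach-Object {
            $match = $_.Subject.IndexOf($SubjectName,
                [System.StringComparison]::OrdinalIgnoreCase) -ge 0
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NameMatches   = $match
                HasPrivateKey = $_.HasPrivateKey
                InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
            }
        }
})

if ($candidates.Count -eq 0) {
    Write-Output 'No code-signing certificates are installed in the My stores.'
    Write-Output 'SignTool has nothing to select, whatever name is passed to /n.'
    return
}

$candidates | Format-List

$usable = @($candidates | Where-Object {
    $_.NameMatches -and $_.HasPrivateKey -and $_.InValidity
})
if ($usable.Count -eq 0) {
    Write-Output "No installed certificate matches '$SubjectName' with a private key and a current validity period."
} else {
    Write-Output "Usable signing certificates for /n '$SubjectName': $($usable.Count)"
}
```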



Install an .inf file that uses WinUSB as kernel-mode code.


I solved my problem, not exactly as my initial idea of signing the .cat file.

My answer may be disappointing for most people and I may receive lots of criticism for not using the best practices, etc. It's inelegant and sounds more like a workaround than a real solution. But considering the main business of the company and the hurry to use the driver in Windows 8, I've reached a solution that is satisfactory for the company.

The main difference between Windows 7 and Windows 8 when talking about installing an unsigned driver is that Windows 7 shows an annoying red warning message that recommends the user not install the unsigned driver, and Windows 8, under normal circumstances, just doesn't install it anyway.

We coexisted all this time with this warning in Windows 7, so what I've done is to reconfigure Windows 8 to act like Windows 7.

<strong>Step 1:</strong>

At the end of my software's installation, the installer runs a program that checks the Windows version; if it is Windows 8, it shows a dialog asking to install the drivers and advises that it will require rebooting Windows. If the user agrees, it will run a batch file that:

<ul>
<li>Adds to HKLM..RunOnce a path for Batch File 2</li>
<li>Disables Driver Signature Enforcement</li>
<li>Restarts the computer</li>
</ul>

<strong>Step 2:</strong>

When the user logs on, it will run the second batch file, which was set to run from RunOnce. It will:

<ul>
<li>Run DPInst.exe</li>
<li>Enable Driver Signature Enforcement</li>
<li>Restart the computer</li>
</ul>

At this point the driver will be installed and the original settings are restored. The annoying red warning message remains, just like it was in Windows 7, and life goes on..
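Added example, not part of the original answer: if the second batch file never runs (failed logon, interrupted install), the machine stays with signature enforcement relaxed, so it is worth auditing the boot configuration afterwards. The PowerShell below assumes the change was made through BCD boot options, which the answer does not state, and assumes English `bcdedit` output; the sample text is constructed.

```powershell
# Added example: flag boot options that relax driver signature enforcement.
# Assumption: enforcement was changed through BCD options; the answer does not
# say which mechanism its batch files used.
function Get-IntegrityFindings {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]          # real bcdedit output contains blank lines
        [string[]]$BcdLines
    )
    $findings = @()
    foreach ($line in $BcdLines) {
        # bcdedit prints "name<spaces>value" pairs, one per line.
        if ($line -match '^\s*(?<name>\S+)\s+(?<value>.+?)\s*$') {
            $name  = $Matches['name']
            $value = $Matches['value']
            switch ($name) {
                'testsigning'       { if ($value -eq 'Yes') { $findings += 'testsigning is on' } }
                'nointegritychecks' { if ($value -eq 'Yes') { $findings += 'nointegritychecks is on' } }
                'loadoptions'       {
                    if ($value -like '*DISABLE_INTEGRITY_CHECKS*') {
                        $findings += "loadoptions contains '$value'"
                    }
                }
            }
        }
    }
    return $findings
}

# Constructed sample resembling English "bcdedit /enum {current}" output.
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
description             Windows 8
testsigning             Yes
nx                      OptIn
'@ -split "`r?`n"

$findings = @(Get-IntegrityFindings -BcdLines $sample)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No relaxed driver signature settings found.'
}

# On a real machine, from an elevated prompt:
#   Get-IntegrityFindings -BcdLines (bcdedit /enum '{current}')
```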

