Electronic – Getting MSP430 USB Driver Signed By Microsoft

microsoft, msp430, usb

I am developing a product which utilizes an MSP430 microcontroller with a built-in USB module. I obtained a PID from Texas Instruments and used their tools to generate the descriptors, as well as a .inf file to install the driver software. The obvious issue is that due to the custom nature of these files, a popup is presented (on Windows 7) upon plugging in the USB cable that warns the user that the driver is not signed. I believe on Windows 8 and Windows 10 it simply blocks it and does not indicate this to the user at all.

As this is a full-featured product which my company is planning to release, we need to obtain a driver certificate (I believe in the form of a .cat file?) that we can provide to the customer so that they can install the device driver software without issue.

I have been through quite a bit of the Microsoft documentation (most notably this document) trying to get a grasp of what is required in order to get a driver signed, but unfortunately this is over my head at the moment.

This is what I think I understand so far:

  • I need to submit my driver (.inf file?) to a Microsoft-authorized certificate authority (CA). There are a number of these out there, so I would need to find one that signs drivers.
  • After selecting a CA, generally I will need to pay an annual fee (most commonly for 1, 2, or 3 years) for their service. Any drivers I generate during this time will be permanently signed, even after the service expires. If I want to change the driver or create a new one after the service has expired, I will need to buy service for another 1, 2, or 3 years.
  • After paying the fee, the CA will generate a .cat file which is a certificate assuring that the driver I gave them will not be changed. If it does, it will no longer match the .cat file and an error will appear during installation.

Is this correct? At the risk of sounding like I'm seeking recommendations for specific CAs (I'm not, mind you), where can I find a list of CAs that are able to do this certification for me? Even better would be their websites and/or prices for different service durations. Has anyone here had direct experience getting a driver for a USB microcontroller-based product signed by a CA, who would be able to help me understand and get through the process? I have already posted to the MSDN forums but it seems pretty dead there – it's been two days and my thread only has a handful of views.

Best Answer

It's not so bad, actually. I've done this a few times at work, writing and signing an .INF/.CAT for a Microchip PIC24FJ64GB002-based USB CDC-ACM-to-I2C interface.

  • Establish a relationship with a certificate authority. You will need to provide them some basic information which they will validate. If you go for Extended Validation (EV) they will ask for a lot more, but you shouldn't need to go that far. Thawte, Digicert and Comodo are some examples of CAs.

  • Purchase an Authenticode code-signing certificate from the CA. This is what you need to sign the .CAT file associated with your .INF file. You don't need a kernel-mode certificate for this level of signing.

  • Install the certificate (goes without saying)

  • Download the Windows SDK framework and Windows Driver Kit to get the Microsoft tools needed (catalog generation and signing).

  • Package and sign the drivers:

    • Use inf2cat to generate the catalog (.CAT) file for the .INF file
    • Use signtool to sign the catalog file

From this point you could make some sort of driver installer, or use dpinst from the SDK to do basic installation automation.

EDIT: Notes from various comments below:

  1. Creating an .INF file to load USBSER.SYS is not creating a kernel-mode driver - you are using USBSER.SYS (built-in, signed and trusted already), not creating something new - and as such does not require an EV signing certificate and WHQL certification. A basic Authenticode certificate is all that is needed.
  2. Starting with Windows 10, you do not need a signed .INF at all for USBSER.SYS devices, as Windows will pick up USB CDC-ACM devices (Class_02) auto-magically. They have also rewritten the driver from scratch and it works much better now (it even handles unexpected device removals and re-insertions without locking up the virtual COM port, which is a huge plus!). That said, you still can use the signed driver approach if you really want to - the signed driver will still 'work'. There are still lots of Win 8.1/8/7 and older machines out there so having a signed driver is still somewhat important for USB CDC-ACM devices.

Further expansion on your questions:

  • You do not submit anything for signing to the CA - you purchase the code signing certificate, install it on a machine and do the .INF validation and signing yourself.
  • You do not need to pay an annual fee per se - however, the certificate you buy will have either a 1-, 2- or 3-year validity period. When the cert expires you will need to buy a new one to be able to keep signing - anything previously signed will remain valid but you lose the ability to sign new stuff.
  • The .CAT is a hash for the .INF - any changes to the .INF will be detected and the certificate will no longer be valid, which means the .INF would behave like an unsigned one.
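
The package-and-sign steps from the answer above, as an added PowerShell example that is not part of the original answer. It assumes `Inf2Cat.exe` and `signtool.exe` from the WDK/SDK are on the PATH and that the certificate is already installed; the folder, file names, certificate subject and timestamp URL are placeholders.

```powershell
# Added example: generate, sign and verify the catalog for an INF-only driver package.
# Every path, name and URL below is a placeholder, not a value from the original post.
$ErrorActionPreference = 'Stop'

$PackageDir   = 'C:\drivers\mydevice'               # hypothetical folder containing the .inf
$Inf          = Join-Path $PackageDir 'mydevice.inf' # hypothetical INF name
$Cat          = Join-Path $PackageDir 'mydevice.cat' # must match CatalogFile= in the INF [Version] section
$CertSubject  = 'Example Company Ltd'               # placeholder: subject name of your code-signing cert
$TimestampUrl = 'http://timestamp.example.invalid'  # placeholder: your CA's RFC 3161 timestamp server

# Run a native tool and stop the script if it reports failure.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Build the catalog. Inf2Cat validates the INF and hashes every file it references;
#    the /os list names the Windows versions the package targets.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$PackageDir", '/os:7_X86,7_X64,8_X64,6_3_X64,10_X64', '/verbose')

# 2. Sign the catalog with the installed certificate and timestamp the signature.
#    The timestamp is what lets the signature keep validating after the certificate expires.
Invoke-Tool 'signtool.exe' @('sign', '/v', '/fd', 'SHA256', '/n', $CertSubject,
                             '/tr', $TimestampUrl, '/td', 'SHA256', $Cat)

# 3. Verify the catalog signature, then verify that the INF still matches the catalog.
#    The second check fails if the INF was edited after step 1.
Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', $Cat)
Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', '/c', $Cat, $Inf)

Write-Host "Signed and verified: $Cat"
```

Any edit to the INF after step 1 means re-running all three steps, since the catalog stores the hash of the file as it was when Inf2Cat ran.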