duncanthrax/scream

Updating drivers for *Scream from `\Scream\Install\driver\x64\Scream.inf`

brunosanson opened this issue · 13 comments

My CI project was running on Windows and today (JUL/07/2023) it started to fail:

Run Invoke-WebRequest https://github.com/duncanthrax/scream/releases/download/3.8/Scream3.8.zip -OutFile Scream3.8.zip

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\TrustedPublisher

Thumbprint                                Subject                                                                      
----------                                -------                                                                      
Device node created. Install is complete when drivers are installed...
Updating drivers for *Scream from D:\a\my-project\my-project\Scream\Install\driver\x64\Scream.inf.
Error: The operation was canceled.

In the last revision, the file scream-master\Install\driver\x64\scream.cat appears with the certificate expired (JUL/07/2023).

Time flies :) I'll get a new signing cert next week.

Any chance of renewing the cert?

Really appreciate the project btw 🙏 It's made cross-platform audio testing a breeze.

These days, code signing requires a hardware key store and an extraordinary amount of money. I have ordered a kit from certum.eu, but it hasn't arrived yet. They have special pricing for Open Source projects. I hope that this will work.

Ugh, that's horrible. Thank you for the update!

Thank you @duncanthrax, this is an unfortunate limitation of windows.

I now edited the registry with:

New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\CI\Policy" -Name "UpgradedSystem" -Value "00000001"  -PropertyType "dword"

But the command:

Scream\Install\helpers\devcon-x64.exe install Scream\Install\driver\x64\Scream.inf *Scream

still fails with:

Device node created. Install is complete when drivers are installed...
Updating drivers for *Scream from C:\Users\Gustl\Downloads\test audio device\Scream\Install\driver\x64\Scream.inf.
devcon-x64.exe failed.

Or does the cert still need to be valid even with this option enabled?

I appreciate the work and I understand if this is not something on the priority list :) Have a nice day ;D

FYI, you can still buy a code signing certificate without a hardware key. We purchased one ourselves from here (sectigo.com) and it's been working fine

@adonisd it seems that since June 1 this year, a hardware key is required. But that isn't the problem, see my next post.

Some bad news. I've jumped through all the burning hoops to get a hardware kit, new cert + the signtool plumbing right. I've used certum.pl, they have an "Open Source" offering for code signing at a very reasonable price (EUR 25 per year).

However, that cert uses a chain which does not allow verification for kernel mode drivers. You'd need the EV mode cert, which isn't available for the Open Source pricing. The EV mode cert comes in at around EUR 250 per year, if you take the 3-year package (749 EUR total). That is a bit too much for me to spend on a hobby project. I have looked for alternatives, but there are none, it seems.

Going forward, I need someone else to sign the driver. Whether that person (or organization) already has a kernel-capable EV cert, or buys one, does not really matter. It also does not matter whose name is baked into the signature. I don't think any of the Scream users care.

So, if any of you guys have a commercial or philanthropic interest, and you already have an EV cert, or can spare the cash to afford one, let me know.

Hey, I might have a stupid way to solve this: on Windows, if we set the date to July 4th, we can install the driver successfully, then revert the date back.
Here is a portion of my script that works:

  # Remember the real wall-clock time so it can be restored afterwards
  $currentDate = Get-Date
  Write-Host "Current Date: $currentDate"
  $newDate = Get-Date "2023-07-04 12:00:00"

  # ! Scream driver certificate expired on July 5th, to avoid issues while installing driver we set the clock to July 4th, install the driver
  # ! then revert back to the original date/time
  Write-Host "Setting date to: $newDate to circumvent cert issue"
  Set-Date $newDate
  try {
    # ? Get Latest release from the github repo
    $gitRepo = "duncanthrax/scream"
    $latest = (Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/$gitRepo/releases/latest").tag_name
    # ? Download latest release
    Invoke-WebRequest -Uri "https://github.com/duncanthrax/scream/releases/download/$latest/Scream$latest.zip" -OutFile "scream.zip"
    Expand-Archive -Path scream.zip -DestinationPath scream -Force
    # ? Extract the certificate from the driver file
    # ! We need to import the certificate to TrustedPublisher so that we can install the driver unattended.
    $driverFile = "scream\install\driver\x64\Scream.sys"
    $cert = (Get-AuthenticodeSignature $driverFile).SignerCertificate
    Export-Certificate -Cert $cert -FilePath "$PWD\scream\scream.crt"
    # ? Install Cert in Cert:\LocalMachine\TrustedPublisher
    Import-Certificate -FilePath "$PWD\scream\scream.crt" -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
    # ! We need to remove the "pause" at the end of their batch script to make sure we can go ahead unattended.
    $bat = "$PWD\scream\install\install-x64.bat"
    Set-Content -Path $bat -Value (Get-Content -Path $bat | Where-Object { $_ -notmatch 'pause' })
    # ? Install the SCREAM WDDM driver
    cmd.exe /c $bat
    # ? Cleanup
    Remove-Item -Force -Recurse .\scream
    Remove-Item -Force .\scream.zip
    # ? Enable Audio SRV STARTUP
    Set-Service -Name audiosrv -StartupType Automatic
    Set-Service -Name audiosrv -Status Running -PassThru
  }
  finally {
    # ? Revert back to current date (runs even if a step above failed, so the clock is never left shifted)
    Set-Date $currentDate
  }

If you're not sure about running scripts you can also open an admin command prompt, type "date" and enter a new date (i.e. 2023-07-01, must be typed to match your regional settings obviously) - quickly install the driver - then type "date" again to set the date back to today.

@adonisd I think resyncing is more precise:

net stop w32time; Set-Date (Get-Date "2023-07-04 12:00:00")
# Do installation ...
net start w32time; w32tm /resync /force; $currentDate = Get-Date; Write-Host "Current Date: $currentDate";

For GitHub Actions, note that you have to disable the time sync with Hyper-V first; see actions/runner-images#8105 (comment):

      - name: Disable time sync with Hyper-V
        run: |
          Set-Service -Name vmictimesync -Status stopped -StartupType disabled
          Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Parameters -Name 'Type' -Value 'NoSync'
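
The following is an added, consolidated example; it is not the Scream project's installer and not code posted by anyone in this thread. It combines the steps discussed above (stop Hyper-V and w32time sync, shift the clock, trust the publisher, run devcon, resync) and, before touching the clock, prints what `Get-AuthenticodeSignature` reports for `Scream.sys` and `scream.cat`: the status, the signer's validity window, and whether the signature carries a timestamp (a timestamped signature does not depend on the signer being unexpired, so in that case a clock shift is pointless). Assumptions: the release zip is already extracted so that `$ScreamRoot` contains `Install\driver\x64\` and `Install\helpers\devcon-x64.exe` in the layout shown in the thread; the hardware ID `*Scream` is taken from the devcon command quoted above. The script only reports devcon's exit code; it does not assume the clock shift still works on a given Windows build, which is exactly what the last two comments disagree on.

```powershell
#Requires -RunAsAdministrator
# Added example (not Scream's own installer). Assumed layout: $ScreamRoot\Install\driver\x64\{Scream.sys,scream.cat,Scream.inf}
# and $ScreamRoot\Install\helpers\devcon-x64.exe, as shown in the thread. "*Scream" is the hardware ID used above.
param(
  [string]$ScreamRoot = "$PWD\Scream"   # assumed extraction path
)

$sysFile = Join-Path $ScreamRoot 'Install\driver\x64\Scream.sys'
$catFile = Join-Path $ScreamRoot 'Install\driver\x64\scream.cat'
$infFile = Join-Path $ScreamRoot 'Install\driver\x64\Scream.inf'
$devcon  = Join-Path $ScreamRoot 'Install\helpers\devcon-x64.exe'

# 1. Inspect the signatures first. Status, validity window and presence of a timestamp
#    tell you whether shifting the clock can help at all.
foreach ($f in $sysFile, $catFile) {
  $sig = Get-AuthenticodeSignature -FilePath $f
  Write-Host ("{0}: {1} ({2})" -f (Split-Path $f -Leaf), $sig.Status, $sig.StatusMessage)
  if ($sig.SignerCertificate) {
    Write-Host ("  signer : {0}" -f $sig.SignerCertificate.Subject)
    Write-Host ("  valid  : {0:u} .. {1:u}" -f $sig.SignerCertificate.NotBefore, $sig.SignerCertificate.NotAfter)
  }
  Write-Host ("  timestamped: {0}" -f [bool]$sig.TimeStamperCertificate)
}

$signer = (Get-AuthenticodeSignature -FilePath $sysFile).SignerCertificate
if (-not $signer) { throw "Scream.sys carries no Authenticode signature; nothing to work around." }

# Pick a date inside the signer's validity window (one day before expiry) rather than a
# hard-coded date, so the script does not break again when the certificate is renewed.
$clockShiftNeeded = (Get-Date) -gt $signer.NotAfter
$targetDate       = $signer.NotAfter.AddDays(-1)

$realDate      = Get-Date
$hypervSync    = Get-Service -Name vmictimesync -ErrorAction SilentlyContinue
$restoreHyperV = $hypervSync -and $hypervSync.Status -eq 'Running'
$devconExit    = -1

try {
  if ($clockShiftNeeded) {
    # Stop everything that would snap the clock back while devcon is running.
    if ($restoreHyperV) { Stop-Service -Name vmictimesync }
    Stop-Service -Name w32time -ErrorAction SilentlyContinue
    Write-Host "Signer expired $($signer.NotAfter); shifting clock to $targetDate"
    Set-Date -Date $targetDate | Out-Null
  }

  # 2. Trust the publisher so the install runs unattended (no driver-install prompt).
  #    Adding the X509Certificate2 object directly avoids writing a .crt to disk.
  $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
  $store.Open('ReadWrite')
  $store.Add($signer)
  $store.Close()

  # 3. Install. The exit code, not the "Device node created" line (which devcon prints
  #    before the driver is validated, as the thread's logs show), is the success signal.
  & $devcon install $infFile '*Scream'
  $devconExit = $LASTEXITCODE
  Write-Host "devcon exit code: $devconExit"
  & $devcon status '*Scream'
}
finally {
  # 4. Always put the clock back, even if devcon failed or threw, then let w32time resync.
  if ($clockShiftNeeded) {
    Set-Date -Date ($realDate + ((Get-Date) - $targetDate)) | Out-Null   # keep the elapsed time
    Start-Service -Name w32time -ErrorAction SilentlyContinue
    w32tm /resync /force | Out-Null
    if ($restoreHyperV) { Start-Service -Name vmictimesync }
  }
  Write-Host "Clock restored: $(Get-Date)"
}

if ($devconExit -ne 0) { throw "devcon-x64.exe failed (exit code $devconExit)" }
```

Run it from an elevated PowerShell after extracting the release, e.g. `.\install-scream.ps1 -ScreamRoot C:\tmp\Scream`. On a GitHub Actions Windows runner, keep the "Disable time sync with Hyper-V" step from the comment above in front of it; the script also stops `vmictimesync` itself if it finds the service running, and restarts it afterwards.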

It's ridiculous that this is required, but I can confirm this still works on Windows 11 24H2 as of today.

I was wrong. Changing the time no longer works. I misread the output the first time.