Can't install our app - "certificate in chain-of-trust is failing validation"

Visitor

A user of our app reported an install problem. I asked them to start setup from the command line with the verbose logging option, and this seems to be where the problem is:

DIFXAPP: INFO:   ENTER:  DriverPackageInstallW
DIFXAPP: INFO:   RETURN: DriverPackageInstallW  (0xE0000247)
DIFXAPP: ERROR: encountered while installing driver package 'C:\Program Files\AcmeWidgets\WidgetApp\widget-driver.inf'
DIFXAPP: ERROR: InstallDriverPackages failed with error 0xE0000247
DIFXAPP: RETURN: InstallDriverPackages() 3758096967 (0xE0000247)
CustomAction MsiInstallDrivers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 21:00:47: InstallFinalize. Return value 3.
MSI (s) (50:CC) [...]: Note: 1: 2265 2:  3: -2147287035 

This seems like it might be related: https://stackoverflow.com/a/28862880/264540, but it just suggests that there's some issue with our cert: "...most of the time when this error occurs there is a problem with the certificate used to sign the driver package on 64-bit Windows."

 

Our driver is signed (Digicert EV Code Signing Certificate), and our Windows 10 and other Windows 11 users are able to install the app with no apparent issues. Multiple users with Windows 11 Insider Preview builds have reported this (but so far, no Windows 11 retail users have).

 

While investigating, I saw a message (or description of the error code) that mentioned a certificate in the chain-of-trust failing validation. We're using the same signing certificate as we did prior to Windows 11, and I haven't dumped the cert out to look at the intermediates, but I expect that it's something like: "Microsoft <-- Digicert <-- AcmeWidgets", so I don't know why any of these could be failing validation.

I've also seen cases where the OS refuses to run our (signed) WidgetSetup.msi. I don't yet know why setup won't launch at all for some users, and for other users it's the driver install step that fails.

 

Can anyone explain why this happens with Windows 11 Insider Preview, and what we can do about it?

 

If there's some root or intermediate certificate that was accidentally excluded from an insider build, at least I could refer our users to instructions on manually installing the missing cert...

 

Thanks.

0 Replies