"Digital Signature Not Found" Error Message When You Install a Driver or Update (269651)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q269651

SYMPTOMS

When you install a Windows 2000 service pack, hotfix, or other system update, you may receive the following error message:

    Digital Signature Not Found

    The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested.

    The software you are about to install does not contain a Microsoft digital signature. Therefore, there is no guarantee that this software works correctly with Windows.

    Unknown software package

    If you want to search for Microsoft digitally signed software, visit the Windows Update Web site at http://windowsupdate.microsoft.com to see if one is available.

    Do you want to continue the installation?

If you then click More Information, you may receive the following error message:

    Microsoft Windows

    Windows did not find a Microsoft signature associated with the software package you want to install.

When you click OK, you may receive a series of error messages that are similar to the first error message that is listed in this article, and you may then receive the following error message:

    Service Pack Setup Error

    The form specified for the subject is not one supported or known by the specified trust provider.

If you then click OK, you may receive the following error message:

    Service Pack Setup Error

    Service Pack was not installed.

CAUSE

This problem may occur if Windows 2000 is not correctly reading the digital signature of the software package and the following two local computer policies are blocking the installation:
  • Unsigned driver installation behavior
  • Unsigned non-driver installation behavior
When these two policies are set to Do not allow installation, service packs and other updates cannot be properly installed.

MORE INFORMATION

Because third-party drivers (whether signed or unsigned) can only be installed by an administrator, driver signing policy (in its present form as of April 2003) is not a security issue. In Windows versions earlier than Windows Server 2003, driver signing was misleading because those versions sent mixed messages about when a driver package was safe, depending on the corresponding device's class.

In earlier versions of Windows (including Windows 2000), Microsoft grouped SetupAPI activities into two categories:
  • Device installations under the purview of Windows Hardware Quality Labs (WHQL), based on the device's ClassGUID being listed in %windir%\Inf\Certclas.inf. These installations are subject to driver signing policy.
  • Everything else (driver installations with ClassGUIDs that are not listed in Certclas.inf and all other SetupAPI-based installations). These installations are subject to non-driver signing policy.
By default, installations in the first category show no user interface when the driver is signed. For the second category, no user interface (that is, Ignore) is the default, regardless of whether the driver was signed. Therefore, users might think that the drivers they are installing are safe when, in fact, they are unsigned.

This is why, in Windows Server 2003, Microsoft introduced the ability for device classes outside the purview of WHQL to be signed with an Authenticode signature. That way, at least the conscientious vendor could protect their users from spoofing, tampering, and repudiation threats. The user is told that a driver is being installed, whether it was signed, and if so, by whom. In Windows Server 2003, all device installations are subject to driver signing policy. The remaining SetupAPI-based installations are subject to non-driver signing policy. Setting non-driver signing policy to anything other than Ignore (the default) has undesirable side effects, such as displaying the driver signing user interface when the user downloads or installs ActiveX controls, IExpress packages, service packs, and hotfixes.
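The classification described above can be checked for a given driver package. The following Python sketch is an added example, not Microsoft code: it reads the ClassGUID from a driver INF, compares it with the GUIDs listed in Certclas.inf, and reports which signing policy governs the installation and what a Windows 2000 user sees under each setting. The sample file contents, the section name in the Certclas.inf sample, and the short setting names (ignore, warn, block) are assumptions made for the example.

```python
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample standing in for %windir%\Inf\Certclas.inf; the section
# name and layout are assumptions, only the GUIDs themselves are used.
SAMPLE_CERTCLAS = """\
[DriverSigningClasses]
{4D36E968-E325-11CE-BFC1-08002BE10318} ; Display
{4D36E972-E325-11CE-BFC1-08002BE10318} ; Net
"""
# Constructed driver INF whose class is not in the sample list.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"
ClassGUID={11111111-2222-3333-4444-555555555555}
"""

def listed_classes(certclas_text):
    """Every ClassGUID named in the file, ignoring ';' comments."""
    return {g.upper() for line in certclas_text.splitlines()
            for g in GUID_RE.findall(line.split(";", 1)[0])}

def inf_class_guid(inf_text):
    """ClassGUID from the INF's [Version] section, or None if absent."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "version" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "classguid":
                m = GUID_RE.search(value)
                return m.group(0).upper() if m else None
    return None

def governing_policy(inf_text, certclas_text, server_2003=False):
    """'driver' or 'non-driver' signing policy for a device installation."""
    if server_2003:  # Windows Server 2003: every device installation
        return "driver"
    listed = inf_class_guid(inf_text) in listed_classes(certclas_text)
    return "driver" if listed else "non-driver"

def outcome(ms_signed, setting):
    """Windows 2000 result; 'block' is 'Do not allow installation'."""
    if ms_signed or setting == "ignore":
        return "installs with no dialog"
    return "dialog shown" if setting == "warn" else "installation blocked"
```

The failure in this article corresponds to `outcome(False, "block")`: the signature is not read correctly, so the package is treated as unsigned while the policy is set to Do not allow installation.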

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

WORKAROUND

To work around this problem (and prevent the driver signing dialogs from displaying), temporarily set the following policies to "silently succeed" during the service pack or update installation:
  • Unsigned driver installation behavior
  • Unsigned non-driver installation behavior
To change the system policy:
  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the Console menu, click Add/Remove Snap-in.
  3. Click Add, click Group Policy in the list of available stand-alone snap-ins, and then click Add.
  4. Click Finish, click Close, and then click OK.
  5. Double-click the following items to expand them:
    • Console Root
    • Local Computer Policy
    • Computer Configuration
    • Windows Settings
    • Security Settings
    • Local Policies
    • Security Options

  6. The following two policies appear on the right side of the console. A member of the Administrators security group on that computer can change them as needed:
    • Unsigned driver installation behavior
    • Unsigned non-driver installation behavior
    Note the values of these settings if you want to restore them after you install the service pack or driver package.
  7. After the service pack or driver package installation is complete, restore the driver signing and non-driver signing policies to their previous settings.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

Modification Type: Major
Last Reviewed: 9/22/2003
Keywords: kbbug kberrmsg kbfix kbsetup kbWin2000sp3fix KB269651