Microsoft KB Archive/269651

= &quot;Digital Signature Not Found&quot; Error Message When You Install a Driver or Update =

Article ID: 269651

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q269651



SYMPTOMS
When you install a Windows 2000 service pack, hotfix, or other system update, you may receive the following error message:

Digital Signature Not Found

The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested.

The software you are about to install does not contain a Microsoft digital signature. Therefore, there is no guarantee that this software works correctly with Windows.

Unknown software package

If you want to search for Microsoft digitally signed software, visit the Windows Update Web site at http://windowsupdate.microsoft.com to see if one is available.

Do you want to continue the installation?

If you then click More Information, you may receive the following error message:

Microsoft Windows

Windows did not find a Microsoft signature associated with the software package you want to install.

When you click OK, you may receive a series of error messages that are similar to the first error message that is listed in this article, and you may then receive the following error message:

Service Pack Setup Error

The form specified for the subject is not one supported or known by the specified trust provider.

If you then click OK, you may receive the following error message:

Service Pack Setup Error

Service Pack was not installed.



CAUSE
This problem may occur if Windows 2000 is not correctly reading the digital signature of the software package and the following two local computer policies are blocking the installation:
 * Unsigned driver installation behavior
 * Unsigned non-driver installation behavior

When these two policies are set to Do not allow installation, service packs and other updates cannot be properly installed. 

MORE INFORMATION
Because third-party drivers (whether signed or unsigned) can only be installed by an administrator, driver signing policy (in its present form as of April 2003) is not a security issue. In Windows versions earlier than Windows Server 2003, driver signing was misleading because Windows versions earlier than Windows Server 2003 sent mixed messages about when a driver package was safe, depending on the corresponding device's class.

In earlier versions of Windows (including Windows 2000), Microsoft grouped SetupAPI activities into two categories:
 * Device installations under the purview of Windows Hardware Quality Labs (WHQL), based on the device’s ClassGUID being listed in %windir%\Inf\Certclas.inf. These installations are subject to driver signing policy.
 * Everything else (driver installations with ClassGUIDs that are not listed in Certclas.inf and all other SetupAPI-based installations). These installations are subject to non-driver signing policy.

The default behavior for the first category is that a signed driver means no user interface. For the second category, no user interface (that is, Ignore) is the default, regardless of whether the driver was signed. Therefore, users might think that the drivers they are installing are safe, when, in fact, they are unsigned.

This is why in Windows Server 2003, Microsoft introduced the ability for device classes outside the purview of WHQL to be signed with an Authenticode signature. That way, at least the conscientious vendor could protect their users from spoofing, tampering, and repudiation threats. The user is notified that a driver is being installed, if it was signed, and if so, by whom. In Windows Server 2003, all device installations are subject to driver signing policy. The remaining SetupAPI-based installations are subject to non-driver signing policy. Turning non-driver signing policy to anything other than Ignore (the default) will have undesirable side-effects, such as displaying the driver signing user interface when the user downloads or installs ActiveX controls, IExpress packages, service packs, and hotfixes.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack



WORKAROUND
To work around this problem (and prevent the driver signing dialogs from displaying), temporarily set the following policies to &quot;silently succeed&quot; during the service pack or update installation:
 * Unsigned driver installation behavior
 * Unsigned non-driver installation behavior

To change the system policy:  Click Start, click Run, type mmc in the Open box, and then click OK. On the Console menu, click Add/Remove Snap-in. Click Add, click Group Policy in the list of available stand alone snap-ins, and then click Add. Click Finish, click Close, and then click OK. Double-click the following items to expand them: <ul> Console Root</li> Local Computer Policy</li> Computer Configuration</li> Windows Settings</li> Security Settings</li> Local Policies</li> Security Options</li></ul>

</li> On the right side of the console are the following two policies, and these can be changed as needed by a member of the administrator's security group on that computer: <ul> Unsigned driver installation behavior</li> Unsigned non-driver installation behavior</li></ul>

Note the values of these settings if you want to restore them after you install the service pack or driver package.</li> After the service pack or driver package installation is complete, restore the driver signing and non-driver signing policies to their previous settings.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

Additional query words: kbSetup

Keywords: kbbug kberrmsg kbfix kbsetup kbwin2000sp3fix KB269651

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.