I have same driver for 2k8_R2_x64 and 2k8 Sp2 x64. My driver is BOOT start driver.
‘Embedded Signature Verification’ WLK test fails for 2k8_sp2_x64 but passes for the other. So on failing config I changed after install in services section registry ‘start’ value to other than 0, then it passes.
[A] = “This same driver passes on 2k8_R2_x64.”
I have another BOOT start driver but that passes everywhere. Only difference between that and mine is
I started using latest Win8 WDK to build the failing driver (ofcourse I use msbuild ‘WLH’ etc and anyways [A] happens).
Our signifing infrastrucre might have updated to use latest windows signtool etc (I am awaiting details on this, like what version of signtool used, parameters passed etc. But then [A] happens).
o/p below.
Ofcourse it is a signed driver (and [A] happens)
When I run below all comes up good
SignTool Verify /v /kp DriverFileName.sys
Please let me what else to look for while I await on 2).
The same happens to a 2k8_sp2_x86 driver. Seems like it is somethig related to signtool vs. 2k8_sp2_* config.
Runtime Index: 3779089280
Process Name: C:\WLK.…\Tasks…\embeddedsignature.exe
Process ID: 2684
Thread ID: 2584
Context _ _
Context Index: 1305374785
Current: My_BOOT_START_DRV
Parent: WTTLOG
Start Test 8/3/2012 11:38:59.045 AM My_BOOT_START_DRV
*****
Error 8/3/2012 11:39:02.045 AM The Driver D:\Windows\system32\DRIVERS\My_BOOT_START_DRV.sys is not a signed driver
******
File: Line: 0
Error Type:
Error Code: 0x0
Error Text: Error 0x00000000
End Test 8/3/2012 11:39:02.045 AM My_BOOT_START_DRV
Result: Fail
The embedded signature test not only checks for the presence of a signature but that the binaries are embed signed. This helps with the speed of loading the drivers during boot for boot load drivers.
*****
Issue Resolution
Use SignTool to Validate your signature:
SignTool Verify /v /kp DriverFileName.sys
******
The TOP certificate in the chain should be: Microsoft Code Verification Root
Are you building with a target of w8 or the minimum target os with the win8 wdk? Are you signing with a sha1 or sha2 cert? Are you using the wdk to sign automatically or your own signing logic?
d
debt from my phone
From: xxxxx@yahoo.com
Sent: 8/7/2012 7:54 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] WHCK/WLK ‘Embedded Signature Verification’ fails
Hi
I have same driver for 2k8_R2_x64 and 2k8 Sp2 x64. My driver is BOOT start driver.
‘Embedded Signature Verification’ WLK test fails for 2k8_sp2_x64 but passes for the other. So on failing config I changed after install in services section registry ‘start’ value to other than 0, then it passes.
[A] = “This same driver passes on 2k8_R2_x64.”
I have another BOOT start driver but that passes everywhere. Only difference between that and mine is
I started using latest Win8 WDK to build the failing driver (ofcourse I use msbuild ‘WLH’ etc and anyways [A] happens).
Our signifing infrastrucre might have updated to use latest windows signtool etc (I am awaiting details on this, like what version of signtool used, parameters passed etc. But then [A] happens).
o/p below.
Ofcourse it is a signed driver (and [A] happens)
When I run below all comes up good
SignTool Verify /v /kp DriverFileName.sys
Please let me what else to look for while I await on 2).
The same happens to a 2k8_sp2_x86 driver. Seems like it is somethig related to signtool vs. 2k8_sp2_* config.
Runtime Index: 3779089280
Process Name: C:\WLK.…\Tasks…\embeddedsignature.exe
Process ID: 2684
Thread ID: 2584
Context _ _
Context Index: 1305374785
Current: My_BOOT_START_DRV
Parent: WTTLOG
Start Test 8/3/2012 11:38:59.045 AM My_BOOT_START_DRV
*****
Error 8/3/2012 11:39:02.045 AM The Driver D:\Windows\system32\DRIVERS\My_BOOT_START_DRV.sys is not a signed driver
******
File: Line: 0
Error Type:
Error Code: 0x0
Error Text: Error 0x00000000
End Test 8/3/2012 11:39:02.045 AM My_BOOT_START_DRV
Result: Fail
The embedded signature test not only checks for the presence of a signature but that the binaries are embed signed. This helps with the speed of loading the drivers during boot for boot load drivers.
*****
Issue Resolution
Use SignTool to Validate your signature:
SignTool Verify /v /kp DriverFileName.sys
******
The TOP certificate in the chain should be: Microsoft Code Verification Root
C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\
Tools\…..\VC\vcvarsall.bat" x86_amd64
msbuild drv.VcxProj /p:Configuration=“Windows Vista Release” /t:build /p:platform=x64
my Vcxproj below.
Windows Vista Release
Windows Vista Debug I use the same binary generated here from all of above both for sp2 and R2 x64. Ofcourse on R2 it passes (and ofcourse the binary has embedded signature, else it wouldn’t even load on R2 and even Sp2 x64 maybe)
My signtool /verify dump
Verifying: MyDrv.sys
Signature Index: 0 (Primary Signature) Hash of file (sha1): 42D36504E0AFC40D484118DF55C40835974E7FF6
Signing Certificate Chain: Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Post the output of signtool verify /kp /v /c [cat file] [signed file]
Nik Twerdochlib
Software Developer
+1.601.607.8309 O
+1.866.522.8678 F
BOMGAR | The Box That’s Revolutionizing Remote Support™
One of the Fastest-Growing Technology Companies in America | Technology Fast 500™
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Thursday, August 09, 2012 5:50 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WHCK/WLK ‘Embedded Signature Verification’ fails
Also I am using signtool.exe from ‘Windows8 Signtool Preview’ version 1.0.
Verifying: MyDrv.sys
File is signed in catalog: MyDrv.cat
Hash of file (sha1): 9EFF0A82BEC4CE8BA05241B6C0909535F669DB93
Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Wed Jul 16 16:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Mycompany
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat May 30 16:59:59 2015
SHA1 hash: 954830B1FD7C08820D58BDE167523B58DED768EA
The signature is timestamped: Thu Aug 09 11:15:48 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 16:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Mon Dec 31 16:59:59 2012
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 12:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Mycompany
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat May 30 16:59:59 2015
SHA1 hash: 954830B1FD7C08820D58BDE167523B58DED768EA
Successfully verified: MyDrv.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0