WFP Driver signing

I’ve developed a Windows Filtering Platform driver for a client, and am now
trying to sign it. When I sign it with their cert and try to do a “net
start” command on the service I get a “System Error 577” indicating that the
system can’t verify the digital signature for the file. If I use “signtool
verify /kp /v” on the driver file it shows the correct cross certificate
chain including Microsoft.

The driver was built with WDK 8.1 with VS2013 targeted for Windows 7 with
the signing done as part of a package. The signing shows an SHA1 cert.
I’ve never tried to sign a legacy driver before, so I am hoping it is
something simple I missed. Any suggestions would be appreciated.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

Is any other certificate in the verification path using SHA-256? If so, an un-patched Windows 7 might not be able to verify the signature.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-612252-
xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: 11 July 2016 15:22
To: Windows System Software Devs Interest List
Subject: [ntdev] WFP Driver signing

NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:
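The check David suggests, as an added example that is not part of the thread: walk every certificate in the driver's Authenticode chain and print its signature hash algorithm, so a SHA-256 intermediate or cross-certificate is visible even when the leaf (the client's cert) is SHA-1, then see whether the machine has SHA-2 code-signing support. The driver path is an assumed sample; KB3033929 is, to my knowledge, the SHA-2 code-signing support update for Windows 7 SP1 and Server 2008 R2 SP1; building the chain from the certificates embedded in the file via `X509Certificate2Collection.Import` is my choice here, not anything the thread describes.

```powershell
# Added example, not code from the thread. Lists the hash algorithm of every
# certificate in a driver's Authenticode chain and checks this machine for
# SHA-2 code-signing support (Windows 7 / 2008 R2 without KB3033929 cannot
# verify SHA-2 anywhere in the kernel-mode chain: "System Error 577").
param(
    [string]$DriverPath = 'C:\build\mywfp.sys'   # assumed sample path
)
$x509 = 'System.Security.Cryptography.X509Certificates'

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Signature status : $($sig.Status) - $($sig.StatusMessage)"
if ($null -eq $sig.SignerCertificate) { return }

# Pull every certificate embedded in the signature (leaf, CA intermediates,
# the Microsoft cross-certificate added with signtool /ac) so the chain is
# built from what the driver actually carries, not only from local stores.
$embedded = New-Object "$x509.X509Certificate2Collection"
$embedded.Import($DriverPath)

$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.ExtraStore.AddRange($embedded)
$null = $chain.Build($sig.SignerCertificate)

# One line per chain element: hash algorithm, CN, thumbprint.
$sha2 = @()
foreach ($el in $chain.ChainElements) {
    $c   = $el.Certificate
    $alg = $c.SignatureAlgorithm.FriendlyName          # sha1RSA, sha256RSA, ...
    $cn  = $c.GetNameInfo('SimpleName', $false)
    "{0,-10} {1,-45} {2}" -f $alg, $cn, $c.Thumbprint
    if ($alg -match 'sha(256|384|512)') { $sha2 += $cn }
}
foreach ($s in $chain.ChainStatus) { "Chain status     : $($s.Status) $($s.StatusInformation)" }

# Windows 7 / Server 2008 R2 report version 6.1.*; Get-WmiObject and Get-HotFix
# exist on the PowerShell 2.0 those systems ship with.
$osVersion     = (Get-WmiObject Win32_OperatingSystem).Version
$hasSha2Update = [bool](Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue)
if ($sha2.Count -gt 0 -and $osVersion -like '6.1.*' -and -not $hasSha2Update) {
    $msg = 'SHA-2 certificate(s) in chain ({0}) and KB3033929 is not installed: ' +
           'kernel-mode signature verification will fail.'
    Write-Warning ($msg -f ($sha2 -join ', '))
}
```

Run it on the target Windows 7 machine rather than the build box: Get-AuthenticodeSignature is a user-mode check and does not reproduce kernel code integrity, and the intermediates the chain picks up depend on that machine's certificate stores. The per-element listing is what makes the situation in this thread obvious: a SHA-1 leaf with sha256RSA further up the chain.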

David,

Thanks, that was it. The fact that the signtool verify showed SHA1 had me thinking that I was OK without the update, when SHA-256 was liberally scattered through the output.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David Boyce
Sent: Monday, July 11, 2016 10:27 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] WFP Driver signing

Is any other certificate in the verification path using SHA-256? If so, an un-patched Windows 7 might not be able to verify the signature.


The only potential problem with an SHA1 cert I see is that on a patched Windows system I expect support for this kind of certificate to expire. I wonder if people dual-sign their drivers?

xxxxx@gfi.com wrote:

The only potential problem with an SHA1 cert I see is that on a patched Windows system I expect support for this kind of certificate to expire. I wonder if people dual-sign their drivers?

On systems prior to Windows 10, at least, SHA1 support will never be
removed. I think they’ve actually said that. Too many legacy devices
would break.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
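The dual-signing asked about above, as an added example that is not part of the thread: sign the driver first with a SHA-1 file digest, then append (not replace) a SHA-256 signature, so a Windows 7 machine without SHA-2 support still verifies the first signature while newer systems can use the second. The signtool location (the copy shipped with the Windows 8.1 SDK/WDK, which as far as I know is the first to support `/as`), the driver and cross-certificate paths, the certificate thumbprint and the timestamp URL are all placeholders to replace.

```powershell
# Added example, not code from the thread. Dual-signs a kernel driver:
# primary signature SHA-1, appended signature SHA-256. All paths, the
# thumbprint and the timestamp URL below are assumed placeholders.
$signtool = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe'  # assumed WDK 8.1 path
$driver   = 'C:\build\mywfp.sys'                                             # assumed driver path
$cross    = 'C:\certs\CA-CrossCert.cer'   # cross-certificate Microsoft issued for the client's CA (assumed)
$thumb    = '0000000000000000000000000000000000000000'  # placeholder: thumbprint of the client's code-signing cert
$tsa      = 'http://timestamp.example/'   # placeholder: the CA's timestamp service

# 1. Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp.
#    This is the only signature an unpatched Windows 7 will look at.
& $signtool sign /v /ac $cross /sha1 $thumb /fd sha1 /t $tsa $driver
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signature failed (signtool exit code $LASTEXITCODE)" }

# 2. Append a second signature (/as) with a SHA-256 file digest and an
#    RFC 3161 timestamp (/tr, /td). Older verifiers ignore appended signatures.
& $signtool sign /v /as /ac $cross /sha1 $thumb /fd sha256 /tr $tsa /td sha256 $driver
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signature failed (signtool exit code $LASTEXITCODE)" }

# 3. Verify every signature (/all) against the kernel-mode driver policy,
#    the same /kp check used earlier in the thread.
& $signtool verify /kp /v /all $driver
if ($LASTEXITCODE -ne 0) { throw "Verification failed (signtool exit code $LASTEXITCODE)" }
```

The caveat that brings this back to Don's problem: dual-signing changes the file digest of each signature, not the certificate chain. If the SHA-1 signature's own chain (CA intermediates, cross-certificate) contains a SHA-256 certificate, an unpatched Windows 7 will still reject it, so inspect the chain of the primary signature before relying on the SHA-1 path.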