Cab Signature validation failed with error: 0x80090008

Hagen Member Posts: 53

Hi,
our attestation signing has been in place and working for quite a while without any modifications now. Yesterday Microsoft's attestation server responded with
Cab Signature validation failed with error: 0x80090008
on a cab submission. The cab was successfully created and signed, however:

Cabinet Maker - Lossless Data Compression Tool

PASS 1: Checking directive file(s)

1: .OPTION EXPLICIT
2: .Set CabinetFileCountThreshold=0
==> Setting variable CabinetFileCountThreshold to '0'
3: .Set FolderFileCountThreshold=0
==> Setting variable FolderFileCountThreshold to '0'
4: .Set FolderSizeThreshold=0
==> Setting variable FolderSizeThreshold to '0'
5: .Set MaxCabinetSize=0
==> Setting variable MaxCabinetSize to '0'
6: .Set MaxDiskFileCount=0
==> Setting variable MaxDiskFileCount to '0'
7: .Set MaxDiskSize=0
==> Setting variable MaxDiskSize to '0'
8: .Set CompressionType=MSZIP
==> Setting variable CompressionType to 'MSZIP'
9: .Set Cabinet=on
==> Setting variable Cabinet to 'on'
10: .Set Compress=on
==> Setting variable Compress to 'on'
11: .Set CabinetNameTemplate=MyDriver.cab
==> Setting variable CabinetNameTemplate to 'MyDriver.cab'
12: .Set DestinationDir=MyDriver
==> Setting variable DestinationDir to 'MyDriver'
13: "MyDriver.inf"
==> FileSpec src=MyDriver.inf dst=
CopyCommand: MyDriver.inf to MyDriver\MyDriver.inf
14: "MyDriver.sys"
==> FileSpec src=MyDriver.sys dst=
CopyCommand: MyDriver.sys to MyDriver\MyDriver.sys
15: "MyDriver.cat"
==> FileSpec src=MyDriver.cat dst=
CopyCommand: MyDriver.cat to MyDriver\MyDriver.cat
16: "MyDriver.pdb"
==> FileSpec src=MyDriver.pdb dst=
CopyCommand: MyDriver.pdb to MyDriver\MyDriver.pdb

PASS 2: Processing directive file(s)

1: .OPTION EXPLICIT
2: .Set CabinetFileCountThreshold=0
==> Setting variable CabinetFileCountThreshold to '0'
3: .Set FolderFileCountThreshold=0
==> Setting variable FolderFileCountThreshold to '0'
4: .Set FolderSizeThreshold=0
==> Setting variable FolderSizeThreshold to '0'
5: .Set MaxCabinetSize=0
==> Setting variable MaxCabinetSize to '0'
6: .Set MaxDiskFileCount=0
==> Setting variable MaxDiskFileCount to '0'
7: .Set MaxDiskSize=0
==> Setting variable MaxDiskSize to '0'
8: .Set CompressionType=MSZIP
==> Setting variable CompressionType to 'MSZIP'
9: .Set Cabinet=on
==> Setting variable Cabinet to 'on'
10: .Set Compress=on
==> Setting variable Compress to 'on'
11: .Set CabinetNameTemplate=MyDriver.cab
==> Setting variable CabinetNameTemplate to 'MyDriver.cab'
12: .Set DestinationDir=MyDriver
==> Setting variable DestinationDir to 'MyDriver'
13: "MyDriver.inf"
==> FileSpec src=MyDriver.inf dst=
0.00% - raw=0 compressed=0
14: "MyDriver.sys"
==> FileSpec src=MyDriver.sys dst=
32.49% - raw=458,752 compressed=78,885
15: "MyDriver.cat"
==> FileSpec src=MyDriver.cat dst=
32.49% - raw=458,752 compressed=78,885
16: "MyDriver.pdb"
==> FileSpec src=MyDriver.pdb dst=
100.00% - raw=1,411,826 compressed=328,406
99.82% [flushing current folder]
** MyDriver\MyDriver.inf placed in cabinet MyDriver.cab(1) on disk Disk 1
** MyDriver\MyDriver.sys placed in cabinet MyDriver.cab(1) on disk Disk 1
** MyDriver\MyDriver.cat placed in cabinet MyDriver.cab(1) on disk Disk 1
** MyDriver\MyDriver.pdb placed in cabinet MyDriver.cab(1) on disk Disk 1
100.00% [flushing current folder]
Total files: 4
Bytes before: 1,411,826
Bytes after: 328,406
After/Before: 23.26% compression
Time: 0.26 seconds ( 0 hr 0 min 0.26 sec)
Throughput: 5202.78 Kb/second
Done Adding Additional Store
Successfully signed: C:\Jenkins\workspace\MyCompany\MyDriver-Windows\BuildSystem..\build\Cab\x64\Release\disk1\MyDriver.cab

However the submission fails:

Attestation Submission

Create Product

* Create JSON
* Submit
* PID: 13516439312521993

Create Submission

* Create JSON
* Submit
* SID: 1152921505693904224

Upload File

SurfaceDevCenterManager v1.0.0.1

0% 0% 0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 10% 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 21% 21% 22% 23% 24% 25% 26% 27% 28% 29% 30% 31% 32% 32% 33% 34% 35% 36% 37% 38% 39% 40% 41% 42% 42% 43% 44% 45% 46% 47% 48% 49% 50% 51% 52% 53% 53% 54% 55% 56% 57% 58% 59% 60% 61% 62% 63% 64% 64% 65% 66% 67% 68% 69% 70% 71% 72% 73% 74% 75% 75% 76% 77% 78% 79% 80% 81% 82% 83% 84% 85% 85% 86% 87% 88% 89% 90% 91% 92% 93% 94% 95% 96% 96% 97% 98% 99%100%100%
Correlation Id: dd921df9-979a-4701-874f-4db46492a002
Return: 0 (SUCCESS)

Commit Submission

SurfaceDevCenterManager v1.0.0.1

Commit Option
Sending Commit
Commit OK

Correlation Id: 2d3da553-e551-42f4-88a2-6b633b747eec
Return: 0 (SUCCESS)

Wait for Submission to complete

* Dev Center URL: https://developer.microsoft.com/en-us/dashboard/hardware/driver/13516439312521993
* PID: 13516439312521993
* SID: 1152921505693904224

SurfaceDevCenterManager v1.0.0.1

Wait Option
Step: packageInfoValidation
State: notStarted
Step: preparation
State: failed
Error Report:

Cab Signature validation failed with error: 0x80090008

The XML pointed to by initialPackage Url reads:


AuthenticationFailed

Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:450d03e8-c01e-004e-6270-a96e4b000000 Time:2021-09-14T13:57:05.3472930Z


Signature did not match. String to sign used was rwl 2021-09-15T13:52:24Z /blob/ingestionpackagesprod1/ingestion/1d2089e7-f8fd-4036-aebd-e2020fb57fc6 2018-03-28 attachment;

Any hints or ideas about what could have gone wrong are highly appreciated!
Thanks,
Hagen

Comments

  • Tim_Roberts Member - All Emails Posts: 14,093

    The only thing I can add is that 0x80090008 is NTE_BAD_ALGID -- Invalid algorithm specified. Is this a new certificate, or is it the same old certificate?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • dakata Member Posts: 2

    Hi Hagen,
    I am getting the same response. I have raised a ticket and contacted our account manager at Microsoft regarding this. I will keep you posted about any updates.

  • dakata Member Posts: 2

    Ok I have a solution. Actually, Tim is right. It turned out the problem is with the signing options in signtool.exe.
    Till yesterday my signtool parameters were: /a /tr http://timestampprovider /td sha256 ... etc
    But as of today Microsoft wants to add: /a /fd sha256 /tr http://timestampprovider /td sha256 ... etc
    So this "/fd sha256" made it work.
    I have just successfully signed a driver.
    Hope this helps.
    Cheers.
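
The fix described in the comment above, turned into a check a build job can run before signing. This is an added example, not code from the thread or from Microsoft; the function names and the idea of linting the build script's command string are assumptions, and only the slash-style switches shown in the thread are handled.

```python
import shlex

# Digest value the thread reports the dashboard accepting for /fd and /td.
REQUIRED_DIGEST = "sha256"

def flag_value(tokens, flag):
    """Return (present, value) for a signtool switch such as /fd (case-insensitive)."""
    for i, tok in enumerate(tokens):
        if tok.lower() == flag:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is None or nxt.startswith("/"):
                return True, None          # switch given without a value
            return True, nxt.lower()
    return False, None

def lint_sign_command(cmdline):
    """Return a list of findings for one 'signtool sign' command line."""
    # posix=False keeps Windows backslashes in quoted paths intact.
    tokens = shlex.split(cmdline, posix=False)
    findings = []

    has_fd, fd = flag_value(tokens, "/fd")
    if not has_fd:
        findings.append("/fd missing: file digest is left to the signtool default")
    elif fd != REQUIRED_DIGEST:
        findings.append(f"/fd is {fd!r}, expected {REQUIRED_DIGEST!r}")

    has_tr, _ = flag_value(tokens, "/tr")
    has_td, td = flag_value(tokens, "/td")
    if has_tr and not has_td:
        findings.append("/tr given without /td: timestamp digest not set")
    elif has_td and td != REQUIRED_DIGEST:
        findings.append(f"/td is {td!r}, expected {REQUIRED_DIGEST!r}")
    return findings

# The two command lines from the thread (timestamp URL is the thread's placeholder).
OLD = "signtool sign /a /tr http://timestampprovider /td sha256 MyDriver.cab"
NEW = "signtool sign /a /fd sha256 /tr http://timestampprovider /td sha256 MyDriver.cab"

if __name__ == "__main__":
    for label, cmd in (("old", OLD), ("new", NEW)):
        problems = lint_sign_command(cmd)
        print(label, "OK" if not problems else problems)
```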

  • Hagen Member Posts: 53

    Thanks, Tim, dakata,
    for your hints! And yes, the problem also resided on our side. My problem was that the .cab was signed with a non-EV certificate; when switching to the correct one, it's accepted again. The strange thing here is that it actually was accepted at all until now...!

    Thanks for your help!
    Cheers,
    Hagen.

  • Tim_Roberts Member - All Emails Posts: 14,093

    In the past, you could use a non-EV certificate to sign your dashboard submissions, as long as the non-EV certificate had been registered with the account. I've seen posts that say they were eliminating this option, but I didn't think it had happened already.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • CaptainFlint Member Posts: 66

    According to this, you still should be able to do it.

  • Hagen Member Posts: 53

    Thanks, then maybe it's now accepted because of also removing the remains of the previous kernel signing, including cross certificate and time stamping.
    So that means the non-EV signature would still be accepted, maybe the "issued to" would need to match? In that case the dongle wouldn't be needed on the build machine, or?

  • CaptainFlint Member Posts: 66

    Well, I don't know the exact list of requirements. The certificate itself must be added to the dashboard account, that's for sure. If that certificate is not EV, then an EV one must also be added (not necessarily used), and it must not be expired on the day you send the submission (of course, the same applies to the certificate you signed the cab with). Using the SHA-2 algorithm for signing seems to be mandatory, as @dakata pointed out. Also, some people here reported that the dashboard failed to accept the SHA-384 certificates, no matter what algorithm is used for signing; some details can be found here.

    Apart from that, I'm not aware of any restrictions. (Which, of course, does not mean that there are none…)

  • Hagen Member Posts: 53

    Great, thanks for your comments!

  • Tim_Roberts Member - All Emails Posts: 14,093

    So that means the non-EV signature would still be accepted, maybe the "issued to" would need to match?

    They don't check the data in the certificate. The certificate just has to be registered with the account. They assume that if you can log in, then you have the legal authority to add new certificates. That's in one of the documents you sign when you set up a dashboard account.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
