Windows 7 driver signing problem

Hey guys, I’ve some problems with signing a driver for Windows 7.

I just have a simple mini-filter driver and tried to sign it with a certificate from Comodo.
The driver installs and runs without any problems on Windows 8 to Windows 10, only Windows 7 reports an error, when trying to install it.

I cross-signed the driver as shown below:

signtool.exe sign /v /p password /ac "C:\comodorsacertificationauthority_kmod.crt" /f "C:\cert.pfx"
/tr http://timestamp.comodoca.com/rfc3161 "C:\Users\name\desktop\drv.sys"
The following certificate was selected:
Issued to: xxx xxxxx
Issued by: COMODO RSA Code Signing CA
Expires: Mon Oct 31 01:59:59 2016
SHA1 hash: *hash here*

Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 15:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: COMODO RSA Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon Apr 12 00:16:20 2021
SHA1 hash: 106870659C069F248C8C0A05ACD871CABEB3CC38

Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Tue May 09 01:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

Issued to: xxx xxxxx
Issued by: COMODO RSA Code Signing CA
Expires: Mon Oct 31 01:59:59 2016
SHA1 hash: *hash here*

Done Adding Additional Store
Successfully signed and timestamped: C:\Users\name\desktop\drv.sys

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>fltmc load drv

Error: 0x80070241

Could not translate error code. Code: 0x80070241, Reason:
7a

Obviously, I run the cmd prompt with admin rights.
In the Windows event log (code integrity) I get the following errors (translated from German):
The image of the file (drv.sys) could not be validated, because the record of image hashes could not be found on the system.

Any ideas on what I’m doing wrong? I already spent days on figuring out what I’m doing wrong, without success. :confused:

I would appreciate any kind of help. Thanks!

Are the appropriate COMODO root certificates installed on Win 7?

Christiaan

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Sunday, August 21, 2016 6:02 PM
Subject: [ntdev] Windows 7 driver signing problem


It might be your signing key is SHA2, and the copy of Win 7 you are using does not have the SHA2 support patch. Search previous messages on this list for the way to determine this and fix it. Win 7 as it comes off the install DVD didn’t work with SHA2 keys under certain conditions, like I believe drivers that required checking the signature of the binary using an embedded signature.

Jan


Thanks for your quick replies!

You were right, the patch for sha2 support was missing, even though SP1 was installed.

I manually installed it and now it works.

Thank you guys!

BR, Nick

On 22.08.2016 at 00:07, Jan Bottorff wrote:
>
> It might be your signing key is SHA2, and the copy of Win 7 you are using does not have the SHA2 support patch. Search previous messages on this list for the way to determine this and fix it. Win 7 as it comes off the install DVD didn’t work with SHA2 keys under certain conditions, like I believe drivers that required checking the signature of the binary using an embedded signature.
>
> Jan

Christiaan Ghijselinck wrote:

Are the appropriate COMODO root certificates installed on Win 7?

They don’t have to be. That’s the point of the cross-certificate. As
long as the “Microsoft Code Verification Root” is in the chain, that’s
all that is necessary.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
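
Added example (not part of the thread or any poster's code): a Python check of the two diagnostics in the original post. It walks the cross-certificate chain that signtool printed to confirm it starts at "Microsoft Code Verification Root", the condition Tim Roberts describes, and splits 0x80070241 into its HRESULT fields. The sample text is reconstructed from the post with the Expires and SHA1 lines left out, and the function names are this example's own.

```python
import re

# Constructed sample: the cross-certificate chain from the signtool /v output
# quoted in the thread (subject redacted as in the post).
SIGNTOOL_OUTPUT = """\
Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Issued to: COMODO RSA Certification Authority
    Issued by: Microsoft Code Verification Root
    Issued to: COMODO RSA Code Signing CA
    Issued by: COMODO RSA Certification Authority
    Issued to: xxx xxxxx
    Issued by: COMODO RSA Code Signing CA
"""
KERNEL_ROOT = "Microsoft Code Verification Root"
PAIR = re.compile(r"Issued to:[ \t]*(.+?)[ \t]*\r?\n[ \t]*"
                  r"Issued by:[ \t]*(.+?)[ \t]*(?:\r?\n|$)")

def parse_chain(text):
    """Return [(subject, issuer), ...] in signtool's order (root first)."""
    _, _, section = text.partition("Cross certificate chain")
    return PAIR.findall(section)

def chain_problems(chain):
    """List reasons the printed chain would not satisfy kernel-mode signing."""
    if not chain:
        return ["no cross-certificate chain printed (was /ac supplied?)"]
    problems = []
    if chain[0] != (KERNEL_ROOT, KERNEL_ROOT):
        problems.append("chain does not start at " + KERNEL_ROOT)
    # Each certificate must be issued by the one printed just before it.
    for (parent, _), (subject, issuer) in zip(chain, chain[1:]):
        if issuer != parent:
            problems.append(f"{subject!r} is issued by {issuer!r}, not {parent!r}")
    return problems

def decode_hresult(hr):
    """Split an HRESULT into its severity bit, facility and code fields."""
    return {"failure": bool((hr >> 31) & 1),
            "facility": (hr >> 16) & 0x7FF,
            "code": hr & 0xFFFF}

if __name__ == "__main__":
    print(chain_problems(parse_chain(SIGNTOOL_OUTPUT)) or "chain OK")
    # Facility 7 is Win32; code 577 is ERROR_INVALID_IMAGE_HASH.
    print(decode_hresult(0x80070241))
```

When the chain checks out and the code still decodes to Win32 error 577 (ERROR_INVALID_IMAGE_HASH), the signing step is not the culprit and the target system's signature validation is the next thing to examine, which is where this thread ended up.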