Sign x64 driver for Windows 7

Hi all, I signed my driver with my EV certificate, but now I found it doesn't work on Win7.
I used the following commands to sign my driver:
Inf2cat.exe /driver:"mydriver\64bit" /os:7_X64,10_X64,8_X64,6_3_X64
signtool.exe sign /ac D:\MSCV-VSClass3.cer /s my /sha1 xxxxxxxxxx /t http://timestamp.verisign.com/scripts/timstamp.dll /v "myriver\drvxxx.cat"
The signed driver is OK on Win8.1 x64, but on Win7 x64 it doesn't work. In Device Manager -> device -> Properties -> General I get Code 52, but on the Properties -> Driver page, the Digital Signer item shows my company information.
Did I miss something?
Thanks

I found this error in setupapi.dev:
"A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
How can I fix this error?

Finally, I found that KB3033929 can fix this issue.
But can I fix this issue by changing my signtool command or using a different version, without this KB? Telling every customer to update the KB doesn't make sense.

> But can I fix this issue by changing my signtool command or using a different version, without this KB? Telling every customer to
> update the KB doesn't make sense.

You need to sign with a non-EV SHA-1 certificate. For Vista, you need this anyway since there is no KB update available for it.

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Tuesday, September 20, 2016 12:56 PM
Subject: RE:[ntdev] Sign x64 driver for Windows 7

> Finally, I found that KB3033929 can fix this issue.
> But can I fix this issue by changing my signtool command or using a different version, without this KB? Telling every customer to update
> the KB doesn't make sense.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at http:

Hi Christiaan Ghijselinck, so an EV certificate can't sign a driver with SHA1 by using /fd sha1; I need a SHA1-only CA
certificate, right?
How should I check whether the signed .cat is signed with sha1 or sha256? On the Digital Signatures page, the digest algorithm is sha1, and I also added sha256, but it still doesn't work without the KB.
Thank you.

> How should I check whether the signed .cat is signed with sha1 or sha256? On the Digital Signatures page, the digest algorithm is sha1, and I
> also added sha256, but it still doesn't work without the KB.

The essential problem is that Win 7 does not recognize EV certificates without that KB.

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Tuesday, September 20, 2016 3:51 PM
Subject: RE:[ntdev] Sign x64 driver for Windows 7

> Hi Christiaan Ghijselinck, so an EV certificate can't sign a driver with SHA1 by using /fd sha1; I need a SHA1-only CA
> certificate, right?
> How should I check whether the signed .cat is signed with sha1 or sha256? On the Digital Signatures page, the digest algorithm is sha1, and I
> also added sha256, but it still doesn't work without the KB.
> Thank you.

xxxxx@gmail.com wrote:

> Hi Christiaan Ghijselinck, so an EV certificate can't sign a driver with SHA1 by using /fd sha1; I need a SHA1-only CA
> certificate, right?

Correct. The /fd parameter just chooses how the file's digest is created. Your certificate is still SHA256, and that's the problem.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You will need to add a SHA-1 certificate along with the EV if you do not want them to install KB3033929.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, September 20, 2016 6:57 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Sign x64 driver for Windows 7

Finally, I found that KB3033929 can fix this issue.
But can I fix this issue by changing my signtool command or using a different version, without this KB? Telling every customer to update the KB doesn't make sense.


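The "add a SHA-1 certificate along with the EV" advice above, written out as a PowerShell script. This is an added example, not the poster's script or anything from the thread. It assumes signtool.exe and Inf2cat.exe are on PATH, that both code-signing certificates are in the current user's "my" store, and that you have the Microsoft cross-certificate matching each CA's root; every path, thumbprint and the RFC 3161 server below is a placeholder to replace (the VeriSign timestamp URL and the Inf2cat /os list are the ones from the original post). The SHA-1 signature is applied first because a Windows 7 without KB3033929 only evaluates the primary signature; the SHA-256 EV signature is appended with /as.

```powershell
# Sign-DriverDual.ps1 (added example, not from the thread; the name is made up).
# Step 1 puts a SHA-1 signature (SHA-1 file digest, SHA-1 certificate chain,
# legacy Authenticode timestamp) on the catalog as the primary signature, which
# is the one Windows 7 without KB3033929 evaluates. Step 2 appends (/as) a
# SHA-256 EV signature with an RFC 3161 timestamp for Windows 8.1 and 10.
# Assumptions: signtool.exe and Inf2cat.exe are on PATH; both certificates are
# in the current user's "my" store; paths, thumbprints and the RFC 3161 URL
# are placeholders. The VeriSign URL is the one the original post used.
$ErrorActionPreference = 'Stop'

$DriverDir  = 'mydriver\64bit'
$Cat        = 'mydriver\64bit\drvxxx.cat'
$Sha1Cross  = 'D:\MSCV-VSClass3.cer'       # Microsoft cross-cert for the SHA-1 CA's root
$Sha1Thumb  = '<thumbprint of the SHA-1 code-signing cert>'
$EvCross    = 'D:\<cross-cert for the EV CA root>.cer'
$EvThumb    = '<thumbprint of the EV code-signing cert>'
$Sha1Tsa    = 'http://timestamp.verisign.com/scripts/timstamp.dll'   # Authenticode (/t) timestamp
$Rfc3161Tsa = 'http://<rfc3161-timestamp-server>'                    # RFC 3161 (/tr) timestamp

# Run a native tool and fail loudly; signtool returns non-zero on any signing error.
function Invoke-Tool([string] $Exe, [string[]] $ArgList) {
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 0. (Re)generate the catalog. This produces an unsigned .cat, so it must run
#    before signing, never after.
Invoke-Tool 'Inf2cat.exe' @("/driver:$DriverDir", '/os:7_X64,10_X64,8_X64,6_3_X64')

# 1. Primary signature: everything SHA-1 (digest, certificate chain, timestamp),
#    so a pre-KB3033929 Windows 7 can build and trust the chain.
Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $Sha1Cross, '/s', 'my', '/sha1', $Sha1Thumb,
                             '/fd', 'sha1', '/t', $Sha1Tsa, $Cat)

# 2. Appended signature: SHA-256 digest, EV certificate, RFC 3161 timestamp
#    digested with SHA-256 (/td). Windows 8.1 and 10 pick this one up.
Invoke-Tool 'signtool.exe' @('sign', '/v', '/as', '/ac', $EvCross, '/s', 'my', '/sha1', $EvThumb,
                             '/fd', 'sha256', '/tr', $Rfc3161Tsa, '/td', 'sha256', $Cat)

# 3. Verify every signature (/all) against the kernel-mode driver policy (/kp)
#    and print each certificate chain (/v) so a wrong cross-cert shows up here,
#    not on a customer's Windows 7 box as Code 52.
Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', '/all', $Cat)
```

Two things to watch: /as and /td need a signtool from the Windows 8 SDK or later, and the SHA-1 signature must use a certificate whose whole chain is SHA-1 signed; passing /fd sha1 with an EV (SHA-256) certificate only changes the file digest, as Tim Roberts points out earlier in the thread, and the chain problem remains.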

I see, I need a SHA-1 certificate.
Thank you everyone.

And there is another question…
I got a SHA-1 certificate. When I signed the .cat with the .pfx, I got an error:

Signtool Error: The provided cross certificate would not be present in the certificate chain.

I remember that this could be fixed with the cross certificate .cer from
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1575
But it has expired. Is there another way to fix this error?
Thanks

Using a SHA-1 CA certificate, it still doesn't work without the KB. The signature algorithm of the CA is SHA1RSA. Here is the command:
signtool.exe sign /ac D:\ms_xs.crt /f "D:\my.pfx" /p xxxx /tr http://timestamp.wosign.com/rfc3161 /v "E:\x64\xxx.cat"
I totally do not understand what I should do.

On Sep 20, 2016, at 8:15 PM, xxxxx@gmail.com wrote:

> And there is another question…
> I got a SHA-1 certificate. When I signed the .cat with the .pfx, I got an error:
>
> Signtool Error: The provided cross certificate would not be present in the certificate chain.
>
> I remember that this could be fixed with the cross certificate .cer from

Well, you need the cross certificate that matches the SHA-1 certificate you got. You can’t use any old cross-certificate. You can either look at Microsoft’s list, or check with the certificate authority.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On Sep 20, 2016, at 11:18 PM, xxxxx@gmail.com wrote:

> Using a SHA-1 CA certificate, it still doesn't work without the KB. The signature algorithm of the CA is SHA1RSA. Here is the command:
> signtool.exe sign /ac D:\ms_xs.crt /f "D:\my.pfx" /p xxxx /tr http://timestamp.wosign.com/rfc3161 /v "E:\x64\xxx.cat"
> I totally do not understand what I should do.

Where did you buy your certificate, exactly? Are you sure your CA has a Microsoft cross-certificate?

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

As I remember, there have been CA certificates using SHA1 when the customer certificate was still SHA2. You need to check EVERY level of the key chain to verify ONLY SHA1 is used. Like Tim said, you also need to use a cross certificate that matches your CA; not all CAs have certificates compatible with kernel signing. I recommend turning on the verbose option in signtool so it prints the whole certificate chain.

Looking at the list of valid kernel signing cross certificates at https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing I don’t see one for wosign.com. I looked at a cross certificate on the wosign website under code signing (https://wosign.com/english/WoSign_Kernel_CodeSigning.htm), but the issuer was not the correct Microsoft kernel signing root. The Issuer looked like StartCom, which does have a cross certificate at the above Microsoft site, but I don’t know if you can have two levels of cross certificates.

A lot of the CAs have been amazingly ignorant about what the signing key parameters must be for the different flavors of Windows kernel code signing.

Jan

On 9/20/16, 11:18 PM, "xxxxx@lists.osr.com on behalf of xxxxx@gmail.com" wrote:

> Using a SHA-1 CA certificate, it still doesn't work without the KB. The signature algorithm of the CA is SHA1RSA. Here is the command:
> signtool.exe sign /ac D:\ms_xs.crt /f "D:\my.pfx" /p xxxx /tr http://timestamp.wosign.com/rfc3161 /v "E:\x64\xxx.cat"
> I totally do not understand what I should do.
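Jan's advice (check every level of the chain, run signtool verbosely) and the earlier question of how to tell whether a signed .cat ended up with a SHA-1 or SHA-256 chain, as an added PowerShell script that is not part of the thread. It walks the signer certificate chain of the signed file, prints the signature algorithm at each level, checks the cross-certificate you pass to /ac, and then hands over to signtool's own kernel-mode verification. It assumes signtool.exe is on PATH; the script name and parameters are made up. The check that the cross-certificate is issued by "Microsoft Code Verification Root" relies on that being the issuer of the certificates on the Microsoft cross-certificate page linked above.

```powershell
# Check-DriverChain.ps1 (added example, not from the thread; the name is made up).
# Usage: .\Check-DriverChain.ps1 -Path E:\x64\xxx.cat -CrossCertPath D:\ms_xs.crt
# Works on the .cat or on a signed .sys. Assumes signtool.exe is on PATH and that
# Microsoft's kernel-mode cross-certificates are issued by
# "Microsoft Code Verification Root".
param(
    [Parameter(Mandatory = $true)] [string] $Path,   # signed .cat or .sys
    [string] $CrossCertPath                          # the .cer/.crt you pass to signtool /ac
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status : $($sig.Status) - $($sig.StatusMessage)"
if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $Path" }
"Signer : $($sig.SignerCertificate.Subject)"

# Build the chain ourselves so we can look at every element, as Jan advises.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'     # chain shape only; signtool does revocation
$cross = $null
if ($CrossCertPath) {
    $cross = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CrossCertPath
    [void] $chain.ChainPolicy.ExtraStore.Add($cross)
}
[void] $chain.Build($sig.SignerCertificate)

# Report every level. Anything not sha1RSA is what a pre-KB3033929 Windows 7
# cannot process; the /fd digest of the file is a separate matter.
$notSha1 = @()
$level = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $alg  = $cert.SignatureAlgorithm.FriendlyName
    "[{0}] {1}" -f $level, $cert.Subject
    "     issuer    : $($cert.Issuer)"
    "     signed by : $alg   (valid until $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    if ($alg -notlike 'sha1*') { $notSha1 += "[$level] $alg" }
    $level++
}
if ($notSha1.Count -gt 0) {
    "FAIL: chain levels not signed with SHA-1 (Win7 without KB3033929 will show Code 52): $($notSha1 -join ', ')"
} else {
    "OK  : every level of the chain is SHA-1 signed"
}

# Cross-certificate checks matching the two errors seen in this thread.
if ($cross) {
    "Cross-cert subject : $($cross.Subject)"
    "Cross-cert issuer  : $($cross.Issuer)"
    if ($cross.Issuer -notmatch 'Microsoft Code Verification Root') {
        "FAIL: the /ac certificate is not a Microsoft kernel-mode cross-certificate"
    }
    # signtool refuses a cross-cert whose subject matches no CA in the chain.
    $hit = $chain.ChainElements | Where-Object { $_.Certificate.Subject -eq $cross.Subject }
    if (-not $hit) {
        "FAIL: no CA in the chain has subject '$($cross.Subject)'; signtool reports 'The provided cross certificate would not be present in the certificate chain'"
    }
}

# signtool applies the kernel-mode driver policy (/kp) and prints the chain (/v)
# for every signature on the file (/all).
& signtool.exe verify /v /kp /all $Path
```

Get-AuthenticodeSignature evaluates the standard Authenticode policy of the machine you run it on, so its Status can be Valid on Windows 8.1 while the same file fails on Windows 7; the per-level algorithm listing and the signtool /kp output are the parts that predict the Windows 7 result. Running the script on a Windows 7 machine without KB3033929 reproduces the "terminated in a root certificate which is not trusted" condition directly.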

It sounds like you are missing the cross-sign certificate from MS. Check out this link https://msdn.microsoft.com/en-us/library/windows/hardware/dn653569(v=vs.85).aspx and for the certificates check this link https://msdn.microsoft.com/windows/hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, September 21, 2016 2:19 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Sign x64 driver for Windows 7

Using a SHA-1 CA certificate, it still doesn't work without the KB. The signature algorithm of the CA is SHA1RSA. Here is the command:
signtool.exe sign /ac D:\ms_xs.crt /f "D:\my.pfx" /p xxxx /tr http://timestamp.wosign.com/rfc3161 /v "E:\x64\xxx.cat"
I totally do not understand what I should do.

