Process Hacker and Secure Boot

Hi,

We have found that we can install Process Hacker 2.39124 on Windows 10 1809 17763.316 in a VMware VM with secure boot enabled. We think that the secure boot is working correctly because it will prevent our counter-signed filter driver from being installed whereas it will allow our Microsoft cross-signed driver to be installed. Does anyone know why the Process Hacker driver kprocesshacker.sys, which is only counter-signed, is able to get installed with secure boot enabled?

Thanks,

Ian.

IanM wrote:

We have found that we can install Process Hacker 2.39124 on Windows 10 1809 17763.316 in a VMware VM with secure boot enabled. We think that the secure boot is working correctly because it will prevent our counter-signed filter driver from being installed whereas it will allow our Microsoft cross-signed driver to be installed. Does anyone know why the Process Hacker driver kprocesshacker.sys, which is only counter-signed, is able to get installed with secure boot enabled?

It is grandfathered. To avoid invalidating the millions of driver
packages that exist in the wild, a driver signed and cross-signed with a
certificate issued prior to July 2015 is accepted without attestation or
WHQL. The Process Hacker driver was signed in March of 2016, and the
certificate they used was issued in 2013.

Thanks very much Tim. We were aware of the grandfathering issue and I don’t think it applies to the driver in Process Hacker 2.39124. However, in our attempt to double-check that, we have noticed that the driver is cross-signed using a “Microsoft Code Verification Root” certificate (below). This is different to the root of the certificate that we get when we cross-sign (“Microsoft Root Certificate Authority 2010”).

The “Microsoft Code Verification Root” certificate isn’t mentioned here but do you think it’s just that the documentation is out of date?

C:\Users\Admin\Desktop>signtool.exe verify /v /all /kp processhacker-2.39-bin\kprocesshacker.sys

Verifying: processhacker-2.39-bin\kprocesshacker.sys

Signature Index: 0 (Primary Signature)
Hash of file (sha1): C2B8C1B34F09A91EFE196F646EF7F9A11190FB8E

Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Expires: Mon Nov 10 01:00:00 2031
SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

    Issued to: DigiCert High Assurance Code Signing CA-1
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Tue Feb 10 13:00:00 2026
    SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46

        Issued to: Wen Jia Liu
        Issued by: DigiCert High Assurance Code Signing CA-1
        Expires:   Wed Jan 04 13:00:00 2017
        SHA1 hash: 32387AEC09EB287F202E98398189B460F4C61A0D

The signature is timestamped: Mon Mar 28 19:21:05 2016
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Mon Nov 10 01:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

    Issued to: DigiCert Assured ID CA-1
    Issued by: DigiCert Assured ID Root CA
    Expires:   Wed Nov 10 01:00:00 2021
    SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

        Issued to: DigiCert Timestamp Responder
        Issued by: DigiCert Assured ID CA-1
        Expires:   Tue Oct 22 01:00:00 2024
        SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: DigiCert High Assurance EV Root CA
    Issued by: Microsoft Code Verification Root
    Expires:   Thu Apr 15 20:55:33 2021
    SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143

        Issued to: DigiCert High Assurance Code Signing CA-1
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Tue Feb 10 13:00:00 2026
        SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46

            Issued to: Wen Jia Liu
            Issued by: DigiCert High Assurance Code Signing CA-1
            Expires:   Wed Jan 04 13:00:00 2017
            SHA1 hash: 32387AEC09EB287F202E98398189B460F4C61A0D

Signature Index: 1
Hash of file (sha256): 4EE2A56C1592FF0E951B452C0DE064EBA05B7C98E3ADD04C8AA3B4A84EB797A5

Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Expires: Mon Nov 10 01:00:00 2031
SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

    Issued to: DigiCert SHA2 High Assurance Code Signing CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Sun Oct 22 13:00:00 2028
    SHA1 hash: F7E0F449F1A2594F88856C0758F8E6F627E5F5A2

        Issued to: Wen Jia Liu
        Issued by: DigiCert SHA2 High Assurance Code Signing CA
        Expires:   Wed Jan 04 13:00:00 2017
        SHA1 hash: 190D956129DDE6972D46F46EF98BD86B982E6633

The signature is timestamped: Mon Mar 28 19:21:05 2016
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Mon Nov 10 01:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

    Issued to: DigiCert SHA2 Assured ID Timestamping CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Tue Jan 07 13:00:00 2031
    SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

        Issued to: DigiCert SHA2 Timestamp Responder
        Issued by: DigiCert SHA2 Assured ID Timestamping CA
        Expires:   Tue Jan 07 01:00:00 2025
        SHA1 hash: C636F4DDA87CEE3D8263BF9A2514B4533468D75E

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: DigiCert High Assurance EV Root CA
    Issued by: Microsoft Code Verification Root
    Expires:   Thu Apr 15 20:55:33 2021
    SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143

        Issued to: DigiCert SHA2 High Assurance Code Signing CA
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Oct 22 13:00:00 2028
        SHA1 hash: F7E0F449F1A2594F88856C0758F8E6F627E5F5A2

            Issued to: Wen Jia Liu
            Issued by: DigiCert SHA2 High Assurance Code Signing CA
            Expires:   Wed Jan 04 13:00:00 2017
            SHA1 hash: 190D956129DDE6972D46F46EF98BD86B982E6633

Successfully verified: processhacker-2.39-bin\kprocesshacker.sys

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0

IanM wrote:

Thanks very much Tim. We were aware of the grandfathering issue and I don’t think it applies to the driver in Process Hacker 2.39124.

Why?  It looks to me like the timing is right, and there’s no other good
explanation.

However, in our attempt to double-check that, we have noticed that the driver is cross-signed using a “Microsoft Code Verification Root” certificate (below). This is different to the root of the certificate that we get when we cross-sign (“Microsoft Root Certificate Authority 2010”).

I suspect that’s just an artifact of which cross-certificate you end up
matching. My cert is from DigiCert, and I end up with “Microsoft Code
Verification Root”.

The “Microsoft Code Verification Root” certificate isn’t mentioned here but do you think it’s just that the documentation is out of date?

Isn’t mentioned where?
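
For comparing drivers in the way this thread does, here is an added example (not code from either poster) that parses `signtool verify /v /all /kp` output into one record per signature and reports the leaf signer, the root of the cross-certificate chain, and whether the signature was timestamped before the leaf certificate expired. The function names are illustrative, and the sample is a subset of the output quoted above. signtool does not print a certificate's issue date, so the issue-date condition of the grandfathering rule described in the thread has to be read from the certificate itself and is not evaluated here.

```python
import re
from datetime import datetime

# Constructed subset of the signtool output quoted in the thread.
SAMPLE = """\
Signature Index: 0 (Primary Signature)
Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Expires: Mon Nov 10 01:00:00 2031
        Issued to: Wen Jia Liu
        Issued by: DigiCert High Assurance Code Signing CA-1
        Expires:   Wed Jan 04 13:00:00 2017
The signature is timestamped: Mon Mar 28 19:21:05 2016
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
"""

FMT = "%a %b %d %H:%M:%S %Y"
SECTIONS = {"Signing Certificate Chain:": "signing", "Timestamp Verified by:": "timestamp",
            "Cross Certificate Chain:": "cross"}

def parse_signtool(text):
    """One dict per signature; each chain is listed root first, leaf last."""
    sigs, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Signature Index:"):
            sigs.append({"signing": [], "timestamp": [], "cross": [], "signed_at": None})
            section = None
        elif not sigs:
            continue  # banner lines before the first signature
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif line.startswith("The signature is timestamped:"):
            sigs[-1]["signed_at"] = datetime.strptime(line.split(":", 1)[1].strip(), FMT)
        elif section and (m := re.match(r"(Issued to|Issued by|Expires):\s*(.+)", line)):
            if m[1] == "Issued to":
                sigs[-1][section].append({"subject": m[2]})
            elif sigs[-1][section]:
                value = datetime.strptime(m[2], FMT) if m[1] == "Expires" else m[2]
                sigs[-1][section][-1][m[1]] = value
    return sigs

def summarize(sig):
    leaf, cross = sig["signing"][-1], sig["cross"]
    return (leaf["subject"], cross[0]["subject"] if cross else None,
            sig["signed_at"] is not None and sig["signed_at"] < leaf["Expires"])
```
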