Windows 7 Certificate Requirements for Kernel Code

Having renewed an EV code signing certificate, the new certificate no longer works for Windows 7 kernel driver signing. The new certificate has been accepted for Windows 10 attestation signing. The old certificate, from the same supplier, worked for both Windows 7 and the Windows 10 attestation signing portal.

The only relevant change appears to be in the distinguished name, which lacks a stateOrProvinceName attribute in the new certificate, as well as the less important postalCode and street attributes. The old, working certificate contained the name of the UK county in the stateOrProvinceName attribute.

Is the distinguished name stateOrProvinceName (ST/SP/S) attribute required for Windows 7 kernel driver signing?

Best regards

Chris Read

The kernel doesn’t examine your certificate at all, except perhaps for the expiration date. It just looks for the Microsoft Code Verification Root at the end of your cross-signing chain.

Is it possible that your new EV cert needs a different cross certificate? If you do “signtool verify -v -kp” on your package, do you actually see the Microsoft Code Verification Root?

In addition to what Tim Roberts said:

You should run the signtool as mentioned on a computer that has no additional certificates installed.

Some time ago I had a problem that a kernel driver was not loaded on customer machines, but on my development machine everything was fine, and the signtool command reported that the signature was good and valid.

The problem was that a cross certificate had not been used for signing, and thus was missing in the chain of certificates attached to the kernel driver.

However, the missing cert was available in the cert store of my Windows machine, so signtool found it there and said that everything was OK, even though it actually was not.

This is a good point. The criterion is not “does signtool verify pass?”; the criterion needs to be very specific: “does signtool verify -kp -v show the Microsoft Code Verification Root at the root of a chain?”

Here is a valid signed file that will not be accepted as a kernel driver:

C:\tmp>signtool verify -v -kp Sample.sys

Verifying: Sample.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): B114D2810B90FB5C7984C890016B41C7A2AE081F

Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert EV Code Signing CA (SHA2)
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Apr 18 05:00:00 2027
        SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3

            Issued to: Providenza & Boekelheide, Inc.
            Issued by: DigiCert EV Code Signing CA (SHA2)
            Expires:   Fri Sep 01 05:00:00 2017
            SHA1 hash: D44E6DD817081ECC8F5F34EADF2FFF0ABA865E84

The signature is timestamped: Wed Sep 02 12:14:49 2015
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Nov 09 17:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Mon Oct 21 17:00:00 2024
            SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

Here is a driver signed and cross-signed:

C:\Dev\Sample\driver>signtool verify -kp -v Release64\Sample.sys

Verifying: Release64\Sample.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): F98B41B8ED05D7BD830DB8B56E19C8B112E77F19

Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert EV Code Signing CA (SHA2)
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Apr 18 05:00:00 2027
        SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3

            Issued to: Providenza & Boekelheide, Inc.
            Issued by: DigiCert EV Code Signing CA (SHA2)
            Expires:   Fri Sep 20 05:00:00 2019
            SHA1 hash: BA6F8BBD05D3B8F1FA982A52E17854789F9B0786

The signature is timestamped: Thu May 31 11:11:14 2018
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 16:59:59 2020
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Wed Dec 30 16:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Tue Dec 29 16:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 06:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 12:55:33 2021
        SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143

            Issued to: DigiCert EV Code Signing CA (SHA2)
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 05:00:00 2027
            SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3

                Issued to: Providenza & Boekelheide, Inc.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                Expires:   Fri Sep 20 05:00:00 2019
                SHA1 hash: BA6F8BBD05D3B8F1FA982A52E17854789F9B0786

File has page hashes.

Successfully verified: Release64\Sample.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
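The criterion above (a Cross Certificate Chain rooted at the Microsoft Code Verification Root, not merely "Successfully verified") can be checked mechanically. This is an added example, not code from the thread or from Microsoft; it parses `signtool verify -kp -v` output and the sample transcripts embedded in it are abridged from the two posted above.

```python
"""Check `signtool verify -kp -v` output for what the Windows 7 kernel loader
actually requires: a Cross Certificate Chain whose self-issued root is the
Microsoft Code Verification Root. Added example; samples abridged from the thread."""
import re

MS_ROOT = "Microsoft Code Verification Root"
SECTION_RE = re.compile(r"^(Signing Certificate Chain|Timestamp Verified by|Cross Certificate Chain):")
FIELD_RE = re.compile(r"^\s*Issued (to|by):\s*(.+?)\s*$")

def parse_chains(output):
    """Return {section: [(issued_to, issued_by), ...]}; signtool prints root first."""
    chains, current, pending_to = {}, None, None
    for line in output.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            chains[current] = []
        elif (f := FIELD_RE.match(line)) and current is not None:
            if f.group(1) == "to":
                pending_to = f.group(2)
            elif pending_to is not None:
                chains[current].append((pending_to, f.group(2)))
                pending_to = None
    return chains

def kernel_loadable(output):
    """True only when a cross chain is present and its root is self-issued MS_ROOT.
    Note: signtool completes chains from the local cert store, so a cross cert that
    is missing from the file can still appear here; run signtool on a clean machine."""
    cross = parse_chains(output).get("Cross Certificate Chain", [])
    if not cross:
        return False, "no Cross Certificate Chain: valid signature, but not cross-signed"
    root_to, root_by = cross[0]
    if root_to != root_by or root_to != MS_ROOT:
        return False, f"cross chain root is {root_to!r} issued by {root_by!r}; need self-issued {MS_ROOT!r}"
    return True, f"cross chain roots at {MS_ROOT!r}"

# Abridged from the thread's first transcript: signed, but no cross chain.
NOT_CROSS_SIGNED = """Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
        Issued to: DigiCert EV Code Signing CA (SHA2)
        Issued by: DigiCert High Assurance EV Root CA
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
"""
# Abridged from the second transcript: cross-signed via the Microsoft root.
CROSS_SIGNED = NOT_CROSS_SIGNED.split("SignTool")[0] + """Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
Successfully verified: Release64\\Sample.sys
"""
```

In practice pipe the real output in (`signtool verify -kp -v driver.sys > out.txt`) and call `kernel_loadable(open("out.txt").read())`; the first sample returns `(False, ...)` and the second `(True, ...)`.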

You are correct. The new DigiCert EV certificate does not chain back to Microsoft Code Verification Root. Hopefully, DigiCert will still sign an EV certificate which does…

The ST attribute was a red herring.

Many thanks for all the help.

Chris Read

Well, the key is that you need to find a new cross certificate. Here’s Microsoft’s list:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
but you may be able to find it on DigiCert’s web site as well.