I used to sign a driver inside VS 2019 (actually, I call MSBuild via the command line, but the result is the same) using a Code Signing Certificate and a Cross-Certificate.
My signing certificate is about to expire, so I needed to replace it with a new one. I was able to sign the driver using the cross-certificate approach in VS 2019. I’ve also tried using signtool on its own after the compilation, and the output indicates that everything is OK.
However, when I install the driver on a machine running Windows 10 Pro 1909 (64-bit), I get the following error in setupapi.dev.log:
---------xxxxxxxxxx---------
!!! dvi: Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.
---------xxxxxxxxxx---------
From what I have found about this error, it seems to be related to the driver signature. I’ve read that Windows 10 (64-bit) imposed some constraints on cross-certificate driver signatures. If I understood correctly, these constraints are not applied when “Secure Boot” is disabled. However, even with “Secure Boot” disabled, the error still occurs. I’ve also looked in Windows Event Viewer - Code Integrity, but the logs do not say much more:
---------xxxxxxxxxx---------
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\windows\System32\drivers\MYDRIVER.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
---------xxxxxxxxxx---------
I ran signtool to verify the driver file (using parameters /v and /kp) and got no errors, as shown in the following output:
---------xxxxxxxxxx---------
Verifying: C:\windows\System32\drivers\MYDRIVER.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha256): E5483F16BFB05A3E2AFD4552A9BE52AC43889AC81D71B35CCF207F3B5001091C
Signing Certificate Chain:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 09:00:00 2028
SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C
Issued to: GlobalSign
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 09:00:00 2028
SHA1 hash: 0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71
Issued to: GlobalSign Code Signing Root R45
Issued by: GlobalSign
Expires: Sat Mar 17 21:00:00 2029
SHA1 hash: 4C5D80D2CD06B1A493C49B2E9BED4A57C2F873E5
Issued to: GlobalSign GCC R45 CodeSigning CA 2020
Issued by: GlobalSign Code Signing Root R45
Expires: Sat Jul 27 21:00:00 2030
SHA1 hash: 7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32
Issued to: MYORG
Issued by: GlobalSign GCC R45 CodeSigning CA 2020
Expires: Wed Jul 13 17:08:18 2022
SHA1 hash: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
The signature is timestamped: Fri Sep 10 16:32:10 2021
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Nov 09 21:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert SHA2 Assured ID Timestamping CA
Issued by: DigiCert Assured ID Root CA
Expires: Tue Jan 07 09:00:00 2031
SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
Issued to: DigiCert Timestamp 2021
Issued by: DigiCert SHA2 Assured ID Timestamping CA
Expires: Sun Jan 05 21:00:00 2031
SHA1 hash: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 10:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: GlobalSign
Issued by: Microsoft Code Verification Root
Expires: Wed Jun 04 14:47:53 2025
SHA1 hash: 814A5BB5E9093011E121E75169008F6F4667363D
Issued to: GlobalSign Code Signing Root R45
Issued by: GlobalSign
Expires: Sat Mar 17 21:00:00 2029
SHA1 hash: 4C5D80D2CD06B1A493C49B2E9BED4A57C2F873E5
Issued to: GlobalSign GCC R45 CodeSigning CA 2020
Issued by: GlobalSign Code Signing Root R45
Expires: Sat Jul 27 21:00:00 2030
SHA1 hash: 7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32
Issued to: MYORG
Issued by: GlobalSign GCC R45 CodeSigning CA 2020
Expires: Wed Jul 13 17:08:18 2022
SHA1 hash: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
File has page hashes.
Successfully verified: C:\windows\System32\drivers\MYDRIVER.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
---------xxxxxxxxxx---------
I intend to stop using cross-certificates in the future, but there are some issues with other systems that force me to keep using that approach for a while.
Any tips to solve this issue would be of great interest.
Best Regards,
Lucas