Cross-certificate signing for Windows 10 with secure boot off

I used to sign a driver inside VS 2019 (actually, I call MSBuild via the command line, but the result is the same) using a Code Signing Certificate and a Cross-Certificate.

My signing certificate is about to expire, so I needed to replace it with a new one. I was able to sign the driver using the approach with the Cross-Certificate using VS 2019. I’ve also tried using signtool alone after the compilation and the output indicates that everything is ok.

However, when I install the driver on a machine running Windows 10 Pro 1909 (64 bits), I get the following error in setupapi.dev.log:

---------xxxxxxxxxx---------
!!! dvi: Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.
---------xxxxxxxxxx---------

As far as I have searched about this error, it seems to be related to the driver signature. I’ve read that Windows 10 (64 bits) imposed some constraints on cross-certificate driver signatures. If I understood correctly, these constraints are not applied in case “Secure Boot” is disabled. However, even after disabling “Secure Boot”, the error still occurs. I’ve also looked in Windows Event Viewer - Code Integrity but the logs do not say much more:

---------xxxxxxxxxx---------
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\windows\System32\drivers\MYDRIVER.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
---------xxxxxxxxxx---------

I ran signtool to verify the driver file (using parameters /v and /kp) and got no errors as shown in the following output:

---------xxxxxxxxxx---------
Verifying: C:\windows\System32\drivers\MYDRIVER.sys

Signature Index: 0 (Primary Signature)
Hash of file (sha256): E5483F16BFB05A3E2AFD4552A9BE52AC43889AC81D71B35CCF207F3B5001091C

Signing Certificate Chain:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 09:00:00 2028
SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C

    Issued to: GlobalSign
    Issued by: GlobalSign Root CA
    Expires:   Fri Jan 28 09:00:00 2028
    SHA1 hash: 0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71

        Issued to: GlobalSign Code Signing Root R45
        Issued by: GlobalSign
        Expires:   Sat Mar 17 21:00:00 2029
        SHA1 hash: 4C5D80D2CD06B1A493C49B2E9BED4A57C2F873E5

            Issued to: GlobalSign GCC R45 CodeSigning CA 2020
            Issued by: GlobalSign Code Signing Root R45
            Expires:   Sat Jul 27 21:00:00 2030
            SHA1 hash: 7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32

                Issued to: MYORG
                Issued by: GlobalSign GCC R45 CodeSigning CA 2020
                Expires:   Wed Jul 13 17:08:18 2022
                SHA1 hash: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

The signature is timestamped: Fri Sep 10 16:32:10 2021
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Nov 09 21:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

    Issued to: DigiCert SHA2 Assured ID Timestamping CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Tue Jan 07 09:00:00 2031
    SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

        Issued to: DigiCert Timestamp 2021
        Issued by: DigiCert SHA2 Assured ID Timestamping CA
        Expires:   Sun Jan 05 21:00:00 2031
        SHA1 hash: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 10:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: GlobalSign
    Issued by: Microsoft Code Verification Root
    Expires:   Wed Jun 04 14:47:53 2025
    SHA1 hash: 814A5BB5E9093011E121E75169008F6F4667363D

        Issued to: GlobalSign Code Signing Root R45
        Issued by: GlobalSign
        Expires:   Sat Mar 17 21:00:00 2029
        SHA1 hash: 4C5D80D2CD06B1A493C49B2E9BED4A57C2F873E5

            Issued to: GlobalSign GCC R45 CodeSigning CA 2020
            Issued by: GlobalSign Code Signing Root R45
            Expires:   Sat Jul 27 21:00:00 2030
            SHA1 hash: 7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32

                Issued to: MYORG
                Issued by: GlobalSign GCC R45 CodeSigning CA 2020
                Expires:   Wed Jul 13 17:08:18 2022
                SHA1 hash: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

File has page hashes.

Successfully verified: C:\windows\System32\drivers\MYDRIVER.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
---------xxxxxxxxxx---------

I intend to stop using cross-certificates in the future, but there are some issues with other systems that force me to keep using that approach for a while.

Any tips to solve this issue would be of great interest.

Best Regards,
Lucas

Cross-signing has never worked on recent versions of Windows.

Get your driver attestation signed, and all will be well. You don’t need to run any tests, just upload the driver, check some boxes, and download the signed package.

Peter

Cross-signing has never worked on recent versions of Windows.

What do you mean by “recent” versions? I have just tried to sign a non-PNP driver with cross-signature, loaded a fully updated Win10 21H1 in a VM (VirtualBox, no Secure Boot), and installed the driver. It installed and loaded absolutely fine.

@“Peter_Viscarola_(OSR)” said:
Cross-signing has never worked on recent versions of Windows.

Hmm, I’m pretty sure it works as long as secure boot is off.

I’m pretty sure it works as long as secure boot is off.

That's entirely possible. Thanks for the correction.

Peter

Hi, thanks for the responses.

According to MS documentation, cross-signed drivers are still permitted if ANY of the following are true:

  • The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.
  • Secure Boot is off in the BIOS.
  • The driver was signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.

Secure Boot is off in the BIOS in my tests and it should suffice, as pointed out by @CaptainFlint and @david_mk85 and the documentation. My chain does not meet the above requirements, as pointed out in my original post, and I get an error when installing the driver. I do not believe that the documentation is wrong, but does the chain that you used to cross-sign respect the above constraints?

Is there any other way that allows me to identify why I am getting an error when installing the driver?

I’ve already tried to get some error messages from setupapi.dev.log and Windows Event Viewer - Code Integrity, but as pointed out by signtool the .sys seems to be properly signed. Should I also verify the .cat?

Best Regards
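The three conditions quoted above, plus the open question about the .cat, can be checked from one elevated PowerShell session. The script below is an added example, not code from the thread or from Microsoft; the driver and catalog paths are assumptions, and it only reports what it finds (Secure Boot state, the end-entity certificate's issue date against the 2015-07-29 cut-off, the chain, the catalog's own signature, and the latest Code Integrity events naming the file). It does not decide which side of the documentation argument is right.

```powershell
# Added example (not from the thread). Run as Administrator on the test machine.
# Both paths are assumptions; point them at the real .sys and the .cat shipped with the INF.
param(
    [string]$DriverPath  = 'C:\Windows\System32\drivers\MYDRIVER.sys',   # assumed
    [string]$CatalogPath = 'C:\Path\To\MYDRIVER.cat'                     # assumed
)

# Cut-off quoted from the MS documentation in the post above: end-entity certs
# issued before this date keep working with cross-signing.
$crossSignCutoff = Get-Date '2015-07-29'

function Test-KernelSigningPrereqs {
    param([string]$Sys, [string]$Cat)

    $result = [ordered]@{}

    # 1. Secure Boot state. Throws on legacy-BIOS machines, so report that instead.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = "unavailable: $($_.Exception.Message)" }

    # 2. Embedded Authenticode signature on the .sys.
    #    SignatureType tells you whether PowerShell found it embedded or via a catalog.
    $sig = Get-AuthenticodeSignature -FilePath $Sys
    $result.SysSignatureStatus = "$($sig.Status) ($($sig.SignatureType))"
    $ee = $sig.SignerCertificate
    if ($ee) {
        $result.SignerSubject   = $ee.Subject
        $result.SignerNotBefore = $ee.NotBefore
        # The documented exemption is about the END-ENTITY certificate's issue
        # date, not the cross-certificate or the intermediate CAs.
        $result.IssuedBeforeCutoff = ($ee.NotBefore -lt $crossSignCutoff)

        # Walk the chain so the CA names can be compared with the cross-cert list.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the question here
        [void]$chain.Build($ee)
        $result.Chain = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
    $result.Timestamped = [bool]$sig.TimeStamperCertificate

    # 3. For an INF-installed driver, PnP verifies the file hash through the catalog,
    #    so the .cat must be signed and must list the exact hash of the installed .sys.
    if (Test-Path $Cat) {
        $catSig = Get-AuthenticodeSignature -FilePath $Cat
        $result.CatSignatureStatus = "$($catSig.Status)"
        $result.CatSigner = $catSig.SignerCertificate.Subject
    } else {
        $result.CatSignatureStatus = 'catalog not found at the assumed path'
    }

    # 4. Latest Code Integrity events that mention this file name.
    $leaf = [regex]::Escape((Split-Path $Sys -Leaf))
    $result.RecentCIEvents = Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
                                          -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $leaf } |
        Select-Object -First 5 TimeCreated, Id, Message

    [pscustomobject]$result
}

Test-KernelSigningPrereqs -Sys $DriverPath -Cat $CatalogPath | Format-List

# To have signtool verify the .sys against the catalog the same way PnP does, rather than
# only its embedded signature:
#   signtool verify /v /kp /c MYDRIVER.cat MYDRIVER.sys
```

Two things to read off the output: `IssuedBeforeCutoff` will be `False` for any certificate issued in 2021, which is expected and is why the Secure Boot condition has to carry the load; and a `CatSignatureStatus` other than `Valid`, or a catalog whose listed hash no longer matches the installed binary (for example after a rebuild without re-generating the .cat), produces exactly the "file hash could not be found on the system" Code Integrity message quoted in the original post even when the .sys itself verifies cleanly.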

According to MS documentation

Well, let’s be clear: The documentation can absolutely not be trusted on this topic. How many years has the documentation been saying that Attestation Signing doesn’t work on Windows Server??

Peter