Cab Signature validation failed with error: 0x80090008

Hi,
Our attestation signing has been in place and working for quite a while without any modifications. Yesterday Microsoft's attestation server responded with
Cab Signature validation failed with error: 0x80090008
on a cab submission. The cab was successfully created and signed however:

Cabinet Maker - Lossless Data Compression Tool

PASS 1: Checking directive file(s)

1: .OPTION EXPLICIT
2: .Set CabinetFileCountThreshold=0
==> Setting variable CabinetFileCountThreshold to ‘0’
3: .Set FolderFileCountThreshold=0
==> Setting variable FolderFileCountThreshold to ‘0’
4: .Set FolderSizeThreshold=0
==> Setting variable FolderSizeThreshold to ‘0’
5: .Set MaxCabinetSize=0
==> Setting variable MaxCabinetSize to ‘0’
6: .Set MaxDiskFileCount=0
==> Setting variable MaxDiskFileCount to ‘0’
7: .Set MaxDiskSize=0
==> Setting variable MaxDiskSize to ‘0’
8: .Set CompressionType=MSZIP
==> Setting variable CompressionType to ‘MSZIP’
9: .Set Cabinet=on
==> Setting variable Cabinet to ‘on’
10: .Set Compress=on
==> Setting variable Compress to ‘on’
11: .Set CabinetNameTemplate=MyDriver.cab
==> Setting variable CabinetNameTemplate to ‘MyDriver.cab’
12: .Set DestinationDir=MyDriver
==> Setting variable DestinationDir to ‘MyDriver’
13: “MyDriver.inf”
==> FileSpec src=MyDriver.inf dst=
CopyCommand: MyDriver.inf to MyDriver\MyDriver.inf
14: “MyDriver.sys”
==> FileSpec src=MyDriver.sys dst=
CopyCommand: MyDriver.sys to MyDriver\MyDriver.sys
15: “MyDriver.cat”
==> FileSpec src=MyDriver.cat dst=
CopyCommand: MyDriver.cat to MyDriver\MyDriver.cat
16: “MyDriver.pdb”
==> FileSpec src=MyDriver.pdb dst=
CopyCommand: MyDriver.pdb to MyDriver\MyDriver.pdb
PASS 2: Processing directive file(s)

1: .OPTION EXPLICIT
2: .Set CabinetFileCountThreshold=0
==> Setting variable CabinetFileCountThreshold to ‘0’
3: .Set FolderFileCountThreshold=0
==> Setting variable FolderFileCountThreshold to ‘0’
4: .Set FolderSizeThreshold=0
==> Setting variable FolderSizeThreshold to ‘0’
5: .Set MaxCabinetSize=0
==> Setting variable MaxCabinetSize to ‘0’
6: .Set MaxDiskFileCount=0
==> Setting variable MaxDiskFileCount to ‘0’
7: .Set MaxDiskSize=0
==> Setting variable MaxDiskSize to ‘0’
8: .Set CompressionType=MSZIP
==> Setting variable CompressionType to ‘MSZIP’
9: .Set Cabinet=on
==> Setting variable Cabinet to ‘on’
10: .Set Compress=on
==> Setting variable Compress to ‘on’
11: .Set CabinetNameTemplate=MyDriver.cab
==> Setting variable CabinetNameTemplate to ‘MyDriver.cab’
12: .Set DestinationDir=MyDriver
==> Setting variable DestinationDir to ‘MyDriver’
13: “MyDriver.inf”
==> FileSpec src=MyDriver.inf dst=
0.00% - raw=0 compressed=0
14: “MyDriver.sys”
==> FileSpec src=MyDriver.sys dst=
32.49% - raw=458,752 compressed=78,885
15: “MyDriver.cat”
==> FileSpec src=MyDriver.cat dst=
32.49% - raw=458,752 compressed=78,885
16: “MyDriver.pdb”
==> FileSpec src=MyDriver.pdb dst=
100.00% - raw=1,411,826 compressed=328,406
99.82% [flushing current folder]
** MyDriver\MyDriver.inf placed in cabinet MyDriver.cab(1) on disk Disk 1
** MyDriver\MyDriver.sys placed in cabinet MyDriver.cab(1) on disk Disk 1
** MyDriver\MyDriver.cat placed in cabinet MyDriver.cab(1) on disk Disk 1
** MyDriver\MyDriver.pdb placed in cabinet MyDriver.cab(1) on disk Disk 1
100.00% [flushing current folder]
Total files: 4
Bytes before: 1,411,826
Bytes after: 328,406
After/Before: 23.26% compression
Time: 0.26 seconds ( 0 hr 0 min 0.26 sec)
Throughput: 5202.78 Kb/second
Done Adding Additional Store
Successfully signed: C:\Jenkins\workspace\MyCompany\MyDriver-Windows\BuildSystem..\build\Cab\x64\Release\disk1\MyDriver.cab

However the submission fails:

Attestation Submission

Create Product
* Create JSON
* Submit
* PID: 13516439312521993
Create Submission
* Create JSON
* Submit
* SID: 1152921505693904224
Upload File
SurfaceDevCenterManager v1.0.0.1
Upload Option
Fetch Submission Info
initialPackage Url: https://ingestionpackagesprod1.blob.core.windows.net/ingestion/8dd9b14c-b526-418d-b28c-7473bc191452?sv=2018-03-28&sr=b&sig=ddZCqSNDym%2FCW1oSqlBHFVs%2Blmj4wDUZbp8U1Z4fb80%3D&se=2021-09-15T08:47:08Z&sp=rwl&rscd=attachment%3B filename%3Dinitial_1152921505693904224.cab
Uploading Submission Package
0% 0% 0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 10% 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 21% 21% 22% 23% 24% 25% 26% 27% 28% 29% 30% 31% 32% 32% 33% 34% 35% 36% 37% 38% 39% 40% 41% 42% 42% 43% 44% 45% 46% 47% 48% 49% 50% 51% 52% 53% 53% 54% 55% 56% 57% 58% 59% 60% 61% 62% 63% 64% 64% 65% 66% 67% 68% 69% 70% 71% 72% 73% 74% 75% 75% 76% 77% 78% 79% 80% 81% 82% 83% 84% 85% 85% 86% 87% 88% 89% 90% 91% 92% 93% 94% 95% 96% 96% 97% 98% 99%100%100%
Correlation Id: dd921df9-979a-4701-874f-4db46492a002
Return: 0 (SUCCESS)
Commit Submission
SurfaceDevCenterManager v1.0.0.1
Commit Option
Sending Commit
Commit OK
Correlation Id: 2d3da553-e551-42f4-88a2-6b633b747eec
Return: 0 (SUCCESS)
Wait for Submission to complete
* Dev Center URL: https://developer.microsoft.com/en-us/dashboard/hardware/driver/13516439312521993
* PID: 13516439312521993
* SID: 1152921505693904224
SurfaceDevCenterManager v1.0.0.1
Wait Option
Step: packageInfoValidation
State: notStarted
Step: preparation
State: failed
Error Report:
Cab Signature validation failed with error: 0x80090008

The XML pointed to by the initialPackage Url reads

AuthenticationFailed Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:450d03e8-c01e-004e-6270-a96e4b000000 Time:2021-09-14T13:57:05.3472930Z Signature did not match. String to sign used was rwl 2021-09-15T13:52:24Z /blob/ingestionpackagesprod1/ingestion/1d2089e7-f8fd-4036-aebd-e2020fb57fc6 2018-03-28 attachment;

Any hints or ideas what could have gone wrong are highly appreciated!
Thanks,
Hagen

The only thing I can add is that 0x80090008 is NTE_BAD_ALGID – Invalid algorithm specified. Is this a new certificate, or is it the same old certificate?

Hi Hagen,
I am getting the same response. I have raised a ticket and contacted our account manager at Microsoft regarding this. I will keep you posted about any updates.

Ok I have a solution. Actually, Tim is right. It turned out the problem is with the signing options in signtool.exe.
Till yesterday my sign tool parameters were: /a /tr http://timestampprovider /td sha256 … etc
But as of today Microsoft wants us to add: /a /fd sha256 /tr http://timestampprovider /td sha256 … etc
So this “/fd sha256” made it work.
I have just successfully signed a driver.
Hope this helps.
Cheers.
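
A pre-submission check for the digest option described in the post above, as an added example that is not part of the original thread. It assumes signtool.exe is on PATH and relies on the "Hash of file (<algorithm>)" line that signtool verify /v prints; the $CabPath parameter and the Get-FileDigestAlgorithm helper are hypothetical names.

```powershell
# Added example: fail the build before upload if the .cab was not signed
# with a SHA-256 file digest (the /fd sha256 option discussed above).
# Assumption: signtool.exe is on PATH; $CabPath is a hypothetical parameter.
param(
    [Parameter(Mandatory)] [string] $CabPath
)

function Get-FileDigestAlgorithm {
    # Returns the digest algorithm of the primary signature, taken from the
    # "Hash of file (sha256): <hex>" line of "signtool verify /v" output,
    # or $null when no such line is present.
    param([string[]] $VerifyOutput)
    foreach ($line in $VerifyOutput) {
        if ($line -match '^\s*Hash of file \((?<alg>[^)]+)\)') {
            return $Matches['alg'].ToLowerInvariant()
        }
    }
    return $null
}

# /pa applies the default Authenticode verification policy, /v prints details.
$output = & signtool.exe verify /pa /v $CabPath 2>&1 | ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) {
    Write-Error "signtool could not verify the signature on $CabPath"
    exit 1
}

$alg = Get-FileDigestAlgorithm -VerifyOutput $output
if ($alg -ne 'sha256') {
    Write-Error "File digest is '$alg'; re-sign with /fd sha256 before submitting."
    exit 1
}

Write-Host "$CabPath carries a sha256 file digest."
```

Running this as a build step between signing and upload turns a dashboard-side 0x80090008 rejection into a local build failure.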

Thanks, Tim, dakata,
for your hints! And yes, the problem also resided on our side. My problem was that the .cab was signed with a non-EV certificate; when switching to the correct one, it’s accepted again. The strange thing here is that it actually was accepted at all until now…!

Thanks for your help!
Cheers,
Hagen.

In the past, you could use a non-EV certificate to sign your dashboard submissions, as long as the non-EV certificate had been registered with the account. I’ve seen posts that say they were eliminating this option, but I didn’t think it had happened already.

According to this, you still should be able to do it.

Thanks, then maybe it’s now accepted because of also removing the remains of the previous kernel signing, including cross certificate and time stamping.
So that means the non-EV signature would still be accepted, maybe the “issued to” would need to match? In that case the dongle wouldn’t be needed on the build machine, or?

Well, I don’t know the exact list of requirements. The certificate itself must be added to the dashboard account, that’s for sure. If that certificate is not EV, then an EV one must also be added (not necessarily used), and it must not be expired on the day you send the submission (of course, the same applies to the certificate you signed the cab with). Using the SHA-2 algorithm for signing seems to be mandatory, as @dakata pointed out. Also, some people here reported that the dashboard failed to accept SHA-384 certificates, no matter what algorithm is used for signing; some details can be found here.

Apart from that, I’m not aware of any restrictions. (Which, of course, does not mean that there are none…)

Great, thanks for your comments!

So that means the non-EV signature would still be accepted, maybe the “issued to” would need to match?

They don’t check the data in the certificate. The certificate just has to be registered with the account. They assume that if you can log in, then you have the legal authority to add new certificates. That’s in one of the documents you sign when you set up a dashboard account.

Great, thanks for your comments!
Now, after continuing to sign, all of a sudden Microsoft's SurfaceDevCenterManager fails with an unhandled bad request exception (requestInvalidForCurrentState) at submission for attestation signing.

SurfaceDevCenterManager v1.0.0.1

Commit Option
Sending Commit
ERROR (DevCenterErrorDetails)
Code: requestInvalidForCurrentState
HttpCode:
Message: Bad request
Correlation Id: 22a44af3-cfdb-4295-89ee-1d918a7de594
Correlation Id: 22a44af3-cfdb-4295-89ee-1d918a7de594
Return: -16 (COMMIT_API_FAILED)
Wait for Submission to complete
* Dev Center URL: https://developer.microsoft.com/en-us/dashboard/hardware/driver/13785258987806821
* PID: 13785258987806821
* SID: 1152921505693962903
SurfaceDevCenterManager v1.0.0.1
Wait Option
Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object.
at SurfaceDevCenterManager.Program.d__6.MoveNext() in C:\Jenkins\workspace\MyCompany\MyDriver-Windows\SDCM\SurfaceDevCenterManager\Program.cs:line 658
— End of stack trace from previous location where exception was thrown —
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at SurfaceDevCenterManager.Program.Main(String args) in C:\Jenkins\workspace\MyCompany\MyDriver-Windows\SDCM\SurfaceDevCenterManager\Program.cs:line 60
Last Command:
ERROR (DevCenterErrorDetails)
Code:
HttpCode:
Message:
Correlation Id: dcf56053-97dd-427b-9db9-5f335005993d
Request Id: 532a23f1-aed0-4de9-888c-a19a95fee300
Method: GET
Url: https://manage.devcenter.microsoft.com/v2.0/my/hardware/products/13785258987806821/submissions/1152921505693962903
Content: {}
Correlation Id: dcf56053-97dd-427b-9db9-5f335005993d
Return: -2 (UNHANDLED_EXCEPTION)
Download File
SurfaceDevCenterManager v1.0.0.1
Download Option C:\Jenkins\workspace\MyCompany\MyDriver-Windows\BuildSystem..\build\Cab\x64\Release\disk1\MyDriver.cab.signed.zip
Fetch Submission Info
Correlation Id: 71b78c31-fb1c-47e6-83bc-fc7e3c400aed
Return: 0 (SUCCESS)
Done

Any hints or ideas what could have caused this are very welcome,
Thanks,
Hagen.