Cross signing with Global Sign certificate for Vista 64

Hello,

We are working on getting a signed version of our USB driver for Vista 64
using a certificate from GlobalSign. However, I have encountered what I
think is a problem with the cross signing.


The PFX used was created by exporting from the local store. We would
prefer to use the PFX format since it will integrate more easily with our
automated build environment.

signtool.exe sign /f COMPANY.pfx /p PASSWORD /d "COMPANY USB Driver"
/du "http://www.COMPANY.com"
/t "http://timestamp.verisign.com/scripts/timestamp.dll" USBDRIVER.sys

Done Adding Additional Store
Successfully signed and timestamped: USBDRIVER.sys


signtool verify /v USBDRIVER.sys

Verifying: USBDRIVER.sys
SHA1 hash of file: CA39295FB7F292F40180FE7A3633D92CD6E07627
SignTool Error: The signing certificate is not valid for the requested usage.
This error sometimes means that you are using the wrong verification policy. Consider using the /pa option.
Signing Certificate Chain:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: 2014/01/28 4:00:00 AM
SHA1 hash: 2F173F7DE99667AFA57AF80AA2D1B12FAC830338

Issued to: GlobalSign Primary Object Publishing CA
Issued by: GlobalSign Root CA
Expires: 2014/01/27 3:00:00 AM
SHA1 hash: 987FD000DCB121517D72453EE5176EB92B1363B9

Issued to: GlobalSign ObjectSign CA
Issued by: GlobalSign Primary Object Publishing CA
Expires: 2014/01/27 2:00:00 AM
SHA1 hash: 4A19146D67BD20843A3A0713587557BF519213CC

Issued to: COMPANY
Issued by: GlobalSign ObjectSign CA
Expires: 2010/02/21 6:44:04 AM
SHA1 hash: F71EFF41AC5CC21DE3F488F68E4CBEDD4A57A5ED

The signature is timestamped: 2007/03/16 3:19:29 PM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 2020/12/31 3:59:59 PM
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 2013/12/03 3:59:59 PM
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer
Issued by: VeriSign Time Stamping Services CA
Expires: 2008/12/03 3:59:59 PM
SHA1 hash: 817E78267300CB0FE5D631357851DB366123A690

SignTool Error: File not valid: USBDRIVER.sys

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1


Using the /pa verify option does not produce a better result.

It looks like I still need to cross-sign with the MS certificate for
GlobalSign which I have downloaded from the MS site (MSCV-GlobalSign.cer).
I read on this list that the /ac option is used for cross-signing, however
that option does not seem to be present in the version of signtool that I
have (5.2.3790.2568 from the 2003 SP2 Platform SDK).

Do I need to use a different method with this version of signtool?
Or should I try to get a different version of signtool?

Thanks

You need to use the version of signtool that comes with the WDK. Some
earlier versions might probably work, but I'm not completely sure from which
version.
Personally, I've successfully used version 6.0.5600.16384, which was the one
shipped with some of the WDK betas; the official one from WDK v6000 is
6.0.600.16386.

Hope it helps
GV

----- Original Message -----
From: “B Z”
To: “Windows System Software Devs Interest List”
Sent: Friday, March 16, 2007 4:58 PM
Subject: [ntdev] Cross signing with Global Sign certificate for Vista 64

Thank you!

Using the signtool from the WDK v6000 worked. For anyone else experiencing the issue, here is how we are invoking signtool:

signtool.exe sign /n "COMPANY" /s "MY" /d "COMPANY USB Driver" /du "http://www.COMPANY.com" /ac MSCV-GlobalSign.cer /u "Code Signing" /t "http://timestamp.verisign.com/scripts/timestamp.dll" USBDRIVER64.sys

I do wish cross signing would work with the /f PFX switch so that it would be more portable among machines, but am glad enough that it is working now.

One last note.

We found that signtool verification with the following command line fails on stock Win2k but does succeed on WinXP. Maybe win2k is missing some certificates? Regardless, be mindful when using win2k for code signing and testing.

signtool verify /kp /v USBDRIVER.sys
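The follow-up above gates on the exit status of signtool verify /kp /v. As an added example (my code, not from the thread or from Microsoft), the Python below parses that verbose report, using the layout quoted in the original post, and flags a signing chain that does not root at the Microsoft Code Verification Root (the root that the MSCV-*.cer cross-certificates chain to; that root name is my assumption, the thread never names it) or that carries no timestamp. SAMPLE_REPORT is condensed from the failing output in the original post.

```python
"""Parse 'signtool verify /v' output and gate a build on the kernel-mode chain.
Added example, not from the ntdev thread; SAMPLE_REPORT is condensed from the original
post (two intermediate CAs omitted) and the expected root name is an assumption."""
EXPECTED_KM_ROOT = "Microsoft Code Verification Root"
SECTIONS = {"Signing Certificate Chain:": "signing", "Timestamp Verified by:": "timestamp"}
SAMPLE_REPORT = """SignTool Error: The signing certificate is not valid for the requested usage.
Signing Certificate Chain:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA

Issued to: COMPANY
Issued by: GlobalSign ObjectSign CA
Expires: 2010/02/21 6:44:04 AM
SHA1 hash: F71EFF41AC5CC21DE3F488F68E4CBEDD4A57A5ED

The signature is timestamped: 2007/03/16 3:19:29 PM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
"""

def parse_report(text):
    """Return errors plus the signing and timestamp chains (root first, as signtool prints them)."""
    report = {"errors": [], "signing": [], "timestamp": [], "timestamped": False}
    chain, cert = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            cert = None                          # a blank line ends a certificate block
        elif line.startswith("SignTool Error:"):
            report["errors"].append(line.split(":", 1)[1].strip())
        elif line in SECTIONS:
            chain = SECTIONS[line]
        elif line.startswith("The signature is timestamped:"):
            report["timestamped"] = True
        elif line.startswith("Issued to:") and chain:
            cert = {"to": line[10:].strip()}
            report[chain].append(cert)
        elif cert and ":" in line:               # Issued by / Expires / SHA1 hash
            key, value = line.split(":", 1)
            cert[key.strip()] = value.strip()
    return report

def check_kernel_mode(report, expected_root=EXPECTED_KM_ROOT):
    """Findings that should fail a build gate; an empty list means the chain is OK."""
    findings = ["signtool error: " + e for e in report["errors"]]
    root = report["signing"][0]["to"] if report["signing"] else "<no chain>"
    if expected_root not in root:
        findings.append("chain roots at '%s', expected '%s'" % (root, expected_root))
    if not report["timestamped"]:
        findings.append("signature is not timestamped; it fails once the cert expires")
    return findings
```

On the failing report from the original post this returns two findings (the signtool error and a chain rooted at GlobalSign Root CA rather than the cross-signing root); the expired-in-2010 leaf is fine only because the signature carries a timestamp.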