Driver signing issue on update

Hi all,

I’m currently facing a strange issue with a signed driver.

I have signed a new version of a WDM driver with a GlobalSign certificate and the previous version was also signed but with another certificate.

If I install the new version, everything is fine and the warning about unknown publisher is removed, so I suppose my driver is properly signed, but if I install the new version to upgrade the previous one, I get the warning “unknown publisher” again.

Is it possible that there is a conflict between the certificate or inf/cat of the new/old version?

Regards

Hmmmm… Has the DriverVer directive changed between the INF of the old and the new drivers? If not, the installer won’t actually pick up the new driver package.

Peter
OSR
@OSRDrivers

Yes, the DriverVer has been properly updated from 1.05.00 to 1.06.00, with
an updated date.

But in the end the new driver is properly installed and replaces the old
one. My concern is about the warning “Windows can’t verify the publisher of
this driver software”, which is displayed on update and not on a clean install.

On Wed, Nov 26, 2014 at 3:02 PM, wrote:

> Hmmmm… Has the DriverVer directive changed between the INF of the old
> and the new drivers? If not, the installer won’t actually pick up the new
> driver package.
>
> Peter
> OSR
> @OSRDrivers
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

xxxxx@gmail.com wrote:

> I’m currently facing a strange issue with a signed driver.
>
> I have signed a new version of a WDM driver with a GlobalSign certificate and the previous version was also signed but with another certificate.
>
> If I install the new version, everything is fine and the warning about unknown publisher is removed, so I suppose my driver is properly signed, but if I install the new version to upgrade the previous one, I get the warning “unknown publisher” again.
>
> Is it possible that there is a conflict between the certificate or inf/cat of the new/old version?

It’s possible that your new certificate needs a different
cross-certificate. Try checking the certificate chain using
signtool verify /v /kp xxxxx.cat
If the chain does not end with the Microsoft Code Verification Root,
then you are not using the correct cross certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for the feedback.

My old and new driver both end with the same Microsoft Code Verification
Root and the whole cross certificate chain is the same except the last one:
mine that has been updated.

On Wed, Nov 26, 2014 at 6:23 PM, Tim Roberts wrote:

> xxxxx@gmail.com wrote:
> > I’m currently facing a strange issue with a signed driver.
> >
> > I have signed a new version of a WDM driver with a GlobalSign
> > certificate and the previous version was also signed but with another
> > certificate.
> >
> > If I install the new version, everything is fine and the warning about
> > unknown publisher is removed, so I suppose my driver is properly signed,
> > but if I install the new version to upgrade the previous one, I get the
> > warning “unknown publisher” again.
> >
> > Is it possible that there is a conflict between the certificate or
> > inf/cat of the new/old version?
>
> It’s possible that your new certificate needs a different
> cross-certificate. Try checking the certificate chain using
> signtool verify /v /kp xxxxx.cat
> If the chain does not end with the Microsoft Code Verification Root,
> then you are not using the correct cross certificate.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

Maybe you need to update the GlobalSign root certificates on the system where you install and test your driver. You can compare the root certificates shown in the certification path of your signed driver with the root certificates installed on your test system.

Christiaan

----- Original Message -----
From: snorky snorky
To: Windows System Software Devs Interest List
Sent: Thursday, November 27, 2014 9:20 AM
Subject: Re: [ntdev] Driver signing issue on update

Thanks for the feedback.

My old and new driver both end with the same Microsoft Code Verification Root and the whole cross certificate chain is the same except the last one: mine that has been updated.

On Wed, Nov 26, 2014 at 6:23 PM, Tim Roberts wrote:

xxxxx@gmail.com wrote:
> I’m currently facing a strange issue with a signed driver.
>
> I have signed a new version of a WDM driver with a GlobalSign certificate and the previous version was also signed but with another certificate.
>
> If I install the new version, everything is fine and the warning about unknown publisher is removed, so I suppose my driver is properly signed, but if I install the new version to upgrade the previous one, I get the warning “unknown publisher” again.
>
> Is it possible that there is a conflict between the certificate or inf/cat of the new/old version?

It’s possible that your new certificate needs a different
cross-certificate. Try checking the certificate chain using
signtool verify /v /kp xxxxx.cat
If the chain does not end with the Microsoft Code Verification Root,
then you are not using the correct cross certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.


They match.

Here is the output of signtool verify:
For the old driver:

Signing Certificate Chain:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 13:00:00 2028
SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C

Issued to: GlobalSign CodeSigning CA - G2
Issued by: GlobalSign Root CA
Expires: Sat Apr 13 11:00:00 2019
SHA1 hash: 9000401777DD2B43393D7B594D2FF4CBA4516B38

Issued to: *******************
Issued by: GlobalSign CodeSigning CA - G2
Expires: Thu May 23 14:05:45 2013
SHA1 hash: 5A54DD907C433D2CBDA9E6555E9C3F61DB2B8534

The signature is timestamped: Fri May 25 13:45:22 2012

Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 00:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 00:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Tue Jan 01 00:59:59 2013
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: GlobalSign Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 21:05:08 2021
SHA1 hash: CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32

Issued to: GlobalSign CodeSigning CA - G2
Issued by: GlobalSign Root CA
Expires: Sat Apr 13 11:00:00 2019
SHA1 hash: 9000401777DD2B43393D7B594D2FF4CBA4516B38

Issued to: ************************
Issued by: GlobalSign CodeSigning CA - G2
Expires: Thu May 23 14:05:45 2013
SHA1 hash: 5A54DD907C433D2CBDA9E6555E9C3F61DB2B8534

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

And here is the new driver:

Signing Certificate Chain:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 13:00:00 2028
SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C

Issued to: GlobalSign CodeSigning CA - G2
Issued by: GlobalSign Root CA
Expires: Sat Apr 13 11:00:00 2019
SHA1 hash: 9000401777DD2B43393D7B594D2FF4CBA4516B38

Issued to: ****************************
Issued by: GlobalSign CodeSigning CA - G2
Expires: Sat Jun 27 09:26:31 2015
SHA1 hash: 8825191A402F5501DFD47EFC99649039F7238D68

The signature is timestamped: Fri Nov 14 11:41:12 2014

Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 00:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 00:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 00:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: GlobalSign Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 21:05:08 2021
SHA1 hash: CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32

Issued to: GlobalSign CodeSigning CA - G2
Issued by: GlobalSign Root CA
Expires: Sat Apr 13 11:00:00 2019
SHA1 hash: 9000401777DD2B43393D7B594D2FF4CBA4516B38

Issued to: ***************************
Issued by: GlobalSign CodeSigning CA - G2
Expires: Sat Jun 27 09:26:31 2015
SHA1 hash: 8825191A402F5501DFD47EFC99649039F7238D68

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

The only strange point I see is that “GlobalSign Root CA” is not the same
in Signing Certificate and in Cross Certificate, but it is the same for old
or new driver.

On Thu, Nov 27, 2014 at 10:44 AM, Christiaan Ghijselinck <
xxxxx@compaqnet.be> wrote:

> Maybe you need to update the GlobalSign root certificates on the system
> where you install and test your driver. You can compare the root
> certificates shown in the certification path of your signed driver with the
> root certificates installed on your test system.
>
> Christiaan
>
> ----- Original Message -----
> From: snorky snorky
> To: Windows System Software Devs Interest List
> Sent: Thursday, November 27, 2014 9:20 AM
> Subject: Re: [ntdev] Driver signing issue on update
>
> Thanks for the feedback.
>
> My old and new driver both end with the same Microsoft Code Verification
> Root and the whole cross certificate chain is the same except the last one:
> mine that has been updated.
>
> On Wed, Nov 26, 2014 at 6:23 PM, Tim Roberts wrote:
>
>> xxxxx@gmail.com wrote:
>> > I’m currently facing a strange issue with a signed driver.
>> >
>> > I have signed a new version of a WDM driver with a GlobalSign
>> > certificate and the previous version was also signed but with another
>> > certificate.
>> >
>> > If I install the new version, everything is fine and the warning about
>> > unknown publisher is removed, so I suppose my driver is properly signed,
>> > but if I install the new version to upgrade the previous one, I get the
>> > warning “unknown publisher” again.
>> >
>> > Is it possible that there is a conflict between the certificate or
>> > inf/cat of the new/old version?
>>
>> It’s possible that your new certificate needs a different
>> cross-certificate. Try checking the certificate chain using
>> signtool verify /v /kp xxxxx.cat
>> If the chain does not end with the Microsoft Code Verification Root,
>> then you are not using the correct cross certificate.
>>
>> –
>> Tim Roberts, xxxxx@probo.com
>> Providenza & Boekelheide, Inc.
>
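
The side-by-side comparison of the two `signtool verify /v /kp` dumps in the message above can be done mechanically. This is an added example, not code from the thread: it parses the verbose output into per-section certificate lists, reports the positions where two packages differ, and checks that the cross chain starts at the Microsoft Code Verification Root. The function names and the trimmed `OLD`/`NEW` samples are constructed for illustration; the SHA1 values are the ones quoted in the thread.

```python
import re
from itertools import zip_longest

KP_ROOT = "Microsoft Code Verification Root"
SECTIONS = ("Signing Certificate Chain", "Timestamp Verified by", "Cross Certificate Chain")
FIELD = re.compile(r"^\s*(Issued to|Issued by|Expires|SHA1 hash):\s*(.+?)\s*$")

def parse_chains(text):
    """Map each section of `signtool verify /v` output to its list of certificates."""
    chains, current = {}, None
    for line in text.splitlines():
        name, m = line.strip().rstrip(":"), FIELD.match(line)
        if name in SECTIONS:
            current = chains.setdefault(name, [])
        elif m and current is not None:
            if m.group(1) == "Issued to" or not current:   # a new certificate block
                current.append({})
            current[-1][m.group(1)] = m.group(2)
    return chains

def changed_certs(old_text, new_text):
    """(section, position, old hash, new hash) wherever the two outputs disagree."""
    old, new, out = parse_chains(old_text), parse_chains(new_text), []
    for section in SECTIONS:
        pairs = zip_longest(old.get(section, []), new.get(section, []), fillvalue={})
        for i, (a, b) in enumerate(pairs):
            if a.get("SHA1 hash") != b.get("SHA1 hash"):
                out.append((section, i, a.get("SHA1 hash"), b.get("SHA1 hash")))
    return out

def rooted_at_kp_root(text):
    """True when the cross chain starts at the self-signed Microsoft Code Verification Root."""
    cross = parse_chains(text).get("Cross Certificate Chain", [])
    return bool(cross) and cross[0].get("Issued to") == cross[0].get("Issued by") == KP_ROOT

def render(chains):  # lays constructed (subject, issuer, sha1) tuples out in signtool's format
    return "".join(f"{sec}:\n" + "".join(
        f"    Issued to: {s}\n    Issued by: {i}\n    SHA1 hash: {h}\n\n" for s, i, h in certs)
        for sec, certs in chains.items())

def sample(leaf):  # constructed and trimmed sample; hashes are the ones quoted in the thread
    ca = ("GlobalSign CodeSigning CA - G2", "GlobalSign Root CA", "9000401777DD2B43393D7B594D2FF4CBA4516B38")
    pub = ("(masked publisher)", "GlobalSign CodeSigning CA - G2", leaf)
    return render({
        "Signing Certificate Chain": [("GlobalSign Root CA", "GlobalSign Root CA", "B1BC968BD4F49D622AA89A81F2150152A41D829C"), ca, pub],
        "Cross Certificate Chain": [(KP_ROOT, KP_ROOT, "8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3"),
            ("GlobalSign Root CA", KP_ROOT, "CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32"), ca, pub]})

OLD, NEW = sample("5A54DD907C433D2CBDA9E6555E9C3F61DB2B8534"), sample("8825191A402F5501DFD47EFC99649039F7238D68")
```

On a real system, pass the captured text of `signtool verify /v /kp` for each package's catalog to `changed_certs` and `rooted_at_kp_root`.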

Finally found where the problem is!
My installer is not properly overwriting the previous files. As a result, I have tried to install a broken package …
After installer correction, everything is properly working without any warning popup.

Thanks for your help!

If you use DPINST or its related api tools to install your driver you also
get, for free, an uninstall entry in the registry that you can run from
your installer on upgrade to uninstall an existing instance before
installing a new instance.

Mark Roddy

On Tue, Dec 2, 2014 at 8:51 AM, wrote:

> Finally found where the problem is!
> My installer is not properly overwriting the previous files. As a result,
> I have tried to install a broken package …
> After installer correction, everything is properly working without any
> warning popup.
>
> Thanks for your help!