error code 52 for one signed driver

Hi,

I have a strange problem. I’ve recently written a WDM driver. It depends
on one kernel DLL. I can successfully install the unsigned driver in test
mode on Windows 7 64-bit.
Finally, I signed the driver. However, installing the signed driver I got
error code 52, which says Windows cannot verify the digital signature
for the driver.

How can it be possible? How can I resolve this issue?

I would very much appreciate your helpful comments.

Almost certainly mistake number 1, but I digress.

Well, let’s see… you either didn’t sign it correctly, you signed it with the wrong sort of certificate, or you signed the driver but not the driver install package.

Perhaps you can provide us info about what you signed, what you signed it with and how you signed it… what command you used or if you did it from within the Win8+ IDE. The output of signtool verifying the signature would help.

Peter
OSR
@OSRDrivers

Thanks for your attention.

I only signed the driver and the sort of certificate is correct. What do
you mean by signing the driver install package? One company signed the
driver for me.

On Sun, Nov 16, 2014 at 6:00 PM, wrote:


I created the .cat file with inf2cat.exe (the package contains the unsigned
driver and the .inf file). Is it correct?

On Mon, Nov 17, 2014 at 2:38 PM, elahe shekuhi wrote:


Yes… now you must sign the CAT file.

Peter
OSR
@OSRDrivers

Yes, I signed it with signtool. Installing the driver I got error code
52. It is very strange.

On Mon, Nov 17, 2014 at 5:29 PM, wrote:


> I created the .cat file with inf2cat.exe (the package contains the unsigned driver and the .inf file). Is it correct?

Yes


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

You must sign the driver first, then create the *.cat file from the *.inf referring to the signed driver, then sign the *.cat file.

Christiaan


elahe shekuhi wrote:

> Yes, I signed it with signtool.

HOW did you sign it? Please show us the exact command. You also might
try “signtool verify /kp /v”, and make sure that the chain ends at the
Microsoft Code Verification Root. If not, then it isn’t properly signed.

Remember that you must use a Class 3 Code-Signing Certificate (there are
many types of certificates that won’t work for KMCS), and you must use
the /ac parameter to specify the correct “cross certificate” for the
certificate authority that issued your certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Christiaan Ghijselinck wrote:

> You must sign the driver first, then create the *.cat file from the
> *.inf referring to the signed driver, then sign the *.cat file.

Well, if you always install using a CAT file, then it’s not necessary to
sign the SYS file at all. The kernel will find the CAT file and use it
instead.

In my case, I like to copy replacement binaries in by hand without going
through the full install process. When I do that, the CAT file is
invalidated, so the checksums don’t match. Because of that, I do
exactly as you say: sign the SYS, build the CAT, then sign the CAT.

Turning this upside down, until Windows 8, you don’t actually have to
sign the CAT file. The CAT file signature was only used for the
install-time warning, which you could override. Signing the SYS alone
was enough to get the driver loaded. This has changed in Windows 8.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim Roberts wrote:

> Well, if you always install using a CAT file, then it’s not necessary to sign the SYS file at all. The kernel will find the CAT file and use it instead.

Do you mean that, for example, 64 bit Windows 7 will load THAT *.sys driver file at boot time? I was always persuaded that the driver had to be signed.

> In my case, I like to copy replacement binaries in by hand without going through the full install process.

I am practising this myself. I think that Microsoft “trusts” that the driver belongs to the original package (to shorten boot time), although there is a way back to the *inf via the ClassID in the \Enum or Enum\Root registry hives.

Regards,

Christiaan

----- Original Message -----
From: Tim Roberts
To: Windows System Software Devs Interest List
Sent: Monday, November 17, 2014 6:57 PM
Subject: Re: [ntdev] error code 52 for one signed driver


Thanks for the attention and useful comments.

Tim, I tried “signtool verify /kp /v *.cat”, and found that the chain
doesn’t end at the Microsoft Code Verification Root. Then the .cat file
wasn’t signed correctly, was it?

On Mon, Nov 17, 2014 at 10:33 PM, Christiaan Ghijselinck <
xxxxx@compaqnet.be> wrote:


Dear Tim,

When should I use the /ac parameter? For signing the .cat file? Is just the
/as parameter enough? Thanks for the very useful comments.

On Mon, Nov 17, 2014 at 11:01 PM, elahe shekuhi wrote:


> When should I use the /ac parameter?

Did you read the necessary documents about Microsoft kernel-mode code signing? I think the best thing you can do is post your full signtool command line here …

Christiaan

----- Original Message -----
From: elahe shekuhi
To: Windows System Software Devs Interest List
Sent: Monday, November 17, 2014 8:39 PM
Subject: Re: [ntdev] error code 52 for one signed driver


Christiaan Ghijselinck wrote:

>> Well, if you always install using a CAT file, then it’s not
>> necessary to sign the SYS file at all. The kernel will find the CAT
>> file and use it instead.
>
> Do you mean that, for example, 64 bit Windows 7 will load THAT
> *.sys driver file at boot time? I was always persuaded that the
> driver had to be signed.

When the kernel loads a driver, it has an entry in the registry that
points to the original driver package in the driver store. If the
driver being loaded matches the one in the CAT file, and the CAT file is
signed, then the driver need not be signed. If the SYS file has been
changed, then the CAT file is invalid, so the signature must come from
the SYS.

>> In my case, I like to copy replacement binaries in by hand without
>> going through the full install process.
>
> I am practising this myself. I think that Microsoft “trusts” that
> the driver belongs to the original package (to shorten boot time),
> although there is a way back to the *inf via the ClassID in the
> \Enum or Enum\Root registry hives.

No, there’s no trust. Once you replace the SYS file, the chain back to
the driver store is broken. The SYS file stands alone and must be signed.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

elahe shekuhi wrote:

> When should I use the /ac parameter? For signing the .cat file? Is just
> the /as parameter enough?

I don’t know what /as is.

In the user-mode world, when you load a signed package, the system can
use the Internet to go validate that the certificate was issued by a
legitimate certificate authority. So, you can have certificates issued
by many vendors.

In the kernel world, we can’t take the time to do that. Instead of
having a very long list of certificate authorities, the kernel trusts
exactly one: the Microsoft Code Signing Root. If you have certificate
issued by Joe Blow’s Authority, then Joe Blow is asserting that you are
who you say you are, but the kernel doesn’t know Joe Blow. So,
Microsoft issues “cross-certificates” for each of the major certificate
authorities that are issued by the Microsoft Code Signing Root. With
that, there is a complete chain. You are trusted by Joe Blow’s
authority, Joe Blow’s authority is trusted by the Microsoft Code Signing
Root, and the MCSR is trusted by the kernel.

So, when you sign a driver, you must also include the cross-certificate
that links to the root. The 8.1 WDK includes cross certificates for all
of the major vendors, and if you use the vcxproj method of signing, it
will figure out which one you need. You can see their set in \Program
Files (x86)\Windows Kits\8.1\CrossCertificates.

But if you are issuing the “signtool” command on your own, then you must
find the cross certificate you need. You might find yours in the WDK,
otherwise you’ll need to download it from Microsoft
(http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx), or
from the vendor.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
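The sequence Christiaan gives above (sign the SYS, build the CAT with inf2cat, sign the CAT) combined with Tim’s /ac cross-certificate and “signtool verify /kp /v” advice, as an added PowerShell example; it is not code from the thread, it assumes signtool.exe and inf2cat.exe (both in the WDK) are on PATH and that driver.inf names driver.cat in its CatalogFile= entry, and the package path, certificate thumbprint, cross-certificate file and timestamp URL are placeholders you replace with your own.

```powershell
# Added example, not code from the thread. Every value marked "placeholder"
# below must be replaced; the cross-certificate must be the one Microsoft
# issued for YOUR certificate authority (see the WDK CrossCertificates folder).
param(
    [string]$PackageDir     = 'C:\drv\package',                                   # placeholder
    [string]$CertThumbprint = '0000000000000000000000000000000000000000',         # placeholder SHA-1 of your cert
    [string]$CrossCert      = 'C:\Program Files (x86)\Windows Kits\8.1\CrossCertificates\YOUR-CA.cer', # placeholder
    [string]$TimestampUrl   = 'http://timestamp.example.invalid'                  # placeholder timestamp server
)

$sys = Join-Path $PackageDir 'driver.sys'
$cat = Join-Path $PackageDir 'driver.cat'

# Run a native tool, capture its output and fail loudly on a non-zero exit code.
function Invoke-Tool([string]$Exe, [string[]]$ArgList) {
    $out = & $Exe @ArgList 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code ${LASTEXITCODE}:`n$out" }
    return $out
}

# Verify under the kernel-mode driver signing policy (/kp) and print the chain
# (/v). A signature that chains to some other root can still look "valid" for
# user mode, so the text check is what tells you the kernel will accept it.
function Test-KmcsChain([string]$Path) {
    $out = Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', $Path)
    if ($out -notmatch 'Microsoft Code Verification Root') {
        throw "$Path verifies, but its chain does not end at the Microsoft Code Verification Root; was /ac given the right cross-certificate?"
    }
    return $out
}

# Common signing arguments: /ac supplies the Microsoft cross-certificate for
# your CA, /sha1 selects the certificate from the store, /t timestamps it.
$signArgs = @('sign', '/v', '/ac', $CrossCert, '/sha1', $CertThumbprint, '/t', $TimestampUrl)

# 1. Sign the SYS first (needed whenever the binary is loaded without its CAT).
Invoke-Tool 'signtool.exe' ($signArgs + $sys) | Out-Null

# 2. Build the catalog from the .inf AFTER signing, so the hashes it records
#    match the signed binary. /os:7_X64 targets 64-bit Windows 7.
Invoke-Tool 'inf2cat.exe' @("/driver:$PackageDir", '/os:7_X64', '/verbose') | Out-Null

# 3. Sign the catalog with the same certificate and cross-certificate.
Invoke-Tool 'signtool.exe' ($signArgs + $cat) | Out-Null

# 4. Check both files the way the kernel will judge them before installing.
foreach ($f in @($sys, $cat)) {
    Test-KmcsChain $f | Out-Null
    Write-Host "$f chains to the Microsoft Code Verification Root under /kp"
}
```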

Thank you Tim R. for explaining all this. I was not aware that it worked that way.

Regards, Christiaan

> Well, if you always install using a CAT file, then it’s not necessary to sign the SYS file at all.

Not so for boot-time drivers, which require signature in the SYS itself.

But well, we are mixing WHQL signature and KMCS signature again.

Only KMCS can be in SYS itself. WHQL is always in CAT.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

> In the kernel world, we can’t take the time to do that. Instead of
> having a very long list of certificate authorities, the kernel trusts
> exactly one: the Microsoft Code Signing Root.

What is also important here is that, on boot, there is no cert store.

Without the store, the whole cert chain must be embedded in the SYS itself.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi,

Thanks for the useful comments.
Now I can verify the catalog file and the chain ends at the
Microsoft Code Verification Root. However, after installing the driver I
get error code 52 again. I’m a little confused.

What is the point I haven’t considered?

On Tue, Nov 18, 2014 at 10:34 AM, Maxim S. Shatskih
wrote:
