I found that if one just follows the procedures listed in the microsoft
kernel mode signing document noted upthread, everything more or less
works. The OP needs to just follow the recipe.
On Wed, May 7, 2008 at 9:05 PM, Gianluca Varenni
> wrote: > > I think the problem is option /kp of “signtool verify”. /kp means > that signtool verifies the driver signature with the kernel-mode > signing policy. I might be totally wrong, but I think it tells you > the signature is invalid because it’s just a test signature (it’s > not a case that in order to use test signing, you need to use a test > certificate and put the machine into test mode). > > Try to remove option /kp and see if it validates the binary. Also, > you do not need to test sign the binary and the binary. Just sign > the CAT file. > > > Have a nice day > > GV > > – > Gianluca Varenni, Windows DDK MVP > > CACE Technologies > http://www.cacetech.comhttp:</http:> > > > > ----- Original Message ----- From: > mailto:xxxxx> > To: “Windows System Software Devs Interest List” > > > Sent: Wednesday, May 07, 2008 5:54 PM > > Subject: RE:[ntdev] How to make windows installer find the driver > automatically > > > Following are my steps using a self-signed cert. > Individual signs on binaries and CATS came out o.k > But sign check when CAT VS Driver failed. > PS: I have to sign teh driver also becuase it is 2k8/x64 driver. > Anyways not signing teh driver and repeating this steps also > gives the same result. > > Let me knwo if I missed again something. > > > 1) generate self signed cert? > Makecert -r -pe -ss mycer -n “CN=mycer” mycer.cer > > 2)Installed this cer on ths same machine > certmgr.exe -add mycer.cer -s -r localMachine root > certmgr.exe -add mycer.cer -s -r localMachine trustedpublisher > > Invoked certmgr and checked mycer was listed in ROOT and > Trustedpublisher CAs’. > > 3) generate my binaries > > 4) sign my binaries with above generated and installed cert > > SignTool sign /s mycer /t > http://timestamp.verisign.com/scripts/timestamp.dll mysys.sys > outpuut: > Done Adding Additional Store > Successfully signed and timestamped:mycer.sys > > – Not sure why it is adding additional store ? > Anyways successfully signed and timed. > > 5) generate catalogs > Inf2cat.exe /driver:. > /os:Server2003_X86,Server2003_X64,Vista_X86,Vista_X64 > > IS THE ABOVE SYNTAX FOR /DRIVER O.K? > ALL MY .SYS, .INF ARE IN pwd. > also THERE ARE OTHER FILES AND SUB-DIRS NOT REFERENCED BY THE > INF’S IN THIS DIR* > THERE ARE MULTIPLE INF’S IN THIS DIR ALSO* > > 6) SIGN TEH cats too > > SignTool sign /s mycer /t > http://timestamp.verisign.com/scripts/timestamp.dll mycat.cat > Done Adding Additional Store > Successfully signed and timestamped: mycat. > > 7) verify signed driver - Went to file properties and says cert > is o.k. > 8) verify signed cats - Went to file properties and says cert is > o.k. > > 9) verifying signed cats vs binaries > signtool verify /kp /v /c mycat.cat mysys.sys > > Verifying: mysys.sys > File is signed in catalog: mycat.cat > SignTool Error: WinVerifyTrust returned error: 0x800B0109 > > A certificate chain processed, but terminated in a root > certificate which is not trusted by the trust provider. >* > >>>>>>>>>>>> > Above is the error > 1) I am using self-signed cert which is installed root and > trustedpublisher CA’s. > 2) Not sure why there is a CA chain for my certificate above. > 3) I tried not doing time-stamp, got same error. > <<<<<<<<<<<<<<< > Signing Certificate Chain: > Issued to: mycer > Issued by: mycer > Expires: 12/31/2039 4:59:59 PM > SHA1 hash: D575A14F73C939CCD7547C6F6CD6B0B5DC1C6BD1 > > The signature is timestamped: 5/7/2008 5:34:12 PM > Timestamp Verified by: > Issued to: Thawte Timestamping CA > Issued by: Thawte Timestamping CA > Expires: 12/31/2020 4:59:59 PM > SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 > > Issued to: VeriSign Time Stamping Services CA > Issued by: Thawte Timestamping CA > Expires: 12/3/2013 4:59:59 PM > SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D > > Issued to: VeriSign Time Stamping Services Signer - G2 > Issued by: VeriSign Time Stamping Services CA > Expires: 6/14/2012 4:59:59 PM > SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE > > SignTool Error: File not valid: mysys.sys > > Number of files successfully Verified: 0 > Number of warnings: 0 > Number of errors: 1 > > > Will debug more. > > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer > > > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer > > > > > – > Mark Roddy</mailto:xxxxx>
Mark Roddy wrote:
> I found that if one just follows the procedures listed in the
> microsoft kernel mode signing document noted upthread, everything more
> or less works. The OP needs to just follow the recipe.
>
> On Wed, May 7, 2008 at 9:05 PM, Gianluca Varenni
> > wrote: >> >> I think the problem is option /kp of “signtool verify”. /kp means >> that signtool verifies the driver signature with the kernel-mode >> signing policy. I might be totally wrong, but I think it tells you >> the signature is invalid because it’s just a test signature (it’s >> not a case that in order to use test signing, you need to use a test >> certificate and put the machine into test mode). >> >> Try to remove option /kp and see if it validates the binary. Also, >> you do not need to test sign the binary and the binary. Just sign >> the CAT file. >> >> >> Have a nice day >> >> GV >> >> – >> Gianluca Varenni, Windows DDK MVP >> >> CACE Technologies >> http://www.cacetech.comhttp:</http:> >> >> >> >> ----- Original Message ----- From: >> mailto:xxxxx> >> To: “Windows System Software Devs Interest List” >> > >> Sent: Wednesday, May 07, 2008 5:54 PM >> >> Subject: RE:[ntdev] How to make windows installer find the driver >> automatically >> >> >> Following are my steps using a self-signed cert. >> Individual signs on binaries and CATS came out o.k >> But sign check when CAT VS Driver failed. >> PS: I have to sign teh driver also becuase it is 2k8/x64 driver. >> Anyways not signing teh driver and repeating this steps also >> gives the same result. >> >> Let me knwo if I missed again something. >> >> >> 1) generate self signed cert? >> Makecert -r -pe -ss mycer -n “CN=mycer” mycer.cer >> >> 2)Installed this cer on ths same machine >> certmgr.exe -add mycer.cer -s -r localMachine root >> certmgr.exe -add mycer.cer -s -r localMachine trustedpublisher >> >> Invoked certmgr and checked mycer was listed in ROOT and >> Trustedpublisher CAs’. >> >> 3) generate my binaries >> >> 4) sign my binaries with above generated and installed cert >> >> SignTool sign /s mycer /t >> http://timestamp.verisign.com/scripts/timestamp.dll mysys.sys >> outpuut: >> Done Adding Additional Store >> Successfully signed and timestamped:mycer.sys >> >> – Not sure why it is adding additional store ? >> Anyways successfully signed and timed. >> >> 5) generate catalogs >> Inf2cat.exe /driver:. >> /os:Server2003_X86,Server2003_X64,Vista_X86,Vista_X64 >> >> IS THE ABOVE SYNTAX FOR /DRIVER O.K? >> ALL MY .SYS, .INF ARE IN pwd. >> also THERE ARE OTHER FILES AND SUB-DIRS NOT REFERENCED BY THE >> INF’S IN THIS DIR* >> THERE ARE MULTIPLE INF’S IN THIS DIR ALSO* >> >> 6) SIGN TEH cats too >> >> SignTool sign /s mycer /t >> http://timestamp.verisign.com/scripts/timestamp.dll mycat.cat >> Done Adding Additional Store >> Successfully signed and timestamped: mycat. >> >> 7) verify signed driver - Went to file properties and says cert >> is o.k. >> 8) verify signed cats - Went to file properties and says cert is >> o.k. >> >> 9) verifying signed cats vs binaries >> signtool verify /kp /v /c mycat.cat mysys.sys >> >> Verifying: mysys.sys >> File is signed in catalog: mycat.cat >> SignTool Error: WinVerifyTrust returned error: 0x800B0109 >> >> A certificate chain processed, but terminated in a root >> certificate which is not trusted by the trust provider. >>* >> >>>>>>>>>>>> >> Above is the error >> 1) I am using self-signed cert which is installed root and >> trustedpublisher CA’s. >> 2) Not sure why there is a CA chain for my certificate above. >> 3) I tried not doing time-stamp, got same error. >> <<<<<<<<<<<<<<< >> Signing Certificate Chain: >> Issued to: mycer >> Issued by: mycer >> Expires: 12/31/2039 4:59:59 PM >> SHA1 hash: D575A14F73C939CCD7547C6F6CD6B0B5DC1C6BD1 >> >> The signature is timestamped: 5/7/2008 5:34:12 PM >> Timestamp Verified by: >> Issued to: Thawte Timestamping CA >> Issued by: Thawte Timestamping CA >> Expires: 12/31/2020 4:59:59 PM >> SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 >> >> Issued to: VeriSign Time Stamping Services CA >> Issued by: Thawte Timestamping CA >> Expires: 12/3/2013 4:59:59 PM >> SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D >> >> Issued to: VeriSign Time Stamping Services Signer - G2 >> Issued by: VeriSign Time Stamping Services CA >> Expires: 6/14/2012 4:59:59 PM >> SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE >> >> SignTool Error: File not valid: mysys.sys >> >> Number of files successfully Verified: 0 >> Number of warnings: 0 >> Number of errors: 1 >> >> >> Will debug more. >> >> >> — >> NTDEV is sponsored by OSR >> >> For our schedule of WDF, WDM, debugging and other seminars visit: >> http://www.osr.com/seminars >> >> To unsubscribe, visit the List Server section of OSR Online at >> http://www.osronline.com/page.cfm?name=ListServer >> >> >> >> — >> NTDEV is sponsored by OSR >> >> For our schedule of WDF, WDM, debugging and other seminars visit: >> http://www.osr.com/seminars >> >> To unsubscribe, visit the List Server section of OSR Online at >> http://www.osronline.com/page.cfm?name=ListServer >> >> >> >> >> – >> Mark Roddy ></mailto:xxxxx>