Kernel mode code sign problem

Hi

I have a problem signing an NDIS driver to work on an x64 machine. I've already read a ton of stuff on the topic (including this forum).

The verification passes OK, but the OS doesn't want to load the driver:

c:\Certificate>signtool verify /v /kp /c qosservice.cat qosservice.sys

Verifying: QoSService.sys
File is signed in catalog: qosservice.cat

Signing Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 2025-11-01 15:54:03
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: 2021-02-22 21:35:17
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 2020-02-08 01:59:59
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: 2013-04-10 01:59:59
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

The signature is timestamped: 2012-04-16 08:57:45
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 2021-01-01 01:59:59
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 2013-12-04 01:59:59
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 2012-06-15 01:59:59
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Successfully verified: QoSService.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

I compared the output with Oracle's VirtualBox driver:

c:\Certificate>signtool verify /v /kp /c Oracle\VBoxNetFlt.cat Oracle\VBoxNetFlt.sys

Verifying: Oracle\VBoxNetFlt.sys
File is signed in catalog: Oracle\VBoxNetFlt.cat

Signing Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 2025-11-01 15:54:03
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: 2016-05-23 19:11:29
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Class 3 Public Primary Certification Authority
Expires: 2021-11-08 01:59:59
SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 2020-02-08 01:59:59
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: Oracle Corporation
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: 2014-02-08 01:59:59
SHA1 hash: A88FD9BDAA06BC0F3C491BA51E231BE35F8D1AD5

The signature is timestamped: 2012-03-14 19:26:29
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 2021-01-01 01:59:59
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 2013-12-04 01:59:59
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 2012-06-15 01:59:59
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Successfully verified: Oracle\VBoxNetFlt.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

The difference I see is that the MS cross-certificate I use is issued to:

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: 2021-02-22 21:35:17
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

while VBox has the original 'VeriSign Class 3 Public Primary CA - G5' certificate, and its
cross-certificate is issued to:

Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: 2016-05-23 19:11:29
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

The same difference shows up when inspecting the driver's embedded certificate with CertMgr.
But I can't find the cross-certificate I see in VBox anywhere. I'm also not sure whether that's the problem.

The result while installing is the well-known error "0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

I can see this error while doing a regular (no /kp) verification on the target machine:

c:\Certificate>Tools\signtool verify /v /c NDIS\qosservice.cat NDIS\qosservice.sys

Verifying: NDIS\QoSService.sys
File is signed in catalog: NDIS\qosservice.cat
Hash of file (sha1): 4A9CED08595CEB145947F24B3ECDA103DD3BF419

Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Thu Jul 17 01:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

The signature is timestamped: Mon Apr 16 11:12:26 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 01:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 01:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Fri Jun 15 01:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

However, doing the same on the build machine gives slightly different results:

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\signtool verify /v
/c IWantToBelieve\qosservice.cat IWantToBelieve\qosservice.sys

Verifying: IWantToBelieve\QoSService.sys
File is signed in catalog: IWantToBelieve\qosservice.cat
Hash of file (sha1): 61CD104A5FA2A1CE741880214FEEB819AEA18F02

Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 01:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon Nov 08 01:59:59 2021
SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

The signature is timestamped: Mon Apr 16 11:34:55 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 01:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 01:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Fri Jun 15 01:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

SignTool Error: This catalog is not valid for the current OS version. You may
use the /o option to verify against a different OS version.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

Setupapi.log looks like this:

>> [Build Driver List - unknown device]
>> Section start 2012/04/16 11:13:42.366
cmd: C:\Windows\Explorer.EXE
cpy: Policy is set to make all digital signatures equal.
dvi: Enumerating INFs from path list ‘C:\Windows\inf’
inf: Opened INF: ‘C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\netvwifibus.inf’ ([strings.0409])
dvi: No [Manufacturer] section in INF ‘C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\netvwifibus.inf’.
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_2bb3bef50040d245\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.398
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_2bb3bef50040d245\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_2bb3bef50040d245\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.427
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.431
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_2bb3bef50040d245\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_2bb3bef50040d245\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.464
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.470
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.485
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.487
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.507
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.512
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.527
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.529
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.546
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_25db8f2c0b8d38a3\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.550
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_25db8f2c0b8d38a3\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_25db8f2c0b8d38a3\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.559
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.560
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_25db8f2c0b8d38a3\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_25db8f2c0b8d38a3\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.572
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\vmnetsrv.inf_amd64_neutral_1c69589b1fc8fefc\vmnetsrv.inf’ ([strings])
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.577
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.586
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.587
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.599
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\vboxnetflt.inf_amd64_neutral_6933343d550240d8\vboxnetflt.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.602
sig: Key = vboxnetflt.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\vboxnetflt.inf_amd64_neutral_6933343d550240d8\vboxnetflt.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\vboxnetflt.inf_amd64_neutral_6933343d550240d8\VBoxNetFlt.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.610
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.612
sig: Key = vboxnetflt.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\vboxnetflt.inf_amd64_neutral_6933343d550240d8\vboxnetflt.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\vboxnetflt.inf_amd64_neutral_6933343d550240d8\VBoxNetFlt.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.624
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.629
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.637
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.638
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.650
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_fcbee985548df706\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.654
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_fcbee985548df706\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_fcbee985548df706\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.662
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.663
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_fcbee985548df706\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_fcbee985548df706\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.675
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.679
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.687
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.689
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.701
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.704
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.712
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.713
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_a7e024df58be94b9\QoSService.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 11:13:42.726
inf: Opened PNF: ‘C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_aa869d38e78d75ce\netsf.inf’ ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 11:13:42.729
sig: Key = netsf.inf
sig: FilePath = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_aa869d38e78d75ce\netsf.inf
sig: Catalog = C:\Windows\System32\DriverStore\FileRepository\netsf.inf_amd64_neutral_aa869d38e78d75ce\QoSService.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:13:42.738


What am I missing?! Please help.
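The comparison done by hand above (which root the chain ends in, and which cross-certificate sits directly under it) can be automated. This is an added example, not code from the thread or from signtool: a Python parser for `signtool verify /v` output plus two checks, with constructed, abridged excerpts of the three outputs quoted in the post as sample input; the function names are mine.

```python
"""Parse `signtool verify /v` output and compare signing chains for KMCS."""
import re
from dataclasses import dataclass

# Thumbprint of the Microsoft Code Verification Root, as printed in the /kp output.
MS_CODE_VERIFICATION_ROOT = "8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3"

@dataclass
class Cert:
    issued_to: str
    issued_by: str
    sha1: str

def parse_verify_output(text):
    """Extract the signing chain (root first), timestamp flag and SignTool errors."""
    res = {"chain": [], "timestamped": False, "errors": []}
    section, fields, in_error = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_error = False           # a blank line ends a wrapped error message
            continue
        if line.startswith("Signing Certificate Chain:"):
            section = "chain"
        elif line.startswith(("Timestamp Verified by:", "Cross Certificate Chain:")):
            section = None             # the other chains are not the signing chain
        elif line.startswith("The signature is timestamped:"):
            res["timestamped"] = True
        elif line.startswith("SignTool Error:"):
            res["errors"].append(line.split(":", 1)[1].strip())
            in_error = True
        elif in_error:
            res["errors"][-1] += " " + line   # continuation line of a wrapped error
        elif section == "chain":
            m = re.match(r"(Issued to|Issued by|SHA1 hash):\s*(.+)", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
                if m.group(1) == "SHA1 hash":   # last field of each chain entry
                    res["chain"].append(Cert(fields["Issued to"], fields["Issued by"], fields["SHA1 hash"].upper()))
                    fields = {}
    return res

def kmcs_findings(parsed):
    """Reasons a kernel-mode driver carrying this signature may be refused."""
    chain = parsed["chain"]
    if not chain:
        return ["no signing chain in output"]
    findings = []
    if chain[0].sha1 != MS_CODE_VERIFICATION_ROOT:
        findings.append(f"chain ends in '{chain[0].issued_to}', not Microsoft Code Verification Root")
    if not parsed["timestamped"]:
        findings.append("signature is not timestamped")
    return findings + [f"signtool: {e}" for e in parsed["errors"]]

def first_divergence(a, b):
    """(index, cert_a, cert_b) where two root-first chains first differ, else None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x.sha1 != y.sha1:
            return i, x, y
    return None

# Constructed, abridged excerpts of the outputs quoted in the post
# (Expires lines omitted; the parser ignores them anyway).
MINE_KP = """\
Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
    Issued to: VeriSign Class 3 Code Signing 2010 CA
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
    Issued to: MyCompany, Inc.
    Issued by: VeriSign Class 3 Code Signing 2010 CA
    SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4
The signature is timestamped: 2012-04-16 08:57:45
"""
ORACLE_KP = """\
Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
"""
TARGET_NO_KP = """\
Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
    Issued to: MyCompany, Inc.
    Issued by: VeriSign Class 3 Code Signing 2010 CA
    SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4
The signature is timestamped: Mon Apr 16 11:12:26 2012

SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
"""
```

Running `first_divergence` on the two /kp chains points at index 1, the cross-certificate, which is exactly the difference noted above; `kmcs_findings` on the target-machine output reports the untrusted root and the wrapped SignTool error as one string.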

Hi,

Can you please show all the commands that you perform in order to sign the driver?
Please show the output of the sign command as well.

Thanks,

Nuno

Sure!!!

The commands are:

Tools\stampinf.exe -f NDIS\netsf.inf -d * -v 4.2.3.5
Tools\stampinf.exe -f NDIS\netsf_m.inf -d * -v 4.2.3.5

Tools\selfsign\inf2cat /driver:NDIS /os:7_x64 /v

Tools\signtool sign /v /n "MyCompany, Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll /s my /ac "VeriSign Class 3 Public Primary Certification Authority - G5.cer" NDIS\QoSService.Sys
Tools\signtool sign /v /n "MyCompany, Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll /s my /ac "VeriSign Class 3 Public Primary Certification Authority - G5.cer" NDIS\QoSService.cat

Tools\signtool verify /v /kp /c NDIS\qosservice.cat NDIS\qosservice.sys
Tools\signtool verify /v /pa /c NDIS\qosservice.cat NDIS\qosservice.sys
Tools\signtool verify /v /c NDIS\qosservice.cat NDIS\qosservice.sys
Tools\CertMgr.exe NDIS\qosservice.cat
Tools\CertMgr.exe NDIS\qosservice.sys

and the full output is:

C:\Documents and Settings\XPMUser\Desktop\Certificate>del NDIS\QoSService.cat

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\stampinf.exe -f NDIS\netsf.inf -d * -v 4.2.3.5
Stamping NDIS\netsf.inf [Version] section with DriverVer=04/16/2012,4.2.3.5

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\stampinf.exe -f NDIS\netsf_m.inf -d * -v 4.2.3.5
Stamping NDIS\netsf_m.inf [Version] section with DriverVer=04/16/2012,4.2.3.5

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\selfsign\inf2cat /driver:NDIS /os:7_x64 /v
Processing directory (C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS) file (netsf.inf)
Processing directory (C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS) file (netsf_m.inf)
Processing directory (C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS) file (qosservice.sys)
Parsing INF: C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS\netsf.inf
Parsing INF: C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS\netsf_m.inf
Finished parsing INFs
Processing INF: C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS\netsf.inf
Processing INF: C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS\netsf_m.inf
Finished processing INFs
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…
Testing driver package…

Signability test complete.

Errors:
None

Warnings:
None

Catalog generation complete.
C:\Documents and Settings\XPMUser\Desktop\Certificate\NDIS\qosservice.cat

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\signtool sign /v /n "MyCompany, Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll /s my /ac "VeriSign Class 3 Public Primary Certification Authority - G5.cer" NDIS\QoSService.Sys
The following certificate was selected:
Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 15:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 21:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

Done Adding Additional Store

Number of files successfully Signed: 1
Number of warnings: 1
Number of errors: 0

SignTool Error: The specified timestamp server either could not be reached
or returned an invalid response.
This may happen if you specify an RFC 3161 timestamp URL but used
the /t option or you specified a legacy Authenticode timestamp URL
but used the /tr option.
SignTool Warning: Signing succeeded, but an error occurred while attempting to
timestamp: NDIS\QoSService.sys

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\signtool sign /v /n "MyCompany, Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll /s my /ac "VeriSign Class 3 Public Primary Certification Authority - G5.cer" NDIS\QoSService.cat
The following certificate was selected:
Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 15:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 21:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

Done Adding Additional Store

Number of files successfully Signed: 1
Number of warnings: 1
Number of errors: 0

SignTool Error: The specified timestamp server either could not be reached
or returned an invalid response.
This may happen if you specify an RFC 3161 timestamp URL but used
the /t option or you specified a legacy Authenticode timestamp URL
but used the /tr option.
SignTool Warning: Signing succeeded, but an error occurred while attempting to
timestamp: NDIS\qosservice.cat

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\signtool verify /v /kp /c NDIS\qosservice.cat NDIS\qosservice.sys

Verifying: NDIS\QoSService.sys
File is signed in catalog: NDIS\qosservice.cat
Hash of file (sha1): 8CB861048223208DF9F1CAA5C99E59330538C988

Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 01:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon Nov 08 01:59:59 2021
SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

File is not timestamped.

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 15:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 21:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

Successfully verified: NDIS\QoSService.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\signtool verify /v /pa /c NDIS\qosservice.cat NDIS\qosservice.sys

Verifying: NDIS\QoSService.sys
File is signed in catalog: NDIS\qosservice.cat
Hash of file (sha1): 8CB861048223208DF9F1CAA5C99E59330538C988

Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 01:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon Nov 08 01:59:59 2021
SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

File is not timestamped.

Successfully verified: NDIS\QoSService.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\signtool verify /v /c NDIS\qosservice.cat NDIS\qosservice.sys

Verifying: NDIS\QoSService.sys
File is signed in catalog: NDIS\qosservice.cat
Hash of file (sha1): 8CB861048223208DF9F1CAA5C99E59330538C988

Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 01:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon Nov 08 01:59:59 2021
SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Feb 08 01:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: MyCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Wed Apr 10 01:59:59 2013
SHA1 hash: BE835A26296FF9C11BF301352001E9D0670120F4

File is not timestamped.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

SignTool Error: This catalog is not valid for the current OS version. You may
use the /o option to verify against a different OS version.

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\CertMgr.exe NDIS\qosservice.cat
==============No Certificates ==========
==============CTL # 1 ==========
SubjectUsage::
[0] 1.3.6.1.4.1.311.12.1.1
ListIdentifier::
F6 CA D3 2B FB 31 97 44 B8 8A EE 15 E9 82 76 0B ‘…+.1.D…v.’
ThisUpdate::
Mon Apr 16 12:15:58 2012
NextUpdate::
Not Available
SHA1 Thumbprint::
74840396 4A581E81 C3EB5953 212D6AA6 21CD54B8
MD5 Thumbprint::
6C95AF59 22B5C3D4 E51B1D8B 099307FB
----- Entries -----
[0] SubjectIdentifier::
34 00 41 00 39 00 43 00 45 00 44 00 30 00 38 00 ‘4.A.9.C.E.D.0.8.’
35 00 39 00 35 00 43 00 45 00 42 00 31 00 34 00 ‘5.9.5.C.E.B.1.4.’
35 00 39 00 34 00 37 00 46 00 32 00 34 00 42 00 ‘5.9.4.7.F.2.4.B.’
33 00 45 00 43 00 44 00 41 00 31 00 30 00 33 00 ‘3.E.C.D.A.1.0.3.’
44 00 44 00 33 00 42 00 46 00 34 00 31 00 39 00 ‘D.D.3.B.F.4.1.9.’
00 00 ‘…’
[1] SubjectIdentifier::
34 00 45 00 41 00 34 00 34 00 37 00 32 00 32 00 ‘4.E.A.4.4.7.2.2.’
42 00 32 00 32 00 30 00 36 00 42 00 45 00 32 00 ‘B.2.2.0.6.B.E.2.’
44 00 37 00 43 00 35 00 33 00 34 00 35 00 42 00 ‘D.7.C.5.3.4.5.B.’
36 00 38 00 44 00 31 00 43 00 35 00 37 00 36 00 ‘6.8.D.1.C.5.7.6.’
30 00 46 00 45 00 41 00 35 00 43 00 41 00 46 00 ‘0.F.E.A.5.C.A.F.’
00 00 ‘…’
[2] SubjectIdentifier::
38 00 35 00 42 00 45 00 38 00 46 00 43 00 30 00 ‘8.5.B.E.8.F.C.0.’
46 00 37 00 45 00 36 00 38 00 45 00 43 00 41 00 ‘F.7.E.6.8.E.C.A.’
42 00 44 00 39 00 32 00 31 00 32 00 46 00 30 00 ‘B.D.9.2.1.2.F.0.’
42 00 42 00 31 00 39 00 45 00 33 00 36 00 35 00 ‘B.B.1.9.E.3.6.5.’
44 00 44 00 44 00 35 00 36 00 34 00 39 00 39 00 ‘D.D.D.5.6.4.9.9.’
00 00 ‘…’
----- Signer [1] -----
Hash Algorithm:: 1.3.14.3.2.26 (sha1)
Encrypt Algorithm:: 1.2.840.113549.1.1.1 ()
----- Signer [1] Certificate-----
Subject::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.8 (S) X
[2,0] 2.5.4.7 (L) Y
[3,0] 2.5.4.10 (O) MyCompany, Inc.
[4,0] 2.5.4.11 (OU) Digital ID Class 3 - Microsoft Software Validation v2
[5,0] 2.5.4.3 (CN) MyCompany, Inc.
Issuer::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.10 (O) VeriSign, Inc.
[2,0] 2.5.4.11 (OU) VeriSign Trust Network
[3,0] 2.5.4.11 (OU) Terms of use at https://www.verisign.com/rpa (c)10
[4,0] 2.5.4.3 (CN) VeriSign Class 3 Code Signing 2010 CA
SerialNumber::
77 F4 F7 2B AB B9 0F CC 29 C9 6C 36 04 E2 AF 94
SHA1 Thumbprint::
BE835A26 296FF9C1 1BF30135 2001E9D0 670120F4
MD5 Thumbprint::
AAB61A66 29DDF8B1 56D0035F 0F754AAA
NotBefore::
Mon Apr 09 02:00:00 2012
NotAfter::
Wed Apr 10 01:59:59 2013
----- Signer [1] AuthenticatedAttributes -----
[0,0] 1.3.6.1.4.1.311.2.1.12
[1,0] 1.2.840.113549.1.9.3
[2,0] 1.3.6.1.4.1.311.2.1.11
[3,0] 1.2.840.113549.1.9.4
==============No CRLs ==========
==============================================
CertMgr Succeeded

C:\Documents and Settings\XPMUser\Desktop\Certificate>Tools\CertMgr.exe NDIS\qosservice.sys
----- Signer [1] -----
Hash Algorithm:: 1.3.14.3.2.26 (sha1)
Encrypt Algorithm:: 1.2.840.113549.1.1.1 ()
----- Signer [1] Certificate-----
Subject::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.8 (S) X
[2,0] 2.5.4.7 (L) Y
[3,0] 2.5.4.10 (O) MyCompany, Inc.
[4,0] 2.5.4.11 (OU) Digital ID Class 3 - Microsoft Software Validation v2
[5,0] 2.5.4.3 (CN) MyCompany, Inc.
Issuer::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.10 (O) VeriSign, Inc.
[2,0] 2.5.4.11 (OU) VeriSign Trust Network
[3,0] 2.5.4.11 (OU) Terms of use at https://www.verisign.com/rpa (c)10
[4,0] 2.5.4.3 (CN) VeriSign Class 3 Code Signing 2010 CA
SerialNumber::
77 F4 F7 2B AB B9 0F CC 29 C9 6C 36 04 E2 AF 94
SHA1 Thumbprint::
BE835A26 296FF9C1 1BF30135 2001E9D0 670120F4
MD5 Thumbprint::
AAB61A66 29DDF8B1 56D0035F 0F754AAA
NotBefore::
Mon Apr 09 02:00:00 2012
NotAfter::
Wed Apr 10 01:59:59 2013
----- Signer [1] AuthenticatedAttributes -----
[0,0] 1.3.6.1.4.1.311.2.1.12
[1,0] 1.2.840.113549.1.9.3
[2,0] 1.3.6.1.4.1.311.2.1.11
[3,0] 1.2.840.113549.1.9.4
==============Certificate # 1 ==========
Subject::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.10 (O) VeriSign, Inc.
[2,0] 2.5.4.11 (OU) VeriSign Trust Network
[3,0] 2.5.4.11 (OU) Terms of use at https://www.verisign.com/rpa (c)10
[4,0] 2.5.4.3 (CN) VeriSign Class 3 Code Signing 2010 CA
Issuer::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.10 (O) VeriSign, Inc.
[2,0] 2.5.4.11 (OU) VeriSign Trust Network
[3,0] 2.5.4.11 (OU) (c) 2006 VeriSign, Inc. - For authorized use only
[4,0] 2.5.4.3 (CN) VeriSign Class 3 Public Primary Certification Authority - G5
SerialNumber::
52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
SHA1 Thumbprint::
495847A9 3187CFB8 C71F840C B7B41497 AD95C64F
MD5 Thumbprint::
4DF6E0FC 400CAE9C 052FAE98 C66D379F
NotBefore::
Mon Feb 08 02:00:00 2010
NotAfter::
Sat Feb 08 01:59:59 2020
==============Certificate # 2 ==========
Subject::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.10 (O) VeriSign, Inc.
[2,0] 2.5.4.11 (OU) VeriSign Trust Network
[3,0] 2.5.4.11 (OU) (c) 2006 VeriSign, Inc. - For authorized use only
[4,0] 2.5.4.3 (CN) VeriSign Class 3 Public Primary Certification Authority - G5
Issuer::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.8 (S) Washington
[2,0] 2.5.4.7 (L) Redmond
[3,0] 2.5.4.10 (O) Microsoft Corporation
[4,0] 2.5.4.3 (CN) Microsoft Code Verification Root
SerialNumber::
61 19 93 E4 00 00 00 00 00 1C
SHA1 Thumbprint::
57534CCC 33914C41 F70E2CBB 2103A1DB 18817D8B
MD5 Thumbprint::
8D913BCB 70530BAF CBEC15BB 74CF73D4
NotBefore::
Tue Feb 22 21:25:17 2011
NotAfter::
Mon Feb 22 21:35:17 2021
==============Certificate # 3 ==========
Subject::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.8 (S) X
[2,0] 2.5.4.7 (L) Y
[3,0] 2.5.4.10 (O) MyCompany, Inc.
[4,0] 2.5.4.11 (OU) Digital ID Class 3 - Microsoft Software Validation v2
[5,0] 2.5.4.3 (CN) MyCompany, Inc.
Issuer::
[0,0] 2.5.4.6 (C) US
[1,0] 2.5.4.10 (O) VeriSign, Inc.
[2,0] 2.5.4.11 (OU) VeriSign Trust Network
[3,0] 2.5.4.11 (OU) Terms of use at https://www.verisign.com/rpa (c)10
[4,0] 2.5.4.3 (CN) VeriSign Class 3 Code Signing 2010 CA
SerialNumber::
77 F4 F7 2B AB B9 0F CC 29 C9 6C 36 04 E2 AF 94
SHA1 Thumbprint::
BE835A26 296FF9C1 1BF30135 2001E9D0 670120F4
MD5 Thumbprint::
AAB61A66 29DDF8B1 56D0035F 0F754AAA
NotBefore::
Mon Apr 09 02:00:00 2012
NotAfter::
Wed Apr 10 01:59:59 2013
==============No CTLs ==========
==============No CRLs ==========
==============================================
CertMgr Succeeded
-------------------------------------------------------------------------------------------------------------

The ‘verify’ command returns slightly different output on the target machine than on the build one (the build one shows that the root is ‘Class 3 Public Primary Certification Authority’, while on the target machine it ends up (for some modes) on ‘VeriSign Class 3 Public Primary Certification Authority - G5’).

Hi,

I think you are making the same mistake I made my first time. You are generating the .cat file before signing the driver. The cat must be signed afterwards, because the cat is a checksum of all the files involved. If the driver is signed afterwards, it will not match the checksum and it will not be treated as verified by the kernel.

  • stamp
  • sign
  • generate cat
  • sign cat
  • verify both files (cat and sys)

Regards,

Nuno
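A script for the order listed in the post above (sign the .sys, then generate and sign the .cat, then verify both), added here as an illustration; it is not code from the thread. The file paths, the certificate store and subject, the cross-certificate file name MSCV-VSClass3.cer, the inf2cat /os value and the timestamp URL are assumptions.

```powershell
# Added illustration of the signing order from the post above (not code from the thread).
# Assumptions: signtool.exe and inf2cat.exe are on PATH, the code-signing certificate is
# in the current user's 'my' store, MSCV-VSClass3.cer is the Microsoft cross-certificate
# for the VeriSign Class 3 root, and the driver lives under NDIS\ as in the thread.
$Driver    = 'NDIS\QoSService.sys'
$DriverDir = 'NDIS'
$Catalog   = 'NDIS\qosservice.cat'
$CrossCert = 'MSCV-VSClass3.cer'                                     # assumed path
$Subject   = 'MyCompany, Inc.'                                       # /n must match the cert subject
$TsUrl     = 'http://timestamp.verisign.com/scripts/timestamp.dll'  # assumed timestamp server

# Run one external tool and stop at the first failure, so a later step never runs
# against a file an earlier step failed to produce or sign.
function Invoke-Step([string]$Name, [string]$Exe, [string[]]$ArgList) {
    Write-Host "== $Name"
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Name failed (exit code $LASTEXITCODE)" }
}

# Steps 1-2: timestamp and sign the .sys. /ac adds the cross-certificate so the chain on the
# target machine ends in Microsoft Code Verification Root, as in the thread's /kp output.
Invoke-Step 'sign .sys' 'signtool' @('sign', '/v', '/ac', $CrossCert, '/s', 'my', '/n', $Subject, '/t', $TsUrl, $Driver)

# Step 3: build the catalog only now, so the hashes it records cover the signed binary.
# The /os list must name every OS the catalog will be verified on: the thread's
# "not valid for the current OS version" message is what signtool reports when the
# catalog's OS attribute does not cover the verifying machine (the /o switch overrides it).
Invoke-Step 'generate .cat' 'inf2cat' @("/driver:$DriverDir", '/os:7_X64')

# Step 4: sign the catalog with the same certificate and cross-certificate.
Invoke-Step 'sign .cat' 'signtool' @('sign', '/v', '/ac', $CrossCert, '/s', 'my', '/n', $Subject, '/t', $TsUrl, $Catalog)

# Step 5: verify both files under the kernel-mode policy (/kp): the .sys through the
# catalog (/c), the .sys on its own embedded signature, and the catalog's own signature.
Invoke-Step 'verify .sys via .cat' 'signtool' @('verify', '/v', '/kp', '/c', $Catalog, $Driver)
Invoke-Step 'verify .sys embedded'  'signtool' @('verify', '/v', '/kp', $Driver)
Invoke-Step 'verify .cat'           'signtool' @('verify', '/v', '/kp', $Catalog)
```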

xxxxx@imaginando.net wrote:

Hi,

I think you are making the same mistake I made my first time. You are generating the .cat file before signing the driver. The cat must be signed afterwards, because the cat is a checksum of all the files involved. If the driver is signed afterwards, it will not match the checksum and it will not be treated as verified by the kernel.

Although I also do things in the order you specify, out of superstition,
I have been assured by people who should know that the signature is not
included in the driver’s checksum, so this should not matter.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

YEEEEEES. It helped for my setup!!!

I was thinking about changing order but I read in a few places that it doesn’t matter.
But it definitely DOES for some setups.

Thanks a lot for the help.

I can tell you from recent experience and 4 hours on a conf call with an MS driver engineer that this can be ignored. First, it is just a warning (a single !). Second, what it is trying to state is that your driver is not WHQL certified.

There used to be a document in the WDK that had tons of very valuable information. This was converted to MS Help. I did recently find in the DDK help descriptions of the meanings of the '!'s: 1 is info, 2 is a warning, 3 is an error.

I use the same code sign cert from Verisign, and your chain is correct.

Does your driver fail to start after it is loaded? Or are you just concerned about the log message… as I was. I saw this error when testing under Vista. The real issue had to do with something entirely different, but I saw this as the only possible culprit.

Another thing I have been testing is disabling the existing Verisign G5 root CA that should be installed via MS Update. This will force the certificate chain to be 4 deep instead of 3 deep, thus increasing reliability should one go down.

Nik Twerdochlib
Software Developer

+1.601.607.8309 O
+1.866.522.8678 F

BOMGAR | Enterprise Remote Support™

One of the Fastest-Growing Technology Companies in America | Technology Fast 500™

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Monday, April 16, 2012 1:17 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel mode code sign problem



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

OK. Now I’m not so sure it was the case :) as I had found (I think) another issue: not every signtool will work. I had found I’m not using the one from the WinDDK. Can it be the case?

Another issue I had was that while installing a 64-bit driver, the installer has to be compiled as a 64-bit application!!! Otherwise the files (.inf, .cat, .sys) are copied into the mapped (WOW64) directories, not the correct ones?

Having all these issues I’m no longer sure what matters and what doesn’t, but I don’t want to touch my environment as it simply works now :)

2012/4/19 Nik Twerdochlib

> Another issue I had was that while installing 64 bit driver the installer have to be compiled as 64 bit application!!!

I think so, and I do exactly the same.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com