Pb with signtool

OSR_Community_User · February 3, 2011, 1:26pm

Hello,

I saw a site to load a driver for AMD64.
http://codefromthe70s.org/kernelsigning.aspx

Visits the website !

I try to create a certificate with MakeCert and I try to import and replace
SHA1 signtool the parameter, its not working, same error

C:\sys>signtool.exe sign /ac mscv-vsclass3.cer /sha1 ca40385b9971ab32d1ad4c93225
688dbc168c867 vfums.sys
SignTool Error: No certificates were found that met all the given criteria.

Why ?

Tim_Roberts · February 3, 2011, 1:46pm

xxxxx@sivaller.no-ip.org wrote:

I saw a site to load a driver for AMD64.
http://codefromthe70s.org/kernelsigning.aspx
Visits the website !

I try to create a certificate with MakeCert and I try to import and replace
SHA1 signtool the parameter, its not working, same error

C:\sys>signtool.exe sign /ac mscv-vsclass3.cer /sha1 ca40385b9971ab32d1ad4c93225
688dbc168c867 vfums.sys
SignTool Error: No certificates were found that met all the given criteria.

Well, there are a couple of problems here.

First, how did you import your certificate into your certificate store?
The error seems to indicate that it could not find a certificate with
that SHA thumbprint in your certificate store. Have you triple-checked
the thumbprint? Did you try searching by name instead of by
thumbprint? (The thumbprint is more reliable, and that’s what I use,
but the name would be a good test.)

Second, you are trying to use the Verisign cross-certificate, but that
only works with a certificate that came from Verisign. If you created
the certificate yourself with MakeCert, then of course it was not
created by Verisign. You can’t use a self-signed certificate to satisfy
KMCS.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Mark_S_Edwards · February 3, 2011, 1:49pm

So you create a local certificate and then try cross-signing with the
Microsoft/Verisign cross certificate. Not surprising that
fails. The msvc-vsclass3.cer cross certificate can only be used with
class 3 code signing certificates issued by Verisign.

I think you’ve mixed up two sections from the KMCS walkthrough
document linked to on that web page. One section is how to create a
local certificate in order to sign drivers for local testing
purposes. That’s the bit where MakeCert is used. The section which
describes use of the cross-certificate is part of the release signing
process. The two are very different things and should not be mixed.

When you get to actually doing release signing with a valid Verisign
cert, please search the ntdev archives for issues related to Verisign
now issuing certificates from a new root and the requirement to use
two new intermediate Verisign certs on the signing machine.

Mark.

At 18:25 03/02/2011, xxxxx@sivaller.no-ip.org wrote:

Hello,

I saw a site to load a driver for AMD64.
http://codefromthe70s.org/kernelsigning.aspx

Visits the website !

I try to create a certificate with MakeCert and I try to import and replace
SHA1 signtool the parameter, its not working, same error

C:\sys>signtool.exe sign /ac mscv-vsclass3.cer /sha1
ca40385b9971ab32d1ad4c93225
688dbc168c867 vfums.sys
SignTool Error: No certificates were found that met all the given criteria.

Why ?