Hello All,
I am not able to sign the Windows 7 64-bit driver with the purchased Class 3 certificate (VeriSign). I did the following:
*. Installed/imported the purchased certificate (*.pfx file) into the Personal store.
*. Generated a catalog file via Inf2Cat.exe ==> dconeamd64.cat
*. Then I signed the catalog file as follows:
*. Go to C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin
*. Enter: signtool signwizard
*. Browse to the catalog file
*. Select the store and select the appropriate certificate
*. Add a timestamp from http://timestamp.verisign.com/scripts/timstamp.dll
*. Finish; I got the message "You have successfully signed your file"
*. Now verify the .sys file as:
signtool verify /pa /v /c dconeamd64.cat dconeusb.sys
which says: Successfully verified: dconeusb.sys
But when I try the same command with the /KP switch, I get an error: "Signing Cert does not chain to a Microsoft Root Cert".
Also, when I try to install the driver on Windows 7, it says Windows cannot verify the driver signature (Error Code 52).
I don't know where I have missed something. Is it a must to verify the driver with the /KP switch?
Thanks
Ravi Rathore
Thanks!!!
I was following the same, but I did not download the cross certificate. Now, after downloading it, it works fine.
Even though it worked, I am still not very clear about the significance of the cross certificate. I hope the link suggested might help.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Hagen Patzke
Sent: Friday, September 16, 2011 7:19 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Problem: SignTool Error: Signing Cert does not chain to a Microsoft Root Cert
Please read KMCS_Walkthrough.doc from http://msdn.microsoft.com/en-us/windows/hardware/gg487328
Ravi Rathore (RBEI/EST2) wrote:
Thanks!!!
I was following the same, but I did not download the cross certificate. Now, after downloading it, it works fine.
Even though it worked, I am still not very clear about the significance of the cross certificate. I hope the link suggested might help.
I can explain the significance of the cross-certificate.

When you sign an executable, the loader can take the time to go search through all of its certificate stores to find a match for yours, and then verify that the issuing certificate authority is in the store, and the authority that issued THAT cert, and so on until it reaches a trusted authority. However, that is a time-consuming operation, and you don't want to take that time every time you load a kernel driver. So, the KMCS checker has exactly one trusted authority: the Microsoft Code-Signing Root. This moves the burden of the chaining to the signing process, not the checking process.

So, when you sign a driver for KMCS, you have to manually ensure that the signature you embed includes a trust chain of certificates, beginning with yours and ending at the Microsoft Code-Signing Root. The chain includes your cert, plus one or more certs from the company you bought your cert from. The cross-certificate is issued by Microsoft and says "I trust the VeriSign root".

So, your cert is trusted by VeriSign's code-signing authority, VeriSign's code-signing authority is trusted by VeriSign's root authority, and VeriSign's root authority is trusted by the Microsoft Code-Signing Authority (because of the cross-cert), which in turn is trusted by KMCS. All KMCS has to do is ensure that the chain is valid, and that the final step is the Microsoft Authority.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
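A small model of the chain check Tim describes, added here as an illustration (it is not code from the thread or from signtool): the verifier trusts exactly one anchor, so the signer must embed every certificate needed to reach it, and the cross-certificate is simply a second certificate with the VeriSign root's subject but issued by Microsoft. Certificate names are constructed placeholders; the real Windows checker also validates signatures, validity periods and EKUs, which this model omits.

```python
"""Toy model of KMCS chain building with a single trusted anchor.
Subject/issuer names below are constructed sample data, not real certificates."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # subject of the certificate that signed this one


KMCS_ANCHOR = "Microsoft Code Verification Root"   # the one authority KMCS trusts

# Certificates the signer may embed in the signature (constructed sample data).
LEAF = Cert("Ravi's Code-Signing Cert", "VeriSign Class 3 Code Signing CA")
VERISIGN_CS_CA = Cert("VeriSign Class 3 Code Signing CA", "VeriSign Root")
VERISIGN_ROOT = Cert("VeriSign Root", "VeriSign Root")          # self-signed root
# The cross-certificate: same subject as the VeriSign root, but issued by Microsoft.
CROSS_CERT = Cert("VeriSign Root", KMCS_ANCHOR)


def build_chain(leaf, embedded, anchor=KMCS_ANCHOR):
    """Return the subjects from leaf to anchor, or None if no path reaches the anchor.
    Every embedded cert whose subject matches the current issuer is tried, because
    the self-signed VeriSign root and the cross-cert share a subject and only one
    of them leads to the anchor."""
    def walk(cert, path):
        if cert.issuer == anchor:
            return path + [anchor]
        if cert.issuer == cert.subject:      # self-signed, but not the trusted anchor
            return None
        for nxt in embedded:
            if nxt.subject == cert.issuer and nxt.subject not in path:
                found = walk(nxt, path + [nxt.subject])
                if found:
                    return found
        return None
    return walk(leaf, [leaf.subject])


def kmcs_verify(leaf, embedded):
    """Mimic the outcome of 'signtool verify /kp': succeed only at the Microsoft anchor."""
    chain = build_chain(leaf, embedded)
    if chain is None:
        return "Signing Cert does not chain to a Microsoft Root Cert"
    return "Successfully verified via: " + " -> ".join(chain)


if __name__ == "__main__":
    print(kmcs_verify(LEAF, [VERISIGN_CS_CA, VERISIGN_ROOT]))              # fails
    print(kmcs_verify(LEAF, [VERISIGN_CS_CA, VERISIGN_ROOT, CROSS_CERT]))  # succeeds
```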