Problems signing driver - digicert

Hi All

We are experiencing a fair amount of trouble getting our digitally signed driver to install without a big warning screen popping up to the end user - “Windows cannot verify the publisher of this software”.

We bought a kernel mode code signing certificate from Digicert - They have a cross sign certificate available for download from MS.

signtool verify /v /kp .sys shows a chain of three certificates:

DigiCert High Assurance EV Root CA
DigiCert High Assurance Code Signing CA-1


It also lists the cross certificate chain:

Microsoft Code Verification Root
DigiCert High Assurance EV Root CA
DigiCert High Assurance Code Signing CA-1


We have three components to our installation:
A) INF file
B) Executable that does the actual installation
C) SYS driver file.

The executable and SYS file are signed. The INF is timestamped.

Do we need a CAT file as well?

When I right click on the SYS file and look at the certificate’s certificate path, I only see the three certificates - it does not end in Microsoft Code Verification Root.

We also tried installing our code signing certificate in the TrustedPublisher store on the computer but it did not help.

Any ideas?

You need a cat for the hash of the inf (and sys if not embed signed) to be verified

d

Sent from my phone



Yes, you need the .cat.
– pa

On 20-Jun-2012 17:05, xxxxx@gmail.com wrote:

> Hi All
>
> We are experiencing a fair amount of trouble getting our digitally signed driver to install without a big warning screen popping up to the end user - “Windows cannot verify the publisher of this software”.
>
> We bought a kernel mode code signing certificate from Digicert - They have a cross sign certificate available for download from MS.
>
> signtool verify /v /kp .sys shows a chain of three certificates:
>
> DigiCert High Assurance EV Root CA
> DigiCert High Assurance Code Signing CA-1
>
>
> It also lists the cross certificate chain:
>
> Microsoft Code Verification Root
> DigiCert High Assurance EV Root CA
> DigiCert High Assurance Code Signing CA-1
>
>
> We have three components to our installation:
> A) INF file
> B) Executable that does the actual installation
> C) SYS driver file.
>
> The executable and SYS file are signed. The INF is timestamped.
>
> Do we need a CAT file as well?
>
> When I right click on the SYS file and look at the certificate’s certificate path, I only see the three certificates - it does not end in Microsoft Code Verification Root.
>
> We also tried installing our code signing certificate in the TrustedPublisher store on the computer but it did not help.
>
> Any ideas?
>

Thanks for the reply guys.

I had tried that before but I must have had another mistake somewhere else which masked the symptoms.

Added the cat file and now it installs totally silently.

Thanks
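
The fix the thread arrives at (generate a catalog for the package and sign it with the cross-certificate), written out as an added example that is not from any poster in this thread. Every path, file name, the subject name, the timestamp URL and the `/os:` target are placeholder assumptions; `Invoke-Tool` is a hypothetical helper defined here.

```powershell
# Added example: build and sign the .cat for a driver package, then verify it.
# All values below are placeholders (assumptions), not taken from the thread.
$pkgDir    = 'C:\build\driverpkg'                      # folder with the .inf and .sys
$inf       = Join-Path $pkgDir 'mydriver.inf'
$sys       = Join-Path $pkgDir 'mydriver.sys'
$cat       = Join-Path $pkgDir 'mydriver.cat'          # name must match CatalogFile= in the INF [Version] section
$crossCert = 'C:\certs\<cross-certificate-from-MS>.crt' # cross-certificate for the CA's root
$subject   = '<subject name of your code signing certificate>'
$tsUrl     = '<timestamp server URL from your CA>'

# Hypothetical helper: run a native tool and stop on a non-zero exit code.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Generate the catalog. Inf2Cat hashes the INF and every file it references,
#    which is how an unsigned text file like the INF gets covered by a signature.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$pkgDir", '/os:7_X64')

# 2. Sign the catalog. /ac adds the cross-certificate so the chain can be built
#    up to Microsoft Code Verification Root; /t timestamps the signature.
Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $crossCert, '/n', $subject, '/t', $tsUrl, $cat)

# 3. Verify against the kernel-mode policy: is the .sys covered by the signed catalog?
Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', '/c', $cat, $sys)

# 4. Verify against the default Authenticode policy used at install time:
#    is the INF covered by the same catalog?
Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', '/c', $cat, $inf)
```

Re-run steps 1 and 2 after any change to the INF or the driver binary, since the catalog stores file hashes and a stale catalog no longer matches the package.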