Hi,
I am having trouble getting my drivers to be loaded by Windows 7 x64, which I’ve signed with a GlobalSign CodeSigning certificate.
I have signed my .sys, my class installer DLL, generated a cat file with inf2cat and signed that. My signing command-line is something like:
signtool.exe sign /ac "GlobalSign Root CA.crt" /s my /n "XJTAG Ltd" /v /t http://timestamp.globalsign.com/scripts/timstamp.dll /du http://www.xjtag.com/ xjlink2.cat
Signtool verify says the cat file is OK, but when I try and install my driver it fails with Code 52.
The CodeIntegrity log has these events:
Warning
> Event ID: 3010
> Code Integrity was unable to load the \SystemRoot\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem60.CAT catalog.
Error
> Event ID: 3004
> Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\xjlink2.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Signtool verify /v /kp c:\windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem60.CAT seems to show that the cross certificate is present:
> Verifying: c:\windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem60.CAT
> Hash of file (sha1): 9D41EFFE5D734701AB1D8D1617B5E812226D4D67
>
> Signing Certificate Chain:
> Issued to: GlobalSign Root CA
> Issued by: GlobalSign Root CA
> Expires: Fri Jan 28 12:00:00 2028
> SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C
>
> Issued to: GlobalSign
> Issued by: GlobalSign Root CA
> Expires: Mon Mar 18 10:00:00 2019
> SHA1 hash: 4765557AF418C68A641199146A7E556AA8242996
>
> Issued to: GlobalSign CodeSigning CA - SHA256 - G2
> Issued by: GlobalSign
> Expires: Fri Aug 02 10:00:00 2019
> SHA1 hash: 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
>
> Issued to: XJTAG Ltd
> Issued by: GlobalSign CodeSigning CA - SHA256 - G2
> Expires: Sat Oct 08 16:08:08 2016
> SHA1 hash: FE829EF7FEF8975A85E55193C173ADB2F58286A8
>
> The signature is timestamped: Tue Dec 02 15:19:38 2014
> Timestamp Verified by:
> Issued to: GlobalSign Root CA
> Issued by: GlobalSign Root CA
> Expires: Fri Jan 28 12:00:00 2028
> SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C
>
> Issued to: GlobalSign Timestamping CA - G2
> Issued by: GlobalSign Root CA
> Expires: Fri Jan 28 12:00:00 2028
> SHA1 hash: C0E49D2D7D90A5CD427F02D9125694D5D6EC5B71
>
> Issued to: GlobalSign TSA for MS Authenticode - G1
> Issued by: GlobalSign Timestamping CA - G2
> Expires: Mon Sep 23 00:00:00 2024
> SHA1 hash: 8CE69F5012E1D1A8FB395E2E31E2B42BDE3B343B
>
> Cross Certificate Chain:
> Issued to: Microsoft Code Verification Root
> Issued by: Microsoft Code Verification Root
> Expires: Sat Nov 01 13:54:03 2025
> SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
>
> Issued to: GlobalSign Root CA
> Issued by: Microsoft Code Verification Root
> Expires: Thu Apr 15 20:05:08 2021
> SHA1 hash: CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32
>
> Issued to: GlobalSign
> Issued by: GlobalSign Root CA
> Expires: Mon Mar 18 10:00:00 2019
> SHA1 hash: 4765557AF418C68A641199146A7E556AA8242996
>
> Issued to: GlobalSign CodeSigning CA - SHA256 - G2
> Issued by: GlobalSign
> Expires: Fri Aug 02 10:00:00 2019
> SHA1 hash: 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
>
> Issued to: XJTAG Ltd
> Issued by: GlobalSign CodeSigning CA - SHA256 - G2
> Expires: Sat Oct 08 16:08:08 2016
> SHA1 hash: FE829EF7FEF8975A85E55193C173ADB2F58286A8
>
> Successfully verified: c:\windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem60.CAT
> Number of files successfully Verified: 1
> Number of warnings: 0
> Number of errors: 0
Any ideas what I might be doing wrong or how I can go about troubleshooting this further?
This article https://support.globalsign.com/customer/portal/articles/1231847 seems to say that you can’t reliably sign drivers unless you’re running Windows XP 32-bit, but can that really still be true?
thanks,
John
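
The check the post makes by eye on the `signtool verify /v /kp` output, as an added Python example that is not part of the original post: it parses the certificate chains and confirms that the cross-certificate chain is rooted at Microsoft Code Verification Root, links issuer to subject at every step, and ends at the signing certificate. The function names, the sample text and its placeholder certificates are assumptions made for illustration.

```python
import re

KERNEL_ROOT = "Microsoft Code Verification Root"
HEADER = re.compile(r"(Signing Certificate Chain|Timestamp Verified by|Cross Certificate Chain):$")
FIELD = re.compile(r"(Issued to|Issued by|SHA1 hash):\s*(.*)")
# Constructed, trimmed sample in `signtool verify /v /kp` layout; names and hashes are placeholders.
SAMPLE = """\
Signing Certificate Chain:
    Issued to: Example Vendor Ltd
    Issued by: Example Root CA
    SHA1 hash: CC03
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Issued to: Example Root CA
    Issued by: Microsoft Code Verification Root
    Issued to: Example Vendor Ltd
    Issued by: Example Root CA
    SHA1 hash: CC03
"""

def parse_chains(text):
    """Map each chain header to its certificates, in listed (root-first) order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate forum-style '>' quoting
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            current = chains.setdefault(header.group(1), [])
        elif field and current is not None:
            if field.group(1) == "Issued to" or not current:
                current.append({})  # "Issued to" starts a new certificate entry
            current[-1][field.group(1)] = field.group(2)
    return chains

def cross_chain_problems(chains):
    """Return inconsistencies in the cross chain; an empty list means none found."""
    signing = chains.get("Signing Certificate Chain", [])
    cross = chains.get("Cross Certificate Chain", [])
    if not cross:
        return ["no cross certificate chain in output"]
    problems = [c.get("Issued to", "?") + " has unexpected issuer"
                for p, c in zip(cross, cross[1:])
                if c.get("Issued by") != p.get("Issued to")]
    if cross[0].get("Issued to") != KERNEL_ROOT:
        problems.append("cross chain is not rooted at " + KERNEL_ROOT)
    if not signing or signing[-1].get("SHA1 hash") != cross[-1].get("SHA1 hash"):
        problems.append("cross chain leaf is not the signing certificate")
    return problems
```

A clean result only confirms what signtool already reported; as the post shows, that alone does not mean Code Integrity will accept the catalog.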