RE: Authenticode issue under Vista. Release Driver signing

NTDEV
1

I am wondering if this error can really be ignored as perhaps the verification being run is the equivalent of signtool verify [cat file], where as you now need to specify /pa or /kp ??

Nik Twerdochlib
Software Developer

+1.601.607.8309 O
+1.866.522.8678 F

BOMGAR | Enterprise Remote Support™

One of the Fastest-Growing Technology Companies in America | Technology Fast 500™

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Nik Twerdochlib
Sent: Monday, April 09, 2012 2:28 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Authenticode issue under Vista.

I am testing a driver under Vista SP2 both 32 bit and 64 bit, and find the device is failing to install due to this error in the setupapi log:

! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I have been working on this for a few days now and have not found a resolution. The same drivers (same binaries) install and run under Windows 7 without any issue.

The cross-cert chain on the driver appears fine:

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 15:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 19:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: Bomgar Corporation
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Mar 22 19:59:59 2013
SHA1 hash: 7DCBB03B268E6DA4AF031A9BCCB4045653FD1EEE

Successfully verified: VSRReader.sys

After the install on Vista, I have found an tested every copy of the driver in question and they are all correct.

Could this be a result of a root cert not being in the local store on my test systems?

Nik Twerdochlib
Software Developer

+1.601.607.8309 O
+1.866.522.8678 F

BOMGAR | Enterprise Remote Support™

One of the Fastest-Growing Technology Companies in America | Technology Fast 500™

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

2

At least once Verisign have issue the cert for their customers, which had some issues like the expiration date, and thus was not valid for MS’s KMCS.

This was discussed on this forum around a year ago, and IIRC Verisign confirmed the issue and patched the customer’s certs for free.

Probably you have this issue.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

“Nik Twerdochlib” wrote in message news:xxxxx@ntdev…
I am wondering if this error can really be ignored as perhaps the verification being run is the equivalent of signtool verify [cat file], where as you now need to specify /pa or /kp ??

Nik Twerdochlib
Software Developer

+1.601.607.8309 O
+1.866.522.8678 F

BOMGAR | Enterprise Remote SupportT

One of the Fastest-Growing Technology Companies in America | Technology Fast 500T

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Nik Twerdochlib
Sent: Monday, April 09, 2012 2:28 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Authenticode issue under Vista.

I am testing a driver under Vista SP2 both 32 bit and 64 bit, and find the device is failing to install due to this error in the setupapi log:

! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I have been working on this for a few days now and have not found a resolution. The same drivers (same binaries) install and run under Windows 7 without any issue.

The cross-cert chain on the driver appears fine:

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 15:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 19:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: Bomgar Corporation
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Mar 22 19:59:59 2013
SHA1 hash: 7DCBB03B268E6DA4AF031A9BCCB4045653FD1EEE

Successfully verified: VSRReader.sys

After the install on Vista, I have found an tested every copy of the driver in question and they are all correct.

Could this be a result of a root cert not being in the local store on my test systems?

Nik Twerdochlib
Software Developer

+1.601.607.8309 O
+1.866.522.8678 F

BOMGAR | Enterprise Remote SupportT

One of the Fastest-Growing Technology Companies in America | Technology Fast 500T


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer