Signing display class driver for Vista 64 bit

We have valid VeriSign “Microsoft Authenticode” Code Signing Digital ID.

Commands used to sign driver are:

SignTool sign /a /f /p /t http://timestamp.verisign.com/scripts/timstamp.dll my.sys

SignTool sign /a /f /p /t http://timestamp.verisign.com/scripts/timstamp.dll my.dll

inf2cat.exe /driver:%amd64_winlh_drivers% /os:XP_X64,Server2003_X64,Vista_X64,Server2008_X64

SignTool sign /a /f /p /t http://timestamp.verisign.com/scripts/timstamp.dll my.cat

Right-clicking the driver files does display a valid signature, and even Device Manager’s update driver wizard recognizes the Authenticode™ signature, but clicking on the Driver Details tab -> Driver Files displays .sys and .dll as unsigned. Thus it fails to load.

Are we missing something? Can we use verisign ID to sign a display class driver, or do we need to submit our driver for WHQL tests?

Thanks,
Pratima

xxxxx@hotmail.com wrote:

> We have valid VeriSign “Microsoft Authenticode” Code Signing Digital ID.
>
> Commands used to sign driver are:
>
> SignTool sign /a /f /p /t http://timestamp.verisign.com/scripts/timstamp.dll my.sys
>
> SignTool sign /a /f /p /t http://timestamp.verisign.com/scripts/timstamp.dll my.dll
>
> inf2cat.exe /driver:%amd64_winlh_drivers% /os:XP_X64,Server2003_X64,Vista_X64,Server2008_X64
>
> SignTool sign /a /f /p /t http://timestamp.verisign.com/scripts/timstamp.dll my.cat
>
> Right-clicking the driver files does display a valid signature, and even Device Manager’s update driver wizard recognizes the Authenticode™ signature, but clicking on the Driver Details tab -> Driver Files displays .sys and .dll as unsigned. Thus it fails to load.
>
> Are we missing something? Can we use verisign ID to sign a display class driver, or do we need to submit our driver for WHQL tests?
>

You can certainly sign your driver with your Verisign ID, but that’s not
enough to make the driver package register as “signed”. That requires WHQL.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I think you’re missing the cross-signing certificate, like:

Signtool sign /v /ac MSCV-VSClass3.cer /s my /n <name_in_my_cert_store> /t http://timestamp.verisign.com/scripts/timestamp.dll my.sys

You should read the guide to signing drivers… it’s all there.

Peter
OSR
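The sequence the thread arrives at (sign the binaries with the cross-certificate, build the catalog, sign the catalog) plus the verification step that actually decides whether Vista x64 loads the driver, written as a small Python wrapper around the WDK tools. This is an added example, not Peter's or the list's code. It assumes signtool and inf2cat.exe are on PATH (a WDK build window), that MSCV-VSClass3.cer sits in the current directory, and it keeps the placeholder subject name from the command above; `signtool verify /kp` is signtool's kernel-mode driver policy option.

```python
"""Plan, and optionally run, the Vista x64 kernel-mode signing sequence from
this thread: sign each binary with the cross-certificate, build the catalog
with inf2cat, sign the catalog, then verify every file under the kernel-mode
policy. Added example, not code from the thread; paths, the cross-cert file,
the store name and the subject name are assumptions."""
import shutil
import subprocess

TIMESTAMP_URL = "http://timestamp.verisign.com/scripts/timstamp.dll"
CROSS_CERT = "MSCV-VSClass3.cer"  # VeriSign cross-certificate named in Peter's reply


def sign_command(target, cross_cert=CROSS_CERT, store="my",
                 subject="<name_in_my_cert_store>", timestamp_url=TIMESTAMP_URL):
    """/ac appends the cross-certificate so the chain continues past the CA's own
    root to the Microsoft root the kernel checks; /s and /n pick the signing
    certificate out of the named store by subject name; /t timestamps it."""
    return ["signtool", "sign", "/v", "/ac", cross_cert, "/s", store,
            "/n", subject, "/t", timestamp_url, target]


def inf2cat_command(driver_dir, os_list):
    """Catalog generation hashes every file the INF lists, so it runs after the
    binaries are signed (signing changes their bytes)."""
    return ["inf2cat.exe", f"/driver:{driver_dir}", "/os:" + ",".join(os_list)]


def verify_command(target):
    """/kp verifies under the kernel-mode driver signing policy, the check that
    decides whether the driver loads, rather than the plain Authenticode policy
    that the file's Properties dialog shows."""
    return ["signtool", "verify", "/v", "/kp", target]


def plan_signing(driver_dir, binaries, catalog, os_list, **sign_opts):
    """Ordered command list: binaries, catalog build, catalog, then verify all."""
    steps = [sign_command(b, **sign_opts) for b in binaries]
    steps.append(inf2cat_command(driver_dir, os_list))
    steps.append(sign_command(catalog, **sign_opts))
    steps += [verify_command(f) for f in list(binaries) + [catalog]]
    return steps


def run_plan(steps):
    """Execute the plan, stopping at the first tool that fails (check=True)."""
    for tool in ("signtool", "inf2cat.exe"):
        if shutil.which(tool) is None:
            raise FileNotFoundError(f"{tool} not on PATH; run from a WDK build window")
    for cmd in steps:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    plan = plan_signing(
        driver_dir=r"C:\drv\amd64",            # assumed package directory
        binaries=["my.sys", "my.dll"],          # file names from the thread
        catalog="my.cat",
        os_list=["XP_X64", "Server2003_X64", "Vista_X64", "Server2008_X64"])
    for cmd in plan:                            # print the plan; call run_plan(plan) to execute
        print(" ".join(cmd))
```

Running the script only prints the command lines; `run_plan(plan)` executes them in order and stops at the first failing step, so a catalog whose `/kp` verification fails is never shipped as "signed".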

Hi Peter,

Thanks, after changing the command as per your suggestion I was able to load the driver on Windows Vista 64-bit. But on 2003 and XP I am getting the Windows Logo Program warning with a continue / stop installation option. I have added the certificate to “Trusted publisher” before installing the driver.

This warning might be expected as per Tim’s reply, as we have not submitted drivers for WHQL tests, but at least it should display the company name, which is not happening.

Below is result of signtool verify command for my catalog file:

c:\WinDDK\6001.18001\bin\SelfSign\signtool.exe verify /v my.cat

Verifying: my.cat
SHA1 hash of file: 70C036D304AAEF93395F53B12CD4CD9BA737E5B7
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 8/1/2028 11:59:59 PM
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 7/15/2014 11:59:59 PM
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

Issued to: UES Limited
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 3/5/2012 11:59:59 PM
SHA1 hash: 4A897FB5D7029768017EA2292A2AD3B3A25A2420

The signature is timestamped: 3/9/2009 3:41:48 PM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 12/31/2020 11:59:59 PM
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 12/3/2013 11:59:59 PM
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 6/14/2012 11:59:59 PM
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

SignTool Error: File not valid: my.cat

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

Is this expected? Previously, I was using self-signed certificates [as per %WINDDK%\bin\selfsign\selfsign_readme.htm]. We used to add the self-signed certificate to the certificate store before installing the driver, because of which I never got any warning, at least on Windows XP… but now my drivers are unsigned for Windows XP too? Please advise if I am wrong.

Thanks in advance,
Pratima
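The verify report above shows the signing chain topping out at the VeriSign Class 3 root, and `signtool verify` without `/pa` or `/kp` applies the Windows driver (WHQL) policy, so it reports that root as untrusted. The following parser is an added illustration, not code from the thread: it reads that report (the page's own output is embedded as the sample, with the timestamp chain cut to one entry), extracts both chains, and answers the two questions a reviewer asks first: does the chain end at the Microsoft Code Verification Root that the cross-certificate is meant to bring in, and does the timestamp predate the signer certificate's expiry. The root's display name is an assumption; the thread never prints it.

```python
"""Parse the verbose report of `signtool verify /v` and say what the signing
chain terminates in. Added illustration, not code from the thread; the sample
is the catalog report pasted above (timestamp chain shortened to one entry)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Root a kernel-mode driver signature must chain to on Vista x64; the /ac
# cross-certificate supplies the link from the CA to it. The display name is
# an assumption: the thread never prints it.
MS_CODE_VERIFICATION_ROOT = "Microsoft Code Verification Root"

SAMPLE_OUTPUT = """Verifying: my.cat
SHA1 hash of file: 70C036D304AAEF93395F53B12CD4CD9BA737E5B7
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 8/1/2028 11:59:59 PM
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 7/15/2014 11:59:59 PM
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

Issued to: UES Limited
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 3/5/2012 11:59:59 PM
SHA1 hash: 4A897FB5D7029768017EA2292A2AD3B3A25A2420

The signature is timestamped: 3/9/2009 3:41:48 PM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 12/31/2020 11:59:59 PM
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

SignTool Error: File not valid: my.cat
Number of errors: 1
"""

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"
ENTRY_RE = re.compile(r"Issued to:\s*(?P<subject>.+)\n\s*Issued by:\s*(?P<issuer>.+)\n"
                      r"\s*Expires:\s*(?P<expires>.+)\n\s*SHA1 hash:\s*(?P<sha1>[0-9A-Fa-f]{40})")


@dataclass
class CertEntry:
    subject: str
    issuer: str
    expires: datetime
    sha1: str

    def is_self_signed(self) -> bool:  # the top of a printed chain
        return self.subject == self.issuer


def parse_entries(section: str) -> list:
    return [CertEntry(m["subject"].strip(), m["issuer"].strip(),
                      datetime.strptime(m["expires"].strip(), DATE_FMT), m["sha1"].upper())
            for m in ENTRY_RE.finditer(section)]


def parse_verify_output(text: str) -> dict:
    """signtool prints each chain root first and the signer (leaf) last."""
    text = text.replace("\r\n", "\n")
    head, _, rest = text.partition("Signing Certificate Chain:")
    sign_part, _, ts_part = rest.partition("Timestamp Verified by:")
    file_m = re.search(r"^Verifying:\s*(.+)$", head, re.M)
    ts_m = re.search(r"The signature is timestamped:\s*(.+)", sign_part)
    err_m = re.search(r"Number of errors:\s*(\d+)", text)
    return {"file": file_m.group(1).strip() if file_m else None,
            "signing_chain": parse_entries(sign_part),
            "timestamp_chain": parse_entries(ts_part),
            "timestamp": datetime.strptime(ts_m.group(1).strip(), DATE_FMT) if ts_m else None,
            "errors": int(err_m.group(1)) if err_m else 0}


def chains_to_kmcs_root(report: dict) -> bool:
    """True only when the chain's self-signed top is the Microsoft root."""
    chain = report["signing_chain"]
    return bool(chain) and chain[0].is_self_signed() and chain[0].subject == MS_CODE_VERIFICATION_ROOT


def leaf_valid_at_timestamp(report: dict) -> bool:
    """A timestamped signature outlives the signer certificate as long as the
    timestamp predates the signer's expiry."""
    chain, ts = report["signing_chain"], report["timestamp"]
    return bool(chain) and ts is not None and ts < chain[-1].expires


if __name__ == "__main__":
    rep = parse_verify_output(SAMPLE_OUTPUT)
    chain = rep["signing_chain"]
    print(f"{rep['file']}: signer={chain[-1].subject!r}, root={chain[0].subject!r}")
    print("chains to Microsoft KMCS root:", chains_to_kmcs_root(rep))
    print("timestamp before signer expiry:", leaf_valid_at_timestamp(rep))
    print("signtool errors:", rep["errors"])
```

On the report above the script answers "no" to the root question, which is the same fact the `terminated in a root certificate which is not trusted` line states; the catalog in that report was signed without the `/ac` cross-certificate, so the chain ends at VeriSign's own root rather than the Microsoft root the kernel-mode policy looks for.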

Well, it’s “expected” in the sense that that’s how those OS’s work
(though I’m a little surprised at Server 2003 having the issue, I
thought that’s when admin-trusted driver functionality was added… are
you sure you added it to the right trusted store?.. it has to be the
local system store, not a user’s).

On 2k/XP, the only way to get that message to go away (other than
malware tricks) is to get it WHQL’d.

xxxxx@hotmail.com wrote:

> Hi Peter,
>
> Thanks, after changing the command as per your suggestion I was able to load the driver on Windows Vista 64-bit. But on 2003 and XP I am getting the Windows Logo Program warning with a continue / stop installation option. I have added the certificate to “Trusted publisher” before installing the driver.
>
> This warning might be expected as per Tim’s reply, as we have not submitted drivers for WHQL tests, but at least it should display the company name, which is not happening.
>
> Below is result of signtool verify command for my catalog file:
>
> c:\WinDDK\6001.18001\bin\SelfSign\signtool.exe verify /v my.cat
>
> Verifying: my.cat
> SHA1 hash of file: 70C036D304AAEF93395F53B12CD4CD9BA737E5B7
> SignTool Error: A certificate chain processed, but terminated in a root
> certificate which is not trusted by the trust provider.
> Signing Certificate Chain:
> Issued to: Class 3 Public Primary Certification Authority
> Issued by: Class 3 Public Primary Certification Authority
> Expires: 8/1/2028 11:59:59 PM
> SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2
>
> Issued to: VeriSign Class 3 Code Signing 2004 CA
> Issued by: Class 3 Public Primary Certification Authority
> Expires: 7/15/2014 11:59:59 PM
> SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
>
> Issued to: UES Limited
> Issued by: VeriSign Class 3 Code Signing 2004 CA
> Expires: 3/5/2012 11:59:59 PM
> SHA1 hash: 4A897FB5D7029768017EA2292A2AD3B3A25A2420
>
> The signature is timestamped: 3/9/2009 3:41:48 PM
> Timestamp Verified by:
> Issued to: Thawte Timestamping CA
> Issued by: Thawte Timestamping CA
> Expires: 12/31/2020 11:59:59 PM
> SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
>
> Issued to: VeriSign Time Stamping Services CA
> Issued by: Thawte Timestamping CA
> Expires: 12/3/2013 11:59:59 PM
> SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
>
> Issued to: VeriSign Time Stamping Services Signer - G2
> Issued by: VeriSign Time Stamping Services CA
> Expires: 6/14/2012 11:59:59 PM
> SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
>
> SignTool Error: File not valid: my.cat
>
> Number of files successfully Verified: 0
> Number of warnings: 0
> Number of errors: 1
>
> Is this expected? Previously, I was using self-signed certificates [as per %WINDDK%\bin\selfsign\selfsign_readme.htm]. We used to add the self-signed certificate to the certificate store before installing the driver, because of which I never got any warning, at least on Windows XP… but now my drivers are unsigned for Windows XP too? Please advise if I am wrong.
>
> Thanks in advance,
> Pratima


Ray
(If you want to reply to me off list, please remove “spamblock.” from my
email address)

Hi Ray,

We have a .pfx certificate file; I have exported it to .cer format so that we can add it to the Trusted Root and Trusted Publisher stores. The install program calls the CertAddEncodedCertificateToStore API with X509_ASN_ENCODING format to import this new certificate into the ROOT and CA certificate stores.

The same program was working fine with my self-signed certificates [.cer format]; the certificate was getting added to Trusted Root correctly and I was able to install drivers on Windows 2000 and XP w/o a single popup.

With the new VeriSign certificate [.cer exported out of .pfx], when I open Internet Explorer -> Tools, I can’t find my company certificate listed in Trusted Root, so finally I am adding the .pfx file manually using certmgr.msc, under the required stores.

Now I am at the stage where certmgr.msc does display our certificate in the Trusted Root and Trusted Publisher stores, but Internet Explorer’s Tools options do not list us as trusted yet [root as well as publisher]. Drivers are still considered unsigned. What is the correct way to import a .pfx file on Windows XP / 2003?

Thanks & Regards,
Pratima

You need to read the “Kernel Mode Code Signing Walkthrough” document:

http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/KMCS_Walkthrough.doc

Peter
OSR

Hi Peter,

Thanks for the document, I have referred to it before and Vista 64-bit is no longer an issue for us; it started working with the /ac switch recommended by you. I also accept that we can’t avoid WHQL and the VeriSign digital ID alone is not enough.

But in this process, on 2K / XP we have started getting logo program warnings. My only question left is then how we were able to get everything working [w/o a single popup] with the previous self-signed ID by just adding that certificate to the ROOT and CA stores?

Why is the same thing not possible for the VeriSign digital ID certificate? I am looking for an answer as we need to automate this install for a bunch of desktops, w/o any warnings… and wanted to know if we can avoid WHQL at least for our in-house testing?

Thanks,
Pratima

I am not aware of any way to bypass the “not WHQLed” pop-up by self-signing a driver in a category where there’s a WHQL logo program.

I *can* tell you that there’s nothing special about a VeriSign ID, per se.

Peter
OSR

xxxxx@hotmail.com wrote:

I am looking for answer as we need to automate this install for bunch of desktops, w/o any warnings…and wanted to know if we can avoid WHQL atleast for our inhouse testing?

Apply for a test signature. Use the test cert on your internal machines.

–pa

> Why is the same thing not possible for the VeriSign digital ID
> certificate? I am looking for an answer as we need to automate
> this install for a bunch of desktops, w/o any warnings… and
> wanted to know if we can avoid WHQL at least for our in-house testing?

If you do automated text-mode OS installs (like PXE boot and then OS setup
via network), driver signing is bypassed until the final reboot. One of the
last things the OS install does is enable driver signing checks.

Jan