Signing FS driver for Win7/8 64 bit

Hello,

I am trying to sign a driver. I have purchased a DigiCert certificate for my company, signed the *.sys driver file (its size was increased slightly, thanks to the signature), and the verbose output of the signature process displayed the whole chain of signatures up to Microsoft as the Root CA (I have also downloaded the Microsoft-DigiCert cross certificate for the signature process).

When I run the verify process it displays only up to the “DigiCert High Assurance EV Root CA”, which is the authority that signed the certificate provided to my company; during the signing process, above that authority was Microsoft (which now is not displayed).

After installing the FS driver on a Win 7 64 bit machine, restart…, it looked like the driver was not loaded.
I have double clicked my certificate and let the automatic “Windows” process install the certificate - to whichever store “Windows” selects, restarted the machine… does not help.

The same process for the cross certificate (although I do not need to do it!!)… does not help.

Next Step…Please help…

Igal

I also have a similar problem.
My signed FS driver is loaded on Windows 8 64 bit, but can’t load on Windows 7 64 bit (giving an error that the driver is digitally unsigned).

I can even see that the driver is signed from properties.

Igal, if you find a solution, please don’t forget to write it here.

Hi,

First, I’d like to update that the verification that I used was only partially correct; this is why I could not see Microsoft as the root CA:

  1. Signtool verify /pa /v myDriver.sys - Not full chain
  2. Signtool verify /v /kp myDriver.sys - full chain up to Microsoft.

So I saw the full chain. This means that the driver is signed correctly. Yet I cannot see the driver being used by Windows.

Is there anyone that can assist me?

Igal

Hi Igal,
Can you paste the output of your command “signtool verify /pa /v myDriver.sys”?

From your description, your certificate is not properly chained.
Do you have all the 4 certificates installed,
your certificate, intermediate primary, intermediate secondary and root CA?

Adnan,

thank you for trying to assist:

signtool verify /pa /v myDriver.sys:

Verifying: myDriver.sys
Hash of file (sha1): 30B84649A235C68DA468A37A4DB6A91B8B251165
Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Expires: Mon Nov 10 03:00:00 2031
SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

Issued to: DigiCert High Assurance Code Signing CA-1
Issued by: DigiCert High Assurance EV Root CA
Expires: Tue Feb 10 15:00:00 2026
SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46

Issued to: My Companies name.
Issued by: DigiCert High Assurance Code Signing CA-1
Expires: Mon Sep 15 15:00:00 2014
SHA1 hash: 23F8DDB90BA773B85D36E6704DF47AAFC641A85E

File is not timestamped.
Successfully verified: myDriver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0


Signtool verify /v /kp myDriver.sys:

Verifying: myDriver.sys

Hash of file (sha1): 30B84649A235C68DA468A37A4DB6A91B8B251165

Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Expires: Mon Nov 10 03:00:00 2031
SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

Issued to: DigiCert High Assurance Code Signing CA-1
Issued by: DigiCert High Assurance EV Root CA
Expires: Tue Feb 10 15:00:00 2026
SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46

Issued to: My Company
Issued by: DigiCert High Assurance Code Signing CA-1
Expires: Mon Sep 15 15:00:00 2014
SHA1 hash: 23F8DDB90BA773B85D36E6704DF47AAFC641A85E

File is not timestamped.

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: DigiCert High Assurance EV Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 22:55:33 2021
SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143

Issued to: DigiCert High Assurance Code Signing CA-1
Issued by: DigiCert High Assurance EV Root CA
Expires: Tue Feb 10 15:00:00 2026
SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46

Issued to: My Company
Issued by: DigiCert High Assurance Code Signing CA-1
Expires: Mon Sep 15 15:00:00 2014
SHA1 hash: 23F8DDB90BA773B85D36E6704DF47AAFC641A85E

Successfully verified: MyDriver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Hope that will help you assist me.

Igal
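The two outputs above differ in one section: only the /kp (kernel-mode policy) run prints a "Cross Certificate Chain" rooted at Microsoft Code Verification Root. As an added example, not part of the original posts, this Python sketch parses signtool's verbose output and reports whether that chain is present and linked; the sample text is abridged from the post above, and the function names are hypothetical.

```python
import re

KERNEL_ROOT = "Microsoft Code Verification Root"
# Abridged from the /kp output posted above (hash and expiry lines dropped).
SAMPLE_KP = """Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
Issued to: DigiCert High Assurance Code Signing CA-1
Issued by: DigiCert High Assurance EV Root CA
Issued to: My Company
Issued by: DigiCert High Assurance Code Signing CA-1
File is not timestamped.
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Issued to: DigiCert High Assurance EV Root CA
Issued by: Microsoft Code Verification Root
Issued to: DigiCert High Assurance Code Signing CA-1
Issued by: DigiCert High Assurance EV Root CA
Issued to: My Company
Issued by: DigiCert High Assurance Code Signing CA-1
"""

def parse_chains(text):
    """Return {section name: [(subject, issuer), ...]} in printed order."""
    chains, section, subject = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"(.+ Certificate Chain):", line)
        if m:
            section = m.group(1)
            chains[section] = []
        elif line.startswith("Issued to:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("Issued by:") and section and subject:
            chains[section].append((subject, line.split(":", 1)[1].strip()))
    return chains

def summarize(text):
    chains = parse_chains(text)
    cross = chains.get("Cross Certificate Chain", [])
    signing = chains.get("Signing Certificate Chain") or [("", "")]
    # signtool prints the root first; the kernel-policy root is self-issued.
    rooted = bool(cross) and cross[0] == (KERNEL_ROOT, KERNEL_ROOT)
    # Every later certificate must be issued by the one printed before it.
    linked = all(cross[i][1] == cross[i - 1][0] for i in range(1, len(cross)))
    return {"kernel_chain": rooted and linked, "signer": signing[-1][0],
            "timestamped": "File is not timestamped." not in text}
```

Run against the /pa output, which has no cross-certificate section, `kernel_chain` comes back False even though signtool reports a successful verification.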

Adnan,

From reading the certification instructions, only the certificate provided to my company by DigiCert has to be installed per machine (where my driver is installed), while all intermediate or cross certificates are supposed to be installed by Microsoft as part of the Windows installation - I assume…

Could you enlighten me as to which certificate store these certificates are supposed to be installed in?

Igal

Normally your company certificate (provided by DigiCert here) should go to ‘Local Machine’ Personal. All other chain certificates should go to ‘Local Machine’ trusted root certificates.

Kindly check with your certificate support; they may provide you with proper chain certificates. There seems to be an issue with chaining.

Hi,

I have verified that the certificates are in place:

  1. driver’s certificate is in “Personal”
  2. cross certificate is in “trusted root certificates” and in “intermediate certificates”

and yet the driver is not uploaded by the Windows 7 64 bit system.

I have also run the Device-Tree application and verified that the driver is not attached to the tree.

Is there any person in Microsoft that can assist me on this issue?

Igal

If you have MSDN you can always open a support case with the WDK support team. I think most subscriptions come with some support incidents.

Tony
OSR

Hi,
I think that I start to understand the problem:

  1. “DigiCert High Assurance Code Signing CA-1” certificate cannot be found on the tested machine
  2. “DigiCert High Assurance EV Root CA” certificate signature (SHA-1) that signed my driver is different from the one found by CertMgr
  3. I have a hard time installing certificates into “Trusted Root Certificate Authorities” - declaring a successful installation, but actually the certificates are not visible. I tried to move the chain of certificates on the signing machine to the testing machine.

I have also posted a request for support on the MSDN.

Any support on this.

Igal

The problem was not related to signatures. I have compiled the wrong version of 64bit for the machine I am using.

Igal
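The resolution above was a build-target mismatch rather than a signing problem. As an added example, not from the thread, this Python sketch reads the Machine field from a driver file's PE header so the build architecture can be checked before investigating certificates; the helper names and the constructed test headers are assumptions for illustration.

```python
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF file header.
MACHINES = {
    0x014C: "x86",
    0x8664: "x64 (AMD64)",
    0x0200: "Itanium (IA64)",
    0xAA64: "ARM64",
}

def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE image's file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C holds the file offset of the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The 16-bit Machine field follows the 4-byte signature.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04X})")

def built_for(data: bytes, expected: str) -> bool:
    """True when the image targets the expected architecture name."""
    return pe_machine(data) == expected

def fake_pe(machine: int) -> bytes:
    """Constructed minimal header for testing: DOS stub, PE signature, Machine."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine)

if __name__ == "__main__":
    import sys
    # Usage: python pe_machine.py myDriver.sys
    with open(sys.argv[1], "rb") as f:
        print(pe_machine(f.read(4096)))
```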