Signing

Can anyone see anything wrong with the following?
I am receiving driver unsigned in Windows x64.

I used:

call winddk.…\x86\signtool.exe sign /v /ac signing\MSCV-VSClass3.cer /v /s my /n "MYCOMPANY" /t http://timestamp.verisign.com/scripts/timstamp.dll driver.sys
call winddk.…\x86\signtool.exe sign /v /ac signing\MSCV-VSClass3.cer /v /s my /n "MYCOMPANY" /t http://timestamp.verisign.com/scripts/timstamp.dll driver.cat

to sign the driver.

I used winddk.…\x86\signtool.exe verify /pa /v driver.sys:

Verifying: driver.sys
Hash of file (sha1): BA874254C319607E424EB4549542B192E60795F4

Signing Certificate Chain:
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    Expires: Wed Aug 02 00:59:59 2028
    SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

        Issued to: VeriSign Class 3 Code Signing 2009-2 CA
        Issued by: Class 3 Public Primary Certification Authority
        Expires: Tue May 21 00:59:59 2019
        SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

            Issued to: MYCOMPANY
            Issued by: VeriSign Class 3 Code Signing 2009-2 CA
            Expires: Thu Dec 02 00:59:59 2010
            SHA1 hash: 46788ADFE9653EFFED7182BDA9D3A279D849F019D

The signature is timestamped: Thu Feb 04 04:03:21 2010
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires: Fri Jan 01 00:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: VeriSign Time Stamping Services CA
        Issued by: Thawte Timestamping CA
        Expires: Wed Dec 04 00:59:59 2013
        SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

            Issued to: VeriSign Time Stamping Services Signer - G2
            Issued by: VeriSign Time Stamping Services CA
            Expires: Fri Jun 15 00:59:59 2012
            SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Successfully verified: driver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Looks like it’s not properly cross-signed to me.

I don’t see where it’s chaining-up to the MSFT CA.

Peter
OSR

On Thu, Feb 4, 2010 at 7:21 AM, wrote:
> Can anyone see anything wrong with the following?
> I am receiving driver unsigned in Windows x64.
>
> I used:
>
> call winddk.…\x86\signtool.exe sign /v /ac signing\MSCV-VSClass3.cer /v /s my /n "MYCOMPANY" /t http://timestamp.verisign.com/scripts/timstamp.dll driver.sys
> call winddk.…\x86\signtool.exe sign /v /ac signing\MSCV-VSClass3.cer /v /s my /n "MYCOMPANY" /t http://timestamp.verisign.com/scripts/timstamp.dll driver.cat
>
> to sign the driver.

Where did you get MSCV-VSClass3.cer from?
Please use the one from here:
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx#EWAAC
It is the last entry on the page.

quote
VeriSign Class 3 Public Primary Certification Authority
Issuer identification in Certification properties:
OU = Class 3 Public Primary Certification Authority
O = VeriSign, Inc.
C = US

Valid to: Tuesday, August 01, 2028 4:59:59 PM

Root certificate thumbprint:
74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2

Cross-certificate thumbprint:
58 45 53 89 cf 1d 0c d6 a0 8e 3c e2 16 f6 5a df f7 a8 64 08

Download cross-certificate for VeriSign Class 3 Public Primary
Certification Authority
(Certificate file in a 37 KB self-extracting zip file)
unquote

Thanks,
–rc

xxxxx@hotmail.co.uk wrote:

> Can anyone see anything wrong with the following?
> I am receiving driver unsigned in Windows x64.

WHICH “driver unsigned” warning do you get? Is it the “unsigned driver”
warning during install time, but the driver runs OK? Or is it that the
driver refuses to run?

You will get the “unsigned driver” warning until your driver is signed
by WHQL. This is exactly like the 32-bit systems. If the driver runs
OK after you dismiss that warning, then your signing is working properly.

> I used:
>
> call winddk.…\x86\signtool.exe sign /v /ac signing\MSCV-VSClass3.cer /v /s my /n "MYCOMPANY" /t http://timestamp.verisign.com/scripts/timstamp.dll driver.sys
> call winddk.…\x86\signtool.exe sign /v /ac signing\MSCV-VSClass3.cer /v /s my /n "MYCOMPANY" /t http://timestamp.verisign.com/scripts/timstamp.dll driver.cat

For what it’s worth, the “call” command is only needed when invoking
another batch file. Otherwise, it serves no purpose.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I believe you’re seeing the certificate chain that is applied when the
Verisign intermediate certificate is incorrectly added to the certificate
store that has your certificate. You should open the certificate manager and
remove it. When the Verisign certificate is found in the certificate store,
the signing tool fails to properly include the cross certificate, and the
certificate chain does not terminate in the correct Microsoft code signing
root.

If you clean out the certificate store you use (I believe often the personal
store), and then use file manager to import the signing .PFX with default
options, the correct thing happens. If, when it asks whether you want to choose
the location to store the new certificate, you say yes and then select
the personal store, it incorrectly includes the intermediate Verisign
certificate.

Use certmgr.msc to verify and remove the inappropriate VeriSign certificate
from your personal certificate store.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-399320-
xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.co.uk
Sent: Thursday, February 04, 2010 5:21 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Signing


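An added example, not code from the thread or from any of its posters, that turns the replies above into one repeatable script: it checks that the /ac file really is the WHDC cross-certificate by comparing its thumbprint with the listing rc quoted, refuses to sign while a CA certificate sits in the personal store Jan describes, signs with the same signtool command as the original post, and then verifies under the kernel-mode driver policy (/kp) rather than the default Authenticode policy (/pa) that the original post used. The WDK path, the file and parameter names, the company CN, and the expectation that a correctly cross-signed driver's verbose /kp chain names Microsoft Code Verification Root are assumptions about a typical setup, not facts from the thread.

```powershell
# Added example (not from the thread): KMCS sign-and-check for a WDK 7 style
# toolchain. Everything in the param block is an assumption; adjust it.
# Run from Windows PowerShell on the build machine.
param(
    # assumed WDK 7 install path; the thread elides it as "winddk.…"
    [string]$SignTool  = 'C:\WinDDK\7600.16385.1\bin\x86\signtool.exe',
    # the cross-certificate downloaded from the WHDC page rc quoted
    [string]$CrossCert = '.\signing\MSCV-VSClass3.cer',
    # CN of your code-signing certificate in CurrentUser\My
    [string]$Subject   = 'MYCOMPANY',
    [string]$TimeStamp = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string[]]$Files   = @('.\driver.sys', '.\driver.cat')
)
$ErrorActionPreference = 'Stop'

# 1. rc's point: make sure the /ac file is the WHDC cross-certificate.
#    Its thumbprint is published on the page quoted in the thread (spaces
#    removed here). The VeriSign root or intermediate .cer has a different
#    one, and signtool will "sign" with the wrong /ac file without complaint.
$expectedThumb = '58455389CF1D0CD6A08E3CE216F65ADFF7A86408'
$cross = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    ((Resolve-Path $CrossCert).ProviderPath)
if ($cross.Thumbprint -ne $expectedThumb) {
    throw "$CrossCert has thumbprint $($cross.Thumbprint), expected $expectedThumb; wrong file"
}
# A KMCS cross-cert is issued by Microsoft's verification root to the
# commercial CA's root; printing subject and issuer makes that visible.
Write-Host "Cross-cert: subject=[$($cross.Subject)] issuer=[$($cross.Issuer)]"

# 2. Jan's point: a CA certificate (the VeriSign intermediate in particular)
#    in CurrentUser\My makes signtool skip the cross-cert, and the chain
#    then ends at the VeriSign root exactly as in the original post. Only
#    end-entity certificates belong in that store.
$caExt = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$strayCAs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object { $_ -is $caExt -and $_.CertificateAuthority }
}
if ($strayCAs) {
    $strayCAs | Format-Table Subject, Issuer, Thumbprint -AutoSize | Out-String | Write-Warning
    throw 'CA certificate(s) found in CurrentUser\My; remove them with certmgr.msc and re-run'
}
$signer = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match "CN=$Subject" -and $_.HasPrivateKey }
if (-not $signer) {
    throw "No code-signing certificate with a private key for CN=$Subject in CurrentUser\My"
}

# 3. Sign. Same command as the original post; one /v is enough, and the
#    "call" prefix is a batch-file construct that is not needed here.
foreach ($f in $Files) {
    & $SignTool sign /v /ac $CrossCert /s my /n $Subject /t $TimeStamp $f
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $f (exit $LASTEXITCODE)" }
}

# 4. Verify under the kernel-mode driver signing policy. "verify /pa" passed
#    in the original post because the default Authenticode policy is
#    satisfied by the trusted VeriSign root alone, so it cannot tell you
#    whether the cross-cert was embedded. "/kp" reflects what the x64
#    kernel loader requires; with the cross-cert embedded, the verbose
#    chain is expected to start at Microsoft Code Verification Root (the
#    string match is an assumption about the output; the exit code is the
#    authoritative result). Catalogs are skipped here: /kp applies to the
#    driver image itself.
foreach ($f in ($Files | Where-Object { $_ -like '*.sys' })) {
    $out = & $SignTool verify /kp /v $f | Out-String
    Write-Host $out
    if ($LASTEXITCODE -ne 0) { throw "$f fails kernel-mode policy verification" }
    if ($out -notmatch 'Microsoft Code Verification Root') {
        throw "$f verified, but the chain does not show Microsoft Code Verification Root; cross-cert missing?"
    }
    Write-Host "$f : cross-signed and accepted under kernel-mode policy"
}
```

The order matters: the store check runs before signing because, as Jan describes, signtool silently drops the cross-certificate when the intermediate is already in the personal store, and the resulting signature still passes `verify /pa`. Only `verify /kp` on the signed .sys, with the chain ending at the Microsoft root, tells you the x64 kernel will accept the driver.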
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer