I’ve come up against a small issue with the 7100 WDK. I have a batch
file that encapsulates the 150-character “signtool” command line for
building 64-bit drivers, which works in the 6000 and 6001 WDKs. That
command line now fails with:
C:\Dev\Xxxx\sw\driver>signtool.exe sign /v /ac \data\MSCV-GlobalSign.cer
/n Providenza /t http://timestamp.verisign.com/scripts/timestamp.dll
objchk_wlh_amd64\amd64\vidousb.sys
SignTool Error: No certificates were found that met all the given criteria.
If I use \ddk\6001.18002\bin\selfsign\signtool.exe instead, it works
fine. I don’t remember whether I ever tried this with 7000.
Have the selection criteria changed in some way?
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
From what I know you should specify the /s parameter to specify the certificate store. When absent this should default to the “my”
store which I believe is for personal certificates only, so this should only work if you have a Providenza certificate in the
personal store.
//Daniel
“Tim Roberts” wrote in message news:xxxxx@ntdev…
May I suggest to try the
/sha1 1234567890abcde… parameter instead of the /n parameter,
and to provide the full path (with quotes) for the cross certificate
/ac “C:\Winddk.…”
Greetings ,
Christiaan
----- Original Message -----
From: “Tim Roberts”
To: “Windows System Software Devs Interest List”
Sent: Monday, May 04, 2009 8:17 PM
Subject: [ntdev] Signtool Change?
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Christiaan Ghijselinck wrote:
> May I suggest to try the
> /sha1 1234567890abcde… parameter instead of the /n parameter,
> and to provide the full path (with quotes) for the cross certificate
> /ac “C:\Winddk.…”
The cross certificate DOES have a full path and doesn’t need quotes.
The /sha1 option is a novel idea, although there is no reason why the /n
version shouldn’t work.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
xxxxx@resplendence.com wrote:
> From what I know you should specify the /s parameter to specify the
> certificate store. When absent this should default to the “my”
> store which I believe is for personal certificates only, so this
> should only work if you have a Providenza certificate in the personal
> store.
Right, and it is. As I said, this exact same command line works
perfectly with the 6000 and 6001 versions of signtool. I did actually
try “/s Personal”, with no change.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
> Christiaan Ghijselinck wrote:
>
>> May I suggest to try the
>> /sha1 1234567890abcde… parameter instead of the /n parameter,
>> and to provide the full path (with quotes) for the cross certificate
>> /ac “C:\Winddk.…”
>
> The cross certificate DOES have a full path and doesn’t need quotes.
> The /sha1 option is a novel idea, although there is no reason why the /n
> version shouldn’t work.
The advantage of using /sha1 is that the certificate does not need to be stored in the personal store; the tool will find it “somewhere”.
I am not sure, but a path with blanks and without quotes may not work.
Christiaan
“Tim Roberts” wrote in message news:xxxxx@ntdev…
> xxxxx@resplendence.com wrote:
>>> From what I know you should specify the /s parameter to specify the
>>> certificate store. When absent this should default to the “my”
>> store which I believe is for personal certificates only, so this
>> should only work if you have a Providenza certificate in the personal
>> store.
>
> Right, and it is. As I said, this exact same command line works
> perfectly with the 6000 and 6001 versions of signtool I did actually
> try “/s Personal”, with no change.
>
> –
Try adding “/s my” instead, which is the name for the personal store. I could never find this information in any of the lengthy
documents except in the command line sample.
//Daniel
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> Christiaan Ghijselinck
> Sent: Monday, May 04, 2009 9:25 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Signtool Change?
>
> The advantage of using /sha1 is that the certificate does not
> need to be stored in the personal store, the tool will find it
> “somewhere”
In addition, there is no place for a mistake and selecting wrong
certificate. We use /sha1 only.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
Christiaan Ghijselinck wrote:
> Christiaan Ghijselinck wrote:
>>
>> May I suggest to try the
>> /sha1 1234567890abcde… parameter insteas of the /n parameter ,
>> and to provide the full path ( with quotes ) for the cross certificate
>> /ac “C:\Winddk.…”
>
> The cross certificate DOES have a full path and doesn’t need quotes.
> The /sha1 option is a novel idea, although there is no reason why the /n
> version shouldn’t work.
> The advantage of using /sha1 is that the certificate does not need to be
> stored in the personal store, the tool will find it “somewhere”.
Indeed, specifying the /sha1 hash does work.
However, the fact that the /n parameter fails is clearly a bug. Guess I
need to search for a feedback link.
> I am not sure, but a path with blanks and without quotes may not work.
The path does not have blanks. As a command-line nut, I’m very careful
about that.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
“Tim Roberts” wrote in message news:xxxxx@ntdev…
> However, the fact that the /n parameter fails is clearly a bug. Guess I
> need to search for a feedback link.
>
Yes, I’m now seeing it also and adding the store (/s my) does not help. The new signtool has new bugs.
//Daniel
xxxxx@resplendence.com wrote:
“Tim Roberts” wrote in message news:xxxxx@ntdev…
>> However, the fact that the /n parameter fails is clearly a bug. Guess I
>> need to search for a feedback link.
>>
>
> Yes, I’m now seeing it also and adding the store (/s my) does not
> help. The new signtool has new bugs.
Yes, there seems to be more to it than just the /n issue. When I use
the 7100 version of signtool, Win 7 RC 64-bit will not load my driver
(Code 52). When I use the 6001.18002 version, it works just fine.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Tim,
Thanks for submitting bug reports on this. It makes it so much FASTER when you submit the reports.
I have assigned them over to the crypto team - the owners of signtool. They did do some work on signtool for Windows 7 - tried to make the cross-cert signing error checking and messaging a little more robust.
Jennifer
For those of you keeping score at home, I have received an answer on
this one. Even though the 7100 signtool help string continues to say this:
/n Specify the Subject Name of the signing cert, or a
substring.
…they have, in fact, removed the “or a substring” capability from the
tool. If I specify the entire subject name, it is able to find the
certificate.
One down, one to go…
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
My cert name is “OSR Open Systems Resources, Inc.”… so instead of being able to say “OSR” I have to put the whole thing?
Yeah, that certainly seems like progress to me,
Peter
OSR
xxxxx@osr.com wrote:
> My cert name is “OSR Open Systems Resources, Inc.”… so instead of being able to say “OSR” I have to put the whole thing?
>
> Yeah, that certainly seems like progress to me,
Yes. “Providenza & Boekelheide, Inc.” isn’t terribly easy to type,
either. From the response, it seems to have been unintentional, and they
are investigating what it will take to restore this ability.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
IMHO, */n* was never a good idea. Selecting the right certificate is
important. Why use a switch that isn’t deterministic? */sha1* has
always been a better choice. With the advent of KMCS, you really need
to integrate signing into your regular build process. It’s no longer
optional. That nasty SHA1 hex string should be in your build scripts,
and not something you routinely type at the command line.
–John
On 5/12/2009 3:33 PM Tim Roberts wrote:
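Tim's finding that the 7100 signtool no longer accepts a substring for /n, and John's point that the /sha1 thumbprint belongs in the build script rather than on the command line, come together in the following PowerShell helper. It is an added example, not code from the thread or from the WDK: it resolves the certificate once from the "my" (Personal) store Daniel mentions, refuses to sign unless exactly one usable certificate matches, and thereafter pins the thumbprint. Paths, the subject substring and the timestamp URL are copied from Tim's command line; the $PinnedThumbprint parameter, the one-match check and the trailing signtool verify /kp step are this example's own additions.

```powershell
# Added example, not code from the thread: pin the signing certificate by
# thumbprint (signtool /sha1) instead of matching on /n, and verify the result
# against the kernel-mode signing policy. Paths and names mirror Tim's command
# line; $PinnedThumbprint and the one-match check are this example's additions.
param(
    [string]$SubjectSubstring = "Providenza",
    [string]$CrossCert        = "\data\MSCV-GlobalSign.cer",
    [string]$Timestamp        = "http://timestamp.verisign.com/scripts/timestamp.dll",
    [string]$Driver           = "objchk_wlh_amd64\amd64\vidousb.sys",
    [string]$PinnedThumbprint = ""    # once resolved, paste the hex thumbprint here
)

# signtool's default store is "my", i.e. the current user's Personal store.
$Store = "Cert:\CurrentUser\My"

if ($PinnedThumbprint) {
    # Deterministic path: a thumbprint names exactly one certificate.
    $cert = Get-ChildItem "$Store\$PinnedThumbprint" -ErrorAction Stop
} else {
    # One-time resolution: the substring match /n used to do, but done here so
    # that an ambiguous or expired match fails loudly instead of signing with
    # the wrong key.
    $candidates = @(Get-ChildItem $Store | Where-Object {
        $_.Subject -like "*$SubjectSubstring*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one usable certificate matching '$SubjectSubstring' in $Store, found $($candidates.Count)"
    }
    $cert = $candidates[0]
    Write-Host "Resolved '$($cert.Subject)'. Pin this thumbprint in the build script: $($cert.Thumbprint)"
}

# Sign with the cross-certificate and timestamp, selecting the key by thumbprint.
& signtool.exe sign /v /ac $CrossCert /sha1 $cert.Thumbprint /t $Timestamp $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# "Sign succeeded" is not the same as "the kernel will load it": check the chain
# against the kernel-mode code signing policy before shipping the binary.
& signtool.exe verify /kp /v $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed with exit code $LASTEXITCODE" }
```

Run it from a WDK build window so that signtool.exe is on the PATH; the first run prints the thumbprint, which you then pass as -PinnedThumbprint (or hard-code in the script) so that later builds never depend on subject-name matching at all. The verify /kp step is worth keeping even when signing reports success, since it checks the driver against the kernel-mode signing policy rather than merely confirming that a signature was attached.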
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of John McNamee
Sent: Wednesday, May 13, 2009 12:54 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Signtool Change?
Exactly. I experimented with /n at the very beginning and found it
completely obscure. /sha1 is reliable, and how often does the script
have to be updated?
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
Tim,
I came up against the exact same issue as yours. I can now properly sign my cat files using the sha1 flag, but for some reason the drivers do not install properly under Windows 7…
Did you get more info on the signtool issue?
Thanks
Vincent
Guillemot R&D inc
xxxxx@guillemot.com wrote:
> I came up against the exact same issue as yours. I can now properly sign my cat files using the sha1 flag, but for some reason the drivers do not install properly under Windows 7…
> Did you get more info on the signtool issue?
Yes, they found and solved the problem, and sent me an internal build of
signtool in which both the /n abbreviation and the KMCS signing works
just fine. They did not yet know whether the fix would make it into the
final WDK – signtool is produced by the security group and “imported”
into the WDK.
In the meantime, the right answer is to use signtool.exe from one of the
6001 WDKs.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
xxxxx@guillemot.com wrote:
> I came up against the exact same issue as yours. I can now properly sign my cat files using the sha1 flag, but for some reason the drivers do not install properly under Windows 7…
> Did you get more info on the signtool issue?
Here’s something to check. Here is a link to my bug report on Microsoft
Connect:
https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=442133&SiteID=704
The internal build of signtool.exe is one of the “Attached Files” at the
very bottom. I don’t know whether the attached files are visible only
to me, or to everyone. If you can see the link, then you should be able
to download it.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.