SignTool with cross cert can not load driver linked with INTEGRITYCHECK

Hi friends, I need your help, the problem is:

We bought a certification from VeriSign, so I sign the driver linked with INTEGRITYCHECK, for example:
SignTool.exe sign /ac cross.cer /f codesign.pfx /p "test123" 123.sys

And then I check its status:
signtool verify /kp 123.sys
Successfully verified: 123.sys

But after I load the driver, it keeps saying:
StartService error 577, Windows cannot verify this file's digital signature …

Can you please help to figure it out? Thank you very much.

Best regards,
Zhen hua

You should be able to get additional diagnostic information by enabling the System Event Audit Log.

See

https://msdn.microsoft.com/en-us/library/windows/hardware/ff539911.aspx


xxxxx@gmail.com wrote:

> Hi friends, I need your help, the problem is:
>
> We bought a certification from VeriSign, so I sign the driver linked
> with INTEGRITYCHECK, for example:
> SignTool.exe sign /ac cross.cer /f codesign.pfx /p "test123" 123.sys

You really should be adding a timestamp. Otherwise, your driver can no
longer be loaded after the certificate expires. Add
/t http://timestamp.verisign.com/scripts/timestamp.dll

> And then I check its status:
> signtool verify /kp 123.sys
> Successfully verified: 123.sys

Use the /v parameter to get a complete list of the certificate chain.
The chain needs to end with the Microsoft Code Verification Root.
Otherwise, you have chosen the wrong cross-certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
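
The two checks from the reply above (a chain ending at the Microsoft Code Verification Root, and a timestamp), as an added example that is not part of the original thread. It parses the text printed by `signtool verify /v /kp`; the sample output is constructed and abbreviated, every certificate name except the Microsoft root is a placeholder, and the function names are hypothetical.

```python
KERNEL_ROOT = "Microsoft Code Verification Root"

# Constructed, abbreviated sample in the layout of `signtool verify /v /kp`
# output; certificate names other than KERNEL_ROOT are placeholders.
GOOD = """\
Signing Certificate Chain:
    Issued to: Example Public Root CA
    Issued by: Example Public Root CA
        Issued to: Example Code Signing CA
        Issued by: Example Public Root CA
            Issued to: Example Driver Vendor
            Issued by: Example Code Signing CA
The signature is timestamped: Thu May 07 10:00:00 2015
Timestamp Verified by:
    Issued to: Example Timestamp Root
    Issued by: Example Timestamp Root
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
        Issued to: Example Public Root CA
        Issued by: Microsoft Code Verification Root
            Issued to: Example Code Signing CA
            Issued by: Example Public Root CA
Successfully verified: 123.sys
"""
# Constructed failure case: no cross-certificate chain and no timestamp.
BAD = GOOD.split("The signature is timestamped")[0] + "File is not timestamped.\n"

def chain_roots(output):
    """Return {section: [self-signed subjects]} for each certificate section."""
    roots, section, issued_to = {}, None, None
    for line in map(str.strip, output.splitlines()):
        if line.endswith("Chain:") or line == "Timestamp Verified by:":
            section = line.rstrip(":")
            roots[section] = []
        elif line.startswith("Issued to:"):
            issued_to = line.split(":", 1)[1].strip()
        elif line.startswith("Issued by:") and section:
            # A certificate issued to itself is the root its chain ends at.
            if line.split(":", 1)[1].strip() == issued_to:
                roots[section].append(issued_to)
    return roots

def check(output):
    """List the problems named in the reply: wrong cross-cert, no timestamp."""
    problems = []
    roots = chain_roots(output)
    if not any(KERNEL_ROOT in r for s, r in roots.items() if s.endswith("Chain")):
        problems.append("no chain ends at " + KERNEL_ROOT)
    if "The signature is timestamped" not in output:
        problems.append("signature is not timestamped")
    return problems
```

Pass `check()` the captured standard output of `signtool verify /v /kp 123.sys`; an empty list means both conditions hold.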