Hi friends, I need your help, the problem is:
We bought a certification from VeriSign, so
I sign the driver linked with INTEGRITYCHECK, for example:
SignTool.exe sign /ac cross.cer /f codesign.pfx /p "test123" 123.sys
And then I check its status:
signtool verify /kp 123.sys
Successfully verified: 123.sys
But after I load the driver, it keeps saying:
StartService error 577, windows can not verify this file’s digital signature …
Can you please help to figure it out? Thank you very much.
Best regards,
Zhen hua
You should be able to get additional diagnostic information by enabling the System Event Audit Log.
See
https://msdn.microsoft.com/en-us/library/windows/hardware/ff539911.aspx
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-582217-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: 07 May 2015 04:29
To: Windows System Software Devs Interest List
Subject: [ntdev] SignTool with cross cert can not load driver linked
with INTEGRITYCHECK
Hi friends, I need your help, the problem is:
We bought a certification from VeriSign, so I sign the driver linked
with INTEGRITYCHECK, for example:
SignTool.exe sign /ac cross.cer /f codesign.pfx /p "test123" 123.sys
And then I check its status:
signtool verify /kp 123.sys
Successfully verified: 123.sys
But after I load the driver, it keeps saying:
StartService error 577, windows can not verify this file’s digital
signature …
Can you please help to figure it out? Thank you very much.
Best regards,
Zhen hua
xxxxx@gmail.com wrote:
> Hi friends, I need your help, the problem is:
> We bought a certification from VeriSign, so
> I sign the driver linked with INTEGRITYCHECK, for example:
> SignTool.exe sign /ac cross.cer /f codesign.pfx /p "test123" 123.sys

You really should be adding a timestamp. Otherwise, your driver can no
longer be loaded after the certificate expires. Add
/t http://timestamp.verisign.com/scripts/timestamp.dll

> And then I check its status:
> signtool verify /kp 123.sys
> Successfully verified: 123.sys

Use the /v parameter to get a complete list of the certificate chain.
The chain needs to end with the Microsoft Code Verification Root.
Otherwise, you have chosen the wrong cross-certificate.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
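
The two checks suggested in the reply above (chain ends at the Microsoft Code Verification Root, signature is timestamped) can be scripted as a post-signing gate. This is an added example, not code from the thread: it assumes signtool.exe is on PATH, the function name Get-SignToolChainSummary is hypothetical, and the matched strings ("Issued to:", "Issued by:", "signature is timestamped") are assumed to be the wording signtool prints with /v.

```powershell
# Added example, not from the thread. Assumes signtool.exe is on PATH.
param([string]$Driver = '123.sys')   # file name used in the thread

# Hypothetical helper: summarises the verbose output of "signtool verify /v /kp".
function Get-SignToolChainSummary {
    param([string[]]$Lines)
    $roots = @()
    $issuedTo = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Issued to:\s*(.+?)\s*$') {
            $issuedTo = $Matches[1]
        } elseif ($line -match '^\s*Issued by:\s*(.+?)\s*$') {
            # A chain's root is the self-issued entry (subject equals issuer).
            if ($issuedTo -and ($issuedTo -eq $Matches[1])) { $roots += $issuedTo }
            $issuedTo = $null
        }
    }
    [pscustomobject]@{
        Roots       = $roots
        KernelRoot  = $roots -contains 'Microsoft Code Verification Root'
        # Assumed output wording; adjust if your signtool version prints it differently.
        Timestamped = [bool]($Lines -match 'signature is timestamped')
    }
}

# /v lists every certificate in the chain, /kp applies the kernel-mode signing policy.
$output = & signtool.exe verify /v /kp $Driver 2>&1 | ForEach-Object { "$_" }
$signtoolExit = $LASTEXITCODE
$summary = Get-SignToolChainSummary -Lines $output

$problems = @()
if ($signtoolExit -ne 0) {
    $problems += "signtool verify /kp exited with code $signtoolExit"
}
if (-not $summary.KernelRoot) {
    $problems += 'no chain ends at Microsoft Code Verification Root (check the cross-certificate)'
}
if (-not $summary.Timestamped) {
    $problems += 'signature is not timestamped'
}

"Chain roots found: $($summary.Roots -join '; ')"
if ($problems) { $problems | ForEach-Object { "FAIL: $_" }; exit 1 }
"OK: $Driver"
```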