vista x64 signing problem.....hum...

Hi, all…

My problem is … release mode KMCS…

Everything is OK when TESTSIGNING is ON.

But release signing mode… hum…

I have signed as follows…

  1. I added my certificate (mycert.pfx) to the Personal certificate store.
    And I got the VeriSign cross-cert from http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

  2. Elevated Longhorn x64 free build environment…

stampinf -f myinf.inf -d 10/01/2006 -v 6.0.9999.0

inf2cat.exe /driver:c:\mysigning\ /os:vista_x64

signtool sign /v /ac MSCV-VSClass3.cer /s my /n "mycert_name"
/t http://timestamp.verisign.com/scripts/timestamp.dll mycat_x64.cat

signtool verify /kp /c vrvd3_x64.cat mysys-damd64.sys
->Successfully verified: mysys-damd64.sys
: /v option is not supported with /kp option. Please check your "Kernel-Mode code signing Walkthrough" document.

  3. I installed through hdwwiz.cpl
    And I've got a log as follows…

.
.
.
inf: Opened INF: 'C:\Windows\system32\DriverStore\Temp\{4e7c4582-211b-4d27-9eef-ec212f61c1c0}\Package\vrvd3-amd64.inf' ([strings] )
sig: {_VERIFY_FILE_SIGNATURE} 03:38:28.164
sig: Key = vrvd3-amd64.inf
sig: FilePath = C:\Windows\system32\DriverStore\Temp\{4e7c4582-211b-4d27-9eef-ec212f61c1c0}\Package\vrvd3-amd64.inf
sig: Catalog = C:\Windows\system32\DriverStore\Temp\{4e7c4582-211b-4d27-9eef-ec212f61c1c0}\Package\vrvd3-amd64.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 03:38:28.274
sig: {_VERIFY_FILE_SIGNATURE} 03:38:28.274
sig: Key = vrvd3-amd64.inf
sig: FilePath = C:\Windows\system32\DriverStore\Temp\{4e7c4582-211b-4d27-9eef-ec212f61c1c0}\Package\vrvd3-amd64.inf
sig: Catalog = C:\Windows\system32\DriverStore\Temp\{4e7c4582-211b-4d27-9eef-ec212f61c1c0}\Package\vrvd3-amd64.cat
sig: Success: File is signed in Authenticode™ catalog.
.
.
.
flq: SPQ_SCAN_ACTIVATE_DRP
flq: ScanQ number of copy nodes=2
flq: File 'C:\Windows\system32\DRIVERS\vrvd3.sys' pruned from copy.
sig: Using catalog 'C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem2.CAT'.
! sig: VerifyTrustFailed for C:\Windows\system32\DRIVERS\vrvd3.sys.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
cpy: DrpSetRegFileProt 'C:\Windows\system32\DRIVERS\vrvd3.sys' Status=0 Class=OEM Legacy
flq: File 'C:\Windows\system32\vrvd3.dll' pruned from copy.
sig: Using catalog 'C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem2.CAT'.
! sig: VerifyTrustFailed for C:\Windows\system32\vrvd3.dll.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
cpy: DrpSetRegFileProt 'C:\Windows\system32\vrvd3.dll' Status=0 Class=OEM Legacy
flq: ScanQ action=200 DoPruning=32
flq: ScanQ end Validity flags=620 CopyNodes=0
dvi: {_SCAN_FILE_QUEUE exit(0, 0x00000000)}

Another thing…

The Microsoft cross-certificate for Windows Vista KMCS (MSCV-VSClass3.cer)

isn't verified. Doesn't the cross-certificate work???

The information is as follows…
* Certificate Information on the General tab:
Windows does not have enough information to verify this certificate.

xxxxx@hanmir.com wrote:

… /v option is not supported with /kp option. Please check your
“Kernel-Mode code signing Walkthrough” document.

This is really the only clue I can think to latch on to.

Because in fact the /v option /is/ supported with the /kp option. If
you're finding otherwise, then I would assume either it's not a current
version of SIGNTOOL.EXE, or it's just a syntax issue.

(e.g. “signtool verify /kp mydriver.sys /v” would fail because options
have to precede the driver name; “signtool verify /kp /v mydriver.sys”
would succeed.)

Perhaps indicate the version of the WDK and/or SIGNTOOL with which
you’re seeing this behavior. I believe others have reported that
several of the early WDKs indeed could not successfully employ the
cross-certificates.

I can only cite success with the WDK build 5728 and later; but that’s
because I wasn’t trying with any earlier builds, so I just can’t say
which earlier ones did or didn’t work.

Alan Adams

Hi Alan… You are right…

I signed with an old version of the WDK…

Everything is OK with WDK 5744.

Thanks…