Hi,
When I try to load a signed filter on Vista, I get the message
the signature could not be verified. SignTool however reports this:
    Verifying: c:AlfaFF.sys
    SHA1 hash of file: AC72E9332E5CB697C061A15FC4D7935360A32A2E

    Signing Certificate Chain:
        Issued to: GlobalSign Root CA
        Issued by: GlobalSign Root CA
        Expires: 1/28/2014 1:00:00 PM
        SHA1 hash: 2F173F7DE99667AFA57AF80AA2D1B12FAC830338

            Issued to: GlobalSign Primary Object Publishing CA
            Issued by: GlobalSign Root CA
            Expires: 1/27/2014 12:00:00 PM
            SHA1 hash: 987FD000DCB121517D72453EE5176EB92B1363B9

                Issued to: GlobalSign ObjectSign CA
                Issued by: GlobalSign Primary Object Publishing CA
                Expires: 1/27/2014 11:00:00 AM
                SHA1 hash: 4A19146D67BD20843A3A0713587557BF519213CC

                    Issued to: Dejan Maksimovic
                    Issued by: GlobalSign ObjectSign CA
                    Expires: 1/24/2008 10:10:40 AM
                    SHA1 hash: 1C40C991803EBEF7416E1BF5C5C2D64444C82928

    The signature is timestamped: 2/13/2007 7:40:04 PM
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires: 1/1/2021 12:59:59 AM
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

            Issued to: VeriSign Time Stamping Services CA
            Issued by: Thawte Timestamping CA
            Expires: 12/4/2013 12:59:59 AM
            SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

                Issued to: VeriSign Time Stamping Services Signer
                Issued by: VeriSign Time Stamping Services CA
                Expires: 12/4/2008 12:59:59 AM
                SHA1 hash: 817E78267300CB0FE5D631357851DB366123A690

    Successfully verified: c:AlfaFF.sys

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

What gives?
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
The signature doesn’t “chain up” to the MS code verification root.
I hate to ask the obvious, but… Are you using the proper type of cert (a proper “class 3 code signing cert”)? Did you use the cross-cert during signing?
Peter
OSR
I used an .spc file that includes all the required certificates, and yes it’s a code signing certificate (or so it says when I view the properties). We are
talking about this, right:
“Ensures software came from software publisher
Protects software from alteration after publication
Allows data to be signed with the current time”
?
It does chain up to a Trusted Root, GlobalSign.
Dejan.
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
I’ve also tried this: install Longhorn beta 6001, add CA role, create CA Root, enroll for a Code Signing CERT, Issue it, sign with it - same results!
The signing was done via signtool using the signwizard
This is what the Event Viewer gives (in both the case above and one from previous e-mail):
"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could
indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\drivers\AlfaFF.sys"
(Needless to say I did nothing other than install the driver via INF file, after signing it)
Dejan.
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
Search NTDEV archives or MS web for the latest version of the document which describes kernel driver signing for Vista. It is a real pain to get it working.
Your signtool output shows you probably haven’t used a cross certificate. Also, it can’t be done using signwizard. And an .spc file can’t be used directly.
I’d recommend that you stop experimenting and start searching instead. Don’t expect anything rational from signing tools.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Dejan Maksimovic[SMTP:xxxxx@alfasp.com]
Reply To: Windows File Systems Devs Interest List
Sent: Wednesday, February 14, 2007 12:20 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Vista64 signing probs
>The signing was done via signtool using the signwizard
The signwizard does not support cross certificates. Use the command-line
“signtool” with the “/ac” switch.
The cross certificate for GlobalSign can be found here:
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx#ENG
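Added example, not part of any post in this thread: the SignTool output in the first post shows the signing chain topping out at GlobalSign Root CA, which is what the replies identify as the sign of a missing cross-certificate. This Python sketch parses that output format and flags a signing chain that does not end at Microsoft Code Verification Root; both samples are constructed, and the cross-signed one assumes the cross-certificate shows up as one extra link above GlobalSign Root CA.

```python
KERNEL_ROOT = "Microsoft Code Verification Root"  # the root Peter's reply refers to
# Constructed sample: the chain from the first post, names only.
SAMPLE_NO_CROSS = """\
Signing Certificate Chain:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Issued to: GlobalSign Primary Object Publishing CA
Issued by: GlobalSign Root CA
Issued to: GlobalSign ObjectSign CA
Issued by: GlobalSign Primary Object Publishing CA
Issued to: Dejan Maksimovic
Issued by: GlobalSign ObjectSign CA
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
"""
# Constructed sample (assumption): cross-cert adds one link above GlobalSign Root CA.
SAMPLE_CROSS = SAMPLE_NO_CROSS.replace(
    "Issued to: GlobalSign Root CA\nIssued by: GlobalSign Root CA\n",
    f"Issued to: {KERNEL_ROOT}\nIssued by: {KERNEL_ROOT}\n"
    f"Issued to: GlobalSign Root CA\nIssued by: {KERNEL_ROOT}\n")

def signing_chain(output):
    """Return [(subject, issuer), ...] root first, ignoring the timestamp chain."""
    chain, subject, in_chain = [], None, False
    for line in map(str.strip, output.splitlines()):
        if line.startswith("Signing Certificate Chain"):
            in_chain = True
        elif line.startswith("Timestamp Verified by"):
            in_chain = False
        elif in_chain and line.startswith("Issued to:"):
            subject = line.split(":", 1)[1].strip()
        elif in_chain and line.startswith("Issued by:") and subject:
            chain.append((subject, line.split(":", 1)[1].strip()))
            subject = None
    return chain

def check_kernel_chain(output):
    """Return a list of problems; empty means the chain ends at KERNEL_ROOT."""
    chain = signing_chain(output)
    if not chain:
        return ["no signing certificate chain found"]
    problems = []
    if chain[0][0] != KERNEL_ROOT:
        problems.append(f"chain ends at {chain[0][0]!r}, not {KERNEL_ROOT!r}")
    for (parent, _), (child, issuer) in zip(chain, chain[1:]):
        if issuer != parent:  # each certificate must be issued by the one above it
            problems.append(f"{child!r} issued by {issuer!r}, expected {parent!r}")
    return problems
```

An empty result only means the names in the output link up to that root; the load-time decision is still made by Code Integrity on the target machine.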