win7: SignTool Error: No certificates were found that met all the given criteria.

Same steps work in XP, not in Win 7:

SignTool Error: No certificates were found that met all the given criteria.

All tools are from the latest WDK.

  1. install ThawteCodeSigningCA.cer
  2. install MSCV-Globalsign.cer
  3. install pvkimport.exe
  4. run pvkimport.exe -import codesign_61610.cer mykey.pvk and give it the password
  5. run certmgr.exe; yes, I do see our certificate under the Personal store
  6. build my driver from the WinDDK
  7. inf2cat /driver:%my_driver_path% /os:7_X86

C:\WinDDK\7600.16385.1\src\general\toaster\wdm\bus\objfre_win7_x86\i386

c:\winddk\7600.16385.1\bin\x86\signtool sign /a /v /ac c:\opt\thawte-roots\MSCV-GlobalSign.cer /s my /n "somehow's company" /t http://timestamp.versign.com/scripts/timestamp.dll busenum.sys
SignTool Error: No certificates were found that met all the given criteria.

xxxxx@hotmail.com wrote:

> c:\winddk\7600.16385.1\bin\x86\signtool sign /a /v /ac c:\opt\thawte-roots\MSCV-GlobalSign.cer /s my /n "somehow's company" /t http://timestamp.versign.com/scripts/timestamp.dll busenum.sys
> SignTool Error: No certificates were found that met all the given criteria.

The /n parameter is rather picky. Make sure the capitalization and
punctuation match exactly. There was a bug in /n in one of the beta Win
7 WDKs that caused me to switch to using the SHA1 thumbprint to select
the certificate instead of /n; that’s more precise, and probably a
better long-term solution anyway.

Why is Thawte in your recipe? They aren’t one of the “approved” KMCS
certificate authorities.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I solved this issue, but then hit another error …

Thawte is the one we use for our XP digital signing, so I'm trying to port to Win7.
So you are saying it won't work?

Basically, for Win7 you have to use pvk2pfx, not pvkimport.

Then I get this; any suggestions?

C:\WinDDK\7600.16385.1\lib\win7\i386>c:\winddk\7600.16385.1\bin\x86\signtool sign /a /v /ac c:\opt\thawte-roots\MSCV-GlobalSign.cer /s my /n "Interva, Inc." /t http://timestamp.versign.com/scripts/timestamp.dll GenCrash.sys
The following certificate was selected:
Issued to: Interval, Inc.
Issued by: Thawte Code Signing CA
Expires: Mon Jul 25 19:59:59 2011
SHA1 hash: 44397D9A4E35174E18FFD16D58F01B5A58B1D10A

Cross certificate chain (using user store):
Issued to: Thawte Premium Server CA
Issued by: Thawte Premium Server CA
Expires: Thu Dec 31 19:59:59 2020
SHA1 hash: 627F8D7827656399D27D7F9044C9FEB3F33EFA9A

Issued to: Thawte Code Signing CA
Issued by: Thawte Premium Server CA
Expires: Mon Aug 05 19:59:59 2013
SHA1 hash: A706BA1ECAB6A2AB18699FC0D7DD8C7DE36F290F

Issued to: Interval, Inc.
Issued by: Thawte Code Signing CA
Expires: Mon Jul 25 19:59:59 2011
SHA1 hash: 44397D9A4E35174E18FFD16D58F01B5A58B1D10A

Signtool Error: The provided cross certificate would not be present in the certificate chain.

C:\WinDDK\7600.16385.1\lib\win7\i386>

DEFINITELY not my area, but I think that this means that the root of trust
does not end up with msft.

mm



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

On 06/23/2010 04:11 AM, xxxxx@hotmail.com wrote:

/ac c:\opt\thawte-roots\MSCV-GlobalSign.cer

[…]

Signtool Error: The provided cross certificate would not be present
in the certificate chain.

Of course not: It is not referenced for anything!

Explanation:

To verify a PK signature, you need an unbroken “signature path” from the
bottom to the top (root) CA.

Let’s see what you have got:

(1) Your company -> Thawte Code Signing CA
Issued to: Interval, Inc.
Issued by: Thawte Code Signing CA

(2) Thawte Code Signing CA -> Thawte Premium Server CA
Issued to: Thawte Code Signing CA
Issued by: Thawte Premium Server CA

(You also have a self-certificate of Thawte Premium Server CA, but this
is not relevant to our discussion.)

What you would need now is this:

(3) Thawte Premium Server CA -> Microsoft Code Certification Root
Issued to: Thawte Premium Server CA
Issued by: Microsoft Code Certification Root

But what you have got in MSCV-GlobalSign.cer is:

(x) GlobalSign Code Signing CA -> Microsoft Code Certification Root

(See this page for a picture with a complete chain:
https://globalsign.com/support/code-signing/codesign_vista64.php)

Of course you can’t use a GlobalSign->Microsoft cross-certificate to
cross-certify some other CA (Thawte) with it.

If you want to make a kernel driver that runs at boot time - using your
Thawte code-signing certificate - you need a cross-certificate linking
Thawte CA to the MS Code Signing Root.

If Microsoft does not provide one, you are out of luck.

Another CA (e.g. GlobalSign) could make a cross-certificate for Thawte
to complete the chain. So if e.g. CA “A” takes over CA “B”, then CA “A”
could provide a cross-certificate for “B”. Theoretically.
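The chain argument above can be checked mechanically. The following is an added example, not code from the thread or from SignTool: it parses the "Issued to / Issued by" pairs that signtool printed in the earlier post (embedded here as constructed sample input), walks the issuer links from the leaf certificate up to the self-signed root, and then asks the question signtool is asking: is the CA the cross-certificate was issued TO actually on that path? The GlobalSign cross-certificate fails that test for a Thawte chain; a hypothetical cross-certificate issued to "Thawte Premium Server CA" would pass. The Microsoft root is named here by its real subject, "Microsoft Code Verification Root" (the thread calls it the Microsoft Code Certification Root); the Thawte-to-Microsoft cross-certificate in the second call is an assumption used only to show what a completed chain would look like.

```python
"""Check whether a KMCS cross-certificate can extend a certificate chain.

Constructed sample input: the chain listing signtool printed in this thread.
Only the "Issued to"/"Issued by" lines matter for the chain walk; the
Expires and SHA1 lines are ignored.
"""
import re

SIGNTOOL_OUTPUT = """\
The following certificate was selected:
Issued to: Interval, Inc.
Issued by: Thawte Code Signing CA
Expires: Mon Jul 25 19:59:59 2011
SHA1 hash: 44397D9A4E35174E18FFD16D58F01B5A58B1D10A

Cross certificate chain (using user store):
Issued to: Thawte Premium Server CA
Issued by: Thawte Premium Server CA
Expires: Thu Dec 31 19:59:59 2020
SHA1 hash: 627F8D7827656399D27D7F9044C9FEB3F33EFA9A

Issued to: Thawte Code Signing CA
Issued by: Thawte Premium Server CA
Expires: Mon Aug 05 19:59:59 2013
SHA1 hash: A706BA1ECAB6A2AB18699FC0D7DD8C7DE36F290F

Issued to: Interval, Inc.
Issued by: Thawte Code Signing CA
Expires: Mon Jul 25 19:59:59 2011
SHA1 hash: 44397D9A4E35174E18FFD16D58F01B5A58B1D10A
"""

# Real subject of the Microsoft root that issues the KMCS cross-certificates.
MS_ROOT = "Microsoft Code Verification Root"


def parse_chain(text):
    """Return (subject, issuer) pairs in the order signtool printed them."""
    subjects = re.findall(r"^Issued to: (.+)$", text, re.M)
    issuers = re.findall(r"^Issued by: (.+)$", text, re.M)
    return list(zip(subjects, issuers))


def build_path(leaf, certs):
    """Walk issuer links upward from the leaf.

    Returns (path, rooted): the ordered list of subjects from the leaf up,
    and whether the walk ended at a self-signed certificate (a root) rather
    than at a dead end or a loop.
    """
    by_subject = {subject: issuer for subject, issuer in certs}
    path, seen, cur = [leaf], {leaf}, leaf
    while True:
        issuer = by_subject.get(cur)
        if issuer is None or issuer in seen:
            # issuer == cur is the self-signed root; anything else is a gap or loop
            return path, issuer == cur
        path.append(issuer)
        seen.add(issuer)
        cur = issuer


def diagnose(text, leaf, cross_cert_subject, cross_cert_issuer):
    """Reproduce signtool's decision about the /ac cross-certificate.

    A cross-certificate is usable only if the CA it was issued TO already
    sits on the leaf's path; it then re-parents that CA under cross_cert_issuer.
    Returns (verdict, resulting_path).
    """
    path, _rooted = build_path(leaf, parse_chain(text))
    if cross_cert_subject in path:
        cut = path.index(cross_cert_subject)
        return "ok", path[: cut + 1] + [cross_cert_issuer]
    return "cross certificate not in chain", path


if __name__ == "__main__":
    # What the poster did: a GlobalSign cross-cert against a Thawte chain.
    print(diagnose(SIGNTOOL_OUTPUT, "Interval, Inc.",
                   "GlobalSign Code Signing CA", MS_ROOT))
    # Hypothetical: a cross-cert issued to the Thawte root would complete it.
    print(diagnose(SIGNTOOL_OUTPUT, "Interval, Inc.",
                   "Thawte Premium Server CA", MS_ROOT))
```

The first call ends in the same verdict signtool gave; the second shows the shape of a chain that would satisfy KMCS: leaf, Thawte Code Signing CA, Thawte Premium Server CA, then the Microsoft root supplied by the cross-certificate.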

Thawte code signing certificates I’m almost certain are not compatible with
kernel code signing. If they were you also would need to use a Thawte cross
certificate instead of the GlobalSign cross certificate.

You will need to purchase a kernel code signing compatible certificate, like
from Verisign ($400/yr with WHQL discount) or GlobalSign (about $230/yr). If
you then want to pursue WHQL signing, you MUST have a certificate from
Verisign, although they will sell you a company id only certificate for $100
(which can be used for code signing). If you plan WHQL certification, there
is not a huge price advantage of the GlobalSign+Verisign corp certificates
over the single Verisign code signing certificate (which can also be used to
establish WHQL corp identity).

Jan


xxxxx@hotmail.com wrote:

I solved this issue, but then hit another error …

Thawte is the one we use for our XP digital signing, so I'm trying to port to Win7.
So you are saying it won't work?

XP didn’t require a digital signature, so whatever you were doing was
just for fun anyway, right?

You can still use your Thawte certificate to sign your drivers, and that
will change the “CAUTION: UNSIGNED DRIVER” warning to the more pleasant
“Do you trust this publisher?” warning.

HOWEVER, that will not allow your driver to be loaded on a 64-bit
system. Kernel-Mode Code Signing (KMCS) is a separate issue. In order
to satisfy KMCS, you must have a code-signing certificate from a rather
short list of approved certificate authorities, and Thawte is not on
that list.

http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx

Then I get this; any suggestions?

C:\WinDDK\7600.16385.1\lib\win7\i386>c:\winddk\7600.16385.1\bin\x86\signtool sign /a /v /ac c:\opt\thawte-roots\MSCV-GlobalSign.cer /s my /n "Interva, Inc." /t http://timestamp.versign.com/scripts/timestamp.dll GenCrash.sys

Signtool Error: The provided cross certificate would not be present in the certificate chain.

Right, because you are trying to use the GlobalSign cross-certificate,
but you don’t have a GlobalSign certificate to begin with, and there is
no Thawte cross-certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Jan Bottorff wrote:

Thawte code signing certificates I’m almost certain are not compatible with
kernel code signing. If they were you also would need to use a Thawte cross
certificate instead of the GlobalSign cross certificate.

You will need to purchase a kernel code signing compatible certificate, like
from Verisign ($400/yr with WHQL discount) or GlobalSign (about $230/yr). If
you then want to pursue WHQL signing, you MUST have a certificate from
Verisign, although they will sell you a company id only certificate for $100
(which can be used for code signing).

I believe you meant “which CANNOT be used for code signing”.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Oops, my typo, thanks Tim. VeriSign WHQL company id certificates definitely
can’t be used for code signing.

Jan


Thanks very much for everyone's great replies.
Yeah, it seems I need to buy a Verisign certificate to sign the 64-bit Win 7 driver.
(We didn't sign the XP driver, but I was new to the CA stuff and thought we did …)

Thanks again and have a nice day!