We had a couple of Windows 10 x64 systems in our lab that generated this error while installing our driver. Installation of that same driver worked fine on all other Windows 10 x64 systems. After playing with these two systems we identified that they are quite outdated, i.e. Windows update hasn’t been executed on them for a long time. We updated Windows on these systems and the driver now installs just fine on both of them.
I am wondering if there were any early Windows 10 releases that didn’t have SHA256 support?
Any other ideas on what might be missing on older Windows 10 releases that prevents digital signature verification from working properly?
Thank you,
Mike
> I am wondering if there were any early Windows 10 releases that didn’t have SHA256 support?
Certainly not by design. SHA256 support predates Win10 by… a lot.
Now, I’m not saying there couldn’t have been a bug or something…
Peter
Peter,
Do you have any ideas on how this should be researched? There are too many Windows updates and one of them makes the system accept the signature. We need to find which one, so that our installer checks if that functionality is missing and recommends updating Windows prior to installation.
A reason we need to know for sure whether Windows has everything needed for our driver to install properly is that the driver has to be loaded for a boot device. If the digital signature fails to verify during installation, then after Windows is rebooted it ends up with the “inaccessible boot device” error, which can’t even be repaired if there is no restore point created by the user.
I was hoping Windows wouldn’t install the driver if it fails to verify the signature, but it actually installs it anyway and then fails to load it during the next reboot… thus ending up with a complete system failure. We just can’t do this to our clients…
Any ideas on what we could try here would be greatly appreciated.
Thank you,
Mike
On Nov 9, 2018, at 1:57 PM, MikeS wrote:
>
> Do you have any ideas on how this should be researched? There are too many Windows updates and one of them makes the system accept the signature. We need to find which one, so that our installer checks if that functionality is missing and recommends updating Windows prior to installation.
Are you talking about a driver that you signed yourself? It’s not impossible that one of the updates did a root certificate update, and your certificate needs the new root certificate.
—
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
> It’s not impossible that one of the updates did a root certificate update, and your certificate needs the new root certificate.
I agree that’s the most likely issue you’re seeing.
I think you can check for this with signtool (I think “SignTool verify /v /kp” or something similar). Do this on the system where the driver is installed but is not recognized, and on a system where the driver is installed and is recognized. Compare. The verification shouldn’t succeed on the older system. Using this, you should be able to verify that the root cert is in fact the problem. Then… it’s “simply” a matter of figuring out which KB updates the root certificates. And, you know, good luck with that.
Having now told you all that, let me hasten to add that what I’m describing is merely conjecture on my part. It’s not like I’ve diagnosed this same problem myself in the past, so I’m really just guessing.
Peter
Peter, Tim,
Yes, this was related to the root certificate. Windows update was needed for Windows to authenticate my certificate/signature. In other words, this was necessary to authenticate me, as a vendor, through the chain of certification authorities that issued me the certificate, up to the Microsoft Root Cert.
I solved the problem by adding to my driver a cross-certificate provided by the certification authority I got my EV hardware token from. This was done by adding a “/ac .crt” to my signtool command. Now, the digital signature verification works fine even on a freshly installed Windows with no updates.
As always, thank you very much for sharing your expertise here!
Best regards,
Mike
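
The comparison suggested earlier in the thread (`signtool verify /v /kp` on a failing and a working machine) can also gate an installer, which is the check asked for above. The script below is an added example, not code from any poster; it assumes `signtool.exe` from the Windows SDK/WDK is on PATH, and the parameter names and report file name are hypothetical.

```powershell
# Added example, not from the thread. Assumes signtool.exe (Windows SDK/WDK) is on PATH.
param(
    [Parameter(Mandatory)][string]$DriverPath,   # hypothetical: path to the signed .sys or .cat
    [string]$ReportDir = '.',                    # hypothetical: where the report is written
    [string]$CompareWith                         # optional: report saved on the other machine
)

$signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
if (-not $signtool) { Write-Error 'signtool.exe not found on PATH'; exit 3 }

# /kp = verify against the kernel-mode driver signing policy, /v = verbose chain output.
# Stringify each line so stderr records and stdout lines compare as plain text.
$output = & $signtool.Source verify /v /kp $DriverPath 2>&1 | ForEach-Object { "$_" }
$code   = $LASTEXITCODE   # signtool: 0 = success, 1 = failure, 2 = completed with warnings

# Save one report per machine so the failing and working systems can be diffed.
$report = Join-Path $ReportDir ("sigcheck-{0}.txt" -f $env:COMPUTERNAME)
$output | Set-Content -Path $report -Encoding UTF8
Write-Host "signtool exit code $code; verbose output saved to $report"

if ($CompareWith) {
    # Lines present on only one side point at the difference, for example a chain
    # that stops at a root this machine does not trust.
    Compare-Object (Get-Content $CompareWith) $output |
        Format-Table SideIndicator, InputObject -AutoSize -Wrap
}

if ($code -ne 0) {
    # Refuse to continue: a boot-start driver that fails verification will not load
    # after reboot, which is the failure described in the thread.
    Write-Warning 'Kernel-mode signature verification failed. Update Windows (root certificates) or re-sign with the cross-certificate before installing.'
    exit 1
}
Write-Host 'Signature verifies under the kernel-mode policy; proceeding with installation.'
exit 0
```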