I get a Ev Code sign in Cloud from Certum. And with the SimplySign app, I do not need to get the USB disk.
But when sign with the cert, An error occurs:
SignTool.exe sign /ac "Certum Trusted Network CA.crt" /sha1 afdd9e4c718b41fb7981ee32c55837035bdb9abe /t http://time.certum.pl /fd sha256 /v dmfs.sys
The following certificate was selected:
Issued to: Beijing Healthy Hailstone Technology Co., Ltd.
Issued by: Certum Extended Validation Code Signing CA SHA2
Expires: Sat Dec 12 19:28:35 2020
SHA1 hash: AFDD9E4C718B41FB7981EE32C55837035BDB9ABE
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 21:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Certum Trusted Network CA
Issued by: Microsoft Code Verification Root
Expires: Fri Apr 16 04:25:34 2021
SHA1 hash: 55435515FDD2486575FDC5CF3BAD00C913123D03
Issued to: Certum Extended Validation Code Signing CA SHA2
Issued by: Certum Trusted Network CA
Expires: Tue Jan 19 19:55:39 2027
SHA1 hash: BC432D6E675FF26B7BA71C24EA469A7D5457C745
Issued to: Beijing Healthy Hailstone Technology Co., Ltd.
Issued by: Certum Extended Validation Code Signing CA SHA2
Expires: Sat Dec 12 19:28:35 2020
SHA1 hash: AFDD9E4C718B41FB7981EE32C55837035BDB9ABE
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146893792/0x80090020)
Under the condition, I do not know how to process the error. And Why it occurs.
Is any idea?
Related
Why signing works but signing verification doesn't ?
signtool sign /v /ac comodorsacertificationauthority_kmod.crt /tr http://timestamp.comodoca.com/rfc3161 mydriver.sys
The following certificate was selected:
Issued to: Company, Inc
Issued by: COMODO RSA Extended Validation Code Signing CA
Expires: >..
SHA1 hash: ....
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: COMODO RSA Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon Apr 12 01:16:20 2021
SHA1 hash: 106870659C069F248C8C0A05ACD871CABEB3CC38
Issued to: COMODO RSA Extended Validation Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon Dec 03 02:59:59 2029
SHA1 hash: 351A78EBC1B4BB6DC366728D334231ABA9AE3EA7
Issued to: Company, Inc
Issued by: COMODO RSA Extended Validation Code Signing CA
Expires: ...
SHA1 hash: ...
Done Adding Additional Store Successfully signed: mydriver.sys
signtool verify /v /kp mydriver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 1EDBB6F9354413D1B0F1696BF713281954F75130
Signing Certificate Chain:
Issued to: COMODO RSA Certification Authority
Issued by: COMODO RSA Certification Authority
Expires: Tue Jan 19 02:59:59 2038
SHA1 hash: AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Issued to: COMODO RSA Extended Validation Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon Dec 03 02:59:59 2029
SHA1 hash: 351A78EBC1B4BB6DC366728D334231ABA9AE3EA7
Issued to: MyCompany, Inc
Issued by: COMODO RSA Extended Validation Code Signing CA
Expires: ...
SHA1 hash: ...
The signature is timestamped: Thu Oct 25 16:17:01 2018
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-1 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 03A5B14663EB12023091B84A6D6A68BC871DE66B
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Maybe you should use verify /ds 1 /v?? Where /ds 1 is index 1, not 0?
https://learn.microsoft.com/en-US/dotnet/framework/tools/signtool-exe
When I try to install my device driver, I get the
"Program Compatibility Dialog"
A digitally signed driver is required : Process Detection Driver Cetrus. Windows blocked the installation of a digitally unsigned driver. Uninstall the program or device that uses the driver and check the publisher's website for a digitally signed version of the driver.
My driver is signed:
Verifying: PDetect64.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 039DFBD6C922B86BC9D8E2ABF9AADAB800ABE21E
Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 03:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 03:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 16:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Cetrus LLC
Issued by: COMODO RSA Code Signing CA
Expires: Sun May 26 16:59:59 2019
SHA1 hash: 647ACC3A5A36302E3A096F05595FD94EF8ED530D
The signature is timestamped: Fri May 26 10:58:35 2017
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 11:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-1 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 11:40:36 2019
SHA1 hash: 03A5B14663EB12023091B84A6D6A68BC871DE66B
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 13:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 03:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 16:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Cetrus LLC
Issued by: COMODO RSA Code Signing CA
Expires: Sun May 26 16:59:59 2019
SHA1 hash: 647ACC3A5A36302E3A096F05595FD94EF8ED530D
Successfully verified: PDetect64.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Can somebody help with how to go about figuring out why Windows 10 thinks this is an unsigned driver?
What specific version of Windows 10 you are running? Starting with new installations of Version 1607 of Windows 10, Windows not load any new kernel mode drivers which are not signed by the Dev Portal. For more details, see https://learn.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-
The ONLY way is to sign the driver with an EV code signing certificate.
Problem summary
My Windows application includes a service that loads a rather simple driver. This driver contains embedded SHA1 as well as SHA256 signatures and includes a cross-signing certificate chain for both of them, as per the KMCS requirements described in the MS Kernel Signing doc for signing a driver without a CAT file.
The driver loads perfectly fine on most Windows installations but fails to load in some rare cases, mostly on Windows 7 x64 and Windows 10 x64. The error is 0x241 (577): Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
More info
I've been trying to figure out what might be the cause of this problem for the better part of two weeks. As you'd expect, this error only comes up on the user's machines. I have installed 4 VMs with Windows 7 x64 and another 4 VMs with Windows 10 x64 in various configurations and with various levels of updates. I went as far as completely reproducing a user's setup in one of the Windows 10 VMs - I spent a whole day installing the exact Windows edition with the right language and with all the software they had down to the precise version in an attempt to reproduce the problem. No such luck, though: when installing my application, the driver loaded perfectly fine.
In the hope that someone might have an idea of what might be going on or could at least point me in the right direction, I decided to ask here: what could possibly be causing a driver that is apparently correctly signed to fail validation on some Windows installations?
Further details
I am using a StartCom Class 3 Code Signing certificate. I downloaded the cross-signing StartCom certificate from the Microsoft Cross-Certificates for Kernel Mode Code Signing page.
My certificate is in a pfx file and I am signing the driver as follows:
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys
Since this is not a hardware driver that would need to be installed, it does not include a .CAT file or .INF file. It's simply a driver that gets loaded when the service starts and unloaded when the service stops.
As it can be noticed, the SHA256 signature is added after the SHA1 signature (with /as) and it also uses an SHA256 timestamping server. It is dual signed for compatibility with older operating systems, although I must say it fails to load in Vista x64, presumably because my certificate is using SHA256 as the signature algorithm. It's worth noting that the driver loads fine on Windows XP x64. It's also worth mentioning that all users for whom it failed to load report that both signatures are validated fine when inspecting the Digital Signature tab of the file properties. I can live without Vista x64 compatibility, but the Windows 7 and Windows 10 problems are very worrying and force me to keep the application in beta testing.
Out of some 150+ installs across various Windows versions, I've had:
3 users for whom validation failed in Windows 7 x64. One of them didn't have all the updates installed, went ahead and installed some 200 updates after which validation passed and the problem was solved. I recommended updating to the other 2 users having the same problem but I haven't received any feedback so I don't know if the problem was fixed, nor do I even know if their Windows was up to date to begin with or not.
3 users for whom the driver failed to load on Windows 10 x64. All of them were much more responsive than the Windows 7 users and I was able to find out that all of them have all the updates installed. Two of the three users installed using the Windows 10 Anniversary edition installation kit.
1 user for whom the driver failed to load on Windows 2003 R2 x86. I also created a VM with this OS and failed to reproduce the problem.
Every time the driver fails to load, an Audit Failure event is generated in the Security event category with the text:
*Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolumeX\Program Files (x86)\path\to\driver.sys*
I get exactly the same error in Vista x64 and enabling the Code Integrity verbose log results in a lot of messages about loading all the .CAT files and nothing else of interest. Naturally, in Vista x64 the Code Integrity operational log includes an Error about the file not getting validated, rather similar to the Audit Error above.
Running
signtool.exe verify /v /kp driver.sys
Results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: StartCom Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 23:23:19 2021
SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
Successfully verified: driver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Running
signtool.exe verify /v /pa /all driver.sys
Results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
Successfully verified: driver.sys
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
What is a bit strange is that verifying with no special switches results in certificate chain errors. Then again, I get the same error when checking a VMWare driver so I guess it's not something to worry about. In any case, running:
signtool.exe verify /v /all driver.sys
Results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2
I am using signtool.exe from the 8.1 Windows kit that ships with VS 2015, its version is 6.3.9600.17298. For what it's worth, the driver is compiled with WDK 7.1.0 (7600.13685.1).
As Martin Drab posted above, the problem is twofold. By the way, thanks Martin, your comment helped me sort it out, I was able to reproduce the Windows 10 problem by setting up a VM with Secure Boot enabled.
For operating systems older than Windows 10, the problem seems to be fixed by installing all the latest updates. If the PC wasn't updated since before 01.11.2015 (when the new Microsoft Code Verification Root certificate was issued), it won't be able to validate because the kernel doesn't recognize the root certificate.
For Windows 10 there is a new Kernel Mode Code Signining Policy that specifies that all fresh installations of Windows 10 Anniversary Edition will not validate any kernel code that is not signed by the Microsoft Dev Portal (which requires an EV certificate) unless it was signed with a cross-signing certificate issued prior to July 29th 2015 or Secure Boot is disabled.
The reason the problem was only occurring rarely is that most people don't have Windows 7 machines that haven't been updated in ages and most of those that have Windows 10 at the time of this writing aren't using fresh installs of the Anniversary Edition.
The only real solution for Windows 10 is to get an EV certificate.
I have two driver files which appear to have been singned properly:
bobbarker#bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt.sys
Verifying: truecrypt.sys
Hash of file (sha1): 8562AC6F95298C1904DFC0B579C51CBB414D13C9
Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
The signature is timestamped: Tue Dec 30 00:29:01 2014
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 18:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 18:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 18:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 15:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
Successfully verified: truecrypt.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
bobbarker#bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt-x64.sys
Verifying: truecrypt-x64.sys
Hash of file (sha1): 5B9B534E682A8768F404B1A1CBFD9ACC98B8E195
Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
The signature is timestamped: Tue Dec 30 00:28:52 2014
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 18:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 18:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 18:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 15:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250
Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4
Successfully verified: truecrypt-x64.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
bobbarker#bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$
But when I try to install them I get the dredded error:
Windows cannot verify the digital signature for this file. A recent
hardware or software change might have installed a file that is signed
incorrectly or damaged, or that might be malicious software from an
unknown source.
I have posted the files in question, along with the relevant certs. I create the files using the following command:
for i in *.sys; do
cp "$i" "$i".presignbak && \
/cygdrive/c/WinDDK/7600.16385.1/bin/amd64/SignTool.exe sign /v /ac AddTrust_External_CA_Root-srosssigned-by-Microsoft.crt /f signkey.pfx /p password /t http://timestamp.verisign.com/scripts/timstamp.dll "$i" ;
done
My cert uses Signature Algorithm: sha256WithRSAEncryption
What should I try next?
It turns out that Microsoft does not support SHA-2 for driver signing on Windows 7.
In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.
Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates. Here are the steps to create the two signatures using Visual Studio.
Could be that your Windows PC hasn't the same CA root installed than the machine you used to sign & verify?
Check if the listed CAs in the certificate chain are correctly installed (Run > mmc) where you are trying to install.
Solved!
Hope you guys can help!
First off. I have gone through every article I could find at SO, as well as MSDN, etc.
I am trying to sign an installshield exe.
I have a godaddy code signing certificate, and have no problem signing the certificate at all. What I do have an issue with is no matter what I do, I get Publisher Unknown on every other computer.
See output below.
Bottom line: I get no issues signing the cert, but cannot remove the unknown publisher error during the UAC Prompt (The test computers have internet access)
Also: If I omit the /kp option on verify I get: SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Final update:
If I run verify /pa /v temp\setup.exe I get success on the verify, but still an error on the Unknown publish. The /kp option was used incorrectly on this sign.
Steps:
%SIGNTOOL% sign /v /ac %BUILDROOT%%CERTPATH%%MSCERT% /f %BUILDROOT%%CERTPATH%%CERT% /p %CERTPW% /n "%COMPANY%" /t %TIMESTAMP% %BUILDROOT%%TEMPPATH%\setup.exe
Output:
The following certificate was selected:
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 16:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 03:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
Done Adding Additional Store
Successfully signed and timestamped: c:\build\temp\setup.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Verify:
Verifying: c:\build\temp\setup.exe
Hash of file (sha1): 62F814EFC81400AD938AB9D9D49B36F7175A098A
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 19:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 03:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
The signature is timestamped: Sun Jun 24 09:57:57 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 19:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 19:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Mon Dec 31 19:59:59 2012
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 16:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 03:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: %COMPANY NAME%
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Jun 22 14:07:27 2013
SHA1 hash: 612A38DDED199101442B09D884ED718BBE00D252
Successfully verified: c:\build\temp\setup.exe
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Solved!
The issue was the MSI inside the exe installer. The setup.exe file was signed, but when the msi inside was extracted and ran, that file was not signed. Signed both, and the error went away!!!