W7x64: Issue(s) installing apparently correctly signed driver?

FAQ of FAQs I’m sure, so apologies. I’m doing what I hoped was a quick bit of
desktop research to grok the driver signing/install process.

Thoughts most welcome and much appreciated. The facts follow:


Using MSVAD sample from WDK8.1 built with VS2013 Pro on Win7x64U.
Certificate is Digicert code signing with PFX export contains ‘all
certificates in the certification path’ and ‘all extended properties’. Using
PFX so I can be absolutely sure signtool does not pick up self-signed test
certs …

Then:

copy x64\win7debug\vadsimpl.sys .
signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com vadsimpl.sys
inf2cat /driver:. /os:7_x64
signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com msvad.cat
signtool verify /v /kp msvad.cat

As far as signtool goes, all looks 100% OK.

Issued to:
Issued by: DigiCert High Assurance Code Signing CA-1
Expires:
SHA1 hash:

Successfully verified: msvad.cat

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Install using ‘add legacy hardware’ in Device manager. All good, with
‘Would you like to install this device software?’ popping up as expected.
The publisher is precisely as advertised in the Digicert certificate etc.

Then ‘Completing the Add Hardware Wizard’ shows ‘cannot verify digital
signatures for the drivers required for this device’ …

Windows Event log shows the 5038 error as described here:
https://msdn.microsoft.com/en-us/library/windows/hardware/dn741536(v=vs.85).aspx

And setupapi.log has the following bang (more or less) lines:

! sig: VerifyTrustFailed for C:\Windows\system32\drivers\vadsimpl.sys.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
! sto: Driver package signer is unknown but user trusts the signer.

sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000242: The publisher of an Authenticode™ signed catalog has not yet been established as trusted.

!!! dvi: Device not started: Device has problem: 0x34: CM_PROB_UNSIGNED_DRIVER.

xxxxx@chordia.co.uk wrote:

> Using MSVAD sample from WDK8.1 built with VS2013 Pro on Win7x64U.
> Certificate is Digicert code signing with PFX export contains ‘all
> certificates in the certification path’ and ‘all extended properties’. Using
> PFX so I can be absolutely sure signtool does not pick up self-signed test
> certs …
>
> Then:
>
> copy x64\win7debug\vadsimpl.sys .
> signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com vadsimpl.sys
> inf2cat /driver:. /os:7_x64
> signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com msvad.cat
> signtool verify /v /kp msvad.cat
>
> As far as signtool goes, all looks 100% OK.
>
> Issued to:
> Issued by: DigiCert High Assurance Code Signing CA-1
> Expires:
> SHA1 hash:

That does not look 100% OK. You have not included the required “cross
certificate” from Microsoft. In order to be 100% OK, the chain has to
end with the “Microsoft Code Verification Root”. The Windows kernel
does not have time to go validate all of the various certificate
authorities. Instead, it trusts exactly one root authority, and you are
required to get a certificate, issued by Microsoft, that “crosses” from
your certificate authority to the Microsoft root.

If you go to the following page, you can see a couple of DigiCert
cross-certificates. You need to fetch the right one and pass it via the
/ac parameter to “signtool sign”. You may have to try all 3 to figure
out which one you need.

https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx

> And setupapi.log has the following bang (more or less) lines:
>
> ! sig: VerifyTrustFailed for C:\Windows\system32\drivers\vadsimpl.sys.
> ! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

THAT warning will still be issued after signing. It doesn’t go away
until you get a WHQL signature.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
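The cross-signing fix Tim describes, carried through as an added example (this is not code from either post, nor DigiCert's or Microsoft's): the original poster's signtool/inf2cat sequence with the /ac cross-certificate added at both signing steps, followed by a check that signtool's kernel-mode (/kp) chain really does end at Microsoft Code Verification Root. The file name DigiCertCrossCert.cer is a placeholder for whichever cross-certificate from the linked Microsoft page matches the issuing CA; my.pfx, pwd, vadsimpl.sys and msvad.cat are taken from the thread; signtool.exe and inf2cat.exe are assumed to be on PATH.

```powershell
# Added example (not from the thread): cross-sign the MSVAD sample for
# Win7 x64 kernel-mode loading and confirm the chain root signtool builds
# under the kernel-mode policy.
$ErrorActionPreference = 'Stop'

$Pfx       = '.\my.pfx'                 # PFX from the thread
$PfxPass   = 'pwd'
$CrossCert = '.\DigiCertCrossCert.cer'  # hypothetical name: the DigiCert cross-cert downloaded from Microsoft
$Timestamp = 'http://timestamp.digicert.com'
$Driver    = '.\vadsimpl.sys'
$Catalog   = '.\msvad.cat'

# Runs an external tool, fails loudly on a non-zero exit code, returns its output as one string.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    $out = & $Exe @ToolArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') failed:`n$out" }
    return $out
}

# Signs a file with the PFX and embeds the cross-certificate (/ac) so the
# kernel can build a chain from the DigiCert CA up to its own root.
function Invoke-KernelModeSign {
    param([string]$File)
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $CrossCert,
                                 '/f', $Pfx, '/p', $PfxPass,
                                 '/t', $Timestamp, $File) | Out-Null
}

# Verifies under the kernel-mode driver policy (/kp) and checks that the
# verbose chain listing terminates at Microsoft Code Verification Root.
# A file can pass 'signtool verify' without /ac and still fail this test;
# that is exactly the situation in the first post.
function Test-KernelModeChain {
    param([string]$File)
    $out = Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', $File)
    $ok  = [bool]($out -match 'Microsoft Code Verification Root')
    if (-not $ok) {
        Write-Warning ("{0}: signtool verified the signature, but the /kp chain does not end at " +
                       "Microsoft Code Verification Root; the /ac cross-certificate is missing or wrong.") -f $File
    }
    return $ok
}

# 1. Embedded-sign the binary first; the catalog built next hashes the file as it is now.
Invoke-KernelModeSign $Driver

# 2. Build the catalog for Win7 x64 (inf2cat OS tag as documented by Microsoft).
Invoke-Tool 'inf2cat.exe' @('/driver:.', '/os:7_X64') | Out-Null

# 3. Sign the catalog with the same cross-certificate.
Invoke-KernelModeSign $Catalog

# 4. Check both artefacts before touching Device Manager.
$results = @{
    Driver  = Test-KernelModeChain $Driver
    Catalog = Test-KernelModeChain $Catalog
}
$results
```

Run this from a WDK build prompt in the directory that holds the INF, after placing the cross-certificate file beside it. If Test-KernelModeChain reports False for a file that signtool otherwise verifies cleanly, the signature is valid but the chain stops at the DigiCert root, which the kernel-mode policy does not trust; the install then fails with CM_PROB_UNSIGNED_DRIVER as shown in the setupapi log above, regardless of what the Device Manager publisher prompt displays.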