RE: W7x64: Issue(s) installing apparently correctly signed driver? [solved]

Bingo! Tim, *splendid*, that did the trick. Thank you.

VBR,

Jerry


For anyone else passing this way:

signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com /ac digicert-root.crt vadsimpl.sys
inf2cat /driver:. /os:7_x64
signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com /ac digicert-root.crt msvad.cat
signtool verify /v /kp msvad.cat

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-580871-xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: 20 April 2015 17:37
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] W7x64: Issue(s) installing apparently correctly signed driver?

xxxxx@chordia.co.uk wrote:
> Using MSVAD sample from WDK8.1 built with VS2013 Pro on Win7x64U.
> Certificate is Digicert code signing with PFX export contains ‘all
> certificates in the certification path’ and ‘all extended properties’.
> Using PFX so I can be absolutely sure signtool does not pick up
> self-signed test certs …
>
> Then:
>
> copy x64\win7debug\vadsimpl.sys .
> signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com vadsimpl.sys
> inf2cat /driver:. /os:7_x64
> signtool sign /f my.pfx /p pwd /t http://timestamp.digicert.com msvad.cat
> signtool verify /v /kp msvad.cat
>
> As far as signtool goes, all looks 100% OK.
>
> Issued to:
> > Issued by: DigiCert High Assurance Code Signing CA-1
> > Expires:
> > SHA1 hash:
>
> That does not look 100% OK. You have not included the required “cross
> certificate” from Microsoft. In order to be 100% OK, the chain has to
> end with the “Microsoft Code Verification Root”. The Windows kernel
> does not have time to go validate all of the various certificate
> authorities. Instead, it trusts exactly one root authority, and you are
> required to get a certificate, issued by Microsoft, that “crosses” from
> your certificate authority to the Microsoft root.
>
> If you go to the following page, you can see a couple of DigiCert
> cross-certificates. You need to fetch the right one and pass it via the
> /ac parameter to “signtool sign”. You may have to try all 3 to figure out
> which one you need.
>
> https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx
>
>
> > And setupapi.log has the following bang (more or less) lines:
> >
> > ! sig: VerifyTrustFailed for C:\Windows\system32\drivers\vadsimpl.sys.
> > ! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
>
> THAT warning will still be issued after signing. It doesn’t go away until
> you get a WHQL signature.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
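
A check a build script could run on the text printed by `signtool verify /v /kp`, added here as an example and not part of the original thread: it passes only when a certificate chain in the output starts at the self-issued "Microsoft Code Verification Root" that Tim describes. The section headers and the sample output are constructed assumptions about signtool's verbose layout, and "Example Vendor Ltd" is a placeholder subject.

```python
import re

KERNEL_ROOT = "Microsoft Code Verification Root"  # root named in Tim's reply

def parse_chains(output):
    """Map each section header of the verbose output to its (issued_to, issued_by) pairs."""
    chains, section, subject = {}, None, None
    for line in output.splitlines():
        header = re.match(r"^(\S.*):\s*$", line)  # e.g. "Signing Certificate Chain:"
        field = re.match(r"^\s+(Issued to|Issued by):\s*(.*)$", line)
        if header:
            section, subject = header.group(1), None
            chains[section] = []
        elif field and section is not None:
            if field.group(1) == "Issued to":
                subject = field.group(2).strip()
            elif subject is not None:
                chains[section].append((subject, field.group(2).strip()))
                subject = None
    return chains

def kernel_chain_ok(output):
    """True only if a non-timestamp chain begins at a self-issued KERNEL_ROOT."""
    return any(
        certs and certs[0] == (KERNEL_ROOT, KERNEL_ROOT)
        for section, certs in parse_chains(output).items()
        if not section.lower().startswith("timestamp"))

# Constructed sample output (not captured from a real run); expiry and hash lines omitted.
SIGNING_CHAIN = """Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
        Issued to: DigiCert High Assurance Code Signing CA-1
        Issued by: DigiCert High Assurance EV Root CA
            Issued to: Example Vendor Ltd
            Issued by: DigiCert High Assurance Code Signing CA-1
"""
CROSS_CHAIN = """Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
            Issued to: DigiCert High Assurance Code Signing CA-1
            Issued by: DigiCert High Assurance EV Root CA
                Issued to: Example Vendor Ltd
                Issued by: DigiCert High Assurance Code Signing CA-1
"""
if __name__ == "__main__":
    print(kernel_chain_ok(SIGNING_CHAIN), kernel_chain_ok(SIGNING_CHAIN + CROSS_CHAIN))
```

Signing without `/ac` corresponds to the first sample alone; the second sample appended is what the check expects after the cross-certificate is supplied.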