Global Sign certificates not working

I have an issue: my 64-bit driver signed with GlobalSign certificates is not working; Windows is unable to verify my digital signature.

OK.

(seriously, you have to give us more information than that… how you’re signing the driver, output from signtool, information on the OS VERSION that is “unable to verify” your driver’s signature, SOMEthing. Otherwise, you have simply made an observation that’s not very interesting.)

Peter
OSR
@OSRDrivers

* O/S: Windows 7/8/8.1 64-bit
* We use GlobalSign certificates with the .pfx extension
* We generate the certificate file from the .pfx using Windows' certmgr.exe
* We sign our driver with signtool.exe using our certificates
* After signing we verify the signatures using signtool.exe, and our drivers are verified successfully
* But when we use them on a Windows 64-bit version: 'Windows is unable to verify my digital signature'

Are you installing the driver with an inf file? Is the CAT file signed?

Peter
OSR
@OSRDrivers

xxxxx@newsoftwares.net wrote:

* O/S: Windows 7/8/8.1 64-bit
* We use GlobalSign certificates with the .pfx extension
* We generate the certificate file from the .pfx using Windows' certmgr.exe
* We sign our driver with signtool.exe using our certificates
* After signing we verify the signatures using signtool.exe, and our drivers are verified successfully
* But when we use them on a Windows 64-bit version: 'Windows is unable to verify my digital signature'

Did you use the GlobalSign cross-certificate with the /ac parameter?
When you do "signtool verify /v /kp", it should end at the Microsoft Code Verification Root.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

* We use an inf file for driver installation.
* We used GlobalSign certificates with both the SHA-1 and the SHA-2 signature algorithm, but neither worked.
i.e. first we used a certificate with SHA-1, which did not work, then we used a certificate with SHA-2, which also did not work.
* We used the /ac parameter, but we did not get what you mean by 'cross-certificates'?
* "When you do 'signtool verify /v /kp', it should end at the Microsoft Code Verification Root.": yes it does.

* We sign our driver in two ways: 1. using signtool in a command prompt with all relevant parameters (here we use the certificate generated by Windows' certmgr.exe from the .pfx file), 2. using a signing GUI which uses the .pfx file as the certificate. We obtain the .pfx file from GlobalSign.
* We last signed our drivers in December 2014 with no problems, and they still work nicely.
* But when we sign our driver using the same process mentioned above, we face the problem: 'The driver failed to start due to the following error:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.'

>> * We used the /ac parameter, but we did not get what you mean by 'cross-certificates'?

Cross-certificates are described here: https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx
Syntax: signtool … /ac "\GlobalSign Root CA.crt" …

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Friday, May 29, 2015 7:04 AM
Subject: RE:[ntdev] Global Sign certificates not working

> * We use an inf file for driver installation.
> * We used GlobalSign certificates with both the SHA-1 and the SHA-2 signature algorithm, but neither worked.
> i.e. first we used a certificate with SHA-1, which did not work, then we used a certificate with SHA-2, which also did not work.
> * We used the /ac parameter, but we did not get what you mean by 'cross-certificates'?
> * "When you do 'signtool verify /v /kp', it should end at the Microsoft Code Verification Root.": yes it does.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Did you try validating the signature with signtool on the exact system that fails? If for example the target system is not SHA2 compatible, and the development system is, you can run signtool /v on the development system and it says the signature is OK, when it actually will not work on the SHA2-incompatible system. Did you try loading the driver on different Windows OS versions, and does it only fail on some?

You can also turn on ETW traces for code integrity to help debug signing issues.

Also note that you can select SHA1 or SHA2 file hashes, and these are a different thing than keys made with SHA1 or SHA2.

You also understand about the difference between 64-bit kernel code signing (the .sys is signed) vs PnP install signing where the .cat is signed?

If you right click on the .sys file in file explorer, on the target system, and look at the digital signature tab, does it say the signature is valid?

Note that you can no longer get new SHA1 keys, although if you already have one that is valid through 2015 it can still be used to do SHA1 signing. There are patches for some older OS versions to work with SHA2 keys, but a clean off the DVD install may not have that patch, and after 12/31/2015 (maybe before) it will no longer be possible to generate SHA1 key signatures. Already SHA1 signed drivers are supposed to keep working after 12/31/2015, but at some future date may not. This means that today, if you don’t have a SHA1 key, you are out of luck at signing drivers that work on OS versions that don’t have the SHA2 compatibility patch.

You say you last signed the drivers in December 2014, is it possible your signing key has been updated since then, and the old one was a SHA1 key and the new one is SHA2?

You may have checked all this so my message is not helpful, but then again maybe you missed one subtle little issue and this is helpful. I know last year I spent multiple days fooling with the SHA1/SHA2 issues, and the fix ended up being to get a SHA1 key (which the CA gave us for free because we had just bought a 3 year SHA2 key).

Jan

On 5/28/15, 10:17 PM, “xxxxx@lists.osr.com on behalf of xxxxx@newsoftwares.net” wrote:

> * We sign our driver in two ways: 1. using signtool in a command prompt with all relevant parameters (here we use the certificate generated by Windows' certmgr.exe from the .pfx file), 2. using a signing GUI which uses the .pfx file as the certificate. We obtain the .pfx file from GlobalSign.
> * We last signed our drivers in December 2014 with no problems, and they still work nicely.
> * But when we sign our driver using the same process mentioned above, we face the problem: 'The driver failed to start due to the following error:
> Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.'
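The steps the replies above describe, signing the .sys with the GlobalSign cross-certificate via /ac, checking with signtool verify /v /kp that the chain ends at the Microsoft Code Verification Root, and then asking Windows itself (Get-AuthenticodeSignature and the Code Integrity event log) on the machine that refuses the driver, put together as one PowerShell script. This is an added example, not code from anyone in the thread; every path, the PFX password and the timestamp URL are placeholders, and the cross-certificate file name follows the one quoted above.

```powershell
# Added example (not from the thread). All paths, the password and the
# timestamp URL below are placeholders to replace with your own values.
param(
    [string]$Driver    = 'C:\build\mydriver.sys',            # placeholder
    [string]$Pfx       = 'C:\keys\globalsign-codesign.pfx',  # placeholder
    [string]$PfxPass   = 'PLACEHOLDER-PASSWORD',             # placeholder
    [string]$CrossCert = 'C:\keys\GlobalSign Root CA.crt',   # cross-cert from Microsoft's page
    [string]$FileHash  = 'sha1',      # file digest; 'sha256' needs SHA-2 capable target OSes
    [string]$Timestamp = 'http://timestamp.example.invalid'  # placeholder timestamp server
)
$ErrorActionPreference = 'Stop'

# 1. Sign the .sys itself: 64-bit kernel loading checks the embedded
#    signature, whereas a signed .cat only covers the PnP install.
& signtool sign /v /ac $CrossCert /f $Pfx /p $PfxPass /fd $FileHash /t $Timestamp $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }

# 2. Verify with the kernel-mode policy and keep the chain signtool prints.
$out = & signtool verify /v /kp $Driver 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed:`n$out" }

# 3. The printed chain must end at the Microsoft root. If it ends at the
#    GlobalSign root instead, /ac was missing or pointed at the wrong file.
if ($out -notmatch 'Microsoft Code Verification Root') {
    throw "Cross-certificate not in the chain; re-check the /ac file:`n$out"
}
Write-Host "OK: $Driver chains to the Microsoft Code Verification Root ($FileHash file digest)"

# 4. Run the rest on the target machine that refuses the driver (the build
#    box may accept a SHA-2 digest that an unpatched target cannot verify).
$sig = Get-AuthenticodeSignature -FilePath $Driver
'{0}: {1} (signer: {2})' -f $Driver, $sig.Status, $sig.SignerCertificate.Subject

# 5. Make sure the Code Integrity operational log is on and show its most
#    recent entries; a driver rejected at load time leaves its reason here.
wevtutil sl Microsoft-Windows-CodeIntegrity/Operational /e:true
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 20 |
    Format-List TimeCreated, Id, Message
```

Run steps 1 to 3 on the build machine and steps 4 and 5 on the failing target; a signature that passes step 3 but shows a non-Valid status in step 4 points at the target's SHA-2 support rather than at the signing command.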