  Message 1 of 2  
04 Feb 18 03:01
Dvir su
xxxxxx@gmail.com
Join Date: 03 Nov 2017
Posts To This List: 7
Windows 7 X64 Driver Signing Certificate Problem

I have a SafeNet token that contains 2 certificates (whose private key is not exported), one is a sha256 EV code certificate and the other is a sha1 EV code certificate.

I signed my drivers using signtool:

    Signtool sign /v /s my /n "my_company" /sha1 my_sha256_hash /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.sys

When I tried to load the driver, I got an error saying that the system cannot find the file specified. I looked at the driver with Depends and everything is OK.

When I run signtool verify mydriver.sys I get the following error:

    SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I tried to sign my cat file as well with my associated binaries but still no luck with that.

I've read that there's a program called WHQL where, at the end of the process, Microsoft gives me my "good" signed drivers. Is it only for Windows Update distribution? Or is it not necessary to run my driver in Windows 7 x64 and above?
  Message 2 of 2  
04 Feb 18 03:44
Tim Roberts
xxxxxx@probo.com
Join Date: 06 Apr 2011
Posts To This List: 149
Windows 7 X64 Driver Signing Certificate Problem

On Feb 4, 2018, at 12:00 AM, Dvir A xxxxx@lists.osr.com <xxxxx@gmail.com> wrote:

> I have SafeNet token that contains 2 certificates (which the private key is not exported), one is sha256 EV code certificate and the other is sha1 EV code certificate.

Who are the certificates from?

> I signed my drivers using sign tool
>
> Signtool sign /v /s my /n "my_company" /sha1 my_sha256_hash /t http://timestamp.verisign.com/scripts/timestamp.dll my driver.sys
>
> when I tried to load the driver, I got an error said that the system cannot find the file specified.

How did you load the driver, and where did you see this error? That's not an error that you would see with any driver loading method I know.

The biggest problem is that you have not specified the "cross certificate". In addition to your certificate, kernel drivers have to be signed with a "cross certificate" that verifies that your certificate authority is trusted by Microsoft. Here is the list of certificate authorities Microsoft supports and the downloadable cross certificate:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing

> When I run sign tool verify my driver.sys I got the following error: SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

For kernel drivers, you need to use the "/kp" switch to do kernel checking. If you do not see the "Microsoft Code Signing Authority" in the list, then you have done it incorrectly.

> I tried to sign my cat file as well with my associated binaries but still no luck with that.

You will definitely need to sign the CAT file. Signing the binary is optional, although it makes debugging easier.

> I've read that there's a program called WHQL which in the end process Microsoft give me my "good" signed drivers, is it only for Windows Update distribution? or is it not necessary to run my driver in windows 7 x64 and above?

It's hard to imagine you have written a driver and prepared a driver package and aren't familiar with WHQL. Yes, if you run your driver through the WHQL testing process, Microsoft will sign the package. That CAN lead to Windows Update distribution, but only if you want it to. It is not necessary for loading a driver in Windows 7. The situation changes a bit in Windows 10, but get past the first steps before we talk about that.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
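
The signing and verification steps described in the reply above, written out as an added example that is not part of the original thread or anyone's post. The thumbprint, the cross-certificate file name and the driver and catalog paths are placeholders (assumptions); the cross certificate itself comes from the Microsoft list linked in the reply.

```powershell
# Added example, not from the thread. Placeholder values are assumptions and
# must be replaced before running.
$ErrorActionPreference = 'Stop'

# The token holds two certificates, so select the signing one by thumbprint.
$Thumbprint = '<SHA1_THUMBPRINT_OF_SIGNING_CERT>'   # value passed to signtool /sha1
$CrossCert  = '.\<CA_CROSS_CERT>.cer'                # cross certificate for your CA
$Timestamp  = 'http://timestamp.verisign.com/scripts/timestamp.dll'  # URL used in the thread
$Driver     = '.\mydriver.sys'
$Catalog    = '.\mydriver.cat'

function Invoke-SignTool {
    param([string[]]$Arguments)
    # Run signtool and stop on the first failure instead of continuing
    # with a half-signed package.
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Fail early if an input is missing (the placeholders above will trip this).
foreach ($path in @($CrossCert, $Driver, $Catalog)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing input: $path" }
}

# Sign both the binary and the catalog, adding the cross certificate with /ac.
foreach ($file in @($Driver, $Catalog)) {
    Invoke-SignTool @('sign', '/v', '/s', 'my', '/sha1', $Thumbprint,
                      '/ac', $CrossCert, '/t', $Timestamp, $file)
}

# Verify with /kp so signtool applies the kernel-mode signing policy;
# /v prints the full chain so the cross certificate can be seen in it.
Invoke-SignTool @('verify', '/kp', '/v', $Catalog)
Invoke-SignTool @('verify', '/kp', '/v', $Driver)

# Confirm the binary is covered by the signed catalog.
Invoke-SignTool @('verify', '/kp', '/v', '/c', $Catalog, $Driver)
```

Running `signtool verify` without `/kp`, as in the original question, checks against the default policy rather than the kernel-mode one, so its result does not show whether the cross certificate was applied.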
All times are GMT -5. The time now is 02:26.

