Signed driver on Vista64 not recognized

Hi,

I finally have my FSD working great, and tested it a lot on Vista 64-bit using the testsigning boot option. All was fine.

However, when I turn testsigning off and try to start the service (the driver), I get the StartService failed with 577 - windows cannot verify the digital signature. Note that the driver is INSTALLED, and the Registry is updated, etc. I just can’t start the service (even when running as Admin).

It is signed using a Microsoft cross-certificate, based on the original certificate issued by GlobalSign, as directed in MSDN. Here is the path to the root of the certificate:

MyCompany->GlobalSign ObjectSign CA->GlobalSign Primary Object Publishing CA->GlobalSign

You can examine the certificate using the driver’s properties, and all looks fine.

The certificate I used to sign with is called: GlobalSign Primary Object Publishing CA.cer
There was a second one, called: GlobalSign ObjectSign CA.cer

Did I use the wrong one? The person who ordered/controls the certificate told me the one to use.

I also tried installing the certificate, but that made no difference. This should all be correct, except that it doesn’t work!!

Any idea what is going on here? Any help would be greatly appreciated! I thought I was all done with this project, but since it doesn’t work, I am currently screwed.

THANKS!

You need to sign using your certificate, with GS’s CA and MS Cross-cert.
To do this, install your certificate if you didn’t. Then use this line to sign the driver:
signtool sign /v /ac MSCV-GlobalSign.cer /s my /n "Dejan Maksimovic" /t http://timestamp.verisign.com/scripts/timestamp.dll MyDriver.sys
where:
MSCV-GlobalSign.cer points to the path of the cross-signing certificate
Dejan Maksimovic should be your certificate’s CN (Common Name, most probably your company name, check the certificate details, you need the exact CN)
MyDriver.sys points to your driver.

It also took me a few days to get this right :smiley:

Regards, Dejan.

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Thanks Dejan,

I tried your suggestion, but I am still having problems. When I installed the certificates, I let Windows decide the cert store (instead of using ‘my’, I didn’t know). I installed the two GlobalSign code signing certificates I had, and the MSCV-GlobalSign certificate (all to wherever Windows put them).

When I use the certmgr, they appear to be in the Intermediate Certification Authorities store. I tried using this as the name with the /s option to signtool, but it says ‘file not found’ when I sign.

This is frustrating. Can you clarify which certificates I should install and to what cert store? Can I install them again in a different place (e.g. “my”)? What does “my” correspond to? It won’t let me install to “my” - the options are Personal or PrivateCertStore.

Thanks for your help!!

> When I use the certmgr, they appear to be in the Intermediate Certification Authorities store. I tried using this as the name with the /s option to signtool, but it says ‘file not found’ when I sign.

You need to use the file for the MSCV-GlobalSign.cer, you cannot use it from a local store (you can install it, but it won’t make a difference, you must use the file). Your certificate must be in the local store.

> This is frustrating. Can you clarify which certificates I should install and to what cert store? Can I install them again in a different place (e.g. “my”)? What does “my” correspond to? It won’t let me install to “my” - the options are Personal or PrivateCertStore.

‘my’ corresponds to Personal.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Dejan,

Thanks for your help. The problem was that I was confusing the certificates. My boss had provided me with several GlobalSign.cer files and a GT Cert.pfx (the certificate for my company, I believe, in a file format instead of a .cer format).

He wanted me to use the /f option to sign with this file (with password) instead of installing it. So my signtool line is different from the one you suggested (no /s or /n), and when I tried using those, it didn’t work at all. I finally figured out that all I really needed to do was change the “/ac certname” line from the GlobalSign cert to the MS cross-cert, and now things are working!

Thanks again!
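As an added example (not code from this thread or from the people in it), here is a PowerShell wrapper that puts the two signtool forms discussed above side by side: Dejan's store-based form (/s my /n CN, which requires the signing certificate to sit in the Personal store that signtool calls "my") and the .pfx form (/f /p) the original poster ended up using. In both cases the Microsoft cross-certificate is passed as a file through /ac, and the script finishes with signtool verify /kp, which applies the kernel-mode signing policy that StartService enforces. The file names, the CN, the password and the lookup in Cert:\CurrentUser\My are placeholders and assumptions; signtool.exe from the WDK/SDK is assumed to be on PATH.

```powershell
# Added example (not from the thread): kernel-mode driver signing with a
# Microsoft cross-certificate, followed by a kernel-policy verification.
# Assumes signtool.exe is on PATH; all paths, names and the password are placeholders.
function Invoke-DriverSigning {
    param(
        [Parameter(Mandatory)] [string] $Driver,       # e.g. 'MyDriver.sys' (placeholder)
        [Parameter(Mandatory)] [string] $CrossCert,    # e.g. 'MSCV-GlobalSign.cer' (placeholder)
        [string] $SubjectCN,                           # exact CN of the cert in the Personal ("my") store
        [string] $PfxPath,                             # alternatively, the .pfx file holding the cert + key
        [string] $PfxPassword,
        [string] $Timestamp = 'http://timestamp.verisign.com/scripts/timestamp.dll'
    )

    # /ac needs the cross-certificate as a FILE; installing it into a store does not help.
    if (-not (Test-Path $CrossCert)) {
        throw "Cross-certificate file '$CrossCert' not found. /ac must point at the .cer file."
    }

    if ($PfxPath) {
        # Variant B: sign straight from the .pfx (no /s or /n). Only /ac differs from
        # a plain Authenticode signature, and it must name the Microsoft cross-cert.
        & signtool sign /v /ac $CrossCert /f $PfxPath /p $PfxPassword /t $Timestamp $Driver
    }
    else {
        # Variant A: sign from the Personal store. Check first that a cert with that
        # exact CN and a private key is actually there; /n needs the exact subject name.
        $cert = Get-ChildItem Cert:\CurrentUser\My |
                Where-Object { $_.Subject -like "CN=$SubjectCN*" -and $_.HasPrivateKey }
        if (-not $cert) {
            throw "No certificate with CN '$SubjectCN' and a private key in Cert:\CurrentUser\My (the 'my' store)."
        }
        & signtool sign /v /ac $CrossCert /s my /n $SubjectCN /t $Timestamp $Driver
    }
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)." }

    # Verify against the kernel-mode driver signing policy (/kp). This is the check
    # that StartService applies; a chain that does not reach the Microsoft root
    # through the cross-cert fails here rather than at service start (error 577).
    & signtool verify /kp /v $Driver
    if ($LASTEXITCODE -ne 0) {
        throw "Kernel-mode signature verification failed; recheck the /ac cross-cert and the chain."
    }
    return $true
}

# Usage with placeholder values (the .pfx form from the thread's resolution):
# Invoke-DriverSigning -Driver 'MyDriver.sys' -CrossCert 'MSCV-GlobalSign.cer' `
#                      -PfxPath 'GT Cert.pfx' -PfxPassword '<placeholder-password>'
# Store-based form instead:
# Invoke-DriverSigning -Driver 'MyDriver.sys' -CrossCert 'MSCV-GlobalSign.cer' -SubjectCN 'Your Company Name'
```

Running `signtool verify /kp /v` on the freshly signed binary is the useful habit here: it reports the full chain it built, so a signature made with the wrong /ac file (one of the CA's own .cer files instead of the Microsoft cross-cert) shows up at build time instead of as error 577 on the target machine.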

NP. Like I said, it took me a while to get it right as well (I used certs before and that actually hurt me - this has to be done differently :slight_smile:)


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.