Code Signed Driver on Windows 7 Fails with 0xC0000428


Problem description

My signed driver yields a Windows (Windows 7 with the SHA256 hot fix) that fails to start and yields error code 0xC0000428 (Windows cannot verify the digital signature for this file).

I took over a driver project, created using Visual Studio 2010, and my first task was to update the expired code signing certificate. Originally the digital certificate was with Global Sign, and now it is with Digi Cert. The original programmer stated in an email to me that he has trouble with this topic every year.

I examined the working but expired icsflt.sys driver file and see that it is SHA256 with the thumbprint being SHA1. Everything else works. I tried many different variations (dual signed certificate, SHA1, and SHA2). My last attempt, straight from Digi Cert technical support, uses the following command line.

C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
Done Adding Additional Store
Successfully signed: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys

Here is the certificate, which looks similar to the original one.

Here is the base certificate clearly showing SHA256 for the digest algorithm. The certificates are from the build machine. The first screenshot of the "Windows Boot Manager" is from the test machine.

Here are some of the links that I used from Digi Cert's website.

Dual Signing SHA256 and SHA1

Sign Code SignTool.exe Command Line

Installing Code Signing Certificate

Here is the working expired certificate view.

Here is the driver properties Digital Signature for the good/working driver.

You can tell them apart, as I renamed the good/working one icflt-good.sys. Aside from the company name, dates, and Certificate Authority (CA) the two look identical, yet Windows 7 barks on the new one from Digi Cert.

Here is the code to the previous signtool.exe command lines, which I commented out.

@echo on

@REM see "How to Release-Sign a Driver Package" and "Release-Signing a Driver through an Embedded Signature in Windows DDK"
@REM although the store's name seems to be Personal, we should use MY when using Signtool. Otherwise the certificate is not found.
@REM when Personal store is created with makecert, another Personal is created. Weird.
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5250f1a5ddd11e3e4e924757e6da1c43dd3487c0 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5D743B02DCDE74B16D133BDFEB2E1C5F6F44E966 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%

@REM check $\IM6000\Certificate\current for the exact file names and password
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\MSCV-GlobalSign.cer /f %PROJECT_DIR%\..\Certificate\current\OS201602156091.pfx /p 1C73295775925A7EE1C6D35ADF9DF611A55A60B8 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /fd sha256 /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /tr http://timestamp.globalsign.com/scripts/timstamp.dll?td=sha256 /td sha256 %mydriverpath%

Solution

After much research, I figured out the problem. (Please give a thumbs up to the question and especially answer.)

Signing kernel-level drivers requires cross signing using the /AC switch (Additional Certificate), which creates a cross certificate chain to a Microsoft Root Certificate.

Relevant links:

Microsoft Cross Certificate Links

Note: The article in the following link was wrong. The thumbprint DOES NOT need to match. The Issuer, however, needs to match exactly.

Cross Signing Kernel Mode Drivers

Signing Windows Drivers

Fetch Issuer needed

I went to mmc and added Certificates (Personal). I then double-clicked on my SHA256 certificate and noted the Issuer, which in my case was:

CN = DigiCert Assured ID Root CA
OU = www.digicert.com
O = DigiCert Inc
C = US

The thumbprint of my certificate, which does not matter, is:

05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43

The Microsoft Cross Certificate List again is here. My download was DigiCert Assured ID Root CA, which has a thumbprint of:

ba 3e a5 4d 72 c1 45 d3 7c 25 5e 1e a4 0a fb c6 33 48 b9 6e

I used the download link to obtain the file. That gave me a file of "DigiCert Assured ID Root CA.crt".

Note: I was told that the certificate had to be a CER extension. My testing and a conversation with DigiCert revealed that not to be true. CRT is perfectly fine.

The working signtool command line is:

C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /v /ac "DigiCert Assured ID Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"

To verify that the signature is correctly cross signed, I highly recommend issuing the following line:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /v "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"

Notice this output from the verification test:

Verifying: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha256): FAFB2B31B8ED4A9E8F9EC84196E7E52009A4C709521457FD83FC1945DCF5872F

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 05:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: JMR Electronics, Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Mon Jan 28 05:00:00 2019
            SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B

The signature is timestamped: Mon Jun 04 16:35:45 2018
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 05:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

            Issued to: DigiCert SHA2 Timestamp Responder
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Mon Jan 17 17:00:00 2028
            SHA1 hash: 400191475C98891DEBA104AF47091B5EB6D4CBCB

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 06:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert Assured ID Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 12:51:37 2021
        SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E

            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Sun Oct 22 05:00:00 2028
            SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
                Expires:   Mon Jan 28 05:00:00 2019
                SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B


Successfully verified: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

The key here is that, aside from the Successfully verified, the Cross Certificate Chain starts with Issued to: Microsoft Code Verification Root and ends with my digital code signing certificate, with everything in between. That is what Microsoft wants with Windows. Windows 7 or Windows 10 does not matter.

I also had to use signtool.exe from at least Windows 8.1. Earlier versions did not support all the required switches that I was told to use.

Although I did not need the SHA1 certificate in the end, finding out how to obtain one took a few cycles. I was told several times that I needed it, which I did not. For anyone who is interested, the instructions to obtain one are here. Everything is SHA256 nowadays, even on Windows 7 with the hotfix.
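As an added check (example code, not from the question or the answer above): this Python parses the text that signtool verify /kp /v prints and tests the properties the answer calls out, namely that a Cross Certificate Chain exists, starts at Microsoft Code Verification Root, names the signing chain's Issuer by subject rather than by thumbprint, and ends at the code signing certificate. The sample input is an abbreviated copy of the verify output quoted in the answer; the function and field names are this example's own.

```python
import re
# Abbreviated copy of the "signtool verify /kp /v" output quoted in the answer (timestamp
# section omitted; only the two thumbprints the answer discusses are kept).
SIGNTOOL_OUTPUT = """\
Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
            Issued to: JMR Electronics, Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
        Issued to: DigiCert Assured ID Root CA
        Issued by: Microsoft Code Verification Root
        SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E
            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
"""
def parse_chains(text):
    """Map each '... Chain:' header to its certificates, root first, as field dicts."""
    chains, section = {}, None
    for line in text.splitlines():
        if line.endswith("Chain:"):
            section = line[:-1]
            chains[section] = []
        elif section and (m := re.match(r"\s+(Issued to|Issued by|SHA1 hash):\s+(.*)", line)):
            if m[1] == "Issued to":
                chains[section].append({})  # each certificate starts with an Issued to line
            chains[section][-1][m[1]] = m[2].strip()
    return chains

def cross_chain_problems(chains, ms_root="Microsoft Code Verification Root"):
    """Reasons the signature fails the kernel-mode cross-signing check; [] means it passes."""
    signing, cross = chains.get("Signing Certificate Chain", []), chains.get("Cross Certificate Chain", [])
    if not signing or not cross:
        return ["no Cross Certificate Chain: the file was signed without /ac"]
    checks = [
        (cross[0]["Issued to"] == ms_root == cross[0]["Issued by"], "cross chain does not start at " + ms_root),
        # The cross-cert is matched by subject name (the Issuer that must match exactly); its thumbprint differs and is ignored.
        (len(cross) > 1 and cross[1]["Issued by"] == ms_root and cross[1]["Issued to"] == signing[0]["Issued to"],
         "cross certificate does not name the issuer of the signing chain"),
        (cross[-1]["Issued to"] == signing[-1]["Issued to"], "cross chain does not end at the code signing certificate"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running it over output captured from the first, non-cross-signed command line (no Cross Certificate Chain section) reports the missing /ac; over the working command line's output it reports nothing.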
