Windows 7 Driver signing "Windows could not verify the digital signature for the drivers..."


Problem description


I have a PCI device that has a driver that was developed in-house. I have been able to install this driver for the PCI device when Windows 7 test signing is enabled (using bcdedit). Since this driver has been tested, I wanted to make this a signed driver before deployment and I created a new catalog file (using Inf2cat in WDK). The catalog file was signed by the signing authority in my company. When I tried to disable test signing (bcdedit /SET testsigning OFF) and update the driver for the device I get the error "Windows could not verify the digital signature for the drivers required for this device... Code(52)".

If I double click on the cat file I can see the display that says that the security catalog is valid and that the digital signature is OK.

In the Event Viewer - Code Integrity I see the event

"Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\TCIJdrv.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

Can someone offer any suggestions?

Thanks

Solution

I am a little confused here. I did not test sign the sys file explicitly. I had test signed the cat file and had installed it after turning the Windows test signing on. Later I uninstalled the drivers, turned the test signing off and installed the release signed drivers. The signing authority in my company signed the cat file that was generated using the Inf2Cat command.

The sign verify command on the release signed cat file shows this

(signtool verify /kp /c tcijdrv.cat /v tcijdrv.inf)

------------

Verifying: TCIJdrv.inf
File is signed in catalog: tcijdrv.cat
Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   7/16/2036 7:59:59 PM
    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

        Issued to: VeriSign Class 3 Code Signing 2010 CA
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   2/7/2020 7:59:59 PM
        SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

            Issued to: Teradyne
            Issued by: VeriSign Class 3 Code Signing 2010 CA
            Expires:   3/12/2012 7:59:59 PM
            SHA1 hash: 8868765A2519E10F3B656496B32C3AC4F91D594F

The signature is timestamped: 6/21/2011 9:55:56 AM
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   12/31/2020 7:59:59 PM
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: VeriSign Time Stamping Services CA
        Issued by: Thawte Timestamping CA
        Expires:   12/3/2013 7:59:59 PM
        SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

            Issued to: VeriSign Time Stamping Services Signer - G2
            Issued by: VeriSign Time Stamping Services CA
            Expires:   6/14/2012 7:59:59 PM
            SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

Successfully verified: TCIJdrv.inf

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
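
The signtool run above checks only tcijdrv.inf against the catalog, while the Code Integrity event names TCIJdrv.sys. As an added example (not part of the original post), this PowerShell script runs the same /kp check for every .inf and .sys in the package folder; the folder parameter and signtool.exe being on PATH are assumptions.

```powershell
# Added example, not from the original post.
# Assumptions: signtool.exe (WDK) is on PATH and $PackageDir holds the driver
# package files named in the post (tcijdrv.cat, tcijdrv.inf, TCIJdrv.sys).
param(
    [string]$PackageDir = '.',
    [string]$Catalog    = 'tcijdrv.cat'
)

$catPath = Join-Path $PackageDir $Catalog
if (-not (Test-Path $catPath)) { throw "Catalog not found: $catPath" }

# Check every file whose hash must be present in the catalog, not only the .inf.
$files = Get-ChildItem -Path $PackageDir |
    Where-Object { -not $_.PSIsContainer -and ('.inf', '.sys') -contains $_.Extension }

$results = @(foreach ($f in $files) {
    # /kp = kernel-mode driver signing policy, /c = catalog to look the file hash up in
    $output = & signtool.exe verify /kp /v /c $catPath $f.FullName 2>&1
    New-Object PSObject -Property @{
        File     = $f.Name
        ExitCode = $LASTEXITCODE    # signtool: 0 = success, 1 = failure, 2 = warnings
        Detail   = ($output | Select-Object -Last 5 | Out-String).Trim()
    }
})

if ($results.Count -eq 0) { throw "No .inf or .sys files found in $PackageDir" }

$results | Format-Table File, ExitCode -AutoSize

# Report each file that the catalog does not cover or that fails the /kp policy.
$failed = @($results | Where-Object { $_.ExitCode -ne 0 })
foreach ($r in $failed) {
    Write-Warning "$($r.File) did not verify against $Catalog under /kp:`n$($r.Detail)"
}
if ($failed.Count -gt 0) { exit 1 }
```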


