Problem signing x64 boot start driver binary


Question


Our software uses a boot start file system filter driver. But we have problems with the KMCS Policy. We have a Class 3 SPC from VeriSign, an spc and pvk file.
We merged them into a pfx file and installed it into the signing computer's Personal certificate store. We downloaded the VeriSign Cross Certificate from Microsoft, but on Windows Vista x64 (Ultimate, SP1) the driver cannot be started, because the file hash could not be found on the system.
The driver is installed by the CreateService API, no additional files are used (no inf, or cat file).
We are using the signtool.exe provided by the WDK (version 6.0.6001.18000) with the syntax:
signtool sign /v /ac MSCV-VSClass3.cer /s my /n "Our company name" /t http://timestamp.verisign.com/scripts/timestamp.dll ourdriver.sys
It says everything is ok, but signtool verify /v /kp ourdriver.sys doesn't display "Microsoft Code Verification Root", and the driver cannot be loaded.

Another interesting thing: if we sign the driver without the Cross Certificate and timestamp, the output binary file is exactly the same as when we sign it with the Cross Certificate. Maybe the /ac sign switch doesn't work?

Following Peter Viscarola's post on OSR's NTDEV list, we tried the signing process on 3 computers (Vista x64 SP1, Vista x32 SP1, XP x32 SP3), but all produced the same result.

What are we doing wrong?
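The procedure from the question, wrapped so that the two things the questioner had to eyeball are checked mechanically: whether the PKCS#7 signature embedded in the .sys actually carries a certificate issued by "Microsoft Code Verification Root" (i.e. whether /ac did anything), and whether `signtool verify /v /kp` resolves the chain to that root. This is an added example, not code from the question or from the WDK. It assumes (hypothetically) that the WDK signtool.exe is on PATH, that the signing certificate sits in the Personal store as described, and that the file names and subject name match those in the question.

```powershell
# Added example (not from the original question): run the signtool steps from the
# question and verify their effect instead of trusting "Successfully signed".
# Assumptions (hypothetical): signtool.exe from the WDK is on PATH, the signing cert
# is in the Personal store, and the file/subject names match the question.

param(
    [string]$Driver      = 'ourdriver.sys',
    [string]$CrossCert   = 'MSCV-VSClass3.cer',
    [string]$SubjectName = 'Our company name',
    [string]$Timestamp   = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)

function Get-EmbeddedCertificates([string]$Path) {
    # On Windows, X509Certificate2Collection.Import() on an Authenticode-signed PE
    # returns every certificate carried in the signature blob (signer, intermediates,
    # any cross-certificate, timestamp chain).
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import((Resolve-Path $Path).Path)
    return $coll
}

# Same switches as the question: /ac embeds the cross-certificate, /s my /n selects
# the signing cert from the Personal store by subject, /t adds an Authenticode timestamp.
& signtool sign /v /ac $CrossCert /s my /n $SubjectName /t $Timestamp $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# Check 1: a certificate issued by Microsoft Code Verification Root must be embedded.
# If it is not, /ac did not add the cross-certificate, which is what the question suspects.
$embedded = Get-EmbeddedCertificates $Driver
$embedded | ForEach-Object { Write-Output ("  {0}`n    issued by {1}" -f $_.Subject, $_.Issuer) }
$hasCross = @($embedded | Where-Object { $_.Issuer -match 'Microsoft Code Verification Root' }).Count -gt 0
if (-not $hasCross) {
    Write-Warning "No certificate issued by Microsoft Code Verification Root is embedded: /ac $CrossCert was not applied."
}

# Check 2: the kernel-mode policy (/kp) must resolve the chain to Microsoft's root.
$verify = (& signtool verify /v /kp $Driver 2>&1) | Out-String
Write-Output $verify
if ($LASTEXITCODE -eq 0 -and $verify -match 'Microsoft Code Verification Root') {
    Write-Output 'KMCS check passed: chain ends in Microsoft Code Verification Root.'
} else {
    Write-Warning 'KMCS check failed: the x64 kernel will refuse to load this boot-start driver.'
}
```

Check 1 is the one that separates "signtool said OK" from "the cross-certificate is really in the file": the kernel only sees the certificates embedded in the PE's security directory, so if the cross-cert is missing there, no amount of store configuration on the signing machine matters.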

Answer


Hi Illés,

We have a similar issue. I found that on May 17, 2009 VeriSign switched to a new root, so if you acquired your signature from VeriSign after that date, the cross-certificate listed on the following MS page is no longer valid (or so I think):

Microsoft Cross-Certificates for Windows Vista Kernel Mode Code Signing (at the very bottom of that page)
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

VeriSign's root certificate with thumbprint "74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2" listed on that page was replaced by a new certificate with thumbprint "85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f", which requires a new MS cross-certificate.

So far I have been unsuccessful in finding the new cross-certificate. If you do find it, please post a link to it on this page.

For more details see:
Important Update: VeriSign SSL, OFX and Code Signing Certificates moved to 1024-bit SHA-1 root as of May 17, 2009.
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD146

Microsoft root certificate program members (February 2009)
http://support.microsoft.com/kb/931125 (this installs updated root certificates, including the "85 37 1c..." one)
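The answer's hypothesis can be tested on the signing machine rather than guessed at. A cross-certificate is a certificate for a CA's key, issued by "Microsoft Code Verification Root"; Windows can splice it into the chain only if its Subject and public key match the root that the signing certificate actually chains to. The script below, an added example that is not part of the answer, builds the chain for the signing certificate from the Personal store, reports which root it ends in (labelling the two thumbprints quoted in the answer), and compares that root against the downloaded cross-certificate. The file name and subject name are assumptions carried over from the question.

```powershell
# Added example (not from the answer above): does the downloaded cross-certificate
# fit the chain of the certificate we sign with?
# Assumptions (hypothetical): MSCV-VSClass3.cer is in the current directory and the
# signing cert is in Cert:\CurrentUser\My with CN "Our company name".

param(
    [string]$CrossCertPath = 'MSCV-VSClass3.cer',
    [string]$SignerSubject = 'Our company name'
)

# Thumbprints quoted in the answer (spaces removed): the root the published cross-cert
# was issued for, and the root VeriSign moved to on 2009-05-17.
$KnownRoots = @{
    '742C3192E607E424EB4549542BE1BBC53E6174E2' = 'VeriSign root listed on the MS cross-cert page'
    '85371CA6E550143DCE2803471BDE3A09E8F8770F' = 'VeriSign 1024-bit SHA-1 root (May 2009)'
}

function Get-SignerRoot([string]$Subject) {
    # Same store that "signtool sign /s my /n <subject>" searches.
    $signer = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $signer) { throw "No certificate with a private key for CN=$Subject in Cert:\CurrentUser\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only care about chain shape here
    if (-not $chain.Build($signer)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.StatusInformation.Trim())" }
    }
    # Last element is the top of the chain Windows could build (the root, if one was found).
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

$root  = Get-SignerRoot $SignerSubject
$cross = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $CrossCertPath).Path)

$label = if ($KnownRoots.ContainsKey($root.Thumbprint)) { $KnownRoots[$root.Thumbprint] } else { 'not one of the two roots discussed in the answer' }
Write-Output ("Signer chains to root: {0}`n  thumbprint {1} ({2})" -f $root.Subject, $root.Thumbprint, $label)
Write-Output ("Cross-cert subject:    {0}`n  issued by  {1}" -f $cross.Subject, $cross.Issuer)

# A usable cross-cert is issued by Microsoft's root and certifies the *same* subject and key.
$issuerOk  = $cross.Issuer -match 'Microsoft Code Verification Root'
$subjectOk = $cross.Subject -eq $root.Subject
$keyOk     = $cross.GetPublicKeyString() -eq $root.GetPublicKeyString()

if ($issuerOk -and $subjectOk -and $keyOk) {
    Write-Output 'Cross-certificate matches this root: the KMCS chain can reach Microsoft Code Verification Root.'
} else {
    Write-Warning (('Cross-certificate does not fit this chain (issuer ok: {0}, subject ok: {1}, key ok: {2}); ' +
                    'a cross-certificate issued for this root is required.') -f $issuerOk, $subjectOk, $keyOk)
}
```

If the key comparison succeeds but the thumbprint differs from the one on the Microsoft page, the root was merely re-signed (same key, different hash algorithm) and the existing cross-certificate still applies; if the key differs, the answer's conclusion holds and a cross-certificate issued for the new root is needed. Either way the script tells you which case you are in before you spend another signing cycle on it.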

