已签名的INF驱动程序可在已签名的计算机上运行,而不能在其他计算机上运行 [英] Signed INF driver works on the computer where it was signed, not others
问题描述
我的公司购买了驾驶员签名证书来自Go Daddy.我用它来签名一个简单的INF文件,该文件是一些使用Microsoft的usbser.sys的USB设备的驱动程序.一切似乎都在我对其进行签名的Windows 7 64位计算机上正常工作:如果我右键单击INF文件并选择安装",那么我看到的第二个警告是此警告,它显示了正确的发布者名称:
但是,如果我转到另一台计算机(Windows Vista 64位),请右键单击INF文件,然后选择安装",那么我会收到此错误消息:
这使我认为我的驱动程序未正确签名,并且在我的计算机上看起来不错的唯一原因是由于我在Go Daddy的安装过程中安装了一些根/中间/交叉证书.我绝对希望我的用户能够看到我们是经过验证的发布者,而不必在他们的计算机上手动安装证书.
INF文件和.cat文件位于同一目录中.
有人知道为什么会这样吗?我该如何解决?
我怀疑主要问题是我在运行signtool verify /v pololu.cat时遇到此错误(下面有更多详细信息),但我仍未弄清原因:
SignTool错误:证书链已处理,但在根中终止 信任提供者不信任的证书.
我的程序的详细信息
驾驶员签名证书是Go Daddy几周前推出的新产品.我不太确定它与代码签名证书有何不同,但价格相同.我按照Go Daddy网站上的说明进行操作下载并安装证书,尽管说明与现实情况并不完全吻合.在步骤1中安装Microsoft交叉证书后,我看到一条红色警告消息,内容为:
在安装证书之前,必须使用Windows Update更新根证书或从我们的存储库手动下载并安装根证书.
我不确定该怎么办.我确实从他们的存储库中安装了一些GoDaddy根证书,但是并没有什么明显的区别.
我安装了 Windows的最新版本(8.0)驱动程序工具包(WDK),然后安装了您可以在此处阅读.这个INF文件是一个独立的驱动程序.在我们的驱动程序包中不需要其他文件.该文件基本上与我们公司多年来成功分发(未签名)的版本相同,但是我必须做一些更改才能使Inf2Cat接受它. 我从 Go Daddy证书存储库下载的
mscvr-cross-gdroot-g2.crt.我相信这是交叉证书,可以证明Microsoft信任"Go Daddy根证书颁发机构-G2",但是我不确定这是否是正确的证书.sign_it.bat,我运行以进行签名的批处理文件.批处理文件仅包含:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\inf2cat" /v /driver:%~dp0 /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com pololu.cat
第一个命令从Windows驱动程序工具包中调用inf2cat. /v选项使其变得冗长. /driver:%~dp0选项将其指向包含批处理文件的目录. .由于某些原因无法正常工作,这比必须对完整路径进行硬编码要好. /os选项指定此驱动程序包支持的所有操作系统.此命令创建pololu.cat.
第二个命令从Windows软件开发工具包调用signtool来签名目录文件. /v选项使其变得冗长. /ac选项指定使用哪个交叉证书(请参阅上面的#2). /n选项指定要使用的证书的名称(该证书已根据certmgr.msc安装在我的计算机上). /t选项指定Go Daddy的时间戳服务器的URL.
这是运行批处理文件时命令提示符中的输出:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\inf2cat" /v /driver:C:\Users\david.POLOLU\Desktop\sign_it\ /os:XP_X86,Vis
ta_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (mscvr-cross-
gdroot-g2.crt)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (pololu_usb_t
o_serial.inf)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (sign_it.bat)
Parsing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished parsing INFs
Processing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished processing INFs
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Signability test complete.
Errors:
None
Warnings:
None
Catalog generation complete.
C:\Users\david.POLOLU\Desktop\sign_it\pololu.cat
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation"
/t http://tsa.starfieldtech.com pololu.cat
The following certificate was selected:
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Done Adding Additional Store
Successfully signed: pololu.cat
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
正如我所说,我将.cat和.inf文件放在同一目录中,但是只有在我对它们签名后,它们才能在计算机上正常工作.
使用Signtool进行验证
Microsoft的signtool实用程序还具有验证"功能,可让您验证签名是否正确.验证时可以使用三种不同的策略,它们各自给出不同的结果:
- Windows驱动程序验证策略说,我的签名链不会追溯到Microsoft,并且会打印一条错误消息,说明我的根是如何不受信任的.对我来说,这似乎是个问题.
- 默认Authenticode验证策略(
/pa)还说我的签名链没有追溯到Microsoft,但是没有给出错误. - 内核模式驱动程序签名策略(
/kp,可能不适用,因为我没有对内核模式驱动程序进行签名)说我的签名链确实可以追溯到Microsoft,并且没有给出错误.
有人知道Windows对INF文件使用哪种策略?这至少可以帮助我缩小问题的范围.
这是signtool verify的完整详细输出:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
在我对驱动程序签名的计算机(正在运行的计算机)和另一台计算机(不在工作的计算机)上运行时,输出看起来相同.
关于StackOverflow的类似问题
用于64位Windows的Thawte驱动程序签名-解决方案这个家伙的问题是在INF文件中添加了CatalogFile指令,但是我已经拥有了. (CatalogFile=pololu.cat).
编辑#1:对可执行文件进行签名
我使用具有相同选项的signtool对可执行文件(NSIS安装程序)进行签名,并且在两台计算机上的第一次尝试中均能正常工作.因此,我认为INF驱动程序文件的签名策略有所不同,这就是让我感到困惑的原因.
编辑#2:GoDaddy的证书警告
如果我双击mscvr-cross-gdroot-g2.crt,则在常规"选项卡中显示"Windows没有足够的信息来验证此证书".在证书路径"选项卡的证书状态:"下,显示找不到此证书的颁发者.".如果我双击gd_ms_drv_sign_bundle.p7b(来自GoDaddy的证书捆绑包)并打开第一个证书,我也会看到相同的警告.
这两个证书的颁发者都应该是Microsoft代码验证根.我应该担心该警告消息吗?
编辑#3:删除GoDaddy的证书
来自GoDaddy的高级支持团队的林赛(Lindsay)回到了我身边.她链接到 globalsign上的此页面,其中说明了如何卸载在对驱动程序进行签名的计算机上,从您的CA获得的根证书和中间证书. Lindsay说,如果您不执行此步骤,则签名工具将假定这些证书存在于其他计算机上,因此不会将它们包括在签名中.
有人知道如何检查将哪些证书"导入"签名吗?我可以使用哪些工具查看Lindsay和GlobalSign是否正确?
顺便说一下,我们有Windows XP计算机,但是Microsoft很快将停止支持该操作系统.尽管GlobalSign说了什么,但仍有 got 可以在Windows 7上实现.
根据林赛(Lindsay)的建议,我按照Microsoft的指示关闭自动根证书更新,然后使用certmgr.msc的UI从受信任的根证书颁发机构"和中间证书颁发机构"中删除所有GoDaddy证书.然后我重新签署了inf文件.
不幸的是,那没有用!签名后,我再次检查所有GoDaddy证书是否仍被删除.
我没有收到GoDaddy对signtool verify的输出的反馈,也没有收到我在进行验证时应检查的驱动程序签名策略的任何输入.我希望他们可以看看验证输出,然后告诉我我做错了什么,或者告诉我正确的输出是什么样子.
为完整起见,这是删除我的证书并重新签名驱动程序后,signtool verify的三个输出:
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
编辑#4:DefaultInstall部分为否"
在默认安装部分的文档中从Microsoft,我发现了这一点:
注意:驱动程序包的INF文件中不得包含INF DefaultInstall 部分(如果要以数字方式显示驱动程序包) 签名.
有人知道为什么这是真的吗?我找不到解释.
无论如何,我取出了INF文件的DefaultInstall部分,所以从现在开始,我必须运行一个我写的小DLL来测试它,该DLL调用对JLinkCDC.cat的signtool验证输出与我的非常相似,除了它可以追溯到Verisign,而不是GoDaddy.
编辑#6:较小的更改
为使驱动程序更像JLinkCDC.inf,我在INF文件中添加了DriverPackageType=PlugAndPlay,并缩短了文件名:这些文件现在分别称为polser.cat和polser.inf.还是没有运气!
编辑#7:成功!
我认为以下事实是对的;如果我错了,请纠正我:
- 对于驱动程序包(.cat文件),
signtool verify的正确选项是/pa.我是从 KMCS_Walkthrough.doc 推断出来的.. li> - 对于驱动程序包,如果信任链返回到certmgr.msc中受信任的根证书颁发机构"文件夹中的证书,则Windows仅认为发布者受到验证.
- 对于驱动程序包,您可以使用交叉证书对其进行签名(将信任链从gdroot-g2.crt扩展到Microsoft代码验证根),但是Windows似乎忽略了它.这是因为Microsoft代码验证根不是受信任的根证书颁发机构".
- 当前用户有证书存储,本地计算机有证书.两者都很重要,因此您应该使用 MMC证书管理单元查看两者. Certmgr.msc仅显示当前用户的内容.
- Windows 应无缝添加"Go Daddy根证书颁发机构-G2"(gdroot- g2.crt)添加到受信任的根证书颁发机构"文件夹,然后从Windows Update下载该文件,但不是. 此处有更多信息.
我在测试机上使用了Windows事件查看器,以查看发生了什么.看起来Windows会自动获取"Go Daddy根证书颁发机构-G2",但前提是它显示了不良的未验证发布者警告对话框.一旦用户关闭该对话框,便会从Windows Update获取证书,因此下一次安装尝试应该会成功.有趣的是,它确实会及时自动下载Starfield证书(这是我时间戳的信任链中的根).
我已经签名,可以在Windows 7和Windows Vista计算机上工作,方法是双击gdroot-g2.crt并将其导入,然后再尝试安装驱动程序.我将看看该过程是否可以自动化并添加到安装程序中.
我找到了另一家公司的驱动程序包,该驱动程序包已用VeriSign证书签名,该证书植根于"VeriSign 3类公共主要证书颁发机构-G5".该证书在我查看过的所有计算机上,因此,如果您使用VeriSign而不是Go Daddy,我认为您可以通过Windows Update避免此问题.
我确实注意到,VeriSign证书使用SHA1,而我的Go Daddy证书将SHA256用于签名算法和签名哈希算法.不确定这是否重要.
编辑#8:向Microsoft寻求帮助
在MSDN论坛上查看讨论和我的结论:解决方案
从2012年9月27日开始,GoDaddy驱动程序签名证书将不适用于Windows Vista或Windows7.它将仅适用于Windows8.GoDaddy证书仅适用于SHA256.
我们最终从GlobalSign(MS Authenticode)那里获得了一个.
来自 http://msdn.microsoft.com/zh-CN/library/windows/hardware/hh967734%28v=vs.85%29.aspx :
使用两个签名对驱动程序包进行签名
在某些情况下,您可能希望使用两个签名驱动程序包 不同的签名.例如,假设您希望驱动程序运行 在Windows 7和Windows 8上运行.Windows 8支持使用以下命令创建的签名 SHA256哈希算法,但Windows 7没有.对于Windows 7, 您需要使用SHA1哈希算法创建的签名.
2012-09-28更新:GlobalSign正常运行.我让Firefox 15下载GlobalSign提供的链接(受Pickup Password保护).最终,Firefox拥有了签名证书,并下载了另外3个GlobalSign证书.签名证书已从Firefox导出到.p12文件.然后双击所有四个文件,以使用自动默认值将它们导入MS证书存储.驱动程序和程序包已在Windows 7 Ultimate x64上签名并经过测试,没有任何驱动程序签名错误. BSoD的驱动程序,但这是一个不同的问题. ;)
GoDaddy仅会在您购买后30天内撤消您的网站信用额度,减去$ 15的信用额.
2016-01-13更新: https://technet.microsoft.com/en-us/library/security/3033929 Microsoft安全通报3033929 Windows 7和Windows Server 2008 R2的SHA-2代码签名支持的可用性 发布时间:2015年3月10日 ... 基本上,您需要在Microsoft提供的链接中安装安全更新,通常由Windows Update自动完成.
我们现在正在使用GlobalSign的EV代码签名证书.警告:SafeSign不适用于Windows服务(例如,buildbot从属).
My company purchased a Driver Signing Certificate from Go Daddy. I used it to sign a simple INF file that is a driver for some of our USB devices that use Microsoft's usbser.sys. Everything seems to work on the Windows 7 64-bit computer where I signed it: if I right-click on the INF file and select "Install" then the second warning I see is this good warning that shows the correct Publisher name:
However, if I go to a different computer (Windows Vista 64-bit), right click on the INF file, and select "Install", then I get this error message instead:
This makes me think that my drivers are not properly signed, and the only reason it looks good on my computer is because of some root/intermediate/cross certificate I installed during Go Daddy's installation process. I definitely want my users to be able to see that we are the verified publisher without having to manually install a certificate on their computer.
The INF file and the .cat file in the same directory.
Does anyone know why this is happening and how I can fix it?
I suspect the main problem is that I get this error when I run signtool verify /v pololu.cat (more details below), and I haven't figured out why:
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Details of my procedure
The Driver Signing Certificate is a new product from Go Daddy that they launched a few weeks ago. I am not totally sure how it is different from the Code Signing Certificate, but it is the same price. I followed the instructions on Go Daddy's website to download and install the certificate, though the instructions do not match reality perfectly. After I installed the Microsoft Cross Certificate in step 1, I saw a red warning message that said:
Before you can install your certificate, you must use Windows Update to update your root certificates or manually download and install the root certificate from our repository.
I'm not sure what to do about that. I did install some GoDaddy root certificates from their repository but it made no noticeable difference.
I installed the latest version (8.0) of the Windows Driver Kit (WDK) and then installed the latest version (8.0) of the Windows Software Development Kit (SDK) for Windows 8. This gives me access to the inf2cat and signtool utilities. Both of the kits were released within the last month, so it's possible there could be some new bugs that we are treading on.
In a new directory, I put three files:
pololu_usb_to_serial.inf, the INF file I want to sign. It is long but simple; you can read it here. This INF file is a standalone driver; no other files are needed in our driver package. This file is basically the same as the version that our company has successfully distributed (unsigned) for years, but I had to make a few changes for Inf2Cat to accept it.mscvr-cross-gdroot-g2.crt, which I downloaded from the Go Daddy certificate repository. I believe this is the Cross Certificate that proves that the "Go Daddy Root Certificate Authority - G2" is trusted by Microsoft, but I am not totally sure if this is the right certificate to use.sign_it.bat, the batch file I run to do the signing.
The batch file just contains:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\inf2cat" /v /driver:%~dp0 /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com pololu.cat
The first command invokes inf2cat from the Windows Driver Kit. The /v option makes it verbose. The /driver:%~dp0 option points it to the directory that contains the batch file; a . does not work for some reason and this is nicer than having to hard code the full path. The /os option specifies all the operating systems I would like to support with this driver package. This command creates pololu.cat.
The second command invokes signtool from the Windows Software Development Kit to sign the catalog file. The /v option makes it verbose. The /ac option specifies which cross certificate use (see #2 above). The /n option specifies the name of the certificate to use (that certificate is installed on my computer according to certmgr.msc). The /t option specifies the URL of Go Daddy's timestamping server.
Here is the output in the Command Prompt when I run the batch file:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\inf2cat" /v /driver:C:\Users\david.POLOLU\Desktop\sign_it\ /os:XP_X86,Vis
ta_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (mscvr-cross-
gdroot-g2.crt)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (pololu_usb_t
o_serial.inf)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (sign_it.bat)
Parsing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished parsing INFs
Processing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished processing INFs
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Signability test complete.
Errors:
None
Warnings:
None
Catalog generation complete.
C:\Users\david.POLOLU\Desktop\sign_it\pololu.cat
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation"
/t http://tsa.starfieldtech.com pololu.cat
The following certificate was selected:
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Done Adding Additional Store
Successfully signed: pololu.cat
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
As I said, I am keeping the .cat and .inf file together in the same directory, but they only work properly on the computer were I signed them.
Verification with Signtool
The signtool utility from Microsoft also has a "verify" feature that lets you verify if your signature is correct. There are three different policies you can use when verifying and they each give different results:
- The Windows Driver Verification Policy says my signature chain does not trace back to Microsoft, and prints an error message about how my root is not trusted. That seems like a problem to me.
- The Default Authenticode Verification Policy (
/pa) also says my signature chain does not trace back to Microsoft, but it doesn't give an error. - The kernel-mode driver signing policy (
/kp, which is probably not applicable because I am not signing kernel-mode drivers) says my signature chain does trace back to Microsoft, and gives no error.
Does anyone know which policy is used by Windows for INF files? That would at least help me narrow down the problem.
Here is the full, verbose output from signtool verify:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
The output looked the same when run on the computer where I signed the driver (where it is working) and on the other computer (where it is not working).
Similar Questions on StackOverflow
Thawte driver signing for 64-bit Windows - The solution to this guy's problem was to add a CatalogFile directive to the INF file, but I already have that. (CatalogFile=pololu.cat).
Edit #1: Signing executables works
I used signtool with those same options to sign an executable file (NSIS installer), and it worked correctly on the first try, on both computers. So I think there is something different about the signing policy for INF driver files and that is what is screwing me up.
Edit #2: Warning on GoDaddy's certificate
If I double click on mscvr-cross-gdroot-g2.crt, in the General tab it says "Windows does not have enough information to verify this certificate." In the Certification Path tab, under "Certificate status:", it says "The issuer of this certificate could not be found.". I also see those same warnings if I double click on gd_ms_drv_sign_bundle.p7b (a certificate bundle from GoDaddy) and open up the first certificate.
The issuer of both of those certificates is supposed to be the Microsoft Code Verification Root. Should I worry about that warning message?
Edit #3: Deleting GoDaddy's certificates
Lindsay from GoDaddy's advanced support team got back to me. She linked to this page from globalsign which explains how you have to uninstall the root and intermediate certificates from your CA on the computer where you sign the drivers. Lindsay says that if you don't do this step, the signing tools will assume that those certificates are present on other computers and hence not include them in the signature.
Does anyone know how to check what certificates are "imported" into a signature? What tools can I use to see if Lindsay and GlobalSign are right?
By the way, we have Windows XP computers around but Microsoft will stop supporting that OS soon. Despite what GlobalSign says, there has got to be a way to make this work on Windows 7.
Based on Lindsay's advice, I followed instructions from Microsoft to Turn off Automatic Root Certificates Update, and then I used the UI of certmgr.msc to delete all GoDaddy certificates from "Trusted Root Certification Authorities" and "Intermediate Certification Authorities". Then I re-signed my inf file.
Unfortunately, that did not work! After signing, I double checked that all the GoDaddy certificates are still deleted.
I have received no feedback from GoDaddy on the output of signtool verify, or any input on which driver signing policy I should check when doing the verification. I was hoping that they could just look at the verification output and tell me what I was doing wrong, or tell me what correct output would look like.
For completeness, here are the three outputs from signtool verify after I deleted those certificates and re-signed the drivers:
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Edit #4: DefaultInstall section is a no-no
In the documentation of the DefaultInstall section from Microsoft, I discovered this:
Note The INF file of a driver package must not contain an INF DefaultInstall section if the driver package is to be digitally signed.
Does anyone know why that is true? I couldn't find an explanation.
Anyway, I took out the DefaultInstall section of my INF file, so from now on I have to test it by running a little DLL I wrote, that calls SetupCopyOemInf.
Still no luck; I keep on getting the unverified publisher warning on the Windows Vista computer.
Edit #5: JLink driver is signed correctly
I was poking around in C:\Windows\System32\DriverStore\FileRepository to try to find some properly signed driver packages. The first interesting one I found is JLinkCDC.cat/JLinkCDC.inf. The version of the Inf file is DriverVer=01/25/2012,6.0.2600.4. On the Windows Vista machine, if I call SetupCopyOemInf on the inf file (using my DLL) then I get a proper message telling me who the publisher is (Segger GMBH or something like that). Therefore, it is possible to sign driver packages like mine properly, but somehow GoDaddy or I am doing something wrong.
The JLinkCDC.inf driver is very similar to my driver because it is just one file and uses usbser.sys. The trust chain of their signature goes back to VeriSign Class 3 Public Primary Certificate Authority - G5.
Basically, this JLinkCDC driver is similar to mine and it works, so I plan on looking carefully at it to see what the differences are.
The output of signtool verify for JLinkCDC.cat looks very similar to mine except it traces back to Verisign instead of GoDaddy.
Edit #6: Minor changes
To make my driver more like JLinkCDC.inf, I added DriverPackageType=PlugAndPlay to the INF file and I shortened the file names: the files are now called polser.cat and polser.inf. Still no luck!
Edit #7: Some success!
I think the following things are true; please correct me if I am wrong:
- For a driver package (.cat file), the correct option for
signtool verifyis/pa. I infer this from KMCS_Walkthrough.doc. - For a driver package, Windows only considers the publisher to be verified if the chain of trust goes back to a certificate in the "Trusted Root Certification Authorities" folder in certmgr.msc.
- For a driver package, you can sign it with a cross certificate (extending the chain of trust from gdroot-g2.crt to the Microsoft Code Verification Root), but Windows seems to ignore that. This is because the Microsoft Code Verification Root is not a "Trusted Root Certification Authority".
- There are certificate stores for the current user and certificates for the local machine. Both of them matter, so you should use the MMC Certificates Snap-In to view both. Certmgr.msc only shows the ones for the current user.
- Windows should seamlessly add the "Go Daddy Root Certificate Authority - G2" (gdroot-g2.crt) to the "Trusted Root Certification Authorities" folder when needed, downloading it from Windows Update, but it doesn't. More info here.
I used the Windows Event Viewer on the test machine to see what was up. It looks like Windows WILL fetch "Go Daddy Root Certificate Authority - G2" automatically, but only after it displays the undesirable unverified publisher warning dialog. As soon as the user closes that dialog, the certificate is fetched from Windows Update, so the next attempt at installation should be successful. Interestingly, it does automatically download the a Starfield certificate (which is the root at the chain of trust for my timestamp) in a timely manner.
I have gotten my signature to work on Windows 7 and Windows Vista computers by double-clicking on gdroot-g2.crt and importing it before I attempt to install the drivers. I will see if this process can be automated and added to an installer.
I found a driver package from another company (JLinkCDC.cat) that was signed with a VeriSign certificate, rooted in "VeriSign Class 3 Public Primary Certification Authority - G5". That certificate is on all the computers I have looked at, so if you go with VeriSign instead of Go Daddy I think you can avoid this problem with Windows Update.
I did notice that the VeriSign certificates use SHA1 while my Go Daddy certificates use SHA256 for the signature algorithm and signature hash algorithm. Not sure if that matters.
Edit #8: Asked Microsoft for help
See the discussion and my conclusion on the MSDN forums: http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/1fede768-7925-4f30-8eef-ce5bd08b0b60
As of 9/27/2012, GoDaddy Driver Signing Certificate will not work with Windows Vista or Windows 7. It will only work with Windows 8. The GoDaddy certificate is only available with SHA256.
We ended up getting one from GlobalSign (MS Authenticode).
From http://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx :
Signing a driver package with two signatures
In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.
2012-09-28 Update: The GlobalSign worked. I let Firefox 15 download the GlobalSign provided link (protected by a Pickup Password). Ended up with Firefox holding the signed certificate, and downloading 3 other GlobalSign certs. The signed certificate was exported from Firefox into a .p12 file. All four files were then double clicked to import them into the MS Certificate Store using automatic defaults. Driver and package were signed and tested in a Windows 7 Ultimate x64 without any driver signing errors. The driver BSoD'd but that's a different issue. ;)
GoDaddy will only give you website credit minus $15 and only if you revoke within 30 days of purchase.
2016-01-13 Update: https://technet.microsoft.com/en-us/library/security/3033929 Microsoft Security Advisory 3033929 Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2 Published: March 10, 2015 ... Basically, you need to install the security update in the links provided by Microsoft which is usually done automatically by Windows Update.
We are now using EV Code Signing Certificates from GlobalSign. Warning: SafeSign does not work with Windows services (e.g., buildbot slave).
这篇关于已签名的INF驱动程序可在已签名的计算机上运行,而不能在其他计算机上运行的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
