Troubleshoot Driver development: Signed driver not recognized by Windows CodeIntegrity 3004

Problem description

Short description: I have a signed driver that passes SignTool verification but Windows refuses to load it with error: CodeIntegrity 3004 - file hash not found on system. How do I fix this?

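Long description: I am using the Cypress Suite USB 3.4.7 development kit to create a USB driver that runs under 64-bit Windows 7. I have configured the INF with the correct IDs, and the unsigned driver works fine as long as I bypass driver signature enforcement. I want to create a signed driver and have followed the steps described at http://www.davidegrayson.com/signing/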

I've created a catalog file using Inf2Cat v3.2 with the /os:7_X64 flag among others. I'm using SignTool /sha1 to sign and can verify signatures on the .cat and cyusb.sys files. File explorer shows that both files have digital signatures and the advanced tab shows "This digital signature is OK."

I plug in my USB device and it shows up as an Unknown device in Device Manager. I select Update Driver and I see a screen stating that the driver is signed by me. I continue and after a few moments the installation fails stating that the driver is not properly signed. The Event Viewer shows a CodeIntegrity error 3004, "Windows is unable to verify the image integrity of CYUSB.sys because the file hash could not be found on the system."

I haven't been able to find an explanation for this "file hash" that could not be found. Any help with how to further troubleshoot and resolve this issue would be GREATLY appreciated!

Recommended answer

The error message in the event log is misleading. The missing "file hash" is really a Microsoft Root level certificate. I had my driver signed by GlobalSign ObjectSign CA which was a valid signature but I did not specify the cross-certificate which links GlobalSign to the Microsoft root certificate.

To clearly detect the original error I needed to use SignTool Verify with the /kp switch which tests for kernel level permissions needed by this USB driver. Using that switch I got an error clearly stating it couldn't find the Microsoft root certificate.

I downloaded the cross certificate for GlobalSign here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx

Using /ac switch with SignTool Sign I was able to sign the .cat file with a chain that went down to the Microsoft root certificate. This driver successfully installed on a Win 7 64-bit system. Victory!
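
The sequence described in the answer, written out as an added PowerShell example that is not part of the original answer: sign with the cross-certificate via /ac, then check the result against the kernel-mode policy with /kp. The package folder, catalog name, cross-certificate path and thumbprint are placeholders, and Inf2Cat and SignTool are assumed to be on PATH.

```powershell
# Added example. Every path and the thumbprint below are placeholders
# (assumptions), not values taken from the post.
$DriverDir  = 'C:\drivers\cyusb'                      # hypothetical folder with the INF and cyusb.sys
$SysFile    = Join-Path $DriverDir 'cyusb.sys'
$Catalog    = Join-Path $DriverDir 'cyusb.cat'        # hypothetical catalog name from the INF
$CrossCert  = 'C:\certs\<cross-certificate-file>.crt' # cross-certificate for your CA
$Thumbprint = '<SHA1-THUMBPRINT-OF-SIGNING-CERT>'     # value passed to SignTool /sha1

function Invoke-Tool {
    # Run a native tool and stop the script on a non-zero exit code,
    # so a failed signature check cannot be overlooked.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Embed-sign the driver binary, adding the cross-certificate to the chain.
Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint, $SysFile)

# 2. Generate the catalog for 64-bit Windows 7.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$DriverDir", '/os:7_X64')

# 3. Sign the catalog with the same cross-certificate.
Invoke-Tool 'signtool.exe' @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint, $Catalog)

# 4. Verify against the kernel-mode driver signing policy (/kp).
#    A plain "signtool verify" or the Explorer signature dialog can report
#    success while this check fails because the chain does not reach the
#    Microsoft root.
Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', $Catalog)

# 5. Verify that cyusb.sys is covered by the signed catalog under the same policy.
Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', '/c', $Catalog, $SysFile)

Write-Host 'Catalog and driver pass kernel-mode signature verification.'
```

If step 4 or 5 throws, the verbose output from /v lists the certificate chain SignTool built, which shows whether the cross-certificate was included.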
