Windows cannot verify the digital signature...(Code 52)
-
Friday, March 16, 2012 1:03 PM
Having this problem installing my driver on 64-bit Windows 7. 32-bit install seems to work fine.
According to http://msdn.microsoft.com/en-us/library/windows/hardware/ff539108(v=vs.85).aspx the driver is not signed. But, according to Digital Signature Details, the SYS file is signed. I successfully signed the SYS file followed by Inf2Cat and the CAT file is signed.
I suspect a certificate problem. We renewed our Verisign certificate about a month ago. An alpha driver signed with the previous certificate installs OK. The two beta drivers signed with the new certificate have this problem.
Anyone have an idea why this is not working? TIA.
- Edited by megabitee Friday, March 16, 2012 1:04 PM
All Replies
-
Friday, March 16, 2012 4:09 PM
Does this certificate chain up to the Microsoft root? If not, you need to enable test signing on your system, and make sure that certificate is in your trusted root store for the local machine.
To turn on test signing, run this from an elevated cmd prompt: "bcdedit /set testsigning on"
An easier way is to use the built-in deployment feature in Visual Studio. It will configure a test machine with the right certificates and enable test signing mode.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked As Answer by Doron Holan [MSFT]Microsoft Community Contributor, Owner Friday, March 16, 2012 4:20 PM
-
Friday, March 16, 2012 4:16 PM
> To turn on test signing...
I am signing this for release. Why do I want to turn on test signing?
> An easier way is to use the built-in deployment feature in Visual Studio.
The driver must be built from the DDK command line. No Visual Studio involved. Deployment feature???
> Does this certificate chain up to the Microsoft root?
Verifying: PyroCam3Wdf.sys
Hash of file (sha1): 0F2BFDF400D3CF575334F63DCE460E827D97451C
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 17:59:59 2028
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Class 3 Public Primary Certification Authority
Expires: Sun Nov 07 17:59:59 2021
SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 17:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Ophir-Spiricon, LLC
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Tue Feb 11 17:59:59 2014
SHA1 hash: 652B3E57F9E63AA2BC59E4CD3D6EC1DA86570D8A
The signature is timestamped: Fri Mar 16 10:02:14 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 17:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 17:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Thu Jun 14 17:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
-
Friday, March 16, 2012 4:20 PM
This certificate does not chain to the Microsoft root, so you probably need a new cert.
The reason the 32-bit "works" is that the policy on x86 still allows the driver to load. There is most likely an error in the Event Log under "Event Viewer->Applications and Services Logs->Microsoft->Windows->CodeIntegrity".
- Marked As Answer by Doron Holan [MSFT]Microsoft Community Contributor, Owner Friday, March 16, 2012 4:46 PM
-
Friday, March 16, 2012 4:36 PM
>This certificate does not chain to the Microsoft root
How do I know?
> so you probably need a new cert.
I just got the "cert" last month.
Today I spent an hour on the phone with Verisign. The certificate path in the store seems correct.
Do I need a cross certificate for driver signing? The instructions on http://msdn.microsoft.com/en-us/library/windows/hardware/ff549830(v=vs.85).aspx seem to say that. But none of the certificates on the page http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx match my thumbprint (according to the instructions).
- Edited by megabitee Friday, March 16, 2012 4:41 PM
-
Friday, March 16, 2012 4:40 PM
The certificate you use for signing must be cross-certified, yes. You should check with the issuer.
Did you try to do the verification using "signtool verify /kp /v"? It will spit out a chain that goes up to the Microsoft root if it can build one.
-
Friday, March 16, 2012 4:45 PM
> You should check with the issuer.
I did check with the issuer. They have no idea what a cross certificate is or why I should use one. This is a Microsoft requirement since 1) it is included in the driver signing steps, 2) cross certificates are supplied by Microsoft.
> Did you try to do the verification using "signtool verify /kp /v"?
Verifying: PyroCam3Wdf.sys
Hash of file (sha1): 0F2BFDF400D3CF575334F63DCE460E827D97451C
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 17:59:59 2028
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Class 3 Public Primary Certification Authority
Expires: Sun Nov 07 17:59:59 2021
SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 17:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Ophir-Spiricon, LLC
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Tue Feb 11 17:59:59 2014
SHA1 hash: 652B3E57F9E63AA2BC59E4CD3D6EC1DA86570D8A
The signature is timestamped: Fri Mar 16 10:02:14 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 17:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 17:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Thu Jun 14 17:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 07:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 13:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 17:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Ophir-Spiricon, LLC
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Tue Feb 11 17:59:59 2014
SHA1 hash: 652B3E57F9E63AA2BC59E4CD3D6EC1DA86570D8A
Successfully verified: PyroCam3Wdf.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
- Edited by megabitee Friday, March 16, 2012 4:45 PM
-
Friday, March 16, 2012 7:43 PM
Your output from signtool seems to indicate that the certificate is good. Do you see any errors in the event log? What did you use to get the first output above?
-
Friday, March 16, 2012 7:46 PM
Turns out I did have the right cross certificate but I was confused by the instructions.
On the web page http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx it says to "Find the Issuer and Thumbprint for this certificate. Then locate the corresponding entry for this CA in the list below"
The Issuer is Verisign but the Thumbprint does not match the "Root certificate thumbprint" of VeriSign Class 3 Public Primary Certification Authority – G5. Turns out that the thumbprint is the thumbprint of the cross certificate, not the root certificate.
When I use the new cross certificate then signing, verification, and installation succeed.
- Marked As Answer by megabitee Friday, March 16, 2012 7:46 PM
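The difference between the two signtool outputs in this thread is the "Cross Certificate Chain" section that roots at "Microsoft Code Verification Root". As an added example (not code from any poster or from Microsoft), the Python sketch below parses `signtool verify /v` text and reports, per file, whether that section is present and links up; the function names and the sample input are assumptions made for illustration.

```python
KERNEL_ROOT = "Microsoft Code Verification Root"  # root name shown in the thread's output
SECTIONS = {"Signing Certificate Chain:": "signing", "Timestamp Verified by:": "timestamp",
            "Cross Certificate Chain:": "cross"}

def parse_signtool(text):
    """Map each verified file to {section: [(issued_to, issued_by), ...]}."""
    results, current, section, subject = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Verifying:"):
            current = results.setdefault(line.split(":", 1)[1].strip(), {})
            section = None
        elif line in SECTIONS and current is not None:
            section = SECTIONS[line]
        elif line.startswith("Issued to:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("Issued by:") and section and subject is not None:
            issuer = line.split(":", 1)[1].strip()
            current.setdefault(section, []).append((subject, issuer))
            subject = None
    return results

def kernel_chain_status(chains):
    """Check that the cross chain exists, starts at KERNEL_ROOT, and links up."""
    cross = chains.get("cross")
    if not cross:
        return "no cross certificate chain"
    if cross[0] != (KERNEL_ROOT, KERNEL_ROOT):
        return "cross chain not rooted at " + KERNEL_ROOT
    for (parent, _), (_, issuer) in zip(cross, cross[1:]):
        if issuer != parent:  # each issuer must be the subject listed just above
            return "broken cross chain"
    return "ok"

# Constructed sample in the layout of `signtool verify /kp /v`; all names are placeholders.
SAMPLE = """\
Verifying: with_cross.sys
Signing Certificate Chain:
    Issued to: Example Root CA
    Issued by: Example Root CA
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Issued to: Example Root CA
    Issued by: Microsoft Code Verification Root
    Issued to: Example Vendor, LLC
    Issued by: Example Root CA
Verifying: without_cross.sys
Signing Certificate Chain:
    Issued to: Example Root CA
    Issued by: Example Root CA
"""
```

This only reads signtool's text report and does no cryptographic validation; call `kernel_chain_status()` on each entry returned by `parse_signtool()` to flag files whose output lacks the cross chain.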
-
Friday, January 25, 2013 4:47 PM
I am also having the same problem but my drivers appear to be signed correctly. I used the "Go Daddy Root Certificate Authority – G2" cross certificate for kernel-mode signing from Microsoft. The only thing I can't explain is when I open up the cross certificate it says "Windows does not have enough information to verify this certificate". Please help.
Verifying: i386\driver.cat
Hash of file (sha1): 266D45B8181B3E7B06715C8DFD44662F97BEF40F
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 18:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 02:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Adaptive Micro-Ware, Inc.
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Fri Jan 17 16:19:44 2014
SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2
The signature is timestamped: Fri Jan 25 11:35:54 2013
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 18:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 02:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Successfully verified: i386\driver.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Verifying: i386\driver.sys
File is signed in catalog: i386\driver.cat
Hash of file (sha1): 266D45B8181B3E7B06715C8DFD44662F97BEF40F
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 18:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 02:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Adaptive Micro-Ware, Inc.
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Fri Jan 17 16:19:44 2014
SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2
The signature is timestamped: Fri Jan 25 11:35:54 2013
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 18:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 02:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 15:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 02:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Adaptive Micro-Ware, Inc.
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Fri Jan 17 16:19:44 2014
SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2
Successfully verified: i386\driver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Verifying: amd64\driver.cat
Hash of file (sha1): FB1AD869C9B4D37EABC2DE39B2CEAC2BCFC946E0
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 18:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 02:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Adaptive Micro-Ware, Inc.
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Fri Jan 17 16:19:44 2014
SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2
The signature is timestamped: Fri Jan 25 11:35:57 2013
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 18:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 02:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Successfully verified: amd64\driver.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Verifying: amd64\driver64.sys
File is signed in catalog: amd64\driver.cat
Hash of file (sha1): FB1AD869C9B4D37EABC2DE39B2CEAC2BCFC946E0
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 18:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 02:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Adaptive Micro-Ware, Inc.
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Fri Jan 17 16:19:44 2014
SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2
The signature is timestamped: Fri Jan 25 11:35:57 2013
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 18:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 02:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 15:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 02:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Adaptive Micro-Ware, Inc.
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Fri Jan 17 16:19:44 2014
SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2
Successfully verified: amd64\driver64.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
-
Friday, January 25, 2013 6:08 PM Owner
Search on previous posts in this forum on Go Daddy certs. IIRC, they are not usable for KM signing.
d -- This posting is provided "AS IS" with no warranties, and confers no rights.


