Windows cannot verify the digital signature...(Code 52)

    Question

  • Having this problem installing my driver on 64-bit Windows 7.  32-bit install seems to work fine.

    According to http://msdn.microsoft.com/en-us/library/windows/hardware/ff539108(v=vs.85).aspx the driver is not signed.  But, according to Digital Signature Details, the SYS file is signed.  I successfully signed the SYS file followed by Inf2Cat and the CAT file is signed.

    I suspect a certificate problem.  We renewed our Verisign certificate about a month ago.  An alpha driver signed with the previous certificate installs OK.  The two beta drivers signed with the new certificate have this problem.

    Anyone have an idea why this is not working?  TIA.


    • Edited by megabitee Friday, March 16, 2012 1:04 PM
    Friday, March 16, 2012 1:03 PM

All replies

  • Does this certificate chain up to the Microsoft root?  If not, you need to enable test signing on your system, and make sure that certificate is in your trusted root store for the local machine.

    To turn on test signing, run this from an elevated cmd prompt:  "bcdedit /set testsigning on"

    An easier way is to use the built-in deployment feature in Visual Studio.  It will configure a test machine with the right certificates and enable test signing mode.


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, March 16, 2012 4:09 PM
  • > To turn on test signing...

    I am signing this for release.  Why do I want to turn on test signing?

    > An easier way is to use the built-in deployment feature in Visual Studio.

    The driver must be built from the DDK command line.  No Visual Studio involved.  Deployment feature???

    > Does this certificate chain up to the Microsoft root? 

    Verifying: PyroCam3Wdf.sys
    Hash of file (sha1): 0F2BFDF400D3CF575334F63DCE460E827D97451C

    Signing Certificate Chain:
        Issued to: Class 3 Public Primary Certification Authority
        Issued by: Class 3 Public Primary Certification Authority
        Expires:   Wed Aug 02 17:59:59 2028
        SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

            Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
            Issued by: Class 3 Public Primary Certification Authority
            Expires:   Sun Nov 07 17:59:59 2021
            SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

                Issued to: VeriSign Class 3 Code Signing 2010 CA
                Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
                Expires:   Fri Feb 07 17:59:59 2020
                SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

                    Issued to: Ophir-Spiricon, LLC
                    Issued by: VeriSign Class 3 Code Signing 2010 CA
                    Expires:   Tue Feb 11 17:59:59 2014
                    SHA1 hash: 652B3E57F9E63AA2BC59E4CD3D6EC1DA86570D8A

    The signature is timestamped: Fri Mar 16 10:02:14 2012
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 17:59:59 2020
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

            Issued to: VeriSign Time Stamping Services CA
            Issued by: Thawte Timestamping CA
            Expires:   Tue Dec 03 17:59:59 2013
            SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

                Issued to: VeriSign Time Stamping Services Signer - G2
                Issued by: VeriSign Time Stamping Services CA
                Expires:   Thu Jun 14 17:59:59 2012
                SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1

    Friday, March 16, 2012 4:16 PM
  • This certificate does not chain to the Microsoft root, so you probably need a new cert.

    The reason the 32-bit "works" is that the policy on x86 still allows the driver to load.  There is most likely an error in the Event Log under "Event Viewer->Applications and Services Logs->Microsoft->Windows->CodeIntegrity".


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, March 16, 2012 4:20 PM
  • >This certificate does not chain to the Microsoft root

    How do I know?

    > so you probably need a new cert.

    I just got the "cert" last month.

    Today I spent an hour on the phone with Verisign.  The certificate path in the store seems correct. 

    Do I need a cross certificate for driver signing? The instructions on http://msdn.microsoft.com/en-us/library/windows/hardware/ff549830(v=vs.85).aspx seem to say that. But none of the certificates on the page http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx match my thumbprint (according to the instructions).


    • Edited by megabitee Friday, March 16, 2012 4:41 PM
    Friday, March 16, 2012 4:36 PM
  • The certificate you use for signing must be cross-certified, yes.  You should check with the issuer.

    Did you try to do the verification using "signtool verify /kp /v"?  It will spit out a chain that goes up to the Microsoft root if it can build one.


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, March 16, 2012 4:40 PM
  • > You should check with the issuer.

    I did check with the issuer.  They have no idea what a cross certificate is or why I should use one.  This is a Microsoft requirement since 1) it is included in the driver signing steps, 2) cross certificates are supplied by Microsoft.

    > Did you try to do the verification using "signtool verify /kp /v"? 

    Verifying: PyroCam3Wdf.sys
    Hash of file (sha1): 0F2BFDF400D3CF575334F63DCE460E827D97451C

    Signing Certificate Chain:
        Issued to: Class 3 Public Primary Certification Authority
        Issued by: Class 3 Public Primary Certification Authority
        Expires:   Wed Aug 02 17:59:59 2028
        SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

            Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
            Issued by: Class 3 Public Primary Certification Authority
            Expires:   Sun Nov 07 17:59:59 2021
            SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27

                Issued to: VeriSign Class 3 Code Signing 2010 CA
                Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
                Expires:   Fri Feb 07 17:59:59 2020
                SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

                    Issued to: Ophir-Spiricon, LLC
                    Issued by: VeriSign Class 3 Code Signing 2010 CA
                    Expires:   Tue Feb 11 17:59:59 2014
                    SHA1 hash: 652B3E57F9E63AA2BC59E4CD3D6EC1DA86570D8A

    The signature is timestamped: Fri Mar 16 10:02:14 2012
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 17:59:59 2020
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

            Issued to: VeriSign Time Stamping Services CA
            Issued by: Thawte Timestamping CA
            Expires:   Tue Dec 03 17:59:59 2013
            SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

                Issued to: VeriSign Time Stamping Services Signer - G2
                Issued by: VeriSign Time Stamping Services CA
                Expires:   Thu Jun 14 17:59:59 2012
                SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 07:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

            Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
            Issued by: Microsoft Code Verification Root
            Expires:   Mon Feb 22 13:35:17 2021
            SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

                Issued to: VeriSign Class 3 Code Signing 2010 CA
                Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
                Expires:   Fri Feb 07 17:59:59 2020
                SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

                    Issued to: Ophir-Spiricon, LLC
                    Issued by: VeriSign Class 3 Code Signing 2010 CA
                    Expires:   Tue Feb 11 17:59:59 2014
                    SHA1 hash: 652B3E57F9E63AA2BC59E4CD3D6EC1DA86570D8A

    Successfully verified: PyroCam3Wdf.sys

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0


    • Edited by megabitee Friday, March 16, 2012 4:45 PM
    Friday, March 16, 2012 4:45 PM
  • Your output from signtool seems to indicate that the certificate is good.  Do you see any errors in the event log?  What did you use to get the first output above?

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, March 16, 2012 7:43 PM
  • Turns out I did have the right cross certificate but I was confused by the instructions.

    On the web page http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx it says: "Find the Issuer and Thumbprint for this certificate. Then locate the corresponding entry for this CA in the list below."

    The Issuer is Verisign but the Thumbprint does not match the "Root certificate thumbprint" of VeriSign Class 3 Public Primary Certification Authority – G5. Turns out that the thumbprint is the thumbprint of the cross certificate, not the root certificate.

    When I use the new cross certificate then signing, verification, and installation succeed.

    • Marked as answer by megabitee Friday, March 16, 2012 7:46 PM
    Friday, March 16, 2012 7:46 PM
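
The chain comparison this thread turns on, as an added example that is not part of any post above: a Python script that parses `signtool verify /kp /v` output, checks whether a cross-certificate chain starting at "Microsoft Code Verification Root" is present, and lists CA names that appear in both chains with different thumbprints. The sample text is trimmed from the output quoted in the thread; the function names are illustrative assumptions.

```python
import re

# Trimmed from the "signtool verify /kp /v" output quoted in this thread
# (Expires lines, the leaf certificate and the timestamp chain are omitted).
SAMPLE = """\
Signing Certificate Chain:
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: Class 3 Public Primary Certification Authority
        SHA1 hash: 32F30882622B87CF8856C63DB873DF0853B4DD27
            Issued to: VeriSign Class 3 Code Signing 2010 CA
            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
            SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: Microsoft Code Verification Root
        SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
            Issued to: VeriSign Class 3 Code Signing 2010 CA
            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
            SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
"""
KERNEL_ROOT = "Microsoft Code Verification Root"
HEADER = re.compile(r"^(Signing Certificate Chain|Timestamp Verified by|Cross Certificate Chain):$")
FIELD = re.compile(r"^(Issued to|Issued by|Expires|SHA1 hash):\s*(.+)$")

def parse_chains(text):
    """Return {section header: [cert dict, ...]}, root first, as signtool prints them."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = chains.setdefault(header.group(1), [])
            continue
        field = FIELD.match(line)
        if field and current is not None:
            if field.group(1) == "Issued to":   # each certificate entry starts here
                current.append({})
            if current:
                current[-1][field.group(1)] = field.group(2)
    return chains

def chains_to_kernel_root(chains):
    """True only if a cross-certificate chain exists and starts at the Microsoft root."""
    cross = chains.get("Cross Certificate Chain", [])
    return bool(cross) and cross[0].get("Issued to") == KERNEL_ROOT

def reissued_subjects(chains):
    """Names in both chains whose thumbprints differ (CA's own cert vs. cross certificate)."""
    own = {c["Issued to"]: c.get("SHA1 hash") for c in chains.get("Signing Certificate Chain", [])}
    return {c["Issued to"]: (own[c["Issued to"]], c.get("SHA1 hash"))
            for c in chains.get("Cross Certificate Chain", [])
            if c["Issued to"] in own and own[c["Issued to"]] != c.get("SHA1 hash")}

if __name__ == "__main__":
    parsed = parse_chains(SAMPLE)
    print("chains to kernel root:", chains_to_kernel_root(parsed))
    print("same name, different thumbprint:", reissued_subjects(parsed))
```

Output without a "Cross Certificate Chain" section, such as the first listing in the thread, makes `chains_to_kernel_root` return False.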
  • I am also having the same problem but my drivers appear to be signed correctly. I used the "Go Daddy Root Certificate Authority – G2" cross certificate for kernel-mode signing from Microsoft. The only thing I can't explain is when I open up the cross certificate it says "Windows does not have enough information to verify this certificate". Please help.

    Verifying: i386\driver.cat
    Hash of file (sha1): 266D45B8181B3E7B06715C8DFD44662F97BEF40F

    Signing Certificate Chain:
        Issued to: Go Daddy Root Certificate Authority - G2
        Issued by: Go Daddy Root Certificate Authority - G2
        Expires:   Thu Dec 31 18:59:59 2037
        SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B

            Issued to: Go Daddy Secure Certificate Authority - G2
            Issued by: Go Daddy Root Certificate Authority - G2
            Expires:   Sat May 03 02:00:00 2031
            SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

                Issued to: Adaptive Micro-Ware, Inc.
                Issued by: Go Daddy Secure Certificate Authority - G2
                Expires:   Fri Jan 17 16:19:44 2014
                SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2

    The signature is timestamped: Fri Jan 25 11:35:54 2013
    Timestamp Verified by:
        Issued to: Starfield Services Root Certificate Authority
        Issued by: Starfield Services Root Certificate Authority
        Expires:   Mon Dec 31 18:59:59 2029
        SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

            Issued to: Starfield Services Timestamp Authority
            Issued by: Starfield Services Root Certificate Authority
            Expires:   Wed Apr 26 02:00:00 2017
            SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    Successfully verified: i386\driver.cat

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    Verifying: i386\driver.sys
    File is signed in catalog: i386\driver.cat
    Hash of file (sha1): 266D45B8181B3E7B06715C8DFD44662F97BEF40F

    Signing Certificate Chain:
        Issued to: Go Daddy Root Certificate Authority - G2
        Issued by: Go Daddy Root Certificate Authority - G2
        Expires:   Thu Dec 31 18:59:59 2037
        SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B

            Issued to: Go Daddy Secure Certificate Authority - G2
            Issued by: Go Daddy Root Certificate Authority - G2
            Expires:   Sat May 03 02:00:00 2031
            SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

                Issued to: Adaptive Micro-Ware, Inc.
                Issued by: Go Daddy Secure Certificate Authority - G2
                Expires:   Fri Jan 17 16:19:44 2014
                SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2

    The signature is timestamped: Fri Jan 25 11:35:54 2013
    Timestamp Verified by:
        Issued to: Starfield Services Root Certificate Authority
        Issued by: Starfield Services Root Certificate Authority
        Expires:   Mon Dec 31 18:59:59 2029
        SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

            Issued to: Starfield Services Timestamp Authority
            Issued by: Starfield Services Root Certificate Authority
            Expires:   Wed Apr 26 02:00:00 2017
            SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 08:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

            Issued to: Go Daddy Root Certificate Authority - G2
            Issued by: Microsoft Code Verification Root
            Expires:   Thu Apr 15 15:07:40 2021
            SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF

                Issued to: Go Daddy Secure Certificate Authority - G2
                Issued by: Go Daddy Root Certificate Authority - G2
                Expires:   Sat May 03 02:00:00 2031
                SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

                    Issued to: Adaptive Micro-Ware, Inc.
                    Issued by: Go Daddy Secure Certificate Authority - G2
                    Expires:   Fri Jan 17 16:19:44 2014
                    SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2

    Successfully verified: i386\driver.sys

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    Verifying: amd64\driver.cat
    Hash of file (sha1): FB1AD869C9B4D37EABC2DE39B2CEAC2BCFC946E0

    Signing Certificate Chain:
        Issued to: Go Daddy Root Certificate Authority - G2
        Issued by: Go Daddy Root Certificate Authority - G2
        Expires:   Thu Dec 31 18:59:59 2037
        SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B

            Issued to: Go Daddy Secure Certificate Authority - G2
            Issued by: Go Daddy Root Certificate Authority - G2
            Expires:   Sat May 03 02:00:00 2031
            SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

                Issued to: Adaptive Micro-Ware, Inc.
                Issued by: Go Daddy Secure Certificate Authority - G2
                Expires:   Fri Jan 17 16:19:44 2014
                SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2

    The signature is timestamped: Fri Jan 25 11:35:57 2013
    Timestamp Verified by:
        Issued to: Starfield Services Root Certificate Authority
        Issued by: Starfield Services Root Certificate Authority
        Expires:   Mon Dec 31 18:59:59 2029
        SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

            Issued to: Starfield Services Timestamp Authority
            Issued by: Starfield Services Root Certificate Authority
            Expires:   Wed Apr 26 02:00:00 2017
            SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    Successfully verified: amd64\driver.cat

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    Verifying: amd64\driver64.sys
    File is signed in catalog: amd64\driver.cat
    Hash of file (sha1): FB1AD869C9B4D37EABC2DE39B2CEAC2BCFC946E0

    Signing Certificate Chain:
        Issued to: Go Daddy Root Certificate Authority - G2
        Issued by: Go Daddy Root Certificate Authority - G2
        Expires:   Thu Dec 31 18:59:59 2037
        SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B

            Issued to: Go Daddy Secure Certificate Authority - G2
            Issued by: Go Daddy Root Certificate Authority - G2
            Expires:   Sat May 03 02:00:00 2031
            SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

                Issued to: Adaptive Micro-Ware, Inc.
                Issued by: Go Daddy Secure Certificate Authority - G2
                Expires:   Fri Jan 17 16:19:44 2014
                SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2

    The signature is timestamped: Fri Jan 25 11:35:57 2013
    Timestamp Verified by:
        Issued to: Starfield Services Root Certificate Authority
        Issued by: Starfield Services Root Certificate Authority
        Expires:   Mon Dec 31 18:59:59 2029
        SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

            Issued to: Starfield Services Timestamp Authority
            Issued by: Starfield Services Root Certificate Authority
            Expires:   Wed Apr 26 02:00:00 2017
            SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 08:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

            Issued to: Go Daddy Root Certificate Authority - G2
            Issued by: Microsoft Code Verification Root
            Expires:   Thu Apr 15 15:07:40 2021
            SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF

                Issued to: Go Daddy Secure Certificate Authority - G2
                Issued by: Go Daddy Root Certificate Authority - G2
                Expires:   Sat May 03 02:00:00 2031
                SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

                    Issued to: Adaptive Micro-Ware, Inc.
                    Issued by: Go Daddy Secure Certificate Authority - G2
                    Expires:   Fri Jan 17 16:19:44 2014
                    SHA1 hash: B71D22EFA5525986E714B11DA459C090592E04C2

    Successfully verified: amd64\driver64.sys

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    Friday, January 25, 2013 4:47 PM
  • Search on previous posts in this forum on go daddy certs. IIRC, they are not usable for KM signing.


    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, January 25, 2013 6:08 PM