Minifilter Driver: Windows cannot verify the digital signature for this file.

  • Question

  • I have downloaded the Microsoft "Scanner File System Minifilter Driver" example and compiled everything. I put the INF file and SYS file in the same directory, installed it by right-clicking the INF file, enabled kernel debugging and started the kernel debugger to bypass signature verification, but I always get the "Windows cannot verify the digital signature for this file" error regardless of that when I try to activate the driver. I'm trying to run it on Windows Server 2008 R2 64-bit. According to the documentation, it isn't supposed to verify the signatures with the kernel debugger attached to the local system, so I wonder why it does.

    I created a new test certificate and followed all the steps in the "How to Test-Sign a Driver Package (Windows Drivers)" article to create a signed CAT file from the INF file to avoid testing with an unsigned driver, but testing with the signed driver doesn't make any difference; it gets the exact same error. I can see the certificate on the system I'm trying to start the driver on. I always make sure to delete the previous version and install the new version, and I'm sure I signed it for the target OS.

    Error returned:

    >net start scanner
    System error 577 has occurred.

    Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Thanks for looking into this.


    • Edited by Hoshisato Friday, March 8, 2013 2:23 PM
    Friday, March 8, 2013 2:22 PM

Answers

  • Let the WDK build create the package for you. A debug build will sign everything as well. If you use the WDK to deploy, it will install the cert used to sign in the trusted root store of the machine under test. Signing is not enough; the cert needs to be in the right chain of trust. I would suggest starting with x86 to get past the signing problems initially.


    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, March 8, 2013 3:20 PM
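
The answer's point that signing alone is not enough can be checked on the machine under test. The PowerShell below is an added example, not part of the original thread or of the WDK sample: it reads the signer certificate from each file, builds its chain, and reports whether the chain's last certificate is in the LocalMachine Root store. The default file paths and the helper name Test-CertInStore are assumptions.

```powershell
# Added example. The default paths are assumptions: pass -Path with your own package files.
param(
    [string[]]$Path = @('.\scanner.sys', '.\scanner.cat')
)

function Test-CertInStore {
    param([string]$Store, [string]$Thumbprint)
    # True when the LocalMachine store holds a certificate with this thumbprint.
    $hit = Get-ChildItem "Cert:\LocalMachine\$Store" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$hit
}

foreach ($file in $Path) {
    if (-not (Test-Path $file)) { Write-Output "$file : not found"; continue }

    $sig = Get-AuthenticodeSignature -FilePath $file
    $signer = $sig.SignerCertificate
    if (-not $signer) {
        # A .sys that is covered only by the catalog has no signer of its own.
        Write-Output "$file : no embedded signature (Status = $($sig.Status))"
        continue
    }

    # Build the chain from the signer; elements are filled in even when trust fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test certs publish no CRL
    $trusted = $chain.Build($signer)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        File                     = $file
        SignatureStatus          = $sig.Status
        Signer                   = $signer.Subject
        ChainEndsAt              = $root.Subject
        ChainTrusted             = $trusted
        ChainProblems            = $problems
        RootInRootStore          = (Test-CertInStore -Store 'Root' -Thumbprint $root.Thumbprint)
        SignerInTrustedPublisher = (Test-CertInStore -Store 'TrustedPublisher' -Thumbprint $signer.Thumbprint)
    } | Select-Object File, SignatureStatus, Signer, ChainEndsAt, ChainTrusted,
            ChainProblems, RootInRootStore, SignerInTrustedPublisher | Format-List
}
```

A self-signed test certificate that is present on the machine but not in the Root store shows ChainTrusted as False with UntrustedRoot listed under ChainProblems.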

All replies

  • Thanks for the reply, makes sense. As I'm new to device drivers, what would the package you refer to look like? Before I started messing with certificates myself, I built the project in VS 2012 and I took the SYS file under the <TargetOS>\Package directory. The Description.html that comes with the example was not very clear what SYS file to take as there are several generated by the build process. Other than that, I followed the steps in that file one by one.
    Friday, March 8, 2013 3:33 PM