none
Driver signed properly, but still getting "driver code integrity determined that the hash image of a file is not valid" RRS feed

  • Question

  • Hello.

    I inherited some driver code that used to compile on 2003 and VC++ 6, and is now is being compiled on Windows 8.1 with VS 2013 and DDK 7600.16385.1.  The issue i am having is when i install the driver on a Windows 7 x64 box, i am getting the error in the device manager:  "Windows can not verify the digital signature", and the Audit Erorr:  "driver code integrity determined that the hash image of a file is not valid".  I ran the signtool verify command  against the sys and inf file, and using the /kp and /pa switches and setting /c to the cat file.  Everything passed as verified.

    The driver is being compiled at the CLI using the build.exe from the DDK, and i have set the I also added the "/INTEGRITYCHECK" to the $LINKER_FLAGS env var in the "sources" file.  This how i am signing the drivers:

    signtool.exe sign /v /ac "%CERTROOT%"\DigiCertHighAssuranceEVRootCA.crt /n "Company Name" /t http://timestamp.digicert.com driver/driver.sys

    inf2cat /driver:driver /os:XP_X64,Server2003_X64,Vista_X64,Server2008_X64,7_X64,Server2008R2_X64,8_X64 /verbose

    signtool.exe sign /v /ac "%CERTROOT%"\DigiCertHighAssuranceEVRootCA.crt /n "Company Name" /t http://timestamp.digicert.com driver/driver.cat

    Due to the installer not running for working on Windows 8, i have only tested it on Windows 7 x64.  Is there a step i am missing or any additional flags/options/etc. i need to set?

    thank you very much...






    Thursday, February 27, 2014 10:31 PM

All replies

  • The /INTEGRITYCHECK should do it. Verify that it actually makes it into the link command. 

    -- pa

    Thursday, February 27, 2014 11:08 PM
  • Thank you for your quick response.  I will make sure i configured everything properly.  Is there a way to have the build command explicitly output what it is doing?  right now, it just what process it is doing.  I looked at the switches available, and i did not see anything that would do that.

    Xavier Jonesberg

    Friday, February 28, 2014 12:48 AM
  • I checked the log,  and i am seeing this:


    1> C:\WinDDK\7600.16385.1\Bin\amd64\oacr\oacrlink /out:c:\users\agrossman\development\build_server\ssltunnel\nva\objfre_win7_amd64\amd64\netva.sys /machine:amd64 @c:\users\agrossman\development\build_server\ssltunnel\nva\objfre_win7_amd64\amd64\lnk.rsp 1>Microsoft (R) Incremental Linker Version 9.00.30729.207 1>Copyright (C) Microsoft Corporation. All rights reserved. 1>/MAP:.\netva.map 1>/INTEGRITYCHECK 1>/MAPINFO:EXPORTS 1>/MERGE:_PAGE=PAGE 1>/MERGE:_TEXT=.text 1>/SECTION:INIT,d 1>/OPT:REF 1>/OPT:ICF 1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235 1>/INCREMENTAL:NO 1>/release 1>/NODEFAULTLIB 1>/WX 1>/debug 1>/debugtype:cv,fixup,pdata 1>/version:6.1 1>/osversion:6.1 . .

    1>/driver .

    and then

    1>send.obj : MSIL .netmodule or module compiled with /GL found; restarting link with /LTCG; add /LTCG to the link command line to improve linker performance
    1>Microsoft (R) Incremental Linker Version 9.00.30729.207
    1>Copyright (C) Microsoft Corporation.  All rights reserved.
    1>/MAP:.\netva.map 
    1>/INTEGRITYCHECK 
    1>/MAPINFO:EXPORTS 
    1>/MERGE:_PAGE=PAGE 
    1>/MERGE:_TEXT=.text 
    1>/SECTION:INIT,d 
    1>/OPT:REF 
    1>/OPT:ICF 
    1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235 
    1>/INCREMENTAL:NO 
    1>/release 
    1>/NODEFAULTLIB 
    1>/WX 
    1>/debug 
    1>/debugtype:cv,fixup,pdata 
    1>/version:6.1 
    1>/osversion:6.1 
    1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj 
    1>/functionpadmin:6 
    1>/pdbcompress 
    1>/STACK:0x40000,0x1000 
    1>/driver 
    .
    .
    .
    .
    

    when i go update the driver from device manager, i get the error:

    "Windows cannot verify the digital signature for the drivers..."

    are there any other switches i should look for, any switches should not be there, set some cross compiler options? 

    thank you so much for the quick responses... i am a Linux programmer who was asked to get this up and running ASAP, so i appreciate all the help with the noobie questions...


    Friday, February 28, 2014 6:46 PM
  • Ok you indeed link with /integritycheck . what now?

    1. signtool switch /ac specifies a cross-certificate (provided by MS for your certificate issuer). But where do  you specify your own cert? Read the driver signing instruction on MSDN and follow it *accurately*. This is a very hard task for a software developer, but must be done.

    2. Get a clean machine (restore or reimage), verify that no stale version of the driver is lingering somewhere.

    -- pa 

    Friday, February 28, 2014 9:14 PM
  • i followed:

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff549830%28v=vs.85%29.aspx

    when sign it,  using /n "Company Name", where "Company Name" is the Subject of the cert, and i am using the "My" store, so i did not specify as a switch.  i am going to try signing it with the /f switch and try using the pfx file directly and see if that makes a difference.  When i do the verify, i assumed the cert chain looked correct, but evidently i am doing something wrong...

    As for using a clean machine, i am using a VM that i rollback to a snapshot of a freshly installed Win7 x64, with only the latest updates and the DDK installed (so i can verify the driver signing).

    Since i "signtool verify" does say everything is good, is there a manual way to do the same exact check the kernel is doing, because whatever the signtool is verify is not exactly the same as what the kernel is doing.  e.g., go through the same lookup process the kernel does to match the cat and the sys, to make sure it is not the signing that is the problem, but maybe some kind of lookup issue...

    thank you.

    Friday, February 28, 2014 9:38 PM
  • Our certs are all SHA1.  I tried directly using the pfx file, and no change in behavior.  Is there any chance a bad INF file could cause problems, cause Win 7 to look at the wrong places to look for files (even though are installed in correct place)?  i looked at it, and it still has sections that say "; Use for Win98".  I do not mind learning how to write an INF file, i just want to be sure it is in the realm of possibilities that this can be the issue.

    thank you.

    Saturday, March 1, 2014 12:03 AM
  • i feel so stupid....  it is a SHA2 cert.  i was looking under "Digital Signature" on the file itself, where it said it was signed with SHA1, and then i was looking at "Fingerprint Algorithm" on the certificate which is SHA1...

    According to Digcert, they can't give out code signing certs with SHA1 that expire past 01/2016...  i am finding out what my options are with them right now.

    Saturday, March 1, 2014 12:53 AM
  • I wasted a few days until I found out that a SHA2 cert works perfectly on applications on windows 7 and 8 and also with drivers in windows 8, but a signed "with SHA2 cert" driver does not work in windows 7, because of the signature is being rejected. Unfortunately, the Symantec/VeriSign request form proposed to use SHA2 because being better.

    I wonder  if the windows 7 kernel policy is being updated, so a W7 SP2 might accept that.

    I had to issue the cert as SHA1 to make it work on all machines.

    Thursday, October 2, 2014 7:18 AM