Driver signed with EV Certificate on Windows 10 does not load on Windows 7

  • Question

  • Hi guys,

    I have a problem. If I sign a virtual audio device driver on Windows 10 using an EV certificate, then I can't load this driver on Windows 7. The driver gets installed, but there is an error that Windows cannot test the digital signature and the driver is not loaded. The driver is loaded on Windows 10 (prior to 1607) without any problems.

    If I sign the same driver binary using the same EV certificate, the same cross-certificate and the same signtool.exe binary with absolutely the same parameters, but do all of this on Windows 7, then I don't have the issue. The driver can be loaded on Windows 7 and Windows 10 (prior to 1607) without any problems.

    I've seen this with DigiCert and GlobalSign EV certificates.

    Does anybody know what can be the problem and how to solve this?


    Thanks,

    Roman


    • Edited by Romul15 Wednesday, November 30, 2016 12:10 PM
    Tuesday, November 29, 2016 11:57 AM

All replies

  • For Win7, a certain update is needed which enables support for new signatures.

    IIRC this was KB3033929.

    -- pa

    Tuesday, November 29, 2016 12:20 PM
  • This update is installed.

    As I wrote in my post, if I sign the SAME driver with the SAME certificate using the SAME signtool.exe and the SAME command-line parameters, but perform the signing on Windows 7, then the driver can be loaded on all Windows 7 computers. So obviously the problem is because of using Windows 10 in the signing chain.

    The error on Windows 7 looks like this: "Cannot load driver for this device. Probably the driver is corrupted or missed. (Code 39)". But the properties of the device show the presence of the digitally signed driver.

    Here is the output of signtool verify command:

    C:\Windows\System32\drivers>signtool.exe verify /v /debug /a /all /d /kp /ph /tw /o 2:6.1 my.sys

    Verifying: my.sys
    File is signed in catalog: c:\windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem145.CAT
    Hash of file (sha1): 6F8080BC32F14BF23B6F631ACFA89F559330281E

    Signing Certificate Chain:
        Issued to: GlobalSign Root CA
        Issued by: GlobalSign Root CA
        Expires:   Fri Jan 28 15:00:00 2028
        SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C

            Issued to: GlobalSign
            Issued by: GlobalSign Root CA
            Expires:   Mon Mar 18 13:00:00 2019
            SHA1 hash: 4765557AF418C68A641199146A7E556AA8242996

                Issued to: GlobalSign Extended Validation CodeSigning CA - SHA256 -G3
                Issued by: GlobalSign
                Expires:   Sat Jun 15 03:00:00 2024
                SHA1 hash: 87A63D9ADB627D777836153C680A3DFCF27DE90C

                    Issued to: my company
                    Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
                    Expires:   Wed Nov 22 19:37:51 2017
                    SHA1 hash: 87C0FD5998F8D9864F766C4366D38403C86B08C6

    The signature is timestamped: Wed Nov 30 14:11:13 2016

    Timestamp Verified by:
        Issued to: GlobalSign Root CA
        Issued by: GlobalSign Root CA
        Expires:   Fri Jan 28 15:00:00 2028
        SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C

            Issued to: GlobalSign Timestamping CA - G2
            Issued by: GlobalSign Root CA
            Expires:   Fri Jan 28 15:00:00 2028
            SHA1 hash: C0E49D2D7D90A5CD427F02D9125694D5D6EC5B71

                Issued to: GlobalSign TSA for Standard - G2
                Issued by: GlobalSign Timestamping CA - G2
                Expires:   Thu Jun 24 03:00:00 2027
                SHA1 hash: 83FDE1BA76FEF55291B50D6861906DAA45B58CB5

    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 16:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

            Issued to: GlobalSign Root CA
            Issued by: Microsoft Code Verification Root
            Expires:   Thu Apr 15 23:05:08 2021
            SHA1 hash: CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32

                Issued to: GlobalSign
                Issued by: GlobalSign Root CA
                Expires:   Mon Mar 18 13:00:00 2019
                SHA1 hash: 4765557AF418C68A641199146A7E556AA8242996

                    Issued to: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
                    Issued by: GlobalSign
                    Expires:   Sat Jun 15 03:00:00 2024
                    SHA1 hash: 87A63D9ADB627D777836153C680A3DFCF27DE90C

                        Issued to: my company
                        Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
                        Expires:   Wed Nov 22 19:37:51 2017
                        SHA1 hash: 87C0FD5998F8D9864F766C4366D38403C86B08C6

    SignTool Warning: No page hashes are present.

    Successfully verified: my.sys

    Number of signatures successfully Verified: 1
    Number of warnings: 1
    Number of errors: 0

    So everything seems to be correct. Unfortunately I don't have the ability to sign the driver using this certificate on Windows 7, because it's an EV certificate and it's tied to the client's place.

    Wednesday, November 30, 2016 12:08 PM
  • The error on Windows 7 looks like this: "Cannot load driver for this device. Probably the driver is corrupted or missed. (Code 39)".

    So it really looks like the driver binary is corrupted, it won't start even if you boot in test-signing mode (or whatever this is called) and with debugger connected?

    Which WDK was used to build this driver?

    Could this be a DRM related issue (special requirements for protected media path, etc)?

    -- pa



    • Edited by Pavel A Wednesday, November 30, 2016 12:29 PM
    Wednesday, November 30, 2016 12:27 PM
  • WDK is pretty old - 7.1

    How could DRM be involved?

    Wednesday, November 30, 2016 1:38 PM
  • The self signed driver works just fine on Windows 8.1
    • Edited by Romul15 Wednesday, November 30, 2016 2:40 PM
    Wednesday, November 30, 2016 2:40 PM
  • It works on Windows 8 as well.

    It seems to be one of the ways to make Windows 7 outdated :)

    Wednesday, November 30, 2016 2:51 PM
  • How could DRM be involved?

    IIRC there are some additional build options for drivers in DRM-ized paths, to enable tampering detection.

    --pa

    Wednesday, November 30, 2016 3:33 PM
  • I have a similar problem on Win7. The driver is signed / tested with "Windows HCK 2.1 for Windows 8.1 and 7" on Win8 clients.

    KB3033929 seems not to solve the problem.

    https://social.msdn.microsoft.com/Forums/windowshardware/en-US/0b901d0f-847e-4185-9ec1-9f6d521a5023/kernel-driver-signing-so-it-works-on-windows-xp-vista-7-and-8?forum=whck

    Wednesday, December 7, 2016 6:28 AM
  • I didn't see the command you used to sign the file in the text...

    For installs on Win 7 and Win 10 it can be helpful to dual sign the files.

    First call to signtool does the SHA-1 signature (with a SHA-1 timestamp),

    second call to signtool appends the SHA-2 signature (with a SHA-2 timestamp).

    Signing tools in the Windows 8.1 SDK and above support dual signing, so this won't work if you are using an older SDK.

    Wednesday, December 7, 2016 3:09 PM
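The dual-signing sequence the last reply describes, written out as an added example batch script (not from the thread or any of its posters). The certificate subject name, the cross-certificate file, the file names and both timestamp URLs are placeholders to replace with your own; signtool.exe is assumed to come from the Windows 8.1 SDK or later, since older tools do not support /as.

```batch
@echo off
rem Added example, not from the thread: dual-sign a kernel driver and its catalog
rem so that Windows 7 (SHA-1 path) and Windows 10 (SHA-256 path) can both verify it.
setlocal

rem Placeholders (assumptions): replace with your own values.
set CERT_NAME=My Company
set CROSS_CERT=EV-cross-cert.cer
set TS_SHA1=http://TIMESTAMP-SHA1-AUTHENTICODE-URL
set TS_RFC3161=http://TIMESTAMP-RFC3161-URL
set FILES=my.sys my.cat

rem Step 1: primary SHA-1 signature with an Authenticode (SHA-1) timestamp.
rem This is the signature Windows 7 evaluates.
for %%F in (%FILES%) do (
    signtool.exe sign /v /ac "%CROSS_CERT%" /n "%CERT_NAME%" /fd sha1 /t "%TS_SHA1%" "%%F" || exit /b 1
)

rem Step 2: append (/as) a SHA-256 signature with an RFC 3161 SHA-256 timestamp.
rem This is the signature newer Windows versions evaluate; /as keeps the SHA-1 one.
for %%F in (%FILES%) do (
    signtool.exe sign /v /as /ac "%CROSS_CERT%" /n "%CERT_NAME%" /fd sha256 /tr "%TS_RFC3161%" /td sha256 "%%F" || exit /b 1
)

rem Check: every signature must chain to the Microsoft Code Verification Root under the
rem kernel-mode policy (/kp), using the catalog, and pass the Windows 7 policy (/o 2:6.1).
signtool.exe verify /v /kp /all /o 2:6.1 /c my.cat my.sys || exit /b 1
echo Dual signing and verification succeeded.
endlocal
```

Run the verify step on a Windows 7 machine with KB3033929 installed as well as on the signing machine, since the OS-version policy check on the signing machine does not replace a real load test on the target.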