How to add second sign to kernel mode driver ? RRS feed

  • Question

  • Hello,

    I am trying to sign kernel mode driver with two signatures, sha1 for Win7 and sha256 for Win8. The first sign is ok, the driver is installable and loadable by Win7x64, but the second sign is incomplete. In Properties->Digital Sign are visible both lines, first has digest algorithm  sha1, the second has sha256. the first is valid, but the second shows error: "No signature was present in the subject".

    Command: "signtool.exe" verify /ds 0 /v /kp filename.cat" outputs three chains: Signing Certificate Chain, Timestamp verified chain and Cross-certificate chain, but
    Command: "signtool.exe" verify /ds 1 /v /kp filename.cat" outputs only two chains: Signing Certificate Chain, Timestamp verified chain and outputs error "No signature found".

    When I add only one signature sha256, it is valid and usable with Win8. Only case when I try to add both - the second is incomplete.

    I use this commands:

    signtool.exe sign /debug /v /ac "..\cross-certificate.crt" /sha1 signercertificatehash /fd sha1 /t http://timestamp.comodoca.com/authenticode /d "ServiceName" filename.cat
    signtool.exe sign /debug /v /ac "..\cross-certificate.crt" /sha1 signercertificatehash /fd sha256 /as /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /d "ServiceName" filename.cat

    How to add valid second sha256 signature ?


    Sunday, May 17, 2015 8:34 AM

All replies

  • Additionally, when I try to add both signatures to drivername.sys then both signatures are valid. Only when signing *.cat then the second signature is incomplete like described in first post. I tried to create catalog with inf2cat and makecat. Problem is present on both cases. 


    Sunday, May 17, 2015 10:20 AM
  • I have the same problem, have you found a fix for this yet?


    Monday, July 20, 2015 9:27 AM