Why would a code signing certificate show up as valid on one machine, but NOT valid on another?

  • Question

  • Hello,

    I am trying to understand why the exact same driver package behaves differently between two machines during its install process.

    I have a kernel mode driver that I've signed using the Windows 8 WDK and VS 2012 Pro (VS 2012 Pro does the driver package signing for me). My signing machine is a Windows 7 (x64) pro box, and the target machines are either the same, or Windows Ultimate (x64).

    I am pretty sure the driver package has been signed correctly, because I am able to install it on some target machines without Windows giving me a warning.

    In the instances where there are no Windows security warnings, I get the standard Windows Security prompt asking me if I want to install the device software. I see my company name as the publisher, I click the install, and the install proceeds OK. I do see an error in the setupapi.dev.log file, (see http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/b5fea469-b886-4e90-a521-5686197fb3bb) but this does not seem to impede the install or the operation of the driver.

    In the instances where I see Windows security warnings, I'm using the exact same driver package, but copied to a different target machine prior to attempting the install. In this case, I get the Windows Security window pop up that says "Windows can't verify the publisher of this driver software", with options for "Don't install this driver software" and "Install this driver software anyway". I can select the "Install this driver software anyway" option, and the driver installs and operates just fine.

    My question is, why would the same driver package install differently on two different machines?

    Is there something I can look at to determine why I'm seeing the security warning on one machine and not the other?

    The certificate that's part of the driver package even looks different when I double click it. On the machine where the install proceeds without warning, I can see the entire certification path (Root->Intermediate->My Code Signing Cert), and on the machine where the warning pops up, I only see my cert in the path.

    Any ideas anyone?

    Thank you,

    Geoff

    Wednesday, March 6, 2013 9:24 PM

All replies

  • Yes, that could be... I'm looking into that; I'm just not sure which updates would be needed, there appear to be many available.

    I'm also looking at something else I found while digging around the MSDN.

    I'm looking at two other articles/bulletins:

    http://technet.microsoft.com/en-us/library/cc731638.aspx and

    http://technet.microsoft.com/en-us/library/cc754841.aspx?ppud=4

    I think it's a long shot, but there might be something different with the way certificate policies are being set up.

    The one thing I have found is the certificate installs/management is not consistent from machine to machine, nor is it a straightforward process. I've verified my driver package has been signed correctly using my signing machine, and for what it's worth I had the output from signtool verified by the vendor of my code signing cert. So... I'm pretty sure it's something local to the machine showing the problem.

    What's weird is I see the root CA on one of the machines warning me about the driver publisher. It's in the trusted root store of the current user. I've seen some discussions that say to try moving the root to the trusted publishers, and even the code signing cert to the trusted publishers store. What I don't see is "why". The kernel signing docs David mentions don't specify where the root cert needs to be stored, just that the OS has to find it.

    I am sure I'll eventually figure this out; I just wish it were more straightforward. David's doc is a big help, but I haven't found my solution yet. Still more things to try.

    Thanks Pavel.

    Thursday, March 7, 2013 9:16 PM
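The question describes a chain that is complete on one machine and truncated on another, and the reply notes that the root CA sits in the current user's Trusted Root store on the failing machine. The following PowerShell script is an added diagnostic, not code from the thread or from any of its participants; it is meant to be run on each target machine so the two outputs can be compared side by side. It assumes `$DriverFile` points at the signed `.cat` (or `.sys`) from the package; that path is a placeholder, and the Code Signing EKU OID `1.3.6.1.5.5.7.3.3` is the standard value.

```powershell
# Added diagnostic (not from the original thread): show how THIS machine verifies a signed driver
# file, how it builds the certificate chain, and where each chain element is (or is not) installed.
# $DriverFile is a placeholder; point it at the .cat or .sys file from the driver package.
param([string]$DriverFile = 'C:\DriverPackage\mydriver.cat')

# 1. Ask WinVerifyTrust (the same check setup and the "can't verify the publisher" prompt rely on).
$sig = Get-AuthenticodeSignature -FilePath $DriverFile
"Status      : {0}" -f $sig.Status
"StatusMsg   : {0}" -f $sig.StatusMessage
"Signer      : {0}" -f $sig.SignerCertificate.Subject

# 2. Build the chain the way CryptoAPI does, with revocation checking off so that a missing
#    intermediate/root is not confused with an unreachable CRL server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
$built = $chain.Build($sig.SignerCertificate)
"Chain built : {0}" -f $built
foreach ($el in $chain.ChainElements) {
    "  {0}" -f $el.Certificate.Subject
    $elStatus = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if ($elStatus) { "     element status: {0}" -f $elStatus }
}
foreach ($cs in $chain.ChainStatus) {
    "Chain status: {0} - {1}" -f $cs.Status, $cs.StatusInformation.Trim()
}

# 3. For every element of the chain, report which local stores actually contain it.
#    Machine-wide stores (LocalMachine) and the interactive user's stores (CurrentUser) are
#    listed separately, because services performing the install do not share the latter.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
foreach ($el in $chain.ChainElements) {
    $thumb = $el.Certificate.Thumbprint
    $hits = Get-ChildItem -Path $stores |
            Where-Object { $_.Thumbprint -eq $thumb } |
            ForEach-Object { $_.PSParentPath -replace '.*::', '' }
    $where = if ($hits) { $hits -join '; ' } else { '<not installed in any of these stores>' }
    "{0}`n    found in: {1}" -f $el.Certificate.Subject, $where
}
```

Run it on the machine that prompts and on the machine that does not, and diff the two outputs: a chain element reported as found only under `CurrentUser\Root` or `CurrentUser\CA`, or not found at all, is the usual reason the certification path collapses to just the leaf. A root present only in the interactive user's store is not visible to the system-level components that perform driver installation, which is consistent with the behaviour the reply describes; placing the publisher's certificate in Trusted Publishers only suppresses the prompt once the chain itself already validates to a trusted root.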