Signed driver not recognized by Windows - CodeIntegrity 3004

  • Question

  • Short description: I have a signed driver that passes SignTool verification but Windows refuses to load it with error: CodeIntegrity 3004 - file hash not found on system. How do I fix this?

    Long description: I'm using the Cypress Suite USB 3.4.7 development kit to create a USB driver for our instrument to run under Windows 7 64-bit. I've configured the INF with the proper IDs and the unsigned driver works fine as long as I bypass driver signature enforcement. I want to create a signed driver and have been following the steps described in http://www.davidegrayson.com/signing/

    I've created a catalog file using Inf2Cat v3.2 with the /os:7_X64 flag among others. I'm using SignTool (v6.2.92) /sha1 to sign and can verify signatures on the .cat and cyusb.sys files. File explorer shows that both files have digital signatures and the advanced tab shows "This digital signature is OK."

    I plug in my USB device and it shows up as an Unknown device in Device Manager. I select Update Driver and I see a screen stating that the driver is signed by me. I continue and after a few moments the installation fails stating that the driver is not properly signed. The Event Viewer shows a CodeIntegrity error 3004, "Windows is unable to verify the image integrity of CYUSB.sys because the file hash could not be found on the system".

    ------------

    ANSWER: Use the /kp switch with SignTool Verify to show if the signature is good enough for kernel mode. In my case I did not include a cross-certificate using /ac to link my certificate to the Microsoft root one.

    • Edited by Voripteth Tuesday, February 4, 2014 10:01 PM
    Monday, February 3, 2014 9:19 PM

Answers

  • signtool.exe sign /v /sha1 (hex cert thumbprint) /t http://timestamp.verisign.com/scripts/timestamp.dll cyusb.cat
    • signtool verify /v /pa cyusb.cat

    Where do you specify the cross-certificates? (/ac  switch)?

    For signtool /verify, specify also /kp switch.

    -- pa


    • Edited by Pavel A Tuesday, February 4, 2014 4:18 PM
    • Marked as answer by Voripteth Tuesday, February 4, 2014 9:58 PM
    Tuesday, February 4, 2014 4:18 PM

All replies

  • Perhaps you need to enable testsigning on your target system.

    Bcdedit.exe -set TESTSIGNING ON

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff553484(v=vs.85).aspx

    Monday, February 3, 2014 11:49 PM
  • You don't need to sign both .cat and .sys files. Signing .cat only is enough. I also recommend to run Windows Update to check if root certificates need to be updated. BTW, which CA provided you with the certificate?

    http://www.jungo.com/st/products/windriver/

    Tuesday, February 4, 2014 9:17 AM
  • I tried using an unsigned cyusb.sys with a signed cyusb.cat and got the same CodeIntegrity error 3004, "file hash could not be found in CYUSB.SYS".

    I ran Windows Update and it did not find any updates needed. 

    We are using:  GlobalSign ObjectSign CA

    Tuesday, February 4, 2014 2:47 PM
  • Can you specify the exact set of commands that you use to sign the driver?

    http://www.jungo.com/st/products/windriver/

    Tuesday, February 4, 2014 3:12 PM
  • Here are the commands we're using to create the catalog, sign and verify the driver. All commands complete without errors:

    • Inf2Cat /v /uselocaltime /driver:"C:\Cypress\Driver x64" /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64
    • signtool.exe sign /v /sha1 (hex cert thumbprint) /t http://timestamp.verisign.com/scripts/timestamp.dll cyusb.cat
    • signtool verify /v /pa cyusb.cat

    The driver cyusb.sys isn't signed so we originally used signtool on that as well but have stopped signing it as recommended above.

    When I use SignTool Verify I do see SHA1 hash values for cyusb.cat as well as ones for each link in the certificate chain.  Why can't Windows see this?  :(
    • Edited by Voripteth Tuesday, February 4, 2014 3:55 PM added SHA1 info
    Tuesday, February 4, 2014 3:37 PM
  • Perhaps you need to enable testsigning on your target system.

    Bcdedit.exe -set TESTSIGNING ON

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff553484(v=vs.85).aspx

    I'm signing the driver we intend to release, not a test driver.
    Tuesday, February 4, 2014 3:40 PM
  • I am not sure that the last command is correct. I always use (with Verisign certificate):

    signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n "Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll catalog_file_name.cat


    http://www.jungo.com/st/products/windriver/

    Tuesday, February 4, 2014 5:29 PM

  • Where do you specify the cross-certificates? (/ac  switch)?

    For signtool /verify, specify also /kp switch.

    -- pa

    Thanks Pavel, you got me headed in the right direction!

    Using the /kp switch, the verify step now fails with "Signing Cert does not chain to a Microsoft Root Cert."

    I wasn't using a cross-certificate so I added the GlobalSign one that I got here

    With the /ac switch in place the Verify step now passes and the driver now installs.

    Victory!!

    Tuesday, February 4, 2014 9:58 PM
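The accepted answer and the final reply above describe the same two-step fix: sign the catalog with the CA's cross-certificate (/ac) and verify it under the kernel-mode policy (/kp) rather than only the default Authenticode policy (/pa). The PowerShell script below is an added example, not code from the thread or from Cypress, that wraps both steps so a release build fails early when the catalog would still be rejected by Code Integrity. The signtool.exe install path, the certificate thumbprint, the cross-certificate file name and the catalog path are assumed placeholders; the timestamp URL is the one used in the thread.

```powershell
# Added example (not from the thread): sign a driver catalog with a
# cross-certificate and verify it under kernel-mode policy before release.
# /pa checks the default Authenticode policy and passes even when the chain
# never reaches a Microsoft root; /kp applies the kernel-mode policy that
# Code Integrity uses, so a /kp failure predicts the 3004 event at install.

# Assumed install path for the Windows Kits SignTool; adjust for your SDK.
$SignTool  = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe'
# Timestamp service used in the thread.
$Timestamp = 'http://timestamp.verisign.com/scripts/timestamp.dll'

function Invoke-SignTool {
    # Runs signtool.exe with the given arguments and returns exit code plus output.
    # SignTool exit codes: 0 = success, 1 = failure, 2 = completed with warnings.
    param([Parameter(Mandatory)] [string[]]$Arguments)
    $output = (& $SignTool @Arguments 2>&1) -join "`n"
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        Output   = $output
    }
}

function Invoke-CatalogSigning {
    # Signs the catalog; /ac links the signing certificate to the Microsoft
    # root through the CA's cross-certificate, which is what the thread was missing.
    param(
        [Parameter(Mandatory)] [string]$Catalog,     # e.g. cyusb.cat
        [Parameter(Mandatory)] [string]$Thumbprint,  # SHA1 thumbprint of the code-signing cert
        [Parameter(Mandatory)] [string]$CrossCert    # CA cross-certificate .cer (placeholder)
    )
    Invoke-SignTool -Arguments @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint,
                                 '/t', $Timestamp, $Catalog)
}

function Test-CatalogSignature {
    # Verifies under both policies so the difference is visible in one object:
    # DefaultPolicyOk can be $true while KernelPolicyOk is $false.
    param([Parameter(Mandatory)] [string]$Catalog)
    $pa = Invoke-SignTool -Arguments @('verify', '/v', '/pa', $Catalog)
    $kp = Invoke-SignTool -Arguments @('verify', '/v', '/kp', $Catalog)
    [pscustomobject]@{
        Catalog            = $Catalog
        DefaultPolicyOk    = ($pa.ExitCode -eq 0)
        KernelPolicyOk     = ($kp.ExitCode -eq 0)
        KernelPolicyOutput = $kp.Output
    }
}

# Usage with placeholder values (replace before running).
$catalog = 'C:\Cypress\Driver x64\cyusb.cat'
$signed  = Invoke-CatalogSigning -Catalog $catalog `
                                 -Thumbprint '<hex cert thumbprint>' `
                                 -CrossCert '<CA cross-certificate>.cer'
if ($signed.ExitCode -ne 0) {
    throw "Signing failed:`n$($signed.Output)"
}

$check = Test-CatalogSignature -Catalog $catalog
if (-not $check.KernelPolicyOk) {
    # This is the state the thread hit: /pa passed but /kp reported
    # "Signing Cert does not chain to a Microsoft Root Cert."
    throw "Catalog does not verify under kernel-mode policy:`n$($check.KernelPolicyOutput)"
}
$check
```

Running the check in the build pipeline turns the silent mismatch between "This digital signature is OK" in Explorer and the CodeIntegrity 3004 event on the target into a hard failure at signing time, where the missing /ac argument is cheap to fix.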