
Signtool /ac option does nothing


Christian Studer
Sep 14, 2008, 11:26:15 AM
Signing my driver works fine, no errors or warnings, but the cross certificate, MSCV-VSClass3.cer, doesn't get added to the certificate chain, so 64-bit Vista still treats the driver as unsigned.

Any idea what might cause this?

Thanks,

Christian Studer

Tim Roberts
Sep 15, 2008, 12:31:58 AM
Christian Studer <no...@none.none> wrote:
>
>Signing my driver works fine, no errors or warnings, but the cross
>certificate, MSCV-VSClass3.cer, doesn't get added to the certificate
>chain, so 64-bit Vista still treats the driver as unsigned.
>
>Any idea what might cause this?

You're sure that the certificate you have is a class 3 code signing
certificate? You can't use the other kinds of certificates that Verisign
sells.

The /ac thing does work; I've been able to do it with my GlobalSign
certificate.
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.

Wilhelm Noeker
Sep 15, 2008, 3:12:08 AM
Christian Studer wrote:

> Signing my driver works fine, no errors or warnings, but the cross
> certificate, MSCV-VSClass3.cer, doesn't get added to the certificate
> chain, so 64-bit Vista still treats the driver as unsigned.

How did you determine "doesn't get added"? As far as I know, file
properties do not indicate the presence of a cross certificate, not even
if viewed on Vista64 itself. This may be quite confusing, and like you,
I thought at first that "signtool /ac option does nothing". But you will
notice that the output file size is different, if /ac is not present.

By the way, my company uses a Verisign certificate, too, and it works
fine for Vista64 kernel signing.

Christian Studer
Sep 15, 2008, 7:47:31 AM
That looks okay; the two certificates above mine are:

Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 2028-08-02 01:59:59
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 2014-07-16 01:59:59
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

Thanks,

Christian Studer

Christian Studer
Sep 15, 2008, 7:54:30 AM
I'm using signtool with the verify command to display details about the signature:

signtool verify /kp /v <driver>

This shows the following certificate chain:

Signing Certificate Chain:

Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 2028-08-02 01:59:59
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 2014-07-16 01:59:59
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

Issued to: Realtime Soft Ltd
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 2009-01-08 01:59:59

According to the Kernel-Mode Code Signing Walkthrough from http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx, there should be an additional certificate named 'Microsoft Code Verification Root' above Class 3 Public Primary Certification Authority.

Thanks,

Christian Studer
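
The chain check this post describes, as an added example that is not from the thread: a small Python parser for the "Signing Certificate Chain" block printed by `signtool verify /kp /v`, reporting whether the chain is anchored in the Microsoft Code Verification Root. The two sample outputs are constructed, the first from the values quoted above, the second from what the walkthrough says a cross-signed chain looks like.

```python
import itertools, re
# Constructed from the chain the original poster pasted ("signtool verify /kp /v"):
# nothing above the VeriSign root, so the /ac cross-certificate was not applied.
SAMPLE_WITHOUT_CROSS_CERT = """\
Signing Certificate Chain:

    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

    Issued to: VeriSign Class 3 Code Signing 2004 CA
    Issued by: Class 3 Public Primary Certification Authority

    Issued to: Realtime Soft Ltd
    Issued by: VeriSign Class 3 Code Signing 2004 CA
"""
# Constructed sample of the chain the KMCS walkthrough expects once the
# cross-certificate is in place (hashes omitted: the cross-issued CA is a different cert).
SAMPLE_WITH_CROSS_CERT = """\
Signing Certificate Chain:

    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root

    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root

    Issued to: VeriSign Class 3 Code Signing 2004 CA
    Issued by: Class 3 Public Primary Certification Authority

    Issued to: Realtime Soft Ltd
    Issued by: VeriSign Class 3 Code Signing 2004 CA

The signature is timestamped: (constructed placeholder for the rest of the output)
"""
KMCS_ROOT = "Microsoft Code Verification Root"
FIELD = re.compile(r"^\s*(Issued to|Issued by|Expires|SHA1 hash):\s*(.+?)\s*$", re.M)

def parse_chain(output):
    # Cert blocks under the header, root first; stop at the first block lacking "Issued to".
    _, _, section = output.partition("Signing Certificate Chain:")
    blocks = (dict(FIELD.findall(b)) for b in re.split(r"\n\s*\n", section.strip()))
    return list(itertools.takewhile(lambda f: "Issued to" in f, blocks))

def kmcs_chain_ok(output):
    # True only if the chain is anchored in the KMCS root and every link is consistent.
    chain = parse_chain(output)
    if not chain or chain[0]["Issued to"] != KMCS_ROOT:
        return False
    return all(c["Issued by"] == p["Issued to"] for p, c in zip(chain, chain[1:]))
```

Feed it the captured output of `signtool verify /kp /v` on the signed driver; a False result with a VeriSign certificate on top is the symptom discussed in this thread.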

Christian Studer
Sep 15, 2008, 8:19:04 AM
I just checked the file size, it's the same with and without the cross certificate.

Wilhelm Noeker
Sep 15, 2008, 9:02:14 AM
Christian Studer wrote:

> I'm using signtool with the verify command to display details about the
> signature:
>
> signtool verify /kp /v <driver>

[...]

> According to the Kernel-Mode Code Signing Walkthrough from
> http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx,
> there should be an additional certificate named 'Microsoft Code
> Verification Root' above Class 3 Public Primary Certification Authority.

That's right, the same command executed for my own driver shows that
additional certificate. Here's the command that I use for signing:

signtool sign /v /ac xcert.cer /n "my company" driver.sys

Could it be that you try to invoke your company's certificate directly
from a .pfx file? AFAIR, that does not work in combination with /ac.

Christian Studer
Sep 15, 2008, 7:33:01 PM
I also have the certificate installed in the personal store, and use a similar command to sign the driver. I also tested with exactly the same command line you use, but get the same results (signed successfully but missing Microsoft root certificate).

Are you running this as administrator? Haven't tried this yet, I'm logged on as a standard user (on 64-bit Vista).

Regards,

Christian Studer
http://www.realtimesoft.com

Wilhelm Noeker
Sep 16, 2008, 6:17:13 AM
Christian Studer wrote:

> I also have the certificate installed in the personal store, and use a
> similar command to sign the driver. I also tested with exactly the same
> command line you use, but get the same results (signed successfully but
> missing Microsoft root certificate).
>
> Are you running this as administrator? Haven't tried this yet, I'm
> logged on as a standard user (on 64-bit Vista).

I use Vista only as a playground for testing. All my compilers and other
tools run on XP, and I'm logged on with power user rights.

Christian Studer
Sep 16, 2008, 9:06:17 AM
Running signtool as administrator didn't fix the problem; the Microsoft root certificate still didn't get added.

Regards,

Christian Studer
http://www.realtimesoft.com

Tim Roberts
Sep 17, 2008, 1:07:35 AM
Christian Studer <no...@none.none> wrote:

>That looks okay, the two certificates above mine are:
>
>Issued to: Class 3 Public Primary Certification Authority
>Issued by: Class 3 Public Primary Certification Authority
>Expires: 2028-08-02 01:59:59
>SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2
>
> Issued to: VeriSign Class 3 Code Signing 2004 CA
> Issued by: Class 3 Public Primary Certification Authority
> Expires: 2014-07-16 01:59:59
> SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

One other thought: does the cross-certificate file actually exist in the
directory where you are running "signtool"? The /ac parameter specifies a
pathname.

Christian Studer
Sep 17, 2008, 9:33:52 AM
The path should be okay, I got an error when I used only the file name of the cross certificate.

I'm using the following command to sign the driver:

signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /s my /n "Realtime Soft Ltd" /du http://www.realtimesoft.com /t http://timestamp.verisign.com/scripts/timstamp.dll "<driver>"

Something else I tried was running signtool with the signwizard command, but this gave the same results. I had converted the cross certificate to an .spc file in order to use it with the wizard.

Regards,

Christian Studer
http://www.realtimesoft.com

Ian Blake
Sep 19, 2008, 6:21:32 AM
On Wed, 17 Sep 2008 15:33:52 +0200, Christian Studer <no...@none.none> wrote:

>The path should be okay, I got an error when I used only the file name of the cross certificate.
>
>I'm using the following command to sign the driver:
>
>signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /s my /n "Realtime Soft Ltd" /du http://www.realtimesoft.com /t http://timestamp.verisign.com/scripts/timstamp.dll "<driver>"
>
>Something else I tried was running signtool with the signwizard command, but this gave the same results. I had converted the cross certificate to an .spc file in order to use it with the wizard.
>
>Regards,
>

Are you signing the cat file?
signtool ... <driver>
inf2cat ...
signtool ... <catfile>

Christian Studer
Sep 19, 2008, 11:24:30 AM
Only the driver; it's a simple non-plug-and-play driver with no inf or cat file. Installation is via CreateService.

Christian Studer

Christian Studer
Nov 12, 2008, 8:47:04 PM
I found the problem: it happens if the VeriSign root certificates also get installed in the personal certificate store, instead of only your own certificate. Apparently installing the certificate by double-clicking it in Explorer only installs that certificate, while installing the certificate via certmgr.msc also installs the VeriSign root certificates.

This seems to be a known issue; I found the solution in a post by Peter Viscarola from OSR: http://www.osronline.com/showthread.cfm?link=135850

Christian Studer
http://www.realtimesoft.com
