Windows Vista Tips

Can't sign my file properly

 
 
Denis @ TheOffice

 
      11-05-2009
This is my understanding so far, feel free to correct me if I am wrong.
Looking at my issue and others similar to mine as well as all the documentation I read so far.
That is in the context of 64 Bit Vista/7

The Logo certification is not mandatory in order to load a USB driver.
In order to load, the package must be signed with a KMCS signature.

The KMCS signature is made based on a certification purchased from an authorized CA vendor,
and a cross-certificate found at:
http://www.microsoft.com/whdc/winlog...crosscert.mspx

Must also use the signtool provided in the latest WDK (such as WDK 7600.16385.0)

Now my situation and dilemma is at this point:
I have bought a VeriSign Authenticode certification.
Converted and imported my spc file into my personal store.

Now when I try to sign my driver I am getting this error.

SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "DATAWIND NET ACCESS CORPORATION"
/t http://timestamp.verisign.com/scripts/timestamp.dll MyUsb.sys
The following certificate was selected:
Issued to: DATAWIND NET ACCESS CORPORATION
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Wed Sep 22 18:59:59 2010
SHA1 hash: 196399AA62717B1430405533474B44BDFD13C947

SignTool Error: An unexpected internal error has occurred.
Error information: "CryptQueryObject" (-2147024893/0x80070003)


I am stuck; help, if you please?
Denis


 
 
 
 
 
Gianluca Varenni

 
      11-06-2009
I would probably try removing the cross-signing (/ac
c:\verisign\mscv-vsclass3.cer) and the timestamping (/t http....) and see if
it still fails. And then add those two parameters one by one.

Just my two cents
GV

 
David Craig

 
      11-06-2009
Main batch file:
rem The OS list is quoted because cmd splits batch arguments at commas
call signem.bat objchk_win7_amd64\amd64 "7_X64,Vista_X64,XP_X64"
call signem.bat objfre_win7_amd64\amd64 "7_X64,Vista_X64,XP_X64"
call signem.bat objchk_win7_x86\i386 "7_X86,Vista_X86,XP_X86"
call signem.bat objfre_win7_x86\i386 "7_X86,Vista_X86,XP_X86"

signem.bat:
@echo off
set PATH=%PATH%;c:\WINDDK\7600.16385.0\bin\x86;c:\WINDDK\7600.16385.0\bin\SelfSign
rem Build the catalog for the package in %1; %~2 is the OS list with the quotes stripped
inf2cat /drv:%1 /os:%~2 /verbose

@echo ****************************************************************
@echo * Signing catalog files *
@echo ****************************************************************
rem Sign every catalog and driver binary found under %1
for /r %1 %%I in (*.cat *.sys) do (
@echo signing %%I
signtool sign /v /ac C:\Depot\dk\win\verisign\MSCV-VSClass3.cer /s my /n "My Company" /t http://timestamp.verisign.com/scripts/timestamp.dll "%%I"
)


I don't see any attempt to sign or create a cat file. It does a lot of
checking in the inf2cat program that may catch some errors in the inf.


 
Gianluca Varenni

 
      11-06-2009
The OP is actually trying to sign the sys file itself, so inf2cat is not
involved in this case.

GV

 
David Craig

 
      11-06-2009
Yes, I saw that but since I KNOW that doing the inf and cat signing works,
maybe it is just a good idea to do it all and take what you need. The batch
files I use do both - note the 'for' loop.

 
DenisCo @ Work

 
      11-07-2009
OOpsi!

Okay, now it is different; it says:
SignTool Error: No certificates were found that met all the given criteria.
What is wrong again?

Comment: There should be a better way to do this...

Denis



 
Tim Roberts

 
      11-08-2009
"DenisCo @ Work" <> wrote:
>
>OOpsi!
>
>Okay now it is different it says:
>SignTool Error: No certificates were found that met all the given criteria.
>What is wrong again?


"Now it is different"? What did you change? You need the
cross-certificate and the timestamp to satisfy KMCS. The "no certificates
found" message means it didn't match your certificate name in the specified
store.

Are you using the 7600 WDK? There was a bug in signtool in the pre-release
7100 WDKs such that a search by cert name did not work -- you had to use a
hash. That was fixed in the final.

>Comment: There should be a better way to do this...


It's a complicated task. Once you get the recipe, you'll be set from then
on.
--
Tim Roberts,
Providenza & Boekelheide, Inc.
 
 
DenisCo @ Work

 
      11-08-2009
What did you change?
I forgot about the "VeriSign" path I just moved it.
Also I am at home right now and have imported my pfx in.

Something very troubling though...
In the KMCS_Walkthrough it talks about this on page 33, in step 2, Obtain an
SPC.
Would you know what that means?

Important: For signing kernel-mode drivers, the certificates and key stored
in the .pfx file must be imported into the local Personal certificate store.
SignTool does not support using .pfx files for signing kernel-mode drivers.
The restriction is due to a conflict in adding cross-certificates in the
signature while using a certificate from a .pfx file.


Denis


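Added example, not written by any poster in this thread: a batch pre-flight wrapper for the signing step discussed above. It checks that the file and cross-certificate paths exist, confirms the certificate is in the user's Personal store, signs selecting the certificate by hash (the alternative to name matching that Tim Roberts mentions), and then verifies against the kernel-mode policy. The script name, argument order and exit codes are assumptions; signtool and certutil are expected on PATH.

```batch
@echo off
rem presign.bat (hypothetical name): pre-flight checks, then sign and verify.
rem Usage: presign.bat <file-to-sign> <cross-cert.cer> <cert-sha1-thumbprint>
setlocal
set "TARGET=%~1"
set "CROSSCERT=%~2"
set "THUMB=%~3"
set "TSURL=http://timestamp.verisign.com/scripts/timestamp.dll"

if "%THUMB%"=="" (
    echo usage: %~nx0 file cross-cert.cer sha1-thumbprint
    exit /b 2
)

rem 1. Every path passed to signtool must exist. 0x80070003 is the Win32
rem    error ERROR_PATH_NOT_FOUND, code 3, wrapped as an HRESULT.
if not exist "%TARGET%" (
    echo ERROR: file to sign not found: %TARGET%
    exit /b 3
)
if not exist "%CROSSCERT%" (
    echo ERROR: cross-certificate not found: %CROSSCERT%
    exit /b 3
)

rem 2. The signing certificate must be in the current user's Personal store,
rem    which is the store that "/s my" searches.
certutil -user -store My "%THUMB%" >nul 2>&1
if errorlevel 1 (
    echo ERROR: no certificate with thumbprint %THUMB% in the user My store
    exit /b 4
)

rem 3. Sign, selecting the certificate by SHA1 hash instead of subject name,
rem    with the cross-certificate and timestamp that KMCS requires.
signtool sign /v /ac "%CROSSCERT%" /s my /sha1 %THUMB% /t %TSURL% "%TARGET%"
if errorlevel 1 exit /b 5

rem 4. Verify the result against the kernel-mode driver signing policy.
signtool verify /kp /v "%TARGET%"
if errorlevel 1 exit /b 6

echo Signed and verified: %TARGET%
endlocal
```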
 
 
 