Signed driver package rejected by Win 7 RC, Why?

David and Tim, thanks for the additional input. I have looked at the
"AudioCodes, Inc." certificate that I have in my Personal store. I think it
is in my personal store, it can be seen via Internet Explorer: I click Tools
| Internet Options | Certificates | Other People tab | AudioCodes, Inc.
Within the certificate the Issuer is "VeriSign Class 3 Code Signing 2004 CA".
Under Enhanced Key Usage the value is "Code Signing (1.3.6.1.5.5.7.3.3). Is
there anything else I should check?

Yes, I did download the cross cert from Microsoft's page and unzipped on my
computer. The comamnd line references that .cer file. Is there something I
can do to verify that file?

I am stuck because very little of this process is clear in the docs or
examples. Is the AudioCodes, Inc. certificate in my "Personal" store even
though I have to click on the "Other People" tab in the Certificates window?

Thanks in advance. When we get this step of the process nailed down, the
release guy will codify it in batch scripts, etc., and we will be ready to go
with our push to a 64-bit driver.
--
Mr. Fixit needs your help! - John Bond , LLC


"David Craig" wrote:

> That is true, Tim. I also discovered that you can use Internet Exploder to
> view all the certificates and kill old certs. That should help him validate
> the name string. I suspect it is also case-sensitive, but I got the batch
> file from someone who had it working.
>
> "Tim Roberts" <> wrote in message
> news:...
> > John Bond <> wrote:
> >>
> >>SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
> >>Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
> >>SmartWORKSDriver.sys
> >>
> >>Is giving the following error message:
> >>
> >>SignTool Error: No certificates were found that met all the given
> >>criteria.
> >>
> >>Number of files successfully Signed: 0
> >>Number of warnings: 0
> >>Number of errors: 1
> >>
> >>Is the .cer file found at:
> >>http://www.microsoft.com/whdc/winlog...crosscert.mspx
> >>the appropriate one to use? Or should I use the .cer I can export out of
> >>my
> >>certificate store?
> >
> > You must use the cross-certificate from Microsoft. That, of course,
> > assumes that you really do have a Verisign class 3 code-signing
> > certificate
> > in your certificate store with the name "AudioCodes, Inc.". The string
> > must match exactly.
> > --
> > Tim Roberts,
> > Providenza & Boekelheide, Inc.

John Bond <> wrote:
>
>David, are you saying that I cannot use KMDF 1.7 (WDK 6001.18002) and its
>signtool and inf2cat to produce 64-bit loadable drivers?

No, they work fine.

>If so I will upgrade to 7.0.0 WDK (KMDF 1.9??). (Did 7.0.0 reach released
>status recently? I must have had my head buried too deeply in the sand.)

Yes, it's been available for some time.
--
Tim Roberts,
Providenza & Boekelheide, Inc.

John Bond <> wrote:
>
>David and Tim, thanks for the additional input. I have looked at the
>"AudioCodes, Inc." certificate that I have in my Personal store. I think it
>is in my personal store, it can be seen via Internet Explorer: I click Tools
>| Internet Options | Certificates | Other People tab | AudioCodes, Inc.
>Within the certificate the Issuer is "VeriSign Class 3 Code Signing 2004 CA".
> Under Enhanced Key Usage the value is "Code Signing (1.3.6.1.5.5.7.3.3). Is
>there anything else I should check?

How did you install the certificate? Your signtool command line says it's
in the "My" store. Is that how you installed it? Can you find it in
certmgr.msc?
--
Tim Roberts,
Providenza & Boekelheide, Inc.

John Bond <> wrote:
>
>Cool, Tim, I now have a signed SwrxDriver.sys. What would have caused the
>first install of the certificate to have put in something besides the private
>key and tell me that the import was successful? I had two other people
>looking over my shoulder to verify that I was following the directions.

Digital signing is a maze of twisty passages, all alike. There's a fair
amount of shooting in the dark to get to the first success, and after that
you just follow the same recipe until the end of time.
--
Tim Roberts,
Providenza & Boekelheide, Inc.

David, I owe you an apology... you were right. I had to use the latest
SignTool AND Inf2Cat just to get the signed files to work with Win7. It took
me two more weeks of sweat and blood to get there. I should have tried it
without questioning it... JBond

"David Craig" wrote:

> Did you import the pfx into your local certificate store? Did you generate
> the inf with the inf2cat tool in the 7600.16385.0 (aka 7.0.0) WDK? Use the
> tools from that WDK as I know it works.
>
> "John Bond" <> wrote in message
> news:E34FBD0F-6332-4EEC-A1F9-...
> > The command line:
> >
> > SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
> > Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
> > SmartWORKSDriver.sys
> >
> > Is giving the following error message:
> >
> > SignTool Error: No certificates were found that met all the given
> > criteria.
> >
> > Number of files successfully Signed: 0
> > Number of warnings: 0
> > Number of errors: 1
> >
> > Is the .cer file found at:
> > http://www.microsoft.com/whdc/winlog...crosscert.mspx
> > the appropriate one to use? Or should I use the .cer I can export out of
> > my
> > certificate store?
> > --
> > Mr. Fixit needs your help! - John Bond , LLC
> >
> >
> > "David Craig" wrote:
> >
> >> Look on Microsoft.com for a cross signing certificate that matches your
> >> corporate certificate. There are procedures documented in WHQL for
> >> driver
> >> and cat file signing. It is fairly easy to do once you have the correct
> >> certs, but since someone else provides those to us I have never done it
> >> myself. Once the certs are done and you have added the private key to
> >> your
> >> computer it is just a matter of running inf2cat and signtool on the sys
> >> and
> >> inf.
> >>
> >>
> >> "John Bond" <> wrote in message
> >> news:0785368D-EAE6-4496-AF6B-...
> >> >I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
> >> > Ultimate RC... well even with a digital certificate used to sign the
> >> > driver
> >> > package, it is rejected with the following message:
> >> >
> >> > A recently installed program tried to install an unsigned driver. This
> >> > version of Windows requires all drivers to have a valid digital
> >> > signature.
> >> > The driver is unavailable and ... (I get the message)
> >> >
> >> > So what must I do to bypass this and test my driver? Must I go back to
> >> > Server2008?
> >> > --
> >> > Mr. Fixit needs your help! - John Bond , LLC
> >>
> >>
> >> .
> >>
>
>
> .
>

I am wondering if I have the same problem per-haps:
I was signing with WDK 6000 because of ease of the wizard mode.

Now I am trying the same thing with WDK 7600.16385.0


>SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n
"DATAWIND NET ACCESS CORPORATION"
/t http://timestamp.verisign.com/scripts/timestamp.dll AMD64\WideUsb.sys
The following certificate was selected:
Issued to: DATAWIND NET ACCESS CORPORATION
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Wed Sep 22 18:59:59 2010
SHA1 hash: 196399AA62717B1430405533474B44BDFD13C947

SignTool Error: An unexpected internal error has occurred.
Error information: "CryptQueryObject" (-2147024893/0x80070003)

I do not know what could have gone wrong here, any clue, any one?

Thanks.


"John Bond" <> wrote in message news:F8677212-D3E3-4EE9-A08D-...
> David, I owe you an apology... you were right. I had to use the latest
> SignTool AND Inf2Cat just to get the signed files to work with Win7. It took
> me two more weeks of sweat and blood to get there. I should have tried it
> without questioning it... JBond
>
> "David Craig" wrote:
>
>> Did you import the pfx into your local certificate store? Did you generate
>> the inf with the inf2cat tool in the 7600.16385.0 (aka 7.0.0) WDK? Use the
>> tools from that WDK as I know it works.
>>
>> "John Bond" <> wrote in message
>> news:E34FBD0F-6332-4EEC-A1F9-...
>> > The command line:
>> >
>> > SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "AudioCodes,
>> > Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll
>> > SmartWORKSDriver.sys
>> >
>> > Is giving the following error message:
>> >
>> > SignTool Error: No certificates were found that met all the given
>> > criteria.
>> >
>> > Number of files successfully Signed: 0
>> > Number of warnings: 0
>> > Number of errors: 1
>> >
>> > Is the .cer file found at:
>> > http://www.microsoft.com/whdc/winlog...crosscert.mspx
>> > the appropriate one to use? Or should I use the .cer I can export out of
>> > my
>> > certificate store?
>> > --
>> > Mr. Fixit needs your help! - John Bond , LLC
>> >
>> >
>> > "David Craig" wrote:
>> >
>> >> Look on Microsoft.com for a cross signing certificate that matches your
>> >> corporate certificate. There are procedures documented in WHQL for
>> >> driver
>> >> and cat file signing. It is fairly easy to do once you have the correct
>> >> certs, but since someone else provides those to us I have never done it
>> >> myself. Once the certs are done and you have added the private key to
>> >> your
>> >> computer it is just a matter of running inf2cat and signtool on the sys
>> >> and
>> >> inf.
>> >>
>> >>
>> >> "John Bond" <> wrote in message
>> >> news:0785368D-EAE6-4496-AF6B-...
>> >> >I thought it would be nice to test my 64-bit KMDF 1.7 driver on Win 7
>> >> > Ultimate RC... well even with a digital certificate used to sign the
>> >> > driver
>> >> > package, it is rejected with the following message:
>> >> >
>> >> > A recently installed program tried to install an unsigned driver. This
>> >> > version of Windows requires all drivers to have a valid digital
>> >> > signature.
>> >> > The driver is unavailable and ... (I get the message)
>> >> >
>> >> > So what must I do to bypass this and test my driver? Must I go back to
>> >> > Server2008?
>> >> > --
>> >> > Mr. Fixit needs your help! - John Bond , LLC
>> >>
>> >>
>> >> .
>> >>
>>
>>
>> .
>>

"Denis @ TheOffice" <> wrote:
>
>I am wondering if I have the same problem per-haps:
>I was signing with WDK 6000 because of ease of the wizard mode.
>
>Now I am trying the same thing with WDK 7600.16385.0
>
>>SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n
>"DATAWIND NET ACCESS CORPORATION"
>/t http://timestamp.verisign.com/scripts/timestamp.dll AMD64\WideUsb.sys
>The following certificate was selected:
> Issued to: DATAWIND NET ACCESS CORPORATION
> Issued by: VeriSign Class 3 Code Signing 2009-2 CA
> Expires: Wed Sep 22 18:59:59 2010
> SHA1 hash: 196399AA62717B1430405533474B44BDFD13C947
>
>SignTool Error: An unexpected internal error has occurred.
>Error information: "CryptQueryObject" (-2147024893/0x80070003)
>
>I do not know what could have gone wrong here, any clue, any one?

80070003 is COR_E_DIRECTORYNOTFOUND. Now, clearly it HAS found your
certificate, so it must be something else. Have you double-checked that
the cross-certificate is in C:\Verisign? You're sure that the driver is in
the AMD64 subdirectory when the command runs?
--
Tim Roberts,
Providenza & Boekelheide, Inc.