I have been unsuccessful signing a kernel-mode driver for use in 64-bit Windows 7. I am using a certificate from VeriSign but no WHQL certificate. Note that I've replaced the company's name with "XXX" below.

I sign the catalog with the following (PASSWORD is replaced with the actual password for the key):
signtool sign /v /ac "MSCV-VSClass3.cer" /f iLabDriver.pfx /p PASSWORD /n "XXX" /t http://timestamp.verisign.com/scripts/timstamp.dll "ilabamd64.cat"
This returns:
The following certificate was selected:
Issued to: XXX
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Tue Apr 19 19:59:59 2011
SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon May 23 13:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 19:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: XXX
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Tue Apr 19 19:59:59 2011
SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7
Done Adding Additional Store
Successfully signed and timestamped: ilabamd64.cat
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
I verified the signing with:
signtool verify /kp /v ilabamd64.cat
which returned:
Verifying: ilabamd64.cat
Hash of file (sha1): 558B5720B0A7BEB6AD43763DF17ADE1163B27A27
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue Aug 01 19:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 19:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: XXX
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Tue Apr 19 19:59:59 2011
SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7
The signature is timestamped: Mon Apr 26 13:13:13 2010
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 19:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 19:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: Thu Jun 14 19:59:59 2012
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 09:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon May 23 13:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 19:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: XXX
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Tue Apr 19 19:59:59 2011
SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7
Successfully verified: ilabamd64.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
But when I try to install the driver I get a dialog box with:
Would you like to install this device software?
Name: Unidentified Device
Publisher: Unknown Publisher
The dialog gives an option to Install or Don't Install. If I click on
Install the driver will be installed, but if I click on Don't Install I get:
The publisher of an Authenticode(tm) signed catalog was not established as trusted.
The setupapi.dev.log file includes the following if I choose "Don't Install":
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted
and the following if I choose "Install":
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
I guess the driver won't be automatically installed without user intervention since it doesn't have a WHQL certificate, but:

1) Why isn't the catalog established as trusted?
2) Can I fix the name and publisher so they are the actual device name and publisher name even though the catalog isn't trusted?

Is it a problem in the verify output that "Signing Certificate Chain" does not chain to the root and "Cross Certificate Chain" does?

I can post the .inf file if needed.
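As an added example (not from the post above), a small Python parser for the `signtool verify /kp /v` output quoted in the question, run over an abridged copy of that output constructed inline. It makes explicit what the two chain listings say: the signing chain terminates in the VeriSign Class 3 Public Primary CA, the cross chain terminates in Microsoft Code Verification Root, and every certificate in the signing chain was still valid at the signature's timestamp.

```python
from datetime import datetime
# Constructed sample: abridged `signtool verify /kp /v` output from the post (signing
# chain in full, cross chain cut to its first two certificates, SHA1 lines dropped).
SAMPLE = """\
Verifying: ilabamd64.cat
Signing Certificate Chain:
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    Expires: Tue Aug 01 19:59:59 2028
    Issued to: VeriSign Class 3 Code Signing 2009-2 CA
    Issued by: Class 3 Public Primary Certification Authority
    Expires: Mon May 20 19:59:59 2019
    Issued to: XXX
    Issued by: VeriSign Class 3 Code Signing 2009-2 CA
    Expires: Tue Apr 19 19:59:59 2011
The signature is timestamped: Mon Apr 26 13:13:13 2010
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 09:54:03 2025
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    Expires: Mon May 23 13:11:29 2016
"""
FMT = "%a %b %d %H:%M:%S %Y"  # signtool's date format, e.g. "Mon Apr 26 13:13:13 2010"

def parse_chains(text):
    """Return ({section: [cert, ...]}, timestamp); a section is any bare 'Xxx:' header line."""
    chains, timestamp, current = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":"):                       # "Signing Certificate Chain:" etc.
            current = chains.setdefault(s[:-1], [])
        elif s.startswith("The signature is timestamped:"):
            timestamp = datetime.strptime(s.split(": ", 1)[1], FMT)
        elif current is not None and s.startswith("Issued to:"):
            current.append({"to": s.split(": ", 1)[1]})
        elif current is not None and s.startswith("Issued by:"):
            current[-1]["by"] = s.split(": ", 1)[1]
        elif current is not None and s.startswith("Expires:"):
            current[-1]["expires"] = datetime.strptime(s.split(": ", 1)[1], FMT)
    return chains, timestamp

def chain_root(certs):
    """Name of the self-issued certificate a chain terminates in, or None if it has none."""
    return next((c["to"] for c in certs if c["to"] == c["by"]), None)

def valid_at(certs, when):
    """True if no certificate in the chain had expired at `when` (e.g. the timestamp)."""
    return all(c["expires"] > when for c in certs)
```

Feeding it the full output (including the "Timestamp Verified by:" section) works the same way, since every bare header line starts a new section.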