Properly signed kernel 64bit driver rejected to run on Vista 64bit

Discussion in 'Windows Vista Drivers' started by Jan, May 7, 2007.

  1. Jan

    Jan Guest

    Hello,
    Our problem is simple: We've got a 64bit kernel startup driver and a
    certificate purchased from GlobalSign (should be ok for Vista kernel 64bit
    signing). We followed the guide at
    http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx and
    signed the file using signtool with an embedded signature (we signed the driver
    file itself) and verified it with the "signtool verify /kp file.sys" command. All
    checks were OK. - BUT after the installation (system start driver) on the testing
    machine with Vista Ultimate 64bit, the OS refused to run this file with this
    CodeIntegrity message:

    "Windows is unable to verify the image integrity of the file file.sys
    because file hash could not be found on the system. A recent hardware or
    software change might have installed a file that is signed incorrectly or
    damaged, or that might be malicious software from an unknown source."

    This doesn't make any sense to us. What does this message mean? What went
    wrong? Unsupported certificate? Not properly signed file? Should we install
    any root certificates or something on the users'/testing machine?

    We tried to solve this issue with GlobalSign staff, but they seem to be totally
    incompetent.

    Thanks for any help.

    Regards,
    Jan
     
    Jan, May 7, 2007
    #1

  2. If the driver has a companion WHQL test then self-signing will only work for
    testing on x64. And then only if testsigning is enabled. There is (I
    believe) an F8 boot-time option to enable testsigning on Vista. You can also
    use BCDEDIT /set testsigning on to run a test-signed driver on Vista x64 for
    testing.

    If your driver type has a companion WHQL test, then you must get the driver
    signed by WHQL before you distribute it. This restriction may also apply to
    boot-time drivers regardless of type, but I am not an authority on this.

    You should open a support incident with Microsoft to get this resolved. Any
    guidance that you may get from newsgroups will be second-hand and may not
    apply to your specific issue.

    Thomas F. Divine
     
    Thomas F. Divine, May 7, 2007
    #2

  3. Jan

    Jan Guest

    The driver doesn't have a companion WHQL test. When we enable testsigning, then
    it works fine, of course.
    Our driver was signed for release with a real Authenticode certificate
    from a real CA - it should work, but it doesn't.

    Jan
     
    Jan, May 7, 2007
    #3
  4. I suppose you signed and cross-signed the binary, right?
    Can you load your driver after the boot in some way, to see if the signature
    is valid?
    Have a nice day
    GV
     
    Gianluca Varenni, May 7, 2007
    #4
  5. Have you signed the driver binary and the .CAT (if there is a .CAT file...).

    Thomas F. Divine
     
    Thomas F. Divine, May 7, 2007
    #5
  6. Jan

    Jan Guest

    We used this signtool command to sign driver file:

    signtool sign /ac MSCV-GlobalSign.cer /s my /n "Our store name" /t
    http://timestamp.verisign.com/scripts/timestamp.dll ourfile.sys

    and then verification command:
    signtool verify /kp ourfile.sys

    All was OK - but the driver is disabled to run on Vista 64bit.

    When we check the signature through the file's properties, we receive the
    message "Digital signature is OK".

    The only way to run the driver is to disable signature checking on Vista
    64bit, but that is useless - we're testing the signature, not the driver
    functionality.

    Jan
     
    Jan, May 7, 2007
    #6
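    Kernel-mode code signing on 64-bit Vista requires the embedded signature to chain up to the Microsoft Code Verification Root, which is what the cross-certificate passed to signtool's /ac option provides; neither "signtool verify /kp" nor the file's property sheet makes that part of the chain obvious. The script below is an added example (not code from the thread, from GlobalSign or from Microsoft) that reads a PE file's Attribute Certificate Table with the Python standard library, walks the embedded PKCS#7 SignedData and lists every certificate's subject and issuer, flagging whether any of them was issued by that root. It only parses names and does not validate signatures or revocation; the PE image, the certificates and the names "Example Publisher" and "Example CA" used when no file is given are constructed sample data, not a real driver.

```python
import struct

OID_CN = bytes.fromhex("550403")                        # id-at-commonName (2.5.4.3)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # PKCS#7 signedData
MS_CODE_VERIFICATION_ROOT = "Microsoft Code Verification Root"

def der_read(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def name_cn(name):
    """commonName of an X.501 Name: SEQUENCE OF SET OF (OID, value)."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (vtag, val) = list(der_children(atv))[:2]
            if oid == OID_CN:
                return val.decode("utf-16-be" if vtag == 0x1E else "utf-8")
    return None

def cert_names(cert):
    """(subject CN, issuer CN) from the body of a DER Certificate SEQUENCE."""
    fields = list(der_children(next(der_children(cert))[1]))  # tbsCertificate
    if fields[0][0] == 0xA0:                            # skip optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, ...
    return name_cn(fields[4][1]), name_cn(fields[2][1])

def signed_data_certs(pkcs7):
    """Bodies of all certificates carried in a PKCS#7 SignedData blob."""
    _, content_info, _ = der_read(pkcs7, 0)
    (_, oid), (_, explicit) = list(der_children(content_info))[:2]
    if oid != OID_SIGNED_DATA:
        return []
    signed_data = next(der_children(explicit))[1]
    # [0] IMPLICIT certificates is the only context tag 0 at this level
    return [c for t, v in der_children(signed_data) if t == 0xA0
            for _, c in der_children(v)]

def pe_security_table(pe):
    """Raw Attribute Certificate Table of a PE image (empty if unsigned)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                 # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    # data directories start at +112 (PE32+) or +96 (PE32); SECURITY is entry 4
    # and its "VirtualAddress" is a file offset, not an RVA
    entry = opt + (112 if magic == 0x20B else 96) + 4 * 8
    off, size = struct.unpack_from("<II", pe, entry)
    return pe[off:off + size]

def win_certificates(table):
    """Split the table into WIN_CERTIFICATE payloads of type PKCS_SIGNED_DATA."""
    blobs, pos = [], 0
    while pos + 8 <= len(table):
        length, _rev, ctype = struct.unpack_from("<IHH", table, pos)
        if ctype == 0x0002:
            blobs.append(table[pos + 8:pos + length])
        pos += (length + 7) & ~7                        # entries are 8-byte aligned
    return blobs

def embedded_chain(pe):
    """[(subject CN, issuer CN), ...] for every cert in the image's signatures."""
    return [cert_names(c) for blob in win_certificates(pe_security_table(pe))
            for c in signed_data_certs(blob)]

def has_kmcs_cross_cert(pe):
    """True if some embedded cert was issued by the Microsoft Code Verification Root."""
    return any(issuer == MS_CODE_VERIFICATION_ROOT for _, issuer in embedded_chain(pe))

# ---- constructed sample data (not a real driver, not real certificates) ----
def der(tag, *parts):
    """Minimal DER TLV encoder used only to build the sample below."""
    body = b"".join(parts)
    n = len(body)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    hdr = bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + body

def fake_cert(subject_cn, issuer_cn):
    """Structurally valid but unsigned Certificate carrying only the two names."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN), der(0x13, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2a"))                 # placeholder AlgorithmIdentifier
    tbs = der(0x30, der(0x02, b"\x01"), alg, name(issuer_cn), der(0x30), name(subject_cn))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))

def sample_signed_pe(certs):
    """Minimal PE32+ header whose security directory points at the given certs."""
    signed = der(0x30, der(0x02, b"\x01"), der(0x31), der(0x30, der(0x06, b"\x2a")),
                 der(0xA0, *certs), der(0x31))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, signed))
    wincert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    wincert += b"\0" * (-len(wincert) % 8)
    hdr_len = 0x40 + 24 + 112 + 16 * 8
    pe = bytearray(hdr_len)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    struct.pack_into("<H", pe, 0x40 + 24, 0x20B)
    struct.pack_into("<II", pe, 0x40 + 24 + 112 + 4 * 8, hdr_len, len(wincert))
    return bytes(pe) + wincert

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_signed_pe(
        [fake_cert("Example Publisher", "Example CA"),
         fake_cert("Example CA", MS_CODE_VERIFICATION_ROOT)])
    for subject, issuer in embedded_chain(data):
        print(f"{subject!r:40} issued by {issuer!r}")
    print("KMCS cross-certificate present:", has_kmcs_cross_cert(data))
```

    Run it as "python inspect_sig.py ourfile.sys" against the signed driver; if no entry is issued by the Microsoft Code Verification Root, the cross-certificate given to /ac did not end up in the signature, which "signtool verify /kp" alone does not show. On a Windows box, "signtool verify /kp /v ourfile.sys" prints the same chain.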
  7. Jan

    Jan Guest

    It is written in the title of this thread - yes, the driver file is signed
    and seems to be correctly signed - but it doesn't run.
    We used embedded signing - we signed the driver file (ourfile.sys), not the
    .cat file, which we don't use at all.

    Regards,
    Jan
     
    Jan, May 7, 2007
    #7
  8. Open a support incident. I don't think you'll find the answer here.

    Sorry.

    Thomas F. Divine
     
    Thomas F. Divine, May 7, 2007
    #8