"Unknown Publisher" with kernel-mode driver signed with VeriSign c

Discussion in 'Windows Vista Drivers' started by Loring, Apr 26, 2010.

  1. Loring

    Loring Guest

    I have been unsuccessful signing a kernel-mode driver for use in 64-bit
    Windows 7. I am using a certificate from VeriSign but no WHQL certificate.

    Note that I've replaced the company's name with "XXX" below.

    I sign the catalog with the following (PASSWORD is replaced with the actual
    password for the key):
    signtool sign /v /ac "MSCV-VSClass3.cer" /f iLabDriver.pfx /p PASSWORD /n "XXX" /t http://timestamp.verisign.com/scripts/timstamp.dll "ilabamd64.cat"

    This returns:
    The following certificate was selected:
    Issued to: XXX
    Issued by: VeriSign Class 3 Code Signing 2009-2 CA
    Expires: Tue Apr 19 19:59:59 2011
    SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7

    Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 09:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    Expires: Mon May 23 13:11:29 2016
    SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

    Issued to: VeriSign Class 3 Code Signing 2009-2 CA
    Issued by: Class 3 Public Primary Certification Authority
    Expires: Mon May 20 19:59:59 2019
    SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

    Issued to: XXX
    Issued by: VeriSign Class 3 Code Signing 2009-2 CA
    Expires: Tue Apr 19 19:59:59 2011
    SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7

    Done Adding Additional Store
    Successfully signed and timestamped: ilabamd64.cat

    Number of files successfully Signed: 1
    Number of warnings: 0
    Number of errors: 0



    I verified the signing with:
    signtool verify /kp /v ilabamd64.cat

    which returned:
    Verifying: ilabamd64.cat
    Hash of file (sha1): 558B5720B0A7BEB6AD43763DF17ADE1163B27A27

    Signing Certificate Chain:
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    Expires: Tue Aug 01 19:59:59 2028
    SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

    Issued to: VeriSign Class 3 Code Signing 2009-2 CA
    Issued by: Class 3 Public Primary Certification Authority
    Expires: Mon May 20 19:59:59 2019
    SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

    Issued to: XXX
    Issued by: VeriSign Class 3 Code Signing 2009-2 CA
    Expires: Tue Apr 19 19:59:59 2011
    SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7

    The signature is timestamped: Mon Apr 26 13:13:13 2010
    Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires: Thu Dec 31 19:59:59 2020
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

    Issued to: VeriSign Time Stamping Services CA
    Issued by: Thawte Timestamping CA
    Expires: Tue Dec 03 19:59:59 2013
    SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

    Issued to: VeriSign Time Stamping Services Signer - G2
    Issued by: VeriSign Time Stamping Services CA
    Expires: Thu Jun 14 19:59:59 2012
    SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

    Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 09:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    Expires: Mon May 23 13:11:29 2016
    SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

    Issued to: VeriSign Class 3 Code Signing 2009-2 CA
    Issued by: Class 3 Public Primary Certification Authority
    Expires: Mon May 20 19:59:59 2019
    SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

    Issued to: XXX
    Issued by: VeriSign Class 3 Code Signing 2009-2 CA
    Expires: Tue Apr 19 19:59:59 2011
    SHA1 hash: 599F2301A083500D52D0917CCCCC8FE86F8DF3B7

    Successfully verified: ilabamd64.cat

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    But when I try to install the driver I get a dialog box with:
    Would you like to install this device software?
    Name: Unidentified Device
    Publisher: Unknown Publisher


    The dialog gives an option to Install or Don't Install. If I click on
    Install the driver will be installed, but if I click on Don't Install I get:
    The publisher of an Authenticode(tm) signed catalog was not established as
    trusted.

    The setupapi.dev.log file includes the following if I choose "Don't Install":
    sig: Success: File is signed in Authenticode(tm) catalog.
    sig: Error 0xe0000242: The publisher of an Authenticode(tm)
    signed catalog has not yet been established as trusted

    and the following if I choose "Install":
    ! sig: Verifying file against specific (valid) catalog
    failed! (0x800b0109)
    ! sig: Error 0x800b0109: A certificate chain processed,
    but terminated in a root certificate which is not trusted by the trust
    provider

    I guess the driver won't be automatically installed without user
    intervention since it doesn't have a WHQL certificate, but:
    1) Why isn't the catalog established as trusted?
    2) Can I fix the name and publisher so they are the actual device name and
    publisher name even though the catalog isn't trusted?

    Is it a problem in the verify output that "Signing Certificate Chain" does
    not chain to the root and "Cross Certificate Chain" does?

    I can post the .inf file if needed.
     
    Loring, Apr 26, 2010
    #1
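
Added example, not part of the original post: a check over `signtool verify /kp /v` output in the layout shown above, confirming that the "Cross Certificate Chain" section starts at Microsoft Code Verification Root, links issuer to subject, and ends at the same leaf as the "Signing Certificate Chain". The function names are illustrative, and the sample output is constructed and abbreviated with placeholder hashes.

```python
import re
ROOT = "Microsoft Code Verification Root"
FIELD = re.compile(r"^\s*(Issued to|Issued by|SHA1 hash):\s*(.+?)\s*$")
# Constructed, abbreviated output in the layout of `signtool verify /kp /v`
# (publisher "XXX" as in the post; hash values are placeholders).
SAMPLE = """\
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
SHA1 hash: AA01
Issued to: XXX
Issued by: Class 3 Public Primary Certification Authority
SHA1 hash: CC03
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
SHA1 hash: BB02
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
SHA1 hash: DD04
Issued to: XXX
Issued by: Class 3 Public Primary Certification Authority
SHA1 hash: CC03
"""

def parse_chains(text):
    chains, cur = {}, None  # section header -> certificates, root first
    for line in text.splitlines():
        m = FIELD.match(line)
        if m is None and line.strip().endswith(":"):
            cur = chains.setdefault(line.strip()[:-1], [])
        elif m and cur is not None:
            if m.group(1) == "Issued to":  # each certificate starts here
                cur.append({})
            if cur:
                cur[-1][m.group(1)] = m.group(2)
    return chains

def kernel_chain_problems(text):
    chains = parse_chains(text)
    cross = chains.get("Cross Certificate Chain", [])
    signing = chains.get("Signing Certificate Chain", [])
    if not cross or cross[0].get("Issued to") != ROOT:
        return ["no cross-certificate chain starting at " + ROOT]
    problems = []
    for parent, child in zip(cross, cross[1:]):
        if child.get("Issued by") != parent.get("Issued to"):
            problems.append("broken issuer link at " + child.get("Issued to", "?"))
    if signing and signing[-1].get("SHA1 hash") != cross[-1].get("SHA1 hash"):
        problems.append("cross chain ends at a different leaf than the signing chain")
    return problems
```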

  2. Loring

    Matt Barker

    I know this is an old thread, but if anyone else comes across this issue when creating a .inf with a signed .cat file and it says 'unknown device' when installing, check that you have got a .DeviceDesc="Device Name" setting in the [Strings] section of your .inf file.
     
    Matt Barker, May 13, 2016
    #2
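
Added example, not part of the original thread: a small lint for the check described in the reply above, reporting every %token% an INF references that has no definition in a [Strings] section. The sample INF fragment, the ilab.DeviceDesc token name, the service section and the hardware ID are constructed for illustration.

```python
import re

TOKEN = re.compile(r"%([^%\s]+)%")

# Constructed INF fragment; the token names and hardware ID are hypothetical.
SAMPLE_INF = """\
[Version]
Signature="$WINDOWS NT$"
Provider=%ManufacturerName%
CatalogFile=ilabamd64.cat

[Manufacturer]
%ManufacturerName%=Models,NTamd64

[Models.NTamd64]
%ilab.DeviceDesc%=Install, USB\\VID_0000&PID_0000

[ilab_Service]
ServiceBinary=%12%\\ilab.sys

[Strings]
ManufacturerName="XXX"
"""

def strip_comment(line):
    """Drop a trailing ';' comment, ignoring semicolons inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line

def undefined_string_tokens(inf_text):
    """Return [(token, line_no)] for %token% uses with no [Strings] definition."""
    section, defined, used = "", set(), []
    for line_no, raw in enumerate(inf_text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "strings" or section.startswith("strings."):
            if "=" in line:  # key = "value"; keys are compared case-insensitively here
                defined.add(line.split("=", 1)[0].strip().lower())
        else:  # numeric tokens such as %12% are directory ids, not string keys
            used += [(t, line_no) for t in TOKEN.findall(line) if not t.isdigit()]
    return [(t, n) for t, n in used if t.lower() not in defined]
```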