My company purchased a Driver Signing Certificate from Go Daddy. I used it to sign a simple INF file that is the driver for some of our USB devices, which use Microsoft's usbser.sys. Everything seems to work on the Windows 7 64-bit computer where I signed it: if I right-click the INF file and select "Install", the second warning I see is this nice one showing the correct publisher name:
However, if I go to another computer (Windows Vista 64-bit), right-click the INF file, and select "Install", I get this error message instead:
This makes me think my driver is not signed correctly, and the only reason it looks fine on my computer is that I installed some root/intermediate/cross certificates during Go Daddy's setup process. I definitely want my users to see that we are a verified publisher without having to manually install certificates on their computers.
The INF file and the .cat file are in the same directory.
Does anyone know why this is happening and how I can fix it?
I suspect the main problem is this error I get when I run signtool verify /v pololu.cat (more details below), which I have not yet figured out the cause of:
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Details of my procedure
The Driver Signing Certificate is a new product that Go Daddy launched a few weeks ago. I am not entirely sure how it differs from the Code Signing Certificate, but the price is the same. I followed the instructions on Go Daddy's website to download and install the certificate, but the instructions did not quite match reality. After installing the Microsoft cross-certificate in step 1, I saw a red warning message that said:
Before installing the certificate, you must update your root certificates using Windows Update or manually download and install the root certificate from our repository.
I did not know what to do. I did install some GoDaddy root certificates from their repository, but it made no noticeable difference.
I installed the latest version (8.0) of the Windows Driver Kit (WDK) and then the latest version (8.0) of the Windows Software Development Kit (SDK) for Windows 8. This gave me access to the inf2cat and signtool utilities. Both kits were released in the last month, so we might be dealing with some new bugs.
In a new directory, I put three files:
1. pololu_usb_to_serial.inf, the INF file I want to sign. It is long but simple; you can read it here. This INF file is a standalone driver; no other files are needed in our driver package. The file is essentially the same as the version our company has successfully distributed (unsigned) for years, but I had to make some changes to get Inf2Cat to accept it.
2. mscvr-cross-gdroot-g2.crt, which I downloaded from the Go Daddy certificate repository. I believe this is the cross-certificate that proves "Go Daddy Root Certificate Authority - G2" is trusted by Microsoft, but I am not entirely sure it is the right certificate.
3. sign_it.bat, the batch file I run to do the signing.
The batch file contains only:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\inf2cat" /v /driver:%~dp0 /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com pololu.cat
The first command invokes inf2cat from the Windows Driver Kit. The /v option makes it verbose. The /driver:%~dp0 option points it at the directory containing the batch file; a "." did not work for some reason, and this is better than hard-coding the full path. The /os option specifies all the operating systems I want to support with this driver package. This command creates pololu.cat.
The second command invokes signtool from the Windows Software Development Kit to sign the catalog file. The /v option makes it verbose. The /ac option specifies which cross-certificate to use (see #2 above). The /n option specifies the name of the certificate to use (that certificate is installed on my computer according to certmgr.msc). The /t option specifies the URL of Go Daddy's timestamp server.
Here is the output in the command prompt when I run the batch file:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\inf2cat" /v /driver:C:\Users\david.POLOLU\Desktop\sign_it\ /os:XP_X86,Vis
ta_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (mscvr-cross-
gdroot-g2.crt)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (pololu_usb_t
o_serial.inf)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (sign_it.bat)
Parsing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished parsing INFs
Processing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished processing INFs
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Signability test complete.
Errors:
None
Warnings:
None
Catalog generation complete.
C:\Users\david.POLOLU\Desktop\sign_it\pololu.cat
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation"
/t http://tsa.starfieldtech.com pololu.cat
The following certificate was selected:
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Done Adding Additional Store
Successfully signed: pololu.cat
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
As I said, I keep the .cat and .inf files together in the same directory, but they only work properly on the computer where I signed them.
Verifying with Signtool
Microsoft's signtool utility also has a "verify" feature that lets you check whether your signature is correct. There are three different policies you can use when verifying, and each gives different results:
- The Windows driver verification policy says my signature chain does not go back to Microsoft, and prints an error message about how my root is not trusted. This seems like a problem to me.
- The default Authenticode verification policy (/pa) also says my signature chain does not go back to Microsoft, but it does not give an error.
- The kernel-mode driver signing policy (/kp, probably not applicable since I am not signing a kernel-mode driver) says my signature chain does go back to Microsoft, and does not give an error.
Does anyone know which policy Windows uses for INF files? That would at least help me narrow down the problem.
Here is the full, verbose output from signtool verify:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
The output looks the same when run on the computer where I signed the driver (where it works) and on the other computer (where it does not work).
Similar questions on StackOverflow
Thawte 64-bit Windows driver signing - The solution to this person's problem was to add the CatalogFile directive to the INF file, but I already have that (CatalogFile=pololu.cat).
Edit #1: Signing an executable works
I used signtool with the same options to sign an executable (an NSIS installer), and it worked on both computers on the first try. So I think there is something different about the signing policy for INF driver files, and that is what is tripping me up.
Edit #2: Warnings on the GoDaddy certificates
If I double-click mscvr-cross-gdroot-g2.crt, the "General" tab says "Windows does not have enough information to verify this certificate." Under "Certificate status:" on the "Certification Path" tab it says "The issuer of this certificate could not be found." If I double-click gd_ms_drv_sign_bundle.p7b (the certificate bundle from GoDaddy) and open the first certificate, I see the same warning.
The issuer of both of these certificates is supposed to be the Microsoft Code Verification Root. Should I be worried about that warning message?
Edit #3: Removing GoDaddy's certificates
Lindsay from GoDaddy's advanced support team got back to me. She linked to this page from GlobalSign, which explains how to uninstall the CA's root and intermediate certificates from the computer where you sign the driver. Lindsay said that if you do not do this step, signtool assumes those certificates exist on other computers and therefore does not include them in the signature.
Does anyone know how to check which certificates got "imported" into the signature? What tools could I use to see whether Lindsay and GlobalSign are right?
By the way, we do have Windows XP computers around, but Microsoft will stop supporting that OS soon. Regardless of what GlobalSign says, there must be a way to make this work on Windows 7.
Following Lindsay's advice, I followed Microsoft's instructions for turning off automatic root certificate updates, then used the certmgr.msc UI to delete all GoDaddy certificates from "Trusted Root Certification Authorities" and "Intermediate Certification Authorities". Then I re-signed my inf file.
Unfortunately, that did not work! After signing, I double-checked that all the GoDaddy certificates were still deleted.
I have not received any feedback from GoDaddy about the output of signtool verify, or any input on which driver signing policy I should be checking against when I verify. I was hoping they could just look at the verify output and tell me what I did wrong, or tell me what the correct output should look like.
For completeness, here are the three signtool verify outputs after I deleted those certificates and re-signed the driver:
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Edit #4: DefaultInstall sections are forbidden
In Microsoft's documentation of the DefaultInstall section, I found this:
Note: If the driver package is to be digitally signed, the driver package's INF file must not contain an INF DefaultInstall section.
Does anyone know why this is true? I could not find an explanation.
Anyway, I took the DefaultInstall section out of my INF file, so from now on I have to test it by running a small DLL I wrote that uses SetupCopyOemInf.
Still no luck; I keep getting the unverified publisher warning on the Windows Vista computer.
Edit #5: The JLink driver is signed correctly
I poked around in C:\Windows\System32\DriverStore\FileRepository trying to find some correctly signed driver packages. The first interesting one I found was JLinkCDC.cat/JLinkCDC.inf. The inf file's version is DriverVer=01/25/2012,6.0.2600.4. On the Windows Vista machine, if I call SetupCopyOemInf on the inf file (using my DLL), I get a proper message telling me who the publisher is (Segger GMBH or something like that). So it is possible to correctly sign a driver package like mine, but somehow GoDaddy or I did something wrong.
The JLinkCDC.inf driver is very similar to mine in that it is just a single file and uses usbser.sys. Their signature's chain of trust goes back to VeriSign Class 3 Public Primary Certificate Authority - G5.
Basically, this JLinkCDC driver is similar to mine and works, so I am going to study it carefully to see what is different.
The signtool verify output for JLinkCDC.cat looks very similar to mine, except that it goes back to Verisign instead of GoDaddy.
Edit #6: Small changes
To make my driver more like JLinkCDC.inf, I added DriverPackageType=PlugAndPlay to the INF file and shortened the file names: the files are now called polser.cat and polser.inf. Still no luck!
Edit #7: Some success!
I think the following points are correct; please correct me if I am wrong:
- For driver packages (.cat files), the correct option for signtool verify is /pa. I inferred this from KMCS_Walkthrough.doc.
- For driver packages, Windows only considers the publisher verified if the chain of trust goes back to a certificate in the "Trusted Root Certification Authorities" folder in certmgr.msc.
- For driver packages, you can sign them with a cross-certificate (extending the chain of trust from gdroot-g2.crt to the Microsoft Code Verification Root), but Windows seems to ignore this. This is because the Microsoft Code Verification Root is not a "Trusted Root Certification Authority".
- There is a certificate store for the current user and one for the local computer. Both matter, so you should use the MMC Certificates snap-in to look at both. Certmgr.msc only shows the current user's.
- Windows should seamlessly add "Go Daddy Root Certificate Authority - G2" (gdroot-g2.crt) to the "Trusted Root Certification Authorities" folder when needed, downloading it from Windows Update, but it does not. More information here.
I used the Windows Event Viewer on the test machine to see what was happening. It looks like Windows does automatically fetch "Go Daddy Root Certificate Authority - G2", but only after it shows the unwelcome unverified publisher warning dialog. Once the user closes that dialog, the certificate is fetched from Windows Update, so the next installation attempt should succeed. Interestingly, it does automatically download the Starfield certificate (which is the root of the chain of trust for my timestamp) in time.
By double-clicking gdroot-g2.crt and importing it before trying to install the driver, I have gotten the signature to work on both the Windows 7 and Windows Vista computers. I will see whether this process can be automated and added to the installer.
I found a driver package from another company (JLinkCDC.cat) that was signed with a VeriSign certificate rooted in "VeriSign Class 3 Public Primary Certification Authority - G5". That certificate is on every computer I have looked at, so if you use VeriSign instead of Go Daddy, I think you can avoid this problem with Windows Update.
I did notice that the VeriSign certificate uses SHA1 while my Go Daddy certificate uses SHA256 for the signature algorithm and signature hash algorithm. Not sure if that matters.
Edit #8: Asking Microsoft for help
See the discussion on the MSDN forums and my conclusion: http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/1fede768-7925-4f30-8eef-ce5bd08b0b60
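An added example, not part of the question or of any GoDaddy or Microsoft material: a Windows PowerShell script that answers the Edit #3 question of which certificates signtool actually embedded in the .cat signature, then builds the signer's chain against the local stores (similar to what /pa checks; it does not apply the driver signing policy) and reports whether the root it ends in is present in both the current-user and local-machine Trusted Root stores, the two stores Edit #7 says matter. The catalog path is an assumption; the catalog is parsed as PKCS#7 SignedData, which is what a .cat file is.

```powershell
# Added example (not from the original post). Run in Windows PowerShell on the
# machine whose trust you want to check, e.g. the Vista test machine.
param([string]$CatalogPath = ".\pololu.cat")   # assumed path to the signed catalog

Add-Type -AssemblyName System.Security          # SignedCms lives in System.Security.dll

# 1. Decode the catalog as PKCS#7 SignedData and list every certificate embedded in
#    the signature. This is exactly the set signtool "imported" (Edit #3's question):
#    a root that is missing here must already be trusted on the installing machine.
$bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $CatalogPath).ProviderPath)
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($bytes)
"Certificates embedded in the signature of $CatalogPath :"
foreach ($c in $cms.Certificates) {
    "  {0}`n    issued by {1}`n    SHA1 {2}" -f $c.Subject, $c.Issuer, $c.Thumbprint
}

# 2. Build the signer's chain the way the local chain engine would, using only the
#    embedded certificates plus the machine's own stores. Revocation is skipped so the
#    result reflects trust, not network reachability.
$signer = $cms.SignerInfos[0].Certificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates)
$trusted = $chain.Build($signer)
"Chain to a trusted root: $trusted"
foreach ($e in $chain.ChainElements) { "  -> " + $e.Certificate.Subject }
if (-not $trusted) {
    foreach ($s in $chain.ChainStatus) { "  status: " + $s.StatusInformation.Trim() }
}

# 3. The chain's last element is the root it terminated in. Check both Trusted Root
#    stores, since certmgr.msc only shows the current user's (Edit #7).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain terminates in: " + $root.Subject
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    "  {0}: {1}" -f $store, $(if ($hit) { 'present' } else { 'ABSENT' })
}
```

If the root is reported ABSENT in both stores and the chain did not build, the installing machine is in the same state the question's Vista computer was in: the signature itself is intact, but nothing on the machine anchors it until the root arrives via Windows Update or is imported.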