windows - 使用 SHA-2 交叉签名证书使用 signtool 进行签名和验证后，Windows 驱动程序安装失败

Question

我有两个驱动程序文件似乎已经正确地被singned：

bobbarker@bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt.sys

Verifying: truecrypt.sys
Hash of file (sha1): 8562AC6F95298C1904DFC0B579C51CBB414D13C9

Signing Certificate Chain:
    Issued to: AddTrust External CA Root
    Issued by: AddTrust External CA Root
    Expires:   Sat May 30 05:48:38 2020
    SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868

        Issued to: COMODO RSA Certification Authority
        Issued by: AddTrust External CA Root
        Expires:   Sat May 30 05:48:38 2020
        SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

            Issued to: COMODO RSA Code Signing CA
            Issued by: COMODO RSA Certification Authority
            Expires:   Mon May 08 18:59:59 2028
            SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

                Issued to: Jason Pyeron
                Issued by: COMODO RSA Code Signing CA
                Expires:   Wed Sep 16 18:59:59 2015
                SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

The signature is timestamped: Tue Dec 30 00:29:01 2014
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 18:59:59 2020
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Wed Dec 30 18:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Tue Dec 29 18:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 08:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: AddTrust External CA Root
        Issued by: Microsoft Code Verification Root
        Expires:   Tue Aug 15 15:36:30 2023
        SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250

            Issued to: COMODO RSA Certification Authority
            Issued by: AddTrust External CA Root
            Expires:   Sat May 30 05:48:38 2020
            SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

                Issued to: COMODO RSA Code Signing CA
                Issued by: COMODO RSA Certification Authority
                Expires:   Mon May 08 18:59:59 2028
                SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

                    Issued to: Jason Pyeron
                    Issued by: COMODO RSA Code Signing CA
                    Expires:   Wed Sep 16 18:59:59 2015
                    SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

Successfully verified: truecrypt.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

bobbarker@bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt-x64.sys

Verifying: truecrypt-x64.sys
Hash of file (sha1): 5B9B534E682A8768F404B1A1CBFD9ACC98B8E195

Signing Certificate Chain:
    Issued to: AddTrust External CA Root
    Issued by: AddTrust External CA Root
    Expires:   Sat May 30 05:48:38 2020
    SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868

        Issued to: COMODO RSA Certification Authority
        Issued by: AddTrust External CA Root
        Expires:   Sat May 30 05:48:38 2020
        SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

            Issued to: COMODO RSA Code Signing CA
            Issued by: COMODO RSA Certification Authority
            Expires:   Mon May 08 18:59:59 2028
            SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

                Issued to: Jason Pyeron
                Issued by: COMODO RSA Code Signing CA
                Expires:   Wed Sep 16 18:59:59 2015
                SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

The signature is timestamped: Tue Dec 30 00:28:52 2014
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 18:59:59 2020
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Wed Dec 30 18:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Tue Dec 29 18:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 08:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: AddTrust External CA Root
        Issued by: Microsoft Code Verification Root
        Expires:   Tue Aug 15 15:36:30 2023
        SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250

            Issued to: COMODO RSA Certification Authority
            Issued by: AddTrust External CA Root
            Expires:   Sat May 30 05:48:38 2020
            SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

                Issued to: COMODO RSA Code Signing CA
                Issued by: COMODO RSA Certification Authority
                Expires:   Mon May 08 18:59:59 2028
                SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

                    Issued to: Jason Pyeron
                    Issued by: COMODO RSA Code Signing CA
                    Expires:   Wed Sep 16 18:59:59 2015
                    SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

Successfully verified: truecrypt-x64.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

bobbarker@bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$

但是当我尝试安装它们时，我得到了清除错误：

Windows 无法验证此文件的数字签名。最近的硬件或软件更改可能安装了签名不正确或损坏的文件，或者可能是来自未知来源的恶意软件。

我已经发布了有问题的文件以及相关的 certs。我使用以下命令创建文件：

for i in *.sys; do 
 cp "$i" "$i".presignbak && \
 /cygdrive/c/WinDDK/7600.16385.1/bin/amd64/SignTool.exe sign /v /ac AddTrust_External_CA_Root-srosssigned-by-Microsoft.crt /f signkey.pfx /p password /t http://timestamp.verisign.com/scripts/timstamp.dll "$i" ; 
done

我的证书使用签名算法：sha256WithRSAEncryption

接下来我应该尝试什么？

Answer 1

事实证明，Microsoft 不支持 SHA-2 用于 Windows 7 上的驱动程序签名。

在某些情况下，您可能希望使用两个不同的签名对驱动程序包进行签名。例如，假设您希望驱动程序在 Windows 7 和 Windows 8 上运行。Windows 8 支持使用 SHA256 散列算法创建的签名，但 Windows 7 不支持。对于 Windows 7，您需要使用 SHA1 哈希算法创建的签名。

假设您要构建并签署一个驱动程序包，该驱动程序包将在 x64 硬件平台上的 Windows 7 和 Windows 8 上运行。您可以使用使用 SHA1 的主签名对驱动程序包进行签名。然后，您可以附加使用 SHA256 的辅助签名。您可以对两个签名使用相同的证书，也可以使用单独的证书。以下是使用 Visual Studio 创建两个签名的步骤。

Answer 2

可能是您的 Windows PC 没有安装与您用于签名和验证的机器相同的 CA 根？检查证书链中列出的 CA 是否在您尝试安装的位置正确安装（运行 > mmc）。