1

I am new to Windows drivers and the signing process required for production use.

I recently purchased a GoDaddy driver signing certificate, and they assured me it should work for kernel-mode drivers, but I can't seem to get it to work.

After compiling, I sign the .cat file with signtool using the following command:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool" sign /n "COMPANY_NAME" /t http://timestamp.verisign.com/scripts/timstamp.dll mydriver.cat

This completes successfully, and I verify the certificate with the following command:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool" verify /kp /v mydriver.cat

The output of the above command indicates success. You can see the output below:

Verifying: mydriver.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): AB24DC3601D29CE37CC2611EDEB7C8E3FBD89D04

Signing Certificate Chain:
    Issued to: Go Daddy Class 2 Certification Authority
    Issued by: Go Daddy Class 2 Certification Authority
    Expires:   Thu Jun 29 19:06:20 2034
    SHA1 hash: 2796BAE63F1801E277261BA0D77770028F20EEE4

        Issued to: Go Daddy Secure Certification Authority
        Issued by: Go Daddy Class 2 Certification Authority
        Expires:   Mon Nov 16 03:54:37 2026
        SHA1 hash: 7C4656C3061F7F4C0D67B319A855F60EBC11FC44

            Issued to: <COMPANY_NAME>
            Issued by: Go Daddy Secure Certification Authority
            Expires:   Sat Jul 23 19:23:39 2016
            SHA1 hash: B53404B368EED5A734D332C10702B5D5B5C8E5DE

The signature is timestamped: Sat Jul 25 11:37:02 2015
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 01:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 01:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 01:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 15:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: Go Daddy Class 2 Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Sun Aug 27 19:48:23 2023
        SHA1 hash: D9612472EF0F2787E2B2D9E063A06B32FA5E333D

            Issued to: Go Daddy Secure Certification Authority
            Issued by: Go Daddy Class 2 Certification Authority
            Expires:   Mon Nov 16 03:54:37 2026
            SHA1 hash: 7C4656C3061F7F4C0D67B319A855F60EBC11FC44

                Issued to: <COMPANY_NAME>
                Issued by: Go Daddy Secure Certification Authority
                Expires:   Sat Jul 23 19:23:39 2016
                SHA1 hash: B53404B368EED5A734D332C10702B5D5B5C8E5DE


Successfully verified: mydriver.cat

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

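The cross-certificate section seems fine. I noticed from similar output I found online (signed with GlobalSign) that the signing certificate chain also goes all the way up to the Microsoft Code Verification Root. Could this be the problem? If so, how would I fix it?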

Installing the .inf goes fine, but when I use

net start mydriver

I get the error:

System error 577 has occurred.

Windows cannot verify the digital signature for this file. A recent hardware or
software change might have installed a file that is signed incorrectly or damage
d, or that might be malicious software from an unknown source.

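If I reboot and enforce driver signing, the above command works and the driver runs correctly. I also checked that the files in C:\Windows\System32\DriverStore\FileRepository are signed the same way after installation.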

Does anyone know why the signature doesn't work, or how I can fix this?

Thanks in advance!

4

1 Answer

1

I managed to solve my problem, thanks to Ashigore for pointing me in the right direction.

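The problem was with my intermediate certificates. My certificate store seemed to be messed up, and some intermediate certificates did not have a valid path to the root CA.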

I deleted all the certificates related to my certificate and started from scratch.

Now the path is correct:

  • Microsoft Code Verification Root
    • Go Daddy Class 2 Certification Authority
      • Go Daddy Secure Certification Authority
      • My company certificate

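The Microsoft Code Verification Root was not found at all; I read somewhere that this certificate is hidden somewhere in the kernel and cannot be found with certmgr. However, if needed, it can be installed from Microsoft: http://www.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt (I don't think that is necessary...)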

I signed the driver files with the following commands:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool" sign /v /ac "Go Daddy Class 2 Certification Authority.cer" /n "MY COMPANY" /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.cat
"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool" sign /v /ac "Go Daddy Class 2 Certification Authority.cer" /n "MY COMPANY" /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.sys

New output of the verify command:

Verifying: mydriver.sys
File is signed in catalog: kaac.cat
Hash of file (sha1): 0AFAFD987F9C4B1D0BCBBD7851C0EA89AEF413C0

Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 15:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: Go Daddy Class 2 Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Sun Aug 27 19:48:23 2023
        SHA1 hash: D9612472EF0F2787E2B2D9E063A06B32FA5E333D

            Issued to: Go Daddy Secure Certification Authority
            Issued by: Go Daddy Class 2 Certification Authority
            Expires:   Mon Nov 16 03:54:37 2026
            SHA1 hash: 7C4656C3061F7F4C0D67B319A855F60EBC11FC44

                Issued to: MY COMPANY
                Issued by: Go Daddy Secure Certification Authority
                Expires:   Sat Jul 23 19:23:39 2016
                SHA1 hash: B53404B368EED5A734D332C10702B5D5B5C8E5DE

The signature is timestamped: Sat Jul 25 14:14:29 2015
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 01:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 01:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 01:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 15:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: Go Daddy Class 2 Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Sun Aug 27 19:48:23 2023
        SHA1 hash: D9612472EF0F2787E2B2D9E063A06B32FA5E333D

            Issued to: Go Daddy Secure Certification Authority
            Issued by: Go Daddy Class 2 Certification Authority
            Expires:   Mon Nov 16 03:54:37 2026
            SHA1 hash: 7C4656C3061F7F4C0D67B319A855F60EBC11FC44

                Issued to: MY COMPANY
                Issued by: Go Daddy Secure Certification Authority
                Expires:   Sat Jul 23 19:23:39 2016
                SHA1 hash: B53404B368EED5A734D332C10702B5D5B5C8E5DE

Successfully verified: mydriver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Answered 2015-07-25T12:28:18.410
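
The two verify outputs above differ in one place: in the question the "Signing Certificate Chain" is rooted at the self-signed Go Daddy Class 2 certificate (and `verify /kp` still reported success), while in the answer it is rooted at Microsoft Code Verification Root. The following is an added example, not part of the original question or answer, that parses `signtool verify /v` text and flags that difference; treating the signing chain's root as the marker is an assumption drawn from this page's two outputs, and the function names and abridged sample strings are constructed for illustration.

```python
import re

KERNEL_ROOT = "Microsoft Code Verification Root"
HEADER = re.compile(r"^(Signing Certificate Chain|Timestamp Verified by|"
                    r"Cross Certificate Chain):\s*$", re.M)
PAIR = re.compile(r"Issued to:\s*(.+?)\s*\n\s*Issued by:\s*(.+?)\s*$", re.M)

def parse_chains(text):
    """Map each section of the verbose output to [(issued_to, issued_by), ...]."""
    parts = HEADER.split(text)
    return {name: PAIR.findall(body)
            for name, body in zip(parts[1::2], parts[2::2])}

def signing_chain_problems(text):
    """Heuristic drawn from the two outputs on this page; not a signtool feature."""
    signing = parse_chains(text).get("Signing Certificate Chain", [])
    root = signing[0][0] if signing else None
    problems = []
    if root != KERNEL_ROOT:
        problems.append(f"signing chain is rooted at {root!r}, not {KERNEL_ROOT!r}")
    # signtool prints root first: each entry must be issued by the one above it
    for (parent, _), (child, issuer) in zip(signing, signing[1:]):
        if issuer != parent:
            problems.append(f"{child!r} is issued by {issuer!r}, not {parent!r}")
    return problems

# Constructed samples: the page's two outputs cut down to Issued to/by lines.
BEFORE = """\
Signing Certificate Chain:
    Issued to: Go Daddy Class 2 Certification Authority
    Issued by: Go Daddy Class 2 Certification Authority
        Issued to: Go Daddy Secure Certification Authority
        Issued by: Go Daddy Class 2 Certification Authority
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
"""
AFTER = """\
Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
        Issued to: Go Daddy Class 2 Certification Authority
        Issued by: Microsoft Code Verification Root
        Issued to: Go Daddy Secure Certification Authority
        Issued by: Go Daddy Class 2 Certification Authority
"""

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, signing_chain_problems(sample) or "ok")
```

Run over captured `signtool verify /kp /v` output in a build step, this catches a signature whose embedded chain stops at the CA's own root before the driver is ever loaded on a test machine.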