问题总结
我的 Windows 应用程序包含一个加载相当简单的驱动程序的服务。此驱动程序包含嵌入式 SHA1 和 SHA256 签名,并包括它们的交叉签名证书链,根据MS Kernel Signing 文档中描述的 KMCS 要求,用于签署没有 CAT 文件的驱动程序。
该驱动程序在大多数 Windows 安装上都可以正常加载,但在极少数情况下无法加载,主要是在 Windows 7 x64 和 Windows 10 x64 上。错误为 0x241 (577):Windows 无法验证此文件的数字签名。最近的硬件或软件更改可能安装了签名不正确或损坏的文件,或者可能是来自未知来源的恶意软件。
更多信息
在两周的大部分时间里,我一直在试图找出导致这个问题的原因。正如您所料,这个错误只会出现在用户的机器上。我已经安装了 4 台使用 Windows 7 x64 的虚拟机和另外 4 台使用不同配置和不同级别更新的 Windows 10 x64 的虚拟机。我甚至在其中一个 Windows 10 虚拟机中完全复制了用户的设置——我花了一整天时间用正确的语言和他们拥有的所有软件安装了精确的 Windows 版本,以试图复制问题。但是,没有这样的运气:安装我的应用程序时,驱动程序加载得非常好。
希望有人可能对可能发生的事情有所了解,或者至少可以为我指明正确的方向,我决定在这里问:什么可能导致显然正确签名的驱动程序在某些 Windows 上无法通过验证安装?
更多细节
我正在使用 StartCom Class 3 代码签名证书。我从Microsoft Cross-Certificates for Kernel Mode Code Signing页面下载了交叉签名 StartCom 证书。
我的证书在 pfx 文件中,我正在签署驱动程序,如下所示:
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys
由于这不是需要安装的硬件驱动程序,因此它不包含 .CAT 文件或 .INF 文件。它只是一个在服务启动时加载并在服务停止时卸载的驱动程序。
可以注意到,SHA256 签名添加在 SHA1 签名之后(使用 /as),并且它还使用 SHA256 时间戳服务器。它是双重签名的,以便与旧操作系统兼容,尽管我必须说它无法在 Vista x64 中加载,大概是因为我的证书使用 SHA256 作为签名算法。值得注意的是,驱动程序可以在 Windows XP x64 上正常加载。还值得一提的是,在检查文件属性的“数字签名”选项卡时,无法为其加载的所有用户都报告说,这两个签名都得到了很好的验证。我可以在没有 Vista x64 兼容性的情况下生活,但是 Windows 7 和 Windows 10 的问题非常令人担忧,并迫使我将应用程序保持在 beta 测试中。
在各种 Windows 版本的大约 150 多次安装中,我有:
- 在 Windows 7 x64 中验证失败的 3 个用户。其中一个没有安装所有更新,继续安装了大约 200 个更新,之后验证通过并解决了问题。我建议更新给其他 2 个有同样问题的用户,但我没有收到任何反馈,所以我不知道问题是否已解决,我什至不知道他们的 Windows 是否是最新的。
- 3 个在 Windows 10 x64 上无法加载驱动程序的用户。他们所有人都比 Windows 7 用户响应更快,我发现他们所有人都安装了所有更新。使用 Windows 10 周年版安装工具包安装的三个用户中有两个。
- 在 Windows 2003 R2 x86 上无法加载驱动程序的 1 个用户。我还使用此操作系统创建了一个 VM,但未能重现该问题。
每次驱动程序加载失败时,都会在安全事件类别中生成一个审核失败事件,其中包含以下文本:*代码完整性确定文件的图像哈希无效。该文件可能由于未经授权的修改而损坏,或者无效的哈希可能表示潜在的磁盘设备错误。
文件名:\Device\HarddiskVolumeX\Program Files (x86)\path\to\driver.sys*
我在 Vista x64 中遇到了完全相同的错误,并且启用代码完整性详细日志会导致大量关于加载所有 .CAT 文件的消息,而没有其他感兴趣的内容。自然,在 Vista x64 中,代码完整性操作日志包含有关文件未得到验证的错误,与上面的审核错误非常相似。
跑步
signtool.exe verify /v /kp driver.sys
结果是:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: StartCom Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 23:23:19 2021
SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
Successfully verified: driver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
跑步
signtool.exe verify /v /pa /all driver.sys
结果是:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
Successfully verified: driver.sys
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
有点奇怪的是,在没有特殊开关的情况下进行验证会导致证书链错误。再一次,我在检查 VMWare 驱动程序时遇到了同样的错误,所以我想这没什么好担心的。无论如何,运行:
signtool.exe verify /v /all driver.sys
结果是:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2
我正在使用 VS 2015 附带的 8.1 Windows 工具包中的 signtool.exe,它的版本是 6.3.9600.17298。值得一提的是,该驱动程序是使用 WDK 7.1.0 (7600.13685.1) 编译的。