Windows kernel-mode code signing problem

Date: 2016-09-27 09:42:03

Tags: windows kernel driver code-signing driver-signing

Problem summary

My Windows application includes a service that loads a fairly simple driver. This driver carries embedded SHA1 and SHA256 signatures and, following the KMCS requirements described in the MS Kernel Signing doc for signing drivers without a CAT file, includes the cross-signing certificate chain for both.

The driver loads fine on most Windows installations, but in rare cases it fails to load, mainly on Windows 7 x64 and Windows 10 x64. The error is 0x241 (577): Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

More information

For the better part of two weeks I have been trying to figure out what could be causing this problem. As you would expect, the error only shows up on users' computers. I have set up 4 virtual machines with Windows 7 x64 and another 4 with Windows 10 x64, in various configurations and at different update levels. I even replicated one user's setup completely in one of the Windows 10 VMs: I spent a whole day installing the full Windows edition in the right language and installing all the software at the exact same versions, trying to reproduce the problem. No such luck: when my application is installed, the driver loads perfectly.

Hoping that someone might know what could be going on, or at least point me in the right direction, I decided to ask here: what could cause an apparently correctly signed driver to fail verification on some Windows installations?

More details

I am using a StartCom Class 3 code signing certificate. I downloaded the cross-signed StartCom certificate from the Microsoft Cross-Certificates for Kernel Mode Code Signing page.

My certificate is in a pfx file, and I signed the driver as follows:

signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys

Since this is not a hardware driver that needs to be installed, it does not include a .CAT file or an .INF file. It is just a driver that is loaded when the service starts and unloaded when the service stops.

As you can see, the SHA256 signature is appended after the SHA1 signature (with /as), and it also uses a SHA256 timestamp server. It is dual-signed for compatibility with older operating systems, although I must say it fails to load on Vista x64, presumably because my certificate uses SHA256 as its signature algorithm. Notably, the driver loads fine on Windows XP x64. It is also worth mentioning that all the users for whom it fails to load report that both signatures verify correctly when they check the Digital Signatures tab of the file's properties. I can live without Vista x64 compatibility, but the Windows 7 and Windows 10 problems are very worrying and are forcing me to keep the application in beta testing.

Out of more than 150 installations on various Windows versions, I have had:

  • 3 users failing verification on Windows 7 x64. One of them did not have all updates installed; he went ahead and installed about 200 updates, after which verification passed and the problem was solved. I suggested updating to the other 2 users with the same problem, but I have not received any feedback yet, so I do not know whether the problem is fixed, and I do not even know whether their Windows is up to date or not.
  • 3 users who cannot load the driver on Windows 10 x64. All of them were more responsive than the Windows 7 users, and I was able to find out that all of them have every update installed. Two of the three installed using the Windows 10 Anniversary Edition installation kit.
  • 1 user who cannot load the driver on Windows 2003 R2 x86. I also created a virtual machine with this OS, but could not reproduce the problem.

Every time the driver fails to load, an Audit Failure event is generated in the Security event category with the following text: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolumeX\Program Files (x86)\path\to\driver.sys

I get exactly the same error on Vista x64, and enabling the Code Integrity verbose log produces lots of messages about loading all the .CAT files and nothing else of interest. Of course, on Vista x64 the Code Integrity operational log contains an error about the file not being verified, similar to the audit error above.

Running

signtool.exe verify /v /kp driver.sys

results in:

Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 16:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: StartCom Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 23:23:19 2021
        SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17

            Issued to: StartCom Class 3 Object CA
            Issued by: StartCom Certification Authority
            Expires:   Mon Dec 16 04:00:05 2030
            SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

                Issued to: My company
                Issued by: StartCom Class 3 Object CA
                Expires:   Sun Aug 04 16:18:18 2019
                SHA1 hash: 62...E9


Successfully verified: driver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Running

signtool.exe verify /v /pa /all driver.sys

results in:

Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

        Issued to: COMODO SHA-256 Time Stamping Signer
        Issued by: UTN-USERFirst-Object
        Expires:   Tue Jul 09 21:40:36 2019
        SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA


Successfully verified: driver.sys

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0

Somewhat oddly, verification without the special switches results in a certificate chain error. Then again, I get the same error when checking VMware drivers, so I guess it is not worth worrying about. In any case, running:

signtool.exe verify /v /all driver.sys

results in:

Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

        Issued to: COMODO SHA-256 Time Stamping Signer
        Issued by: UTN-USERFirst-Object
        Expires:   Tue Jul 09 21:40:36 2019
        SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2

I am using the signtool.exe from the Windows 8.1 Kit that ships with VS 2015, version 6.3.9600.17298. For what it's worth, the driver is compiled with WDK 7.1.0 (7600.13685.1).
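The `signtool verify /all` output above shows how a dual-signed driver is laid out: the SHA1 signature is the primary PKCS#7 blob in the PE's attribute certificate table, and the SHA256 signature added with `/as` is nested inside it. The following parser, an added example and not code from the question or from Microsoft, walks that structure and lists each signature's digest algorithm and the number of certificates carried with it, much as signtool prints Signature Index 0 and 1. The function names (`pe_signature_blobs`, `parse_signatures`, `list_signatures`, `build_sample_pe`) are this example's own, and the sample PE it builds is constructed with placeholder signature bytes; the offsets and OIDs are the documented PE and CMS values.

```python
"""Added example (not the question author's code): list a PE file's embedded Authenticode signatures the way
`signtool verify /all` reports them. The sample PE below is constructed; its signature bytes are placeholders."""
import struct

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # PKCS#7 signedData
OID_NESTED_SIG = "1.3.6.1.4.1.311.2.4.1"    # szOID_NESTED_SIGNATURE: where signtool /as stores extra signatures
DIGEST_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def der_read(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2       # one DER TLV; single-byte tags suffice for CMS
    if length & 0x80:                                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0
    while pos < len(value):                                   # split a constructed value into (tag, value) elements
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                         # base-128 subidentifiers, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def parse_signatures(content_info):
    """[(digest, certificate_count)] for a signedData ContentInfo value, followed by its nested signatures."""
    kids = der_children(content_info)
    if decode_oid(kids[0][1]) != OID_SIGNED_DATA: raise ValueError("not a signedData ContentInfo")
    sd = der_children(der_children(kids[1][1])[0][1])          # [0] EXPLICIT -> SignedData SEQUENCE
    digest_oid = decode_oid(der_children(der_children(sd[1][1])[0][1])[0][1])   # digestAlgorithms[0]
    certs = sum(len(der_children(v)) for t, v in sd[3:-1] if t == 0xA0)        # certificates [0] IMPLICIT
    found = [(DIGEST_NAMES.get(digest_oid, digest_oid), certs)]
    signer_info = der_children(sd[-1][1])[0][1]                 # signerInfos[0]
    for tag, val in der_children(signer_info):
        if tag == 0xA1:                                         # unsignedAttrs [1] IMPLICIT
            for _, attr in der_children(val):
                attr_type, attr_values = der_children(attr)
                if decode_oid(attr_type[1]) == OID_NESTED_SIG:
                    for _, nested in der_children(attr_values[1]):
                        found += parse_signatures(nested)       # each attribute value is a complete ContentInfo
    return found

def pe_signature_blobs(data):
    """PKCS#7 blobs from the attribute certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("not a PE image")
    opt = e_lfanew + 24                                         # optional header follows the 20-byte COFF header
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)   # PE32 vs PE32+
    off, size = struct.unpack_from("<II", data, dirs + 4 * 8)   # entry 4 holds a file offset (not an RVA) and size
    blobs, pos = [], off
    while pos < off + size:
        length, _rev, ctype = struct.unpack_from("<IHH", data, pos)   # WIN_CERTIFICATE header
        if ctype == 0x0002:                                     # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            blobs.append(bytes(data[pos + 8:pos + length]))
        pos += (length + 7) & ~7                                # entries are 8-byte aligned
    return blobs

def list_signatures(data):
    found = []
    for blob in pe_signature_blobs(data):
        _, ci_value, _ = der_read(blob)
        found += parse_signatures(ci_value)                     # primary signature first, then nested ones
    return found

# --- constructed sample: a PE32+ skeleton whose SHA-1 signature nests a SHA-256 one, as signtool /as lays it out ---
def der(tag, body):
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytes([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.append(0x80 | (v & 0x7F))
        body += bytes(reversed(chunk))
    return der(0x06, body)

def build_sample_signature(digest_oid, nested=b""):
    alg = der(0x30, encode_oid(digest_oid) + der(0x05, b""))
    unsigned = der(0xA1, der(0x30, encode_oid(OID_NESTED_SIG) + der(0x31, nested))) if nested else b""
    signer_info = der(0x30, der(0x02, b"\x01") + alg + der(0x04, b"\x00" * 8) + unsigned)   # dummy signature bytes
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, alg) + der(0x30, encode_oid("1.3.6.1.4.1.311.2.1.4"))
                  + der(0xA0, der(0x30, der(0x02, b"\x01")) * 3)                             # 3 placeholder certificates
                  + der(0x31, signer_info))
    return der(0x30, encode_oid(OID_SIGNED_DATA) + der(0xA0, signed_data))

def build_sample_pe():
    blob = build_sample_signature("1.3.14.3.2.26", build_sample_signature("2.16.840.1.101.3.4.2.1"))
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic, 16 directories
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob; cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", opt, 112 + 4 * 8, 64 + 24 + 240, len(cert))                  # security directory entry
    return bytes(dos) + coff + bytes(opt) + cert
```

`list_signatures(build_sample_pe())` returns `[("sha1", 3), ("sha256", 3)]`; on a real file use `list_signatures(open("driver.sys", "rb").read())`. It only reports structure: it does not check the signatures, the chains, the timestamps, or whether the kernel trusts the cross-certificate's root, which is exactly what `signtool verify /kp` and the kernel's code integrity check do, so a file that lists cleanly here can still fail to load for the policy reasons discussed on this page.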

1 answer:

Answer 0 (score: 3)

As Martin Drab said above, the problem is twofold. By the way, thanks Martin, your comment helped me solve the problem: by setting up a virtual machine with Secure Boot enabled I was able to reproduce the Windows 10 problem.

For operating systems older than Windows 10, it seems the problem can be solved by installing all the latest updates. If the PC has not been updated since before November 1, 2015 (when the new Microsoft Code Verification Root certificate was released), it fails verification because the kernel does not recognize the root certificate.

For Windows 10 there is a new Kernel Mode Code Signing Policy, which specifies that all fresh installs of Windows 10 Anniversary Edition will not verify any kernel code that is not signed by the Microsoft Dev Portal (which requires an EV certificate), unless it is signed with a cross-signed certificate issued before July 29, 2015, or Secure Boot is disabled.

The reason the problem happens so rarely is that most people don't have Windows 7 machines that have gone without updates for such a long time, and, at the time of writing, most machines with Windows 10 aren't fresh installs of the Anniversary Edition.

The only real solution for Windows 10 is to get an EV certificate.