Code-signed driver fails on Windows 7 with 0xC0000428

Time: 2018-05-17 16:47:49

Tags: windows visual-studio code-signing device-driver signtool

The driver I signed produces a Windows (Windows 7 with the SHA256 hotfix) that fails to boot with error code 0xC0000428 (Windows cannot verify the digital signature for this file).

Windows 7 Code Signed Driver Failure Screenshot

I took over a driver project created with Visual Studio 2010, and my first task was to renew the expired code-signing certificate. The original digital certificate was from GlobalSign; the one in use now is from DigiCert. The original programmer told me in an email that he ran into this problem every year.

I inspected the working but expired icsflt.sys driver file and saw that it is SHA256 with a SHA1 thumbprint. Everything else works. I tried many different variations (dual-signed certificates, SHA1 and SHA2). My last attempt, straight from DigiCert technical support, used the following command line.

C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
Done Adding Additional Store
Successfully signed: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys

Here is the certificate, which looks similar to the original one.

Failing Driver Code Signing Certificate

Here is the base certificate, clearly showing SHA256 as the digest algorithm. The certificate is from the build machine. The first screenshot, of "Windows Boot Manager", is from the test machine.

Driver Properties Screenshot

Here are some of the links on DigiCert's website that I used.

Dual Signing SHA256 and SHA1

Sign Code SignTool.exe Command Line

Installing Code Signing Certificate

Here is the certificate view of the working, expired one.

Working Driver View Certificate Details Screenshot

Here are the driver properties, Digital Signature tab, for the good/working driver.

Working Driver Digital Signature

You can tell them apart because I renamed the good/working one icflt-good.sys. Apart from the company name, the dates and the certificate authority (CA), the two look identical, yet Windows 7 barks at the new DigiCert one.

Here is the code with the signtool.exe command lines I commented out.

@echo on

@REM see "How to Release-Sign a Driver Package" and "Release-Signing a Driver through an Embedded Signature in Windows DDK"
@REM despite the store's name seems to be Personal we should use MY when using Signtool. Otherwise the certificate is not found.
@REM when Personal store is created with makecert, another Personal is created. Weird.
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5250f1a5ddd11e3e4e924757e6da1c43dd3487c0 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5D743B02DCDE74B16D133BDFEB2E1C5F6F44E966 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%

@REM check $\IM6000\Certificate\current for the exact file names and password
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\MSCV-GlobalSign.cer /f %PROJECT_DIR%\..\Certificate\current\OS201602156091.pfx /p 1C73295775925A7EE1C6D35ADF9DF611A55A60B8 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /fd sha256 /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /tr http://timestamp.globalsign.com/scripts/timstamp.dll?td=sha256 /td sha256 %mydriverpath%

1 Answer:

Answer 0 (score: 1)

After a lot of research I found the problem. (Please give the question a thumbs up, and especially the answer.)

Signing a kernel-level driver requires cross-signing with the /ac switch; the additional certificate creates a cross-certificate chain up to the Microsoft root certificate.

Related links:

Microsoft Cross Certificate Links

Note: the article at the link below is wrong. The thumbprints do not need to match. However, the issuer needs to match exactly.

Cross Signing Kernel Mode Drivers

Signing Windows Drivers

Extracting the issuer

I opened mmc and added Certificates (Personal). I then double-clicked my SHA256 certificate and noted the issuer, which in my case is:

CN = DigiCert Assured ID Root CA
OU = www.digicert.com
O = DigiCert Inc
C = US

My certificate's thumbprint is irrelevant:

05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43

The Microsoft cross-certificate list is again here. My download was DigiCert Assured ID Root CA, whose thumbprint is:

ba 3e a5 4d 72 c1 45 d3 7c 25 5e 1e a4 0a fb c6 33 48 b9 6e

I used the download link to get the file. That gave me a file named "DigiCert Assured ID Root CA.crt".

Note: I was told the certificate must have the CER extension. My tests and conversations with DigiCert show that is not true. CRT is perfectly fine.

The working signtool command line is:

C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /v /ac "DigiCert Assured ID Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"

To verify that the signature is correctly cross-signed, I strongly recommend issuing the following line:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /v "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"

Note the output of the verification test:

Verifying: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha256): FAFB2B31B8ED4A9E8F9EC84196E7E52009A4C709521457FD83FC1945DCF5872F

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 05:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: JMR Electronics, Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Mon Jan 28 05:00:00 2019
            SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B

The signature is timestamped: Mon Jun 04 16:35:45 2018
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 05:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

            Issued to: DigiCert SHA2 Timestamp Responder
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Mon Jan 17 17:00:00 2028
            SHA1 hash: 400191475C98891DEBA104AF47091B5EB6D4CBCB

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 06:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert Assured ID Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 12:51:37 2021
        SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E

            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Sun Oct 22 05:00:00 2028
            SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
                Expires:   Mon Jan 28 05:00:00 2019
                SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B


Successfully verified: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

The key here is Successfully verified, with the Cross Certificate Chain beginning with Issued to: Microsoft Code Verification Root and ending with my digital code-signing certificate, with everything in between. That is what Microsoft wants for Windows. Windows 7 or Windows 10 does not matter.

I also had to use signtool.exe from at least Windows 8.1. Earlier versions do not support all the required switches I was told to use.

Although in the end I did not need a SHA1 certificate, finding out how to get one took several cycles. Several times I was told I needed it, but I did not. For anyone interested in obtaining one, the instructions are here. Now everything is SHA256, even on Windows 7 with the hotfix.
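The answer's acceptance criterion is visual: read the `signtool verify /kp /v` transcript and confirm that the Cross Certificate Chain starts at Microsoft Code Verification Root, that the cross certificate names the same CA root as the signing chain (same issuer name, different thumbprint), and that the chain ends at the signer's own certificate. The following script, added here as an example and not part of the question, the answer, or signtool, turns that reading into a check a build pipeline can run over a saved transcript. The sample transcript is constructed from the output shown in the answer (timestamp section and Expires lines dropped for brevity), the failing case is that same transcript truncated before the cross chain, and the function names are hypothetical.

```python
"""Check a `signtool verify /kp /v` transcript for a Microsoft-rooted cross chain."""
from __future__ import annotations

import re
from dataclasses import dataclass

MS_ROOT = "Microsoft Code Verification Root"

# Constructed sample: the transcript from the answer above, with the timestamp
# section and the "Expires" lines removed for brevity.
SAMPLE_OK = r"""
Verifying: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Signature Index: 0 (Primary Signature)

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: JMR Electronics, Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert Assured ID Root CA
        Issued by: Microsoft Code Verification Root
        SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E

            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
            SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
                SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B

Successfully verified: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Number of errors: 0
"""
# Constructed failure case: the same transcript cut off before the cross chain,
# standing in for a driver signed without /ac (not verbatim signtool output).
SAMPLE_NO_AC = SAMPLE_OK.split("Cross Certificate Chain:")[0]

SECTION_RE = re.compile(r"^(Signing Certificate Chain|Timestamp Verified by|Cross Certificate Chain):$")
FIELD_RE = re.compile(r"^(Issued to|Issued by|SHA1 hash):\s*(.*)$")


@dataclass
class Cert:
    subject: str
    issuer: str
    sha1: str


def parse_chains(output: str) -> dict[str, list[Cert]]:
    """Return {section name: [root, ..., leaf]} in the order signtool prints them."""
    chains: dict[str, list[Cert]] = {}
    current: str | None = None
    pending: dict[str, str] = {}

    def flush() -> None:
        if current is not None and "Issued to" in pending:
            chains[current].append(Cert(pending["Issued to"], pending.get("Issued by", ""),
                                        pending.get("SHA1 hash", "")))
        pending.clear()

    for raw in output.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            flush()
            current = sec.group(1)
            chains.setdefault(current, [])
            continue
        field = FIELD_RE.match(line)
        if current is None or not field:
            continue  # "Verifying:", blank lines, summary lines, etc.
        key, value = field.groups()
        if key == "Issued to":
            flush()  # each "Issued to" starts a new certificate entry
        pending[key] = value.strip()
    flush()
    return chains


def check_cross_signing(output: str) -> list[str]:
    """Return the reasons a kernel-mode signature would be rejected; [] when it is fine."""
    problems: list[str] = []
    if "Successfully verified:" not in output:
        problems.append("signtool did not report 'Successfully verified'")
    chains = parse_chains(output)
    signing = chains.get("Signing Certificate Chain", [])
    cross = chains.get("Cross Certificate Chain", [])
    if not signing or len(cross) < 2:
        problems.append("no Cross Certificate Chain: the driver was not signed with /ac")
        return problems
    if (cross[0].subject, cross[0].issuer) != (MS_ROOT, MS_ROOT):
        problems.append(f"cross chain is rooted at {cross[0].subject!r}, not {MS_ROOT!r}")
    for parent, child in zip(cross, cross[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject!r} issued by {child.issuer!r}, expected {parent.subject!r}")
    # The cross certificate must carry exactly the signing chain's root name; its
    # thumbprint differs from the root's self-signed certificate, which is expected.
    if cross[1].subject != signing[0].subject:
        problems.append(f"cross certificate {cross[1].subject!r} != CA root {signing[0].subject!r}")
    if cross[-1].sha1 != signing[-1].sha1:
        problems.append("cross chain does not end at the signer's certificate")
    return problems


if __name__ == "__main__":
    print("OK sample:", check_cross_signing(SAMPLE_OK) or "cross-signed correctly")
    print("no /ac sample:", check_cross_signing(SAMPLE_NO_AC))
```

In practice you would feed it the saved stdout of the verify command from the answer; the parser only looks at the "Issued to" / "Issued by" / "SHA1 hash" lines, so the timestamp section and any extra lines are ignored. The check deliberately compares the cross certificate to the CA root by name rather than by thumbprint, since that is exactly the mismatch the answer says is harmless.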