Windows kernel mode code signing problems
Summary of the problem
My Windows application includes a service that loads a fairly simple driver. This driver contains embedded SHA1 and SHA256 signatures, including the cross-signing certificate chains for both, and has no CAT file, as per the KMCS requirements for signing drivers described in the MS Kernel Signing doc.
The driver loads perfectly on most Windows installations, but in rare cases it fails to load, mainly on Windows 7 x64 and Windows 10 x64. The error is 0x241 (577): Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
More information
For the better part of two weeks I have been trying to find out what causes this problem. As you might expect, the error only shows up on users' machines. I set up 4 Windows 7 x64 VMs and another 4 Windows 10 x64 VMs, with different configurations and different update levels. I even reproduced one user's setup completely in one of the Windows 10 VMs: I spent a whole day installing the right Windows version, with the right language and the exact versions of all the software they had, to try to reproduce the problem. No such luck: when my application was installed, the driver loaded just fine.
Hoping that someone knows what may be going on, or can at least point me in the right direction, I decided to ask here: what could cause an apparently correctly signed driver to fail verification on some Windows installations?
More details
I am using a StartCom Class 3 code signing certificate. I downloaded the StartCom cross-signing certificate from the Microsoft Cross-Certificates for Kernel Mode Code Signing page.
My certificate is in a pfx file, and I sign the driver as follows:
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys
Since this is not a hardware driver that needs to be installed, it has no .CAT or .INF file. It is just a driver that is loaded when the service starts and unloaded when the service stops.
Note that the SHA256 signature is added after the SHA1 one (using /as), and that it also uses a SHA256 timestamp server. It is dual-signed for compatibility with older OSes, but I must say it fails to load on Vista x64, presumably because my certificate uses SHA256 as its signature algorithm. Notably, the driver loads fine on Windows XP x64. It is also worth mentioning that all the users for whom the load fails report that both signatures verify fine when they check the "Digital Signatures" tab of the file properties. I can live without Vista x64 compatibility, but the Windows 7 and Windows 10 problems are very worrying and force me to keep the application in beta.
Out of roughly 150+ installations across various Windows versions, I have:
- 3 users failing verification on Windows 7 x64. One of them did not have all updates installed, went on to install about 200 updates, and then verification passed and the problem was solved. I suggested updating to the other 2 users with the same problem, but I got no feedback, so I don't know whether it solved their problem, and I don't even know whether their Windows was up to date to begin with.
- 3 users for whom the driver fails to load on Windows 10 x64. All of them were more responsive than the Windows 7 users, and I found that all of them had all updates installed. Two of the three had installed using the Windows 10 Anniversary Edition installation package.
- 1 user for whom the driver fails to load on Windows 2003 R2 x86. I also created a VM with this OS but failed to reproduce the problem.
Every time the driver fails to load, an Audit Failure event is generated in the Security event category, with the following text:
*Code Integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolumeX\Program Files (x86)\path\to\driver.sys*
I got exactly the same error on Vista x64, and enabling the Code Integrity verbose log resulted in a lot of messages about loading all the .CAT files and nothing else of interest. Of course, on Vista x64 the Code Integrity operational log contains an error about the file not being verified, very similar to the audit error above.
Running
signtool.exe verify /v /kp driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: StartCom Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 23:23:19 2021
SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
Successfully verified: driver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Running
signtool.exe verify /v /pa /all driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
Successfully verified: driver.sys
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
Somewhat strangely, verifying without the special switches results in a certificate chain error. Then again, I got the same error when checking the VMWare driver, so I guess it is nothing to worry about. Anyway, running:
signtool.exe verify /v /all driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2
I am using signtool.exe from the Windows 8.1 Kit shipped with VS 2015, version 6.3.9600.17298. For what it's worth, the driver is compiled with WDK 7.1.0 (7600.13685.1).
Answer
As Martin Drab posted above, the problem is twofold. By the way, thanks Martin, your comment helped me solve the problem, and I was able to reproduce the Windows 10 problem by setting up a VM with Secure Boot enabled.
For OSes earlier than Windows 10, the problem seems to be solved by installing all the latest updates. If a PC has not been updated since before November 1, 2015 (when the new Microsoft Code Verification Root certificate was issued), it will fail verification because the kernel does not recognize the root certificate.
For Windows 10 there is a new Kernel Mode Code Signing Policy which specifies that all fresh installs of the Windows 10 Anniversary Edition will not verify any kernel code that is not signed through the Microsoft Dev Portal (which requires an EV certificate), unless it is signed with a cross-signing certificate issued before July 29, 2015, or Secure Boot is disabled.
The reason the problem happens so rarely is that most people don't have Windows 7 machines that haven't been updated in a long time, and most people with Windows 10 machines were not using a fresh install of the Anniversary Edition at the time of writing.
The only real solution for Windows 10 is to get an EV certificate.
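The verbose signtool reports in the question are the evidence both sides of this thread reason from, and the answer's rules boil down to properties of the chains they list. The following Python script is an added example, not code from the question, the answer, or Microsoft's tooling: it parses a `signtool verify /v` report into per-signature records (signing chain, timestamp chain, cross chain, SignTool errors) and flags what the answer says the kernel needs: a cross-certificate chain ending at the Microsoft Code Verification Root and a timestamp. The embedded sample reports are constructed from the question's output, shortened, with the elided end-entity thumbprint replaced by an all-zero placeholder. The cross-certificate's issuance date (the July 29, 2015 cutoff from the answer) is not shown by signtool, so the script cannot check it; read the NotBefore field of the cross-cert file itself for that.

```python
"""Parse `signtool verify /v [/kp]` output and apply the KMCS checks from the answer (added example)."""
import re
from dataclasses import dataclass, field

MS_CODE_VERIFICATION_ROOT = "Microsoft Code Verification Root"


@dataclass
class Cert:
    issued_to: str
    issued_by: str
    expires: str
    sha1: str


@dataclass
class Signature:
    index: int
    digest_alg: str = ""
    file_hash: str = ""
    signing_chain: list = field(default_factory=list)
    timestamp_chain: list = field(default_factory=list)
    cross_chain: list = field(default_factory=list)  # only present with /kp
    errors: list = field(default_factory=list)


# Section headers signtool prints; each starts a new certificate list.
SECTIONS = {
    "Signing Certificate Chain:": "signing_chain",
    "Timestamp Verified by:": "timestamp_chain",
    "Cross Certificate Chain:": "cross_chain",
}


def parse_signtool_verify(text: str) -> list:
    """Return one Signature per 'Signature Index' block in a verbose signtool report."""
    sigs, current, chain, pending, in_error = [], None, None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Signature Index: (\d+)", line)
        if m:
            current = Signature(index=int(m.group(1)))
            sigs.append(current)
            chain, in_error = None, False
            continue
        if current is None:
            continue  # "Verifying: file" header precedes the first signature
        m = re.match(r"Hash of file \((\w+)\): ([0-9A-Fa-f]+)", line)
        if m:
            current.digest_alg, current.file_hash = m.group(1).lower(), m.group(2).upper()
            continue
        if line in SECTIONS:
            chain, in_error = getattr(current, SECTIONS[line]), False
            continue
        if line.startswith("SignTool Error:"):
            current.errors.append(line[len("SignTool Error:"):].strip())
            in_error = True
            continue
        m = re.match(r"(Issued to|Issued by|Expires|SHA1 hash):\s*(.*)", line)
        if m and chain is not None:
            in_error = False
            pending[m.group(1)] = m.group(2).strip()
            if m.group(1) == "SHA1 hash":  # last field of one certificate block
                chain.append(Cert(pending["Issued to"], pending["Issued by"],
                                  pending["Expires"], pending["SHA1 hash"]))
                pending = {}
            continue
        if in_error and line[0].islower():  # wrapped continuation of the error text
            current.errors[-1] += " " + line
    return sigs


def kmcs_findings(sig: Signature) -> list:
    """Findings derived from the answer's rules; an empty list means nothing to flag."""
    findings = []
    if not sig.cross_chain:
        findings.append("no cross-certificate chain: sign with /ac <Microsoft cross-cert> "
                        "so the kernel can reach a root it trusts (or verify with /kp)")
    elif sig.cross_chain[0].issued_to != MS_CODE_VERIFICATION_ROOT:
        findings.append(f"cross chain ends at '{sig.cross_chain[0].issued_to}', "
                        f"not the {MS_CODE_VERIFICATION_ROOT}")
    if not sig.timestamp_chain:
        findings.append("no timestamp: the signature stops verifying once the signing cert expires")
    findings.extend("signtool error: " + e for e in sig.errors)
    return findings


# Constructed sample: the question's /kp report, shortened to one intermediate per chain.
SAMPLE_KP = """\
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
        Issued to: My company
        Issued by: StartCom Certification Authority
        Expires:   Sun Aug 04 16:18:18 2019
        SHA1 hash: 0000000000000000000000000000000000000000
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 16:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
        Issued to: StartCom Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 23:23:19 2021
        SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17
Successfully verified: driver.sys
"""

# Constructed sample: the untrusted-root error from the plain `/all` run, shortened.
SAMPLE_NO_KP = """\
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of errors: 1
"""

if __name__ == "__main__":
    for sample in (SAMPLE_KP, SAMPLE_NO_KP):
        for sig in parse_signtool_verify(sample):
            print(f"signature {sig.index} ({sig.digest_alg}):", kmcs_findings(sig) or "ok")
```

Run it against a real report by piping `signtool verify /v /kp /all driver.sys` output into `parse_signtool_verify`; the `/all` switch is what makes the second (SHA256) signature appear as its own block, which is why the question's single-signature `/kp` run only ever shows index 0.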