Code Signed Driver on Windows 7 Fails with 0xC0000428

My signed driver build for Windows (Windows 7 with the SHA256 hotfix) fails to start and produces error code 0xC0000428 (Windows cannot verify the digital signature for this file).

I inherited a driver project, created with Visual Studio 2010, and my first task was to update the expired code-signing certificate. The original digital certificate was from GlobalSign; the new one is from DigiCert. The original programmer told me in an e-mail that he struggles with this topic every year.

I inspected the working but expired icsflt.sys driver file and found that it is SHA256 with a SHA1 thumbprint. Everything else works. I tried many different variations (dual-signing certificate, SHA1 and SHA2). My last attempt, straight from DigiCert technical support, used the following command line.

C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
Done Adding Additional Store
Successfully signed: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys

Here is the certificate; it is about the same as the original.

Here is the basic certificate, clearly showing SHA256 as the digest algorithm. The certificate is from the build machine. The first "Windows Boot Manager" screenshot is from the test machine.

Here are some of the links I used on DigiCert's website.

Dual Signing SHA256 and SHA1

Sign Code SignTool.exe Command Line

Installing Code Signing Certificate

Here is the view of the working, expired certificate.

Here is the Digital Signatures tab of the driver properties for the good/working driver.

You can tell them apart because I renamed the good/working one to icflt-good.sys. Apart from the company name, the dates and the certificate authority (CA), the two look identical, yet Windows 7 complains about the new certificate from DigiCert.

Here is the code for the earlier signtool.exe command lines, which I commented out.

@echo on

@REM see "How to Release-Sign a Driver Package" and "Release-Signing a Driver through an Embedded Signature in Windows DDK"
@REM although the store's name appears to be Personal, we must use MY with Signtool; otherwise the certificate is not found.
@REM when the Personal store is created with makecert, another Personal store is created. Weird.
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5250f1a5ddd11e3e4e924757e6da1c43dd3487c0 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5D743B02DCDE74B16D133BDFEB2E1C5F6F44E966 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%

@REM check $\IM6000\Certificate\current for the exact file names and password
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\MSCV-GlobalSign.cer /f %PROJECT_DIR%\..\Certificate\current\OS201602156091.pfx /p 1C73295775925A7EE1C6D35ADF9DF611A55A60B8 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /fd sha256 /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /tr http://timestamp.globalsign.com/scripts/timstamp.dll?td=sha256 /td sha256 %mydriverpath%

After a lot of research I found the problem. (Please upvote the question, and especially the answer.)

Signing a kernel-mode driver requires cross-signing with an additional certificate via the /ac switch, which creates a cross-certificate chain up to the Microsoft root certificate.

Related links:

Microsoft Cross Certificate Links

Note: the article at the following link is wrong. The thumbprints do not need to match. However, the issuer needs to match exactly.

Cross Signing Kernel Mode Drivers

Signing Windows Drivers

You need to get the issuer

I went into mmc and added Certificates (Personal). Then I double-clicked my SHA256 certificate and noted the Issuer, which in my case is:

CN = DigiCert Assured ID Root CA
OU = www.digicert.com
O = DigiCert Inc
C = US

My certificate thumbprint, which doesn't matter, is:

05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43

The Microsoft cross-certificate list is here again. My download was DigiCert Assured ID Root CA, whose thumbprint is:

ba 3e a5 4d 72 c1 45 d3 7c 25 5e 1e a4 0a fb c6 33 48 b9 6e

I used the download link to get the file. That gave me a file named "DigiCert Assured ID Root CA.crt".

Note: I was told the certificate must have a CER extension. My testing and my conversations with DigiCert show this is not true. CRT is perfectly fine.

The working signtool command line is:

C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /v /ac "DigiCert Assured ID Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"

To verify that the signature is correct, I strongly recommend issuing the following line:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /v "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"

Note the output of the verify test:

Verifying: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha256): FAFB2B31B8ED4A9E8F9EC84196E7E52009A4C709521457FD83FC1945DCF5872F

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 05:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: JMR Electronics, Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Mon Jan 28 05:00:00 2019
            SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B

The signature is timestamped: Mon Jun 04 16:35:45 2018
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 05:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

            Issued to: DigiCert SHA2 Timestamp Responder
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Mon Jan 17 17:00:00 2028
            SHA1 hash: 400191475C98891DEBA104AF47091B5EB6D4CBCB

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 06:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert Assured ID Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 12:51:37 2021
        SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E

            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Sun Oct 22 05:00:00 2028
            SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
                Expires:   Mon Jan 28 05:00:00 2019
                SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B


Successfully verified: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

The key here, besides Successfully verified, is that the Cross Certificate Chain starts with Issued to: Microsoft Code Verification Root and ends with my digital code-signing certificate, with everything in between. This is what Microsoft Windows wants. Windows 7 or Windows 10 doesn't matter.

I also had to use the signtool.exe from at least Windows 8.1. Earlier versions don't support all the required switches I was told to use.

Although in the end I did not need a SHA1 certificate, it took me several cycles to find out how to get one. I was told multiple times that I needed it, but I didn't. For anyone interested, the instructions for getting it are here. Everything is SHA256 now, even on Windows 7 with the hotfix.
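As an added example (not part of the original post, and not part of signtool, DigiCert's or Microsoft's tooling), here is a small Python check that parses the output of `signtool verify /kp /v` and confirms mechanically what the answer reads by eye: the Cross Certificate Chain must start at Microsoft Code Verification Root, each link's issuer must be the previous link's subject, the chain must end at the signer, and the cross certificate's subject must exactly match the root of the signing chain (thumbprints are deliberately not compared). The embedded sample is abridged from the verify run shown in the answer; the second sample, with no cross chain at all, is constructed to represent a driver signed without /ac.

```python
"""Check the kernel-mode cross chain in `signtool verify /kp /v` output."""
import re
import sys

MS_ROOT = "Microsoft Code Verification Root"
SECTION_RE = re.compile(
    r"^(Signing Certificate Chain|Timestamp Verified by|Cross Certificate Chain):$")

# Sample verify output, abridged from the answer (timestamp section and
# Expires lines dropped); the names and SHA1 hashes are the ones shown above.
SAMPLE_VERIFY_OUTPUT = """\
Verifying: icsflt.sys
Signature Index: 0 (Primary Signature)

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: JMR Electronics, Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert Assured ID Root CA
        Issued by: Microsoft Code Verification Root
        SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E

            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
            SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
                SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B

Successfully verified: icsflt.sys
"""

# Constructed failure case: the same file signed without /ac, so signtool
# prints no Cross Certificate Chain section at all.
NO_CROSS_OUTPUT = (SAMPLE_VERIFY_OUTPUT.split("Cross Certificate Chain:")[0]
                   + "Successfully verified: icsflt.sys\n")


def parse_chains(text):
    """Return {section: [cert, ...]}; each cert holds issued_to/issued_by/sha1."""
    chains, current, cert = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current, cert = m.group(1), None
            chains[current] = []
        elif current is None:
            continue
        elif line.startswith("Issued to:"):
            cert = {"issued_to": line.split(":", 1)[1].strip()}
            chains[current].append(cert)
        elif cert is not None and line.startswith("Issued by:"):
            cert["issued_by"] = line.split(":", 1)[1].strip()
        elif cert is not None and line.startswith("SHA1 hash:"):
            cert["sha1"] = line.split(":", 1)[1].strip()
    return chains


def check_kernel_cross_chain(text, signer):
    """Return a list of problems; an empty list means the chain is as required."""
    problems = []
    if "Successfully verified:" not in text:
        problems.append("signtool did not report 'Successfully verified'")
    chains = parse_chains(text)
    cross = chains.get("Cross Certificate Chain", [])
    if not cross:
        problems.append("no Cross Certificate Chain: sign again with /ac <cross-cert>")
        return problems
    if cross[0]["issued_to"] != MS_ROOT or cross[0]["issued_by"] != MS_ROOT:
        problems.append("cross chain does not start at " + MS_ROOT)
    if cross[-1]["issued_to"] != signer:
        problems.append("cross chain does not end at signer %r" % signer)
    for parent, child in zip(cross, cross[1:]):
        if child["issued_by"] != parent["issued_to"]:
            problems.append("broken link: %r issued by %r, expected %r"
                            % (child["issued_to"], child["issued_by"], parent["issued_to"]))
    # The cross certificate's subject must equal the signing chain's root name
    # exactly; its thumbprint is irrelevant, as the answer notes.
    signing = chains.get("Signing Certificate Chain", [])
    if signing and len(cross) > 1 and cross[1]["issued_to"] != signing[0]["issued_to"]:
        problems.append("cross certificate %r does not match signing root %r"
                        % (cross[1]["issued_to"], signing[0]["issued_to"]))
    return problems


if __name__ == "__main__":
    # Usage: python check_cross_chain.py <verify-output.txt> "<signer name>"
    use_file = len(sys.argv) > 2
    text = open(sys.argv[1], encoding="utf-8").read() if use_file else SAMPLE_VERIFY_OUTPUT
    signer = sys.argv[2] if use_file else "JMR Electronics, Inc."
    for line in check_kernel_cross_chain(text, signer) or ["cross chain OK"]:
        print(line)
```

Redirect the real `signtool verify /kp /v` output to a file and pass it together with the subject name of your code-signing certificate; the script is deliberately indifferent to thumbprints and to the Expires lines, and a non-empty result tells you which part of the cross chain Windows will reject.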