Hi experts,

Has anyone ever successfully signed a driver package?

I have one here with an altered .inf file to reflect our customer's company name with its unique USB PID (leaving the chip producer's VID untouched), which messes up the driver package signing for installation.

So I guess that I have to re-sign the .cat file:
S:\>signtool sign /f OS201502104819.pfx /p password /fd SHA256 ftdibus.cat
Done Adding Additional Store
Successfully signed: ftdibus.cat
Looks like that worked perfectly well. But upon plugging the matching USB device in and telling the pop-up dialogue to use my signed driver, Windows 8.1 refuses to install it:
(German) "The hash for the file is not present in the catalog file. The file is probably damaged or has been changed without permission."
So I tried to verify the signature on the test machine
T:\Path>signtool.exe verify /v ftdibus.cat

Verifying: ftdibus.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 1007B5F2850B4A2CF7070E9F09FB904D65EA703F9FB44771D31B63F604B733F3

Signing Certificate Chain:
    Issued to: GlobalSign
    Issued by: GlobalSign
    Expires:   Sun Mar 18 11:00:00 2029
    SHA1 hash: D69B561148F01C77C54578C10926DF5B856976AD

        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        Issued by: GlobalSign
        Expires:   Fri Aug 02 11:00:00 2019
        SHA1 hash: 4E34C4841080D07059EFC1F3C5DE4D79905A36FF

            Issued to: Interroll Engineering GmbH
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            Expires:   Wed Feb 10 12:55:44 2016
            SHA1 hash: CE7405715A80F1EF77BCC6F30729CD1691CB356F

File is not timestamped.

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
I also checked
T:\Path>powershell -Command Get-ChildItem -Recurse Cert:

Location   : CurrentUser
StoreNames : {SmartCardRoot, Root, Trust, AuthRoot...}

Name : SmartCardRoot

Name : Root
--snip--
Subject      : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer       : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint   : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore    : 18.03.2009 11:00:00
NotAfter     : 18.03.2029 11:00:00
Extensions   : {System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid}
--snip--
Name : Trust

Name : AuthRoot
--snip--
Subject      : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer       : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint   : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore    : 18.03.2009 11:00:00
NotAfter     : 18.03.2029 11:00:00
Extensions   : {System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid}
--snip--

Name : CA

--snip--

Name : UserDS

Name : Disallowed

Name : My

Name : TrustedPeople

Name : TrustedPublisher

Name : ClientAuthIssuer

Name : MSIEHistoryJournal

--snip--
Location   : LocalMachine
StoreNames : {TrustedPublisher, ClientAuthIssuer, Remote Desktop, Root...}

Name : TrustedPublisher

Name : ClientAuthIssuer

Name : Remote Desktop

Name : Root
--snip--
Subject      : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer       : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint   : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore    : 18.03.2009 11:00:00
NotAfter     : 18.03.2029 11:00:00
Extensions   : {System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid}
--snip--
Name : TrustedDevices

Name : WebHosting

Name : CA
--snip--
Name : Windows Live ID Token Issuer
--snip--
Name : AuthRoot
--snip--
Subject      : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer       : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint   : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore    : 18.03.2009 11:00:00
NotAfter     : 18.03.2029 11:00:00
Extensions   : {System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid, 
               System.Security.Cryptography.Oid}
--snip--

Name : TrustedPeople

Name : My

Name : SmartCardRoot

Name : Trust

Name : Disallowed
And it seems that a certificate with the correct thumbprint is in the test machine's trusted certificate store.

But why on earth doesn't that work out then?
Posted
Updated 13-Feb-15 3:18am
v3
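
Added example, not part of the original post: a PowerShell check that separates the two failures shown above, the signature on the catalog and the presence of each package file's hash in it. A catalog stores hashes of the package files, and `signtool sign` only signs the catalog without recomputing them, so a catalog built before the .inf was edited has to be regenerated (for example with the WDK's Inf2Cat) before it is signed. The function name and its parameters are hypothetical; signtool.exe is assumed to be on PATH.

```powershell
# Added example (not from the original post). Assumes signtool.exe is on PATH.
# Test-DriverPackageCatalog and its parameter names are hypothetical.
function Test-DriverPackageCatalog {
    param(
        [Parameter(Mandatory)] [string] $PackageDir,   # folder with the .inf and binaries
        [Parameter(Mandatory)] [string] $CatalogName   # e.g. ftdibus.cat
    )

    $cat = Join-Path $PackageDir $CatalogName
    if (-not (Test-Path -LiteralPath $cat)) { throw "Catalog not found: $cat" }

    # 1) Signature on the catalog itself, checked under the default
    #    Authenticode policy (/pa). Without /pa, "signtool verify" applies
    #    the Windows driver verification policy instead.
    & signtool.exe verify /pa $cat 2>&1 | Out-Null
    $catalogSignatureOk = ($LASTEXITCODE -eq 0)

    # 2) Each package file against the catalog (/c). signtool hashes the file
    #    and looks that hash up in the catalog; exit code 0 means it matched.
    #    If the catalog signature is fine but a file fails here, its hash is
    #    missing or stale, which is the error Windows reports on install.
    #    Files that the .inf does not reference may legitimately be absent.
    Get-ChildItem -LiteralPath $PackageDir -File -Recurse |
        Where-Object { $_.Extension -ne '.cat' } |
        ForEach-Object {
            & signtool.exe verify /pa /c $cat $_.FullName 2>&1 | Out-Null
            [pscustomobject]@{
                File                   = $_.FullName.Substring($PackageDir.Length).TrimStart('\')
                VerifiesAgainstCatalog = ($LASTEXITCODE -eq 0)
                CatalogSignatureOk     = $catalogSignatureOk
            }
        }
}

# Example call on the test machine (path as used in the post):
# Test-DriverPackageCatalog -PackageDir 'T:\Path' -CatalogName 'ftdibus.cat' |
#     Format-Table -AutoSize
```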
