Hi experts,
has anyone ever successfully signed a driver package?
I have one here with an altered .inf file to reflect our customer's company name with its unique USB PID (leaving the chip producer's VID untouched), which messes up the driver package signing for installation.
So I guess that I have to re-sign the .cat file:
S:\>signtool sign /f OS201502104819.pfx /p password /fd SHA256 ftdibus.cat
Done Adding Additional Store
Successfully signed: ftdibus.cat
Looks like that worked perfectly well. But upon plugging the matching USB device in and telling the pop-up dialogue to use my signed driver, Windows 8.1 refuses to install it:
(German) "The hash for the file is not present in the catalog file. The file is probably damaged or has been changed without permission."
So I tried to verify the signature on the test machine:
T:\Path>signtool.exe verify /v ftdibus.cat
Verifying: ftdibus.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 1007B5F2850B4A2CF7070E9F09FB904D65EA703F9FB44771D31B63F604B733F3
Signing Certificate Chain:
Issued to: GlobalSign
Issued by: GlobalSign
Expires: Sun Mar 18 11:00:00 2029
SHA1 hash: D69B561148F01C77C54578C10926DF5B856976AD
Issued to: GlobalSign CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: Fri Aug 02 11:00:00 2019
SHA1 hash: 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Issued to: Interroll Engineering GmbH
Issued by: GlobalSign CodeSigning CA - SHA256 - G2
Expires: Wed Feb 10 12:55:44 2016
SHA1 hash: CE7405715A80F1EF77BCC6F30729CD1691CB356F
File is not timestamped.
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
I also checked:
T:\Path>powershell -Command Get-ChildItem -Recurse Cert:
Location : CurrentUser
StoreNames : {SmartCardRoot, Root, Trust, AuthRoot...}
Name : SmartCardRoot
Name : Root
--snip--
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore : 18.03.2009 11:00:00
NotAfter : 18.03.2029 11:00:00
Extensions : {System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
--snip--
Name : Trust
Name : AuthRoot
--snip--
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore : 18.03.2009 11:00:00
NotAfter : 18.03.2029 11:00:00
Extensions : {System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
--snip--
Name : CA
--snip--
Name : UserDS
Name : Disallowed
Name : My
Name : TrustedPeople
Name : TrustedPublisher
Name : ClientAuthIssuer
Name : MSIEHistoryJournal
--snip--
Location : LocalMachine
StoreNames : {TrustedPublisher, ClientAuthIssuer, Remote Desktop, Root...}
Name : TrustedPublisher
Name : ClientAuthIssuer
Name : Remote Desktop
Name : Root
--snip--
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore : 18.03.2009 11:00:00
NotAfter : 18.03.2029 11:00:00
Extensions : {System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
--snip--
Name : TrustedDevices
Name : WebHosting
Name : CA
--snip--
Name : Windows Live ID Token Issuer
--snip--
Name : AuthRoot
--snip--
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Thumbprint : D69B561148F01C77C54578C10926DF5B856976AD
FriendlyName : GlobalSign
NotBefore : 18.03.2009 11:00:00
NotAfter : 18.03.2029 11:00:00
Extensions : {System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
--snip--
Name : TrustedPeople
Name : My
Name : SmartCardRoot
Name : Trust
Name : Disallowed
And it seems that a certificate with the correct thumbprint is in the test machine's trusted certificate store.
But why on earth doesn't that work out then?
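
The two checks this post is circling around, as an added example that is not part of the original post: whether the catalog's signature chains correctly under the Authenticode policy, and whether each file in the package (including the edited .inf) still has its hash listed in the catalog. It assumes signtool.exe is on PATH and that $PackageDir points at the driver package folder; both parameter names are hypothetical.

```powershell
# Added example, not from the original post.
# Assumptions: signtool.exe is on PATH; $PackageDir is the driver package folder.
param(
    [string]$PackageDir = '.',
    [string]$Catalog    = 'ftdibus.cat'   # catalog name as used in the post
)

$catPath = Join-Path $PackageDir $Catalog
if (-not (Test-Path $catPath)) { throw "Catalog not found: $catPath" }
$catFull = (Resolve-Path $catPath).Path

# Check 1: signature and chain of the catalog itself.
# /pa selects the Default Authenticode verification policy; without /pa or /kp,
# "signtool verify" applies the Windows Driver verification policy instead.
& signtool.exe verify /pa $catFull *> $null
$catalogSignatureOk = ($LASTEXITCODE -eq 0)

# Check 2: is every package file still the file the catalog describes?
# With /c, signtool hashes the given file and looks that hash up in the catalog.
# A failure here can also come from check 1 failing, so read both results together.
$members = Get-ChildItem -Path $PackageDir -File -Recurse |
    Where-Object { $_.FullName -ne $catFull } |
    ForEach-Object {
        & signtool.exe verify /pa /c $catFull $_.FullName *> $null
        [pscustomobject]@{
            File      = $_.FullName
            InCatalog = ($LASTEXITCODE -eq 0)
        }
    }

"Catalog signature valid under /pa: $catalogSignatureOk"
$members | Sort-Object InCatalog, File | Format-Table -AutoSize

# Report files that changed after the catalog was generated (or were never in it).
$missing = @($members | Where-Object { -not $_.InCatalog })
if ($missing.Count -gt 0) {
    "Files whose hash is not in ${Catalog}:"
    $missing.File
    exit 1
}
```

Signing a .cat file only adds a signature over the catalog's existing contents; it does not recompute the file hashes stored inside it. A file reported as missing therefore means the catalog has to be regenerated from the current package contents (the WDK's Inf2Cat tool does this) before it is signed again.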