WHCK/WLK 'Embedded Signature Verification' fails

Hi

I have same driver for 2k8_R2_x64 and 2k8 Sp2 x64. My driver is BOOT start driver.
‘Embedded Signature Verification’ WLK test fails for 2k8_sp2_x64 but passes for the other. So on failing config I changed after install in services section registry ‘start’ value to other than 0, then it passes.

[A] = “This same driver passes on 2k8_R2_x64.”

I have another BOOT start driver but that passes everywhere. Only difference between that and mine is

  1. I started using latest Win8 WDK to build the failing driver (of course I use msbuild ‘WLH’ etc and anyways [A] happens).
  2. Our signing infrastructure might have updated to use latest windows signtool etc (I am awaiting details on this, like what version of signtool used, parameters passed etc. But then [A] happens).

o/p below.

Of course it is a signed driver (and [A] happens)
When I run below all comes up good
SignTool Verify /v /kp DriverFileName.sys

Please let me know what else to look for while I await on 2).
The same happens to a 2k8_sp2_x86 driver. Seems like it is something related to signtool vs. 2k8_sp2_* config.


Runtime Index: 3779089280
Process Name: C:\WLK.…\Tasks…\embeddedsignature.exe
Process ID: 2684
Thread ID: 2584
Context _ _
Context Index: 1305374785
Current: My_BOOT_START_DRV
Parent: WTTLOG
Start Test 8/3/2012 11:38:59.045 AM My_BOOT_START_DRV
*****
Error 8/3/2012 11:39:02.045 AM The Driver D:\Windows\system32\DRIVERS\My_BOOT_START_DRV.sys is not a signed driver
******
File: Line: 0
Error Type:
Error Code: 0x0
Error Text: Error 0x00000000
End Test 8/3/2012 11:39:02.045 AM My_BOOT_START_DRV
Result: Fail

The embedded signature test not only checks for the presence of a signature but that the binaries are embed signed. This helps with the speed of loading the drivers during boot for boot load drivers.

*****
Issue Resolution
Use SignTool to Validate your signature:
SignTool Verify /v /kp DriverFileName.sys
******
The TOP certificate in the chain should be: Microsoft Code Verification Root

Are you building with a target of w8 or the minimum target os with the win8 wdk? Are you signing with a sha1 or sha2 cert? Are you using the wdk to sign automatically or your own signing logic?

d

debt from my phone


From: xxxxx@yahoo.com
Sent: 8/7/2012 7:54 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] WHCK/WLK ‘Embedded Signature Verification’ fails


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

My settings below

set SignMode=off (–>own signing logic)

"C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\Tools\…..\VC\vcvarsall.bat" x86_amd64

msbuild drv.VcxProj /p:Configuration="Windows Vista Release" /t:build /p:platform=x64

my Vcxproj below.

Windows Vista Release


Windows Vista Debug
I use the same binary generated here from all of above both for sp2 and R2 x64.
Of course on R2 it passes (and of course the binary has embedded signature, else it wouldn’t even load on R2 and even Sp2 x64 maybe)

My signtool /verify dump

Verifying: MyDrv.sys

Signature Index: 0 (Primary Signature)
Hash of file (sha1): 42D36504E0AFC40D484118DF55C40835974E7FF6

Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Wed Jul 16 16:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: My Company
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat May 30 16:59:59 2015
SHA1 hash: 954830B1FD7C08820D58BDE167523B58DED768EA

The signature is timestamped: Mon Jul 23 17:21:18 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 16:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Mon Dec 31 16:59:59 2012
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 12:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: My Company
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat May 30 16:59:59 2015
SHA1 hash: 954830B1FD7C08820D58BDE167523B58DED768EA

Successfully verified: Mydrv.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Also I am using signtool.exe from ‘Windows8 Signtool Preview’ version 1.0.

We sign as below using a .pfx file.

signtool.exe sign /ac "a.cer" /f "b.pfx" /p /n "My company" /t "http://timestamp.verisign.com/scripts/timstamp.dll" /v <file.>

Thx

Post the output of signtool verify /kp /v /c [cat file] [signed file]

Nik Twerdochlib
Software Developer


-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Thursday, August 09, 2012 5:50 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WHCK/WLK ‘Embedded Signature Verification’ fails


I get below.

Verifying: MyDrv.sys
File is signed in catalog: MyDrv.cat
Hash of file (sha1): 9EFF0A82BEC4CE8BA05241B6C0909535F669DB93

Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Wed Jul 16 16:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: Mycompany
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat May 30 16:59:59 2015
SHA1 hash: 954830B1FD7C08820D58BDE167523B58DED768EA

The signature is timestamped: Thu Aug 09 11:15:48 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 16:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Mon Dec 31 16:59:59 2012
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 12:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: Mycompany
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat May 30 16:59:59 2015
SHA1 hash: 954830B1FD7C08820D58BDE167523B58DED768EA

Successfully verified: MyDrv.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0