【Question title】: Code Signed Driver on Windows 7 Fails with 0xC0000428
【Posted】: 2018-05-17 16:47:48
【Question】:

My signed driver, built for Windows (Windows 7 with the SHA256 hotfix), fails to start and produces error code 0xC0000428 (Windows cannot verify the digital signature for this file).

I took over a driver project created with Visual Studio 2010, and my first task was to renew the expired code-signing certificate. The digital certificate was originally from GlobalSign; now it is from DigiCert. The original programmer told me in an email that he ran into trouble on this topic every year.

I examined the working but expired icsflt.sys driver file and found that it was SHA256 with a SHA1 thumbprint. Everything else works. I tried many different variations (dual-signed certificates, SHA1 and SHA2). My last attempt, straight from DigiCert technical support, used the following command line.

C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
Done Adding Additional Store
Successfully signed: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys

Here is the certificate; it looks very much like the original one.

This is the basic certificate, clearly showing SHA256 as the digest algorithm. The certificate is from the build machine. The first screenshot, of "Windows Boot Manager", is from the test machine.

Below are some of the links I used on the DigiCert website.

Dual Signing SHA256 and SHA1

Sign Code SignTool.exe Command Line

Installing Code Signing Certificate

Here is the view of the valid but expired certificate.

Here are the digital signature driver properties of the good/working driver.

You can tell them apart because I renamed the good/working one to icflt-good.sys. Apart from the company name, dates and certificate authority (CA), the two look the same, but Windows 7 is using the new certificate from DigiCert.

Here is the code for the earlier signtool.exe command lines, which I commented out.

@echo on

@REM see "How to Release-Sign a Driver Package" and "Release-Signing a Driver through an Embedded Signature in Windows DDK"
@REM despite the store's name seems to be Personal we should use MY when using Signtool. Otherwise the certificate is not found.
@REM when Personal store is created with makecert, another Personal is created. Weird.
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5250f1a5ddd11e3e4e924757e6da1c43dd3487c0 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5D743B02DCDE74B16D133BDFEB2E1C5F6F44E966 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%

@REM check $\IM6000\Certificate\current for the exact file names and password
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\MSCV-GlobalSign.cer /f %PROJECT_DIR%\..\Certificate\current\OS201602156091.pfx /p 1C73295775925A7EE1C6D35ADF9DF611A55A60B8 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /fd sha256 /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /tr http://timestamp.globalsign.com/scripts/timstamp.dll?td=sha256 /td sha256 %mydriverpath%

【Discussion】:

    Tags: windows visual-studio code-signing device-driver signtool


    【Answer 1】:

    After a lot of research, I found the problem. (Please give a thumbs up to the question, and especially to the answer.)

    Signing a kernel-level driver requires cross-signing using the /AC switch; the additional certificate creates a cross-certificate chain up to the Microsoft root certificate.

    Related links:

    Microsoft Cross Certificate Links

    Note: the article at the link below is wrong. The thumbprints do not need to match. However, the Issuer needs to match exactly.

    Cross Signing Kernel Mode Drivers

    Signing Windows Drivers

    Getting the issuer

    I went into mmc and added Certificates (Personal). Then I double-clicked my SHA256 certificate and noted the issuer, which in my case was:

    CN = DigiCert Assured ID Root CA
    OU = www.digicert.com
    O = DigiCert Inc
    C = US
    

    The thumbprint of my certificate, which does not matter, is:

    05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43

    The Microsoft cross-certificate list, again, is here. The one I downloaded was DigiCert Assured ID Root CA, whose thumbprint is:

    ba 3e a5 4d 72 c1 45 d3 7c 25 5e 1e a4 0a fb c6 33 48 b9 6e
    

    I used the download link to get the file. That gave me a "DigiCert Assured ID Root CA.crt" file.

    Note: I was told that the certificate had to have a CER extension. My testing and my conversations with DigiCert show that this is not true. CRT is perfectly fine.

    The working signtool command line is:

    C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /v /ac "DigiCert Assured ID Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
    

    To verify that the signing is correct, I strongly recommend issuing the following line:

    "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /v "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
    

    Note the output of the verification test:

    Verifying: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
    Signature Index: 0 (Primary Signature)
    Hash of file (sha256): FAFB2B31B8ED4A9E8F9EC84196E7E52009A4C709521457FD83FC1945DCF5872F
    
    Signing Certificate Chain:
        Issued to: DigiCert Assured ID Root CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Nov 09 17:00:00 2031
        SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    
            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Sun Oct 22 05:00:00 2028
            SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
    
                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
                Expires:   Mon Jan 28 05:00:00 2019
                SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
    
    The signature is timestamped: Mon Jun 04 16:35:45 2018
    Timestamp Verified by:
        Issued to: DigiCert Assured ID Root CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Nov 09 17:00:00 2031
        SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    
            Issued to: DigiCert SHA2 Assured ID Timestamping CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Tue Jan 07 05:00:00 2031
            SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
    
                Issued to: DigiCert SHA2 Timestamp Responder
                Issued by: DigiCert SHA2 Assured ID Timestamping CA
                Expires:   Mon Jan 17 17:00:00 2028
                SHA1 hash: 400191475C98891DEBA104AF47091B5EB6D4CBCB
    
    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 06:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    
            Issued to: DigiCert Assured ID Root CA
            Issued by: Microsoft Code Verification Root
            Expires:   Thu Apr 15 12:51:37 2021
            SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E
    
                Issued to: DigiCert SHA2 Assured ID Code Signing CA
                Issued by: DigiCert Assured ID Root CA
                Expires:   Sun Oct 22 05:00:00 2028
                SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
    
                    Issued to: JMR Electronics, Inc.
                    Issued by: DigiCert SHA2 Assured ID Code Signing CA
                    Expires:   Mon Jan 28 05:00:00 2019
                    SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
    
    
    Successfully verified: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
    
    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0
    

    The key here is that, besides Successfully verified, the Cross Certificate Chain starts with Issued to: Microsoft Code Verification Root and ends with my digital code-signing certificate, with everything in between. That is what Microsoft wants for Windows. Whether it is Windows 7 or Windows 10 does not matter.

    I also had to use signtool.exe from at least Windows 8.1. Earlier versions do not support all of the required switches I was told to use.

    Although in the end I did not need a SHA1 certificate, it took several cycles to find out how to get one. I was told several times that I needed it, but I did not. For anyone interested in those instructions, here. These days everything is SHA256, even on Windows 7 with the hotfix.

    【Discussion】:
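The check the answer performs by eye on the signtool verify output (the Cross Certificate Chain must begin at Microsoft Code Verification Root, pass through a cross-certificate whose subject exactly matches the issuer at the top of the publisher's own chain, and end at the publisher's code-signing certificate) can be automated. The script below is an added example, not code from the original post; it parses the text that `signtool verify /kp /v` prints (the sample embedded in it is an abridged, constructed copy of the output shown in the answer, with the timestamp section left out) and reports any deviation from that rule. The optional `now` argument only flags the cross-certificate itself as lapsed and is an assumption of this example, not something the answer states.

```python
# Added example: check the cross-certificate chain in `signtool verify /kp /v`
# output against the rule given in the answer above. Not from the original post.
from datetime import datetime

MS_CROSS_ROOT = "Microsoft Code Verification Root"
CERT_FIELDS = {"Issued to": "subject", "Issued by": "issuer",
               "Expires": "expires", "SHA1 hash": "sha1"}

# Constructed sample: the verify output from the answer, abridged (timestamp
# section and file-hash line omitted); the names and hashes are the page's own.
SAMPLE_OUTPUT = """\
Verifying: C:\\ICS\\IM6000\\filter\\objfre_win7_AMD64\\amd64\\icsflt.sys
Signature Index: 0 (Primary Signature)
Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 05:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
            Issued to: JMR Electronics, Inc.
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Mon Jan 28 05:00:00 2019
            SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 06:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
        Issued to: DigiCert Assured ID Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 12:51:37 2021
        SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E
            Issued to: DigiCert SHA2 Assured ID Code Signing CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Sun Oct 22 05:00:00 2028
            SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
                Issued to: JMR Electronics, Inc.
                Issued by: DigiCert SHA2 Assured ID Code Signing CA
                Expires:   Mon Jan 28 05:00:00 2019
                SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
Successfully verified: C:\\ICS\\IM6000\\filter\\objfre_win7_AMD64\\amd64\\icsflt.sys
"""


def parse_verify_output(text):
    """Return {section name: [certificate dicts, root first]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]            # e.g. "Cross Certificate Chain"
            sections[current] = []
            continue
        key, sep, value = line.partition(":")
        if current is None or not sep or key not in CERT_FIELDS:
            continue                       # e.g. "Verifying: ..." lines
        if key == "Issued to":             # first field of each certificate
            sections[current].append({})
        if sections[current]:
            sections[current][-1][CERT_FIELDS[key]] = value.strip()
    return sections


def check_cross_chain(sections, now=None):
    """Return a list of problems; an empty list means the chain is as expected.

    `now` (ISO date string, optional) additionally flags a lapsed cross-certificate."""
    signing = sections.get("Signing Certificate Chain", [])
    cross = sections.get("Cross Certificate Chain", [])
    if not signing:
        return ["no Signing Certificate Chain: the file is not signed"]
    if not cross:
        return ["no Cross Certificate Chain: sign again with /ac <cross-cert>"]
    problems = []
    if cross[0]["subject"] != MS_CROSS_ROOT:
        problems.append("cross chain does not start at " + MS_CROSS_ROOT)
    if len(cross) < 2 or cross[1]["issuer"] != MS_CROSS_ROOT:
        problems.append("no cross-certificate issued by " + MS_CROSS_ROOT)
    # The answer's rule: the cross-certificate's subject must equal, exactly,
    # the issuer at the top of the publisher's own chain.
    elif cross[1]["subject"] != signing[0]["subject"]:
        problems.append("cross-certificate %r does not match chain root %r"
                        % (cross[1]["subject"], signing[0]["subject"]))
    # Below the cross-certificate both chains must list the same certificates,
    # ending at the publisher's code-signing certificate.
    if [c["sha1"] for c in cross[2:]] != [c["sha1"] for c in signing[1:]]:
        problems.append("cross chain does not end at the signing certificate")
    if now is not None and len(cross) >= 2:
        expires = datetime.strptime(cross[1]["expires"], "%a %b %d %H:%M:%S %Y")
        if expires < datetime.fromisoformat(now):
            problems.append("cross-certificate expired on " + cross[1]["expires"])
    return problems


if __name__ == "__main__":
    print(check_cross_chain(parse_verify_output(SAMPLE_OUTPUT)) or "chain OK")
```

Run it against real output by piping `signtool verify /kp /v <driver>` into a file and passing that text to `parse_verify_output`; an empty list from `check_cross_chain` corresponds to the "Microsoft Code Verification Root down to my certificate" shape the answer describes.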
