Posted: 2012-08-30 18:20:59
Question:
My company bought a Driver Signing Certificate from Go Daddy. I used it to sign a simple INF file, which is the driver for some of our USB devices that use Microsoft's usbser.sys. Everything appears to work on the Windows 7 64-bit machine where I did the signing: if I right-click the INF file and choose "Install", the second warning I see is this nice one, which shows the correct publisher name:
However, if I go to another machine (Windows Vista 64-bit), right-click the INF file, and choose "Install", I get the following error message:
This makes me think my driver is not signed correctly, and that the only reason it looks fine on my machine is that I installed some root/intermediate/cross certificates during Go Daddy's setup process. I definitely want my users to be able to see that we are a verified publisher without having to manually install certificates on their machines.
The INF file and the .cat file are in the same directory.
Does anyone know why this is happening and how I can fix it?
I suspect the main problem is that I get this error when I run signtool verify /v pololu.cat (more details below), and I haven't figured out why:
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Details of my procedure
The Driver Signing Certificate is a new product that Go Daddy introduced a few weeks ago. I'm not entirely sure how it differs from the Code Signing Certificate, but the price is the same. I followed the instructions on Go Daddy's website to download and install the certificate, although the instructions don't quite match reality. After installing the Microsoft cross-certificate in step 1, I saw a red warning message:
Before installing the certificate, you must update your root certificates with Windows Update or manually download and install the root certificate from our repository.
I don't know what to do about that. I did install some GoDaddy root certificates from their repository, but it made no noticeable difference.
I installed the latest version (8.0) of the Windows Driver Kit (WDK) and then the latest version (8.0) of the Windows Software Development Kit (SDK) for Windows 8. This gave me access to the inf2cat and signtool utilities. Both kits were released in the last month, so we might be dealing with some new bugs.
In a new directory I put three files:
- pololu_usb_to_serial.inf, the INF file I want to sign. It is long but simple; you can read it here. This INF file is a standalone driver; no other files are needed in our driver package. It is essentially the same as the version our company has successfully distributed (unsigned) for years, but I had to make a few changes to get Inf2Cat to accept it.
- mscvr-cross-gdroot-g2.crt, which I downloaded from the Go Daddy certificate repository. I believe this is the cross-certificate that proves "Go Daddy Root Certificate Authority - G2" is trusted by Microsoft, but I'm not sure it is the right one.
- sign_it.bat, the batch file I run to do the signing.
The batch file contains only:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\inf2cat" /v /driver:%~dp0 /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com pololu.cat
The first command invokes inf2cat from the Windows Driver Kit. The /v option makes it verbose. The /driver:%~dp0 option points it at the directory containing the batch file; "." doesn't work for some reason, and this is better than hard-coding the full path. The /os option specifies all the operating systems I want this driver package to support. This command creates pololu.cat.
The second command invokes signtool from the Windows Software Development Kit to sign the catalog file. The /v option makes it verbose. The /ac option specifies which cross-certificate to use (see #2 above). The /n option specifies the name of the certificate to use (which, according to certmgr.msc, is installed on my machine). The /t option specifies the URL of Go Daddy's timestamp server.
Here is the output in the command prompt when I run the batch file:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\inf2cat" /v /driver:C:\Users\david.POLOLU\Desktop\sign_it\ /os:XP_X86,Vis
ta_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (mscvr-cross-
gdroot-g2.crt)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (pololu_usb_t
o_serial.inf)
Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (sign_it.bat)
Parsing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished parsing INFs
Processing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
Finished processing INFs
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Testing driver package...
Signability test complete.
Errors:
None
Warnings:
None
Catalog generation complete.
C:\Users\david.POLOLU\Desktop\sign_it\pololu.cat
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation"
/t http://tsa.starfieldtech.com pololu.cat
The following certificate was selected:
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Done Adding Additional Store
Successfully signed: pololu.cat
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
As I said, I put the .cat and .inf files in the same directory, but they only work correctly on the machine where I signed them.
Verifying with Signtool
Microsoft's signtool utility also has a "verify" feature that lets you check whether your signature is correct. There are three different policies you can use when verifying, and each gives a different result:
- The Windows driver verification policy says my signature chain does not go back to Microsoft, and prints an error message about my root not being trusted. This seems like a problem to me.
- The default Authenticode verification policy (/pa) also says my signature chain does not go back to Microsoft, but does not give an error.
- The kernel-mode driver signing policy (/kp, which probably doesn't apply because I am not signing a kernel-mode driver) says my signature chain does go back to Microsoft, and gives no error.
Does anyone know which policy Windows uses for INF files? That would at least help me narrow down the problem.
Here is the full verbose output from signtool verify:
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
in\x86\signtool" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 05 16:22:34 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
Successfully verified: pololu.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
The output looks the same whether I run it on the machine where I signed the driver (where it works) or on the other machine (where it does not work).
Similar questions on StackOverflow
Thawte driver signing for 64-bit Windows - the solution to this person's problem was to add a CatalogFile directive to the INF file, but I already have one (CatalogFile=pololu.cat).
Edit #1: Signing an executable works
I used signtool with the same options to sign an executable (an NSIS installer), and it worked on both machines on the first try. So I think there is something different about the signing policy for INF driver files, and that is what is tripping me up.
Edit #2: Warning on the GoDaddy certificates
If I double-click mscvr-cross-gdroot-g2.crt, the General tab says "Windows does not have enough information to verify this certificate." On the Certification Path tab, under "Certificate status:", it says "The issuer of this certificate could not be found." If I double-click gd_ms_drv_sign_bundle.p7b (the certificate bundle from GoDaddy) and open the first certificate, I see the same warning.
The issuer of both certificates is supposed to be the Microsoft Code Verification Root. Should I be worried about that warning message?
Edit #3: Removing GoDaddy's certificates
Lindsay from the GoDaddy Advanced Support team replied to me. She linked to this page from globalsign, which explains how to uninstall the CA's root and intermediate certificates from the machine that signs the driver. Lindsay says that if you don't do this step, the signing tool will assume those certificates are present on other machines and therefore will not include them in the signature.
Does anyone know how to check which certificates are "imported" into the signature? What tools can I use to see whether Lindsay and GlobalSign are right?
By the way, we do have Windows XP machines around, but Microsoft will soon stop supporting that OS. Despite what GlobalSign says, there must be a way to make this work on Windows 7.
Following Lindsay's advice, I followed Microsoft's instructions to Turn off Automatic Root Certificates Update, then used the certmgr.msc UI to delete all GoDaddy certificates from "Trusted Root Certification Authorities" and "Intermediate Certification Authorities". Then I re-signed my inf file.
Unfortunately, that didn't work! After signing, I double-checked that all the GoDaddy certificates were still deleted.
I haven't received any feedback from GoDaddy about the signtool verify output, or any input on which driver signing policy I should check when verifying. I was hoping they could look at the verify output and tell me what I did wrong, or tell me what the correct output should look like.
For completeness, here are the three outputs of signtool verify after I removed those certificates and re-signed the driver:
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /pa pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
bin\x86\signtool.exe" verify /v /kp pololu.cat
Verifying: pololu.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7
Signing Certificate Chain:
Issued to: Go Daddy Root Certificate Authority - G2
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 13:07:40 2021
SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF
Issued to: Go Daddy Secure Certificate Authority - G2
Issued by: Go Daddy Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Issued to: Pololu Corporation
Issued by: Go Daddy Secure Certificate Authority - G2
Expires: Sat Aug 31 11:35:25 2013
SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0
The signature is timestamped: Wed Sep 12 14:52:19 2012
Timestamp Verified by:
Issued to: Starfield Services Root Certificate Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Mon Dec 31 16:59:59 2029
SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F
Issued to: Starfield Services Timestamp Authority
Issued by: Starfield Services Root Certificate Authority
Expires: Wed Apr 26 00:00:00 2017
SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Edit #4: The DefaultInstall section is prohibited
In Microsoft's documentation of the DefaultInstall section, I found this:
Note: The INF file of a driver package must not contain an INF DefaultInstall section if the driver package is digitally signed.
Does anyone know why that is true? I can't find an explanation.
Anyway, I took the DefaultInstall section out of my INF file, so from now on I have to test it by running a small DLL I wrote that calls SetupCopyOemInf.
Still no luck; I keep getting the unverified publisher warning on the Windows Vista machine.
Edit #5: The JLink driver is signed correctly
I looked in C:\Windows\System32\DriverStore\FileRepository for some correctly signed driver packages. The first interesting one I found was JLinkCDC.cat/JLinkCDC.inf. The inf file's version is DriverVer=01/25/2012,6.0.2600.4. On the Windows Vista machine, if I call SetupCopyOemInf on the inf file (using my DLL), I get a proper message telling me who the publisher is (Segger GMBH or something similar). So it is possible to correctly sign a driver package like mine, but somehow GoDaddy or I did something wrong.
The JLinkCDC.inf driver is very similar to mine in that it is just one file and uses usbser.sys. Their signature's chain of trust goes back to VeriSign Class 3 Public Primary Certificate Authority - G5.
Basically, this JLinkCDC driver is very similar to mine and works correctly, so I plan to study it carefully and see what is different.
The output of signtool verify for JLinkCDC.cat looks very similar to mine, except that it goes back to Verisign instead of GoDaddy.
Edit #6: Small changes
To make my driver more like JLinkCDC.inf, I added DriverPackageType=PlugAndPlay to the INF file and shortened the file names: the files are now called polser.cat and polser.inf. Still no luck!
Edit #7: Some success!
I believe the following points are correct; please correct me if I am wrong:
- For a driver package (.cat file), the correct option for signtool verify is /pa. I inferred this from KMCS_Walkthrough.doc.
- For a driver package, Windows will only consider the publisher verified if the chain of trust goes back to a certificate in the "Trusted Root Certification Authorities" folder in certmgr.msc.
- For a driver package, you can sign it with a cross-certificate (which extends the chain of trust from gdroot-g2.crt to the Microsoft Code Verification Root), but Windows seems to ignore that. This is because the Microsoft Code Verification Root is not a "Trusted Root Certification Authority".
- There is a certificate store for the current user and one for the local computer. Both matter, so you should use the MMC Certificates Snap-In to look at both. Certmgr.msc only shows the current user's.
- Windows should seamlessly add "Go Daddy Root Certificate Authority - G2" (gdroot-g2.crt) to the "Trusted Root Certification Authorities" folder when needed, downloading it from Windows Update, but it doesn't. More info here.
I used the Windows Event Viewer on the test machine to see what was going on. It looks like Windows will automatically fetch "Go Daddy Root Certificate Authority - G2", but only after it shows the unwelcome unverified-publisher warning dialog. Once the user closes that dialog, the certificate is fetched from Windows Update, so the next install attempt should succeed. Interestingly, it does automatically download the Starfield certificate (the root of my timestamp's chain of trust) in time.
By double-clicking gdroot-g2.crt and importing it before trying to install the driver, I have gotten the signature to work on the Windows 7 and Windows Vista machines. I will see whether this process can be automated and added to the installer.
I found a driver package from another company (JLinkCDC.cat) that is signed with a VeriSign certificate rooted in "VeriSign Class 3 Public Primary Certification Authority - G5". That certificate is on every machine I have looked at, so if you use VeriSign instead of Go Daddy, I think you can avoid this problem with Windows Update.
I did notice that the VeriSign certificate uses SHA1, whereas my Go Daddy certificate uses SHA256 for both the signature algorithm and the signature hash algorithm. Not sure if that matters.
Edit #8: Asking Microsoft for help
See the discussion on the MSDN forums and my conclusions: http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/1fede768-7925-4f30-8eef-ce5bd08b0b60
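Two of the open questions above (Edit #3: which certificates are actually carried inside the signature; Edit #7: whether the chain ends in a certificate that is in a Trusted Root store, and in which of the two stores) can be answered on any Windows machine without signtool. The following PowerShell script is an added example, not code from the question, from Pololu, or from GoDaddy. It assumes Windows PowerShell 5.1 (the System.Security assembly provides SignedCms) and takes the catalog path as a parameter; polser.cat is only the default because that is the name used in the question. A .cat file is a DER-encoded PKCS#7 SignedData blob, so it can be decoded directly to enumerate the embedded certificates, and the chain can then be rebuilt with only those certificates as extra input to see where it terminates on the local machine.

```powershell
# Added example (not from the original question): inspect a signed .cat file.
# Assumes Windows PowerShell 5.1; the catalog path is a parameter.
param([string]$CatalogPath = ".\polser.cat")

Add-Type -AssemblyName System.Security   # loads System.Security.Cryptography.Pkcs

# 1. Decode the PKCS#7 SignedData blob and list the certificates it carries.
#    Anything NOT in this list must already be present on the target machine
#    (its stores or Windows Update), which is the gap Edit #3 asks about.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([System.IO.File]::ReadAllBytes((Resolve-Path $CatalogPath).Path))
"Certificates embedded in ${CatalogPath}:"
foreach ($c in $cms.Certificates) {
    "  {0}`n      issued by: {1}`n      thumbprint: {2}" -f $c.Subject, $c.Issuer, $c.Thumbprint
}

# 2. Build a chain from the signer certificate, offering only the embedded
#    certificates as extra input, and report where it terminates and why.
$signer = $cms.SignerInfos[0].Certificate
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates)
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the issue here
$built = $chain.Build($signer)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain built without error: $built"
"Chain terminates in: {0} (thumbprint {1})" -f $root.Subject, $root.Thumbprint
foreach ($s in $chain.ChainStatus) {
    "  chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 3. Is the terminating certificate in a Trusted Root store? The question notes
#    that both the LocalMachine and CurrentUser stores matter and that
#    certmgr.msc shows only CurrentUser, so both are checked here.
$inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
$inUserRoot    = [bool](Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
"Root present in LocalMachine\Root: $inMachineRoot"
"Root present in CurrentUser\Root:  $inUserRoot"

# 4. The OS-level Authenticode verdict, for comparison with signtool verify /pa.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
"Get-AuthenticodeSignature status: {0} ({1})" -f $sig.Status, $sig.StatusMessage
```

Run it as `.\Inspect-Catalog.ps1 -CatalogPath .\polser.cat` on both the signing machine and a clean test machine. If the embedded list differs from what the chain needs, the signing machine's stores are filling the gap (Lindsay's point in Edit #3); if the chain terminates in a certificate that is absent from LocalMachine\Root on the test machine, that is the unverified-publisher dialog from Edit #7 before Windows Update has fetched the root.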
Comments:
- Looking at certmgr.msc, I don't see "Microsoft Code Verification Root" as a trusted certificate on any of my Windows machines. I don't think such a signature verification can pass.
- Thanks for the information, @glagolig. So did GoDaddy create their certificate incorrectly? Is there anything I can do to fix this?
- It turns out my assumption was wrong. The article sourceforge.net/apps/mediawiki/libwdi/… indirectly points out that "Microsoft Code Verification Root" does not appear in the list of trusted certificates but is still recognized by the OS.
- Thanks for the libwdi link! I learned a lot from reading the signed-driver walkthrough at github.com/pbatard/libwdi/wiki/_pages; it is the first resource I found that begins to explain the difference between signing a driver package (which is what I started out doing) and signing a driver binary.
- I suppose the booby girls at GoDaddy don't give users much confidence in the certificates they issue, promising that the driver will always work. Drivers for 64-bit versions of Windows must be certified by Microsoft, not by girls. Google "whql lab certification".
Tags: windows driver authenticode inf driver-signing