6

If this question is off-topic, please recommend another StackExchange site to post this on :-)

Our company recently purchased a G2 code-signing certificate from Thawte. I've run through all the steps necessary to sign a 64-bit driver so it can be installed under Windows 7 64-bit.

Namely, I have:

  • downloaded a G2 Thawte cross-certificate
  • obtained our own Thawte certificate (actually a .p12 file, which I had to import and re-export as a .pfx file for it to work)
  • successfully signed the driver via the following command: signtool.exe sign /ac cross.cer /f private_key.pfx /p ***** /t "http://timestamp.verisign.com/scripts/timstamp.dll" /v my_driver.sys
  • imported our company certificate (and even all those Thawte certificates when the first didn't work) into machine's trusted root authorities and trusted publishers
  • imported the Thawte cross-certificate into Intermediate Certification Authorities

I've tried to verify the signature using signtool.exe verify /pa /v my_driver.sys, which passed. If I do not use /pa on the command line, it says "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." (Is that something I should be worried about?)

Now when I try to install the driver using a simple INF file (not a CAB file), the result is a red warning about Windows not being able to verify the issuer of the driver. When I choose not to install the driver, I get the following extra message: "A file could not be verified because it does not have an associated catalog signed via Authenticode(tm)."

I've read that Thawte could not really be used to sign drivers like this in the past because MS somehow stopped supporting it, yet it is still listing a cross-certificate on their website. Not sure if this is still valid; I cannot find any proof of it.

Any advice would be greatly appreciated.

Bruno
Zathrus Writer
  • Please pick only one SE site. Ask for the question to be migrated if necessary. http://security.stackexchange.com/q/14568/2435 – Bruno May 03 '12 at 14:50
  • is there any official way to ask for migration? I couldn't find one... – Zathrus Writer May 03 '12 at 14:59
  • do you have the thawte cross certificate installed? see http://msdn.microsoft.com/en-us/windows/hardware/gg487315 – msam May 03 '12 at 15:28
  • AFAIK Verisign and GlobalSign are the only CAs that issue certificates usable for driver signing (i.e. the cross-certificate is provided for them). – Eugene Mayevski 'Callback May 03 '12 at 15:50
  • Eugene, where does your information come from please? I'd like to see some source of this, since I've heard that myself but can't seem to find any proof ... and yes, I have the cross-certificate installed – Zathrus Writer May 03 '12 at 22:51
  • Better later than never. That came from availability of the cross-certificate. Looks like Microsoft has updated the list of cross-certificates so more CAs are supported now. – Eugene Mayevski 'Callback Jul 14 '13 at 16:53

1 Answer

5

You need to add a CatalogFile reference to your inf file, run Inf2Cat.exe (in the DDK) to generate the cat file, then use signtool.exe to sign that too.

PhilMY
  • I'll try that first thing in the morning and see if that works... thanks :) – Zathrus Writer May 03 '12 at 22:52
  • I'm using a GlobalSign cert though – PhilMY May 04 '12 at 05:46
  • where do I get inf2cat.exe please? I've tried to search Google and nothing seems to tell me what is this file a part of – Zathrus Writer May 04 '12 at 07:24
  • nevermind, I've found it... although it did require me to needlessly go through some Microsoft registration, so here's a link for the rest of us: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11800 – Zathrus Writer May 04 '12 at 10:00
  • it worked! you're my personal hero, thanks a million... I wouldn't have figured this out on my own, and NONE of the websites I studied mentioned this requirement... thanks again! – Zathrus Writer May 04 '12 at 10:27
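The accepted answer names three steps but shows none of the commands. The script below is an added example, not code from the original question or answer, that carries the whole procedure through for the package described in the question: confirm the INF's [Version] section has a CatalogFile= entry (for this package that line would read CatalogFile=my_driver.cat), run Inf2Cat.exe to build the catalog, sign the catalog with the same cross-certificate and PFX used for the .sys, and then verify under the kernel-mode driver signing policy rather than the default Authenticode policy, since that is the check the driver installer actually applies. The folder and certificate paths, the file names, and reading the PFX password interactively are assumptions; the cross-certificate usage, the timestamp URL and the /os:7_X64 target are taken from the question's setup (Windows 7 x64). Inf2Cat.exe and signtool.exe come from the Windows Driver Kit and are assumed to be on PATH.

```powershell
# Added example: build and sign a driver catalog for a Windows 7 x64 package.
# Paths, file names and the password prompt are assumptions for illustration.
$Driver    = 'C:\drivers\my_driver'                      # folder holding my_driver.inf and my_driver.sys (assumed)
$Inf       = Join-Path $Driver 'my_driver.inf'
$Sys       = Join-Path $Driver 'my_driver.sys'
$Cat       = Join-Path $Driver 'my_driver.cat'           # must match the INF's CatalogFile= value
$CrossCer  = 'C:\certs\cross.cer'                        # Thawte cross-certificate (assumed path)
$Pfx       = 'C:\certs\private_key.pfx'                  # the company's Thawte certificate + key (assumed path)
$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'
$PfxPass   = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Inf2Cat refuses a package whose INF has no CatalogFile= line in [Version];
#    fail early with a clear message instead of letting Inf2Cat report it later.
if (-not (Select-String -Path $Inf -Pattern '^\s*CatalogFile\s*=' -Quiet)) {
    throw "$Inf has no CatalogFile= entry in its [Version] section; add 'CatalogFile=my_driver.cat' and retry."
}

# 2. Generate the unsigned catalog. Inf2Cat records a hash of every file the INF
#    references, so the .sys must already be in its final form (signed, if it is
#    going to carry an embedded signature) before this step runs.
& Inf2Cat.exe /driver:$Driver /os:7_X64 /verbose
if ($LASTEXITCODE -ne 0) { throw "Inf2Cat.exe failed with exit code $LASTEXITCODE" }

# 3. Sign the catalog the same way the .sys was signed. /ac embeds the
#    cross-certificate so the chain reaches the Microsoft root that the
#    kernel-mode signing policy trusts; /t adds an Authenticode timestamp.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& signtool.exe sign /v /ac $CrossCer /f $Pfx /p $plain /t $Timestamp $Cat
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "signtool.exe sign failed with exit code $LASTEXITCODE" }

# 4. Verify with the kernel-mode driver signing policy (/kp), not /pa. /pa uses the
#    default Authenticode policy and can pass while the installer still rejects
#    the package. /c names the catalog that vouches for the .sys.
& signtool.exe verify /kp /v /c $Cat $Sys
if ($LASTEXITCODE -ne 0) { throw "Catalog does not verify under the kernel-mode driver signing policy" }

Write-Host "Catalog $Cat built, signed and verified for $Sys"
```

Run it from an elevated PowerShell prompt in the WDK environment. The final verify step is the check worth keeping around: if it fails while `signtool verify /pa` on the same files succeeds, the signature is valid Authenticode but does not chain to the root that the kernel-mode driver signing policy requires, which is exactly the situation the installer's "issuer cannot be verified" warning reports.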