Sign Windows x64 Driver - The system cannot find the file specified
Question
I have SafeNet token that contain 2 certificates (which the private key is not exported), one is sha256 EV code certificate and the other is sha1 EV code certificate.
I signed my drivers using signtool:
Signtool sign /v /s my /n "my_company" /sha1 my_sha256_hash /t http://timestamp.verisign.com/scripts/timestamp.dll mydriver.sys
when I tried to load the driver, I got an error said that the system cannot find the file specified, I look at driver with Depends and everything is OK.
When I run signtool verify mydriver.sys I got the following error: SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
I tried to sign my cat file as well with my associated binaries but still no luck with that.
I've read that there's a program called WHQL which in the end process Microsoft give me my "good" signed drivers, is it only for Windows Update distribution? or is it not necessary to run my driver in Windows 7 x64 and above?
2 answers
solution1
0 2018-02-08 21:33:29
You will need to have Microsoft sign your driver to run everywhere, but if you sign it correctly yourself, then you can run almost everywhere. Windows 10/Server 2016 running in Secure Boot mode will require a driver that MSFT has signed, which will require either using the WHQL or the Windows 10 attestation signing. Look at the dashboard on sysdev.microsoft.com for more information on both of these.
An unsigned driver usually doesn't give you a file not found error, so you might be looking at the wrong thing there. Make sure your driver is registered correctly to load from the right path. Use procmon to check that it can find the file correctly.
Once you're sure on that stuff, this link might be a good place to get you started with signing: https://www.osr.com/nt-insider/2016-issue1/today-in-driver-signing/
Unfortunately, it's a long and painful road to figure out driver signing. :(
solution2
0 2018-02-13 19:19:29
With globalsign I need to use a root certificate for kernel drivers with the /ac parameter (more Info is here https://support.globalsign.com/customer/portal/articles/1491089-kernel-mode-driver-signing-%E2%80%93-windows-7-8 ) Maybe you need similar with veriysign.
"...Windows 7 x64 and above": This depends on the APIs you are using in your driver and if it's x64. For win32 you need to build a win32 driver. On most Windows versions you can disable the driver sign check in the boot options. Doing this would show you if it's really signing related. Run this with the unsigned and signed driver.
"when I tried to load the driver...": First check the registry (HKLM:\\system\\currentcontrolset\\services\\).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.