My Windows application includes a service that loads a fairly simple driver. The driver carries embedded SHA1 and SHA256 signatures and includes two cross-signed certificate chains, per the KMCS requirements described in the MS Kernel Signing documentation for signing drivers without a CAT file.
The driver loads perfectly fine on most Windows installations, but in very rare cases it fails to load, mainly on Windows 7 x64 and Windows 10 x64. The error is 0x241 (577): Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
I have spent the better part of two weeks trying to figure out what causes this. As you would expect, the error only shows up on users' machines. I have set up 4 virtual machines with Windows 7 x64 and another 4 with Windows 10 x64, in various configurations and at different update levels. I even fully replicated one user's setup in a Windows 10 VM: I spent a whole day installing the exact Windows version in the right language and installing all of the software at the exact versions in order to reproduce the problem. No such luck, though: when I installed my application, the driver loaded just fine.
Hoping that someone might have an idea of what could be going on, or could at least point me in the right direction, I decided to ask here: what could cause an apparently correctly signed driver to fail verification on some Windows installations?
I am using a StartCom Class 3 code signing certificate. I downloaded the cross-signed StartCom certificate from the "Microsoft Kernel-Mode Code Signing Cross-Certificates" page.
My certificate is in a pfx file, and I sign the driver as follows:
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys
Since this is not a hardware driver that needs to be installed, there is no .CAT file or .INF file. It is just a driver that is loaded when the service starts and unloaded when the service stops.
Note that the SHA256 signature is added after the SHA1 signature (using /as) and uses a SHA256 timestamp server. It is dual-signed for compatibility with older operating systems, but I must say it fails to load on Vista 64-bit, presumably because my certificate uses SHA256 as its signature algorithm. Notably, the driver loads fine on Windows XP x64. Also worth mentioning: all users who report that it fails to load say that both signatures verify correctly when they check the "Digital Signatures" tab of the file properties. I can live without Vista x64 compatibility, but the Windows 7 and Windows 10 problems are very worrying and force me to keep the application in beta testing.
After more than 150 installs on various Windows versions, I have:
Every time the driver fails to load, an Audit Failure event is generated in the Security event category with the following text: "Code Integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolumeX\Program Files (x86)\path\to\driver.sys"
On Vista x64 I get exactly the same error, and enabling the Code Integrity verbose log produced a large number of messages about loading all the .CAT files and nothing else of interest. Of course, on Vista x64 the Code Integrity operational log contains an error about the file failing verification, very similar to the audit error above.
Running
signtool.exe verify /v /kp driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

    Issued to: StartCom Class 3 Object CA
    Issued by: StartCom Certification Authority
    Expires:   Mon Dec 16 04:00:05 2030
    SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    Expires:   Sun Aug 04 16:18:18 2019
    SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

    Issued to: Symantec Time Stamping Services CA - G2
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 02:59:59 2020
    SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

    Issued to: Symantec Time Stamping Services Signer - G4
    Issued by: Symantec Time Stamping Services CA - G2
    Expires:   Wed Dec 30 02:59:59 2020
    SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 16:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: StartCom Certification Authority
    Issued by: Microsoft Code Verification Root
    Expires:   Thu Apr 15 23:23:19 2021
    SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17

    Issued to: StartCom Class 3 Object CA
    Issued by: StartCom Certification Authority
    Expires:   Mon Dec 16 04:00:05 2030
    SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    Expires:   Sun Aug 04 16:18:18 2019
    SHA1 hash: 62...E9

Successfully verified: driver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Running
signtool.exe verify /v /pa /all driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

    Issued to: StartCom Class 3 Object CA
    Issued by: StartCom Certification Authority
    Expires:   Mon Dec 16 04:00:05 2030
    SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    Expires:   Sun Aug 04 16:18:18 2019
    SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

    Issued to: Symantec Time Stamping Services CA - G2
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 02:59:59 2020
    SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

    Issued to: Symantec Time Stamping Services Signer - G4
    Issued by: Symantec Time Stamping Services CA - G2
    Expires:   Wed Dec 30 02:59:59 2020
    SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

    Issued to: StartCom Class 3 Object CA
    Issued by: StartCom Certification Authority
    Expires:   Mon Dec 16 04:00:05 2030
    SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    Expires:   Sun Aug 04 16:18:18 2019
    SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

    Issued to: COMODO SHA-256 Time Stamping Signer
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA

Successfully verified: driver.sys

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
Somewhat oddly, verifying without the special switches results in a certificate chain error. But then, when I checked a VMware driver I got the same error, so I suppose it is nothing to worry about. Anyway, running:
signtool.exe verify /v /all driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

    Issued to: StartCom Class 3 Object CA
    Issued by: StartCom Certification Authority
    Expires:   Mon Dec 16 04:00:05 2030
    SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    Expires:   Sun Aug 04 16:18:18 2019
    SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

    Issued to: Symantec Time Stamping Services CA - G2
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 02:59:59 2020
    SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

    Issued to: Symantec Time Stamping Services Signer - G4
    Issued by: Symantec Time Stamping Services CA - G2
    Expires:   Wed Dec 30 02:59:59 2020
    SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

    Issued to: StartCom Class 3 Object CA
    Issued by: StartCom Certification Authority
    Expires:   Mon Dec 16 04:00:05 2030
    SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    Expires:   Sun Aug 04 16:18:18 2019
    SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

    Issued to: COMODO SHA-256 Time Stamping Signer
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA

SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2
I am using signtool.exe from the Windows 8.1 Kit that ships with VS 2015, version 6.3.9600.17298. For what it's worth, the driver is compiled with WDK 7.1.0 (7600.13685.1).
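The signtool output above is long and easy to misread by eye when comparing many machines. As an added example (not code from the question or the answer), the Python below parses "signtool verify /v" output into per-signature certificate chains and checks the KMCS condition the question depends on: a Cross Certificate Chain anchored at Microsoft Code Verification Root whose leaf is the same certificate as the signing chain's leaf. The sample input is a constructed, condensed copy of the /kp output from the question, with "62...E9" kept as the thumbprint redacted in the post.

```python
import re
# Constructed sample condensed from the question's "signtool verify /v /kp" output; "62...E9" is the leaf thumbprint as redacted in the post.
SAMPLE = """Signature Index: 0 (Primary Signature)
Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    SHA1 hash: 62...E9
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    Issued to: My company
    Issued by: StartCom Class 3 Object CA
    SHA1 hash: 62...E9
"""
FIELDS = {"Issued to": "to", "Issued by": "by", "Expires": "expires", "SHA1 hash": "sha1"}  # per-certificate labels signtool prints

def parse_signtool(text):
    # Returns {signature index: {"chains": {chain name: [cert dicts, root first]}, "errors": [error lines]}}
    sigs, cur, chain = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Signature Index: (\d+)", line)
        if m:  # new signature block; "/all" output prints one per embedded signature
            cur = sigs.setdefault(int(m.group(1)), {"chains": {}, "errors": []})
            continue
        if line.endswith("Chain:") or line == "Timestamp Verified by:":
            chain = cur["chains"].setdefault(line.rstrip(":"), [])
            continue
        if line.startswith("SignTool Error:"):  # e.g. the untrusted-root error from "verify /v /all"
            cur["errors"].append(line)
            continue
        key, _, val = line.partition(":")
        if key in FIELDS and chain is not None:
            if key == "Issued to":  # "Issued to" opens a new certificate entry in the current chain
                chain.append({})
            chain[-1][FIELDS[key]] = val.strip()
    return sigs

def kmcs_cross_chain_ok(sig):
    # KMCS without a CAT file needs a cross chain anchored at Microsoft Code Verification Root ending in the signing leaf.
    cross = sig["chains"].get("Cross Certificate Chain")
    signing = sig["chains"].get("Signing Certificate Chain")
    if not cross or not signing or sig["errors"]:
        return False
    return (cross[0]["to"] == cross[0]["by"] == "Microsoft Code Verification Root"
            and cross[-1]["sha1"] == signing[-1]["sha1"])
```

Feed it the saved output of "signtool.exe verify /v /kp driver.sys" from a failing machine and a working one to compare chains field by field.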
As Martin Drab mentioned above, the problem is twofold. By the way, thank you Martin: your comment helped me solve the problem, as I was able to reproduce the Windows 10 issue by setting up a VM with Secure Boot enabled.
For operating systems older than Windows 10, the problem appears to be solved by installing all of the latest updates. If the PC has not been updated since before November 1st, 2015 (when the new Microsoft Code Verification Root certificate was released), verification fails because the kernel does not recognize the root certificate.
For Windows 10 there is a new kernel-mode code signing policy, which specifies that all fresh installs of the Windows 10 Anniversary Update will not verify any kernel code that is not signed through the Microsoft Dev Portal (which requires an EV certificate), unless it was signed with a cross-signed certificate issued before July 29th, 2015, or Secure Boot is disabled.
The reason the problem occurs so rarely is that most people do not have Windows 7 machines that have gone without updates for ages, and, at the time of writing, most of those on Windows 10 are not running a fresh install of the Anniversary Update.
The only real solution for Windows 10 is to get an EV certificate.