
Windows driver installation fails after signing and verifying with signtool using a SHA-2 cross-signed certificate

Reposted. Author: 可可西里. Updated: 2023-11-01 11:28:28

I have two driver files that appear to be signed correctly:

bobbarker@bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt.sys

Verifying: truecrypt.sys
Hash of file (sha1): 8562AC6F95298C1904DFC0B579C51CBB414D13C9

Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868

Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

The signature is timestamped: Tue Dec 30 00:29:01 2014
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 18:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 18:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 18:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 15:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250

Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

Successfully verified: truecrypt.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

bobbarker@bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$ ./SignTool.exe verify /kp /v /ph /d truecrypt-x64.sys

Verifying: truecrypt-x64.sys
Hash of file (sha1): 5B9B534E682A8768F404B1A1CBFD9ACC98B8E195

Signing Certificate Chain:
Issued to: AddTrust External CA Root
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: 02FAF3E291435468607857694DF5E45B68851868

Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

The signature is timestamped: Tue Dec 30 00:28:52 2014
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 18:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 18:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 18:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 08:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: AddTrust External CA Root
Issued by: Microsoft Code Verification Root
Expires: Tue Aug 15 15:36:30 2023
SHA1 hash: A75AC657AA7A4CDFE5F9DE393E69EFCAB659D250

Issued to: COMODO RSA Certification Authority
Issued by: AddTrust External CA Root
Expires: Sat May 30 05:48:38 2020
SHA1 hash: F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

Issued to: COMODO RSA Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Mon May 08 18:59:59 2028
SHA1 hash: B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47

Issued to: Jason Pyeron
Issued by: COMODO RSA Code Signing CA
Expires: Wed Sep 16 18:59:59 2015
SHA1 hash: 535A507A767922BE8C9BF959BCD2179DE626AAA4

Successfully verified: truecrypt-x64.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

bobbarker@bobbarker-PC /cygdrive/c/Users/bobbarker/Desktop
$

But when I try to install them, I get the dreaded error:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

I have posted the files in question, along with the relevant certs. I created the files with the following command:

for i in *.sys; do 
cp "$i" "$i".presignbak && \
/cygdrive/c/WinDDK/7600.16385.1/bin/amd64/SignTool.exe sign /v /ac AddTrust_External_CA_Root-srosssigned-by-Microsoft.crt /f signkey.pfx /p password /t http://timestamp.verisign.com/scripts/timstamp.dll "$i" ;
done

My cert uses the signature algorithm: sha256WithRSAEncryption

What should I try next?

Best answer

It turns out that Microsoft does not support SHA-2 for driver signing on Windows 7.

In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.

Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates. Here are the steps to create the two signatures using Visual Studio.
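The dual-signing approach quoted in the answer, as an added example that is not part of the original post or of Microsoft's documentation: the question's loop reworked to apply a SHA1 primary signature and then append a SHA256 one. It assumes a SignTool build that accepts /fd, /as, /tr and /td; the RFC 3161 timestamp URL is a placeholder, and SIGNTOOL, PFX_PASS, TR_URL and DRY_RUN are names introduced here.

```shell
#!/bin/sh
# Added example: dual-sign drivers (SHA1 primary, SHA256 appended).
# File names and the /t URL come from the question; SIGNTOOL, PFX_PASS,
# TR_URL and DRY_RUN are names assumed for this sketch.
SIGNTOOL="${SIGNTOOL:-SignTool.exe}"
CROSS_CERT="AddTrust_External_CA_Root-srosssigned-by-Microsoft.crt"
PFX="signkey.pfx"
T_URL="http://timestamp.verisign.com/scripts/timstamp.dll"
TR_URL="${TR_URL:-http://timestamp.example.invalid/rfc3161}"  # placeholder

# Run (or, with DRY_RUN=1, print) one signing pass.
# $1 = sha1 | sha256 (file digest), $2 = driver file
run_pass() {
  alg="$1"; file="$2"; pass="${PFX_PASS:-}"
  [ "${DRY_RUN:-1}" = 1 ] && pass='***'   # never echo the real password
  set -- sign /v /ac "$CROSS_CERT" /f "$PFX" /p "$pass"
  case "$alg" in
    sha1)   set -- "$@" /fd sha1 /t "$T_URL" ;;                     # primary
    sha256) set -- "$@" /as /fd sha256 /tr "$TR_URL" /td sha256 ;;  # appended
    *)      echo "unsupported digest: $alg" >&2; return 2 ;;
  esac
  set -- "$@" "$file"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "$SIGNTOOL $*"
  else
    "$SIGNTOOL" "$@"
  fi
}

# Back up once, then sign in order: SHA1 primary first, after which /as
# appends the SHA256 signature instead of replacing the primary one.
dual_sign() {
  if [ "${DRY_RUN:-1}" != 1 ] && [ ! -e "$1.presignbak" ]; then
    cp "$1" "$1.presignbak" || return 1
  fi
  run_pass sha1 "$1" && run_pass sha256 "$1"
}

for f in *.sys; do
  [ -e "$f" ] || continue          # no drivers in this directory
  dual_sign "$f" || { echo "signing failed: $f" >&2; exit 1; }
done
```

DRY_RUN defaults to 1, so the script only prints the two command lines per driver; set DRY_RUN=0 and PFX_PASS to sign for real.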

Regarding Windows driver installation failing after signing and verifying with signtool using a SHA-2 cross-signed certificate, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/27700601/
