windows - Signed INF driver works on the machine that signed it, but not on other machines

Reprinted; author: 行者123; updated 2023-12-01 21:57:03

My company bought a Driver Signing Certificate from Go Daddy. I used it to sign a simple INF file that is the driver for some USB devices that use Microsoft's usbser.sys. Everything seems to work fine on the Windows 7 64-bit machine where I signed it: if I right-click the INF file and select "Install", the second warning I see is the good one that shows the correct publisher name:

However, if I go to another machine (Windows Vista 64-bit), right-click the INF file and select "Install", I get this error message:

This makes me think my driver is not signed correctly, and that the only reason it looks fine on my machine is that some root/intermediate/cross certificates got installed during Go Daddy's installation process. I definitely want my users to be able to see that we are a verified publisher without having to install certificates on their machines by hand.

The INF file and the .cat file are in the same directory.

Does anyone know why this happens and how I can fix it?

I suspect the main problem is that I get this error when running signtool verify /v pololu.cat (more details below), but I haven't figured out why:

SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.



Details of my procedure

The Driver Signing Certificate is a new Go Daddy product that they rolled out a few weeks ago. I'm not entirely sure how it differs from a Code Signing Certificate, but the price is the same. I followed the instructions on Go Daddy's website to download and install the certificate, although the instructions don't quite match reality. After installing the Microsoft cross-certificate in step 1, I saw a red warning message that said:

Before you can install your certificate, you must use Windows Update to update your root certificates or manually download and install the root certificate from our repository.



I'm not sure what to do about that. I did install some GoDaddy root certificates from their repository, but it made no noticeable difference.

I installed the latest version (8.0) of the Windows Driver Kit (WDK) and then the latest version (8.0) of the Windows Software Development Kit (SDK) for Windows 8. This gave me access to the inf2cat and signtool utilities. Both kits were released within the last month, so we might be running into some new bugs.

In a fresh directory I put three files:
  • pololu_usb_to_serial.inf, the INF file I want to sign. It is long but simple; you can read it here. This INF file is a stand-alone driver: no other files are needed in our driver package. The file is essentially the same as the version our company has been distributing (unsigned) successfully for years, but I had to make a few changes to get Inf2Cat to accept it.
  • mscvr-cross-gdroot-g2.crt, which I downloaded from the Go Daddy certificate repository. I believe this is the cross-certificate that attests that "Go Daddy Root Certificate Authority - G2" is trusted by Microsoft, but I'm not entirely sure it is the right certificate.
  • sign_it.bat, the batch file I run to do the signing.

The batch file just contains:
    "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\inf2cat" /v /driver:%~dp0 /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64

    "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation" /t http://tsa.starfieldtech.com pololu.cat

The first command calls inf2cat from the Windows Driver Kit. The /v option makes it verbose. The /driver:%~dp0 option points it at the directory containing the batch file; for some reason . didn't work, and this is better than having to hard-code the full path. The /os option specifies all the operating systems I want this driver package to support. This command creates pololu.cat.

The second command calls signtool from the Windows Software Development Kit to sign the catalog file. The /v option makes it verbose. The /ac option specifies which cross-certificate to use (see #2 above). The /n option specifies the name of the certificate to use (which, according to certmgr.msc, is installed on my machine). The /t option specifies the URL of Go Daddy's timestamp server.

Here is the output in the command prompt when I run the batch file:
    C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
    in\x86\inf2cat" /v /driver:C:\Users\david.POLOLU\Desktop\sign_it\ /os:XP_X86,Vis
    ta_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64
    Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (mscvr-cross-
    gdroot-g2.crt)
    Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (pololu_usb_t
    o_serial.inf)
    Processing directory (C:\Users\david.POLOLU\Desktop\sign_it\) file (sign_it.bat)

    Parsing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
    Finished parsing INFs
    Processing INF: C:\Users\david.POLOLU\Desktop\sign_it\pololu_usb_to_serial.inf
    Finished processing INFs
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...
    Testing driver package...

    Signability test complete.

    Errors:
    None

    Warnings:
    None

    Catalog generation complete.
    C:\Users\david.POLOLU\Desktop\sign_it\pololu.cat

    C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
    in\x86\signtool" sign /v /ac "mscvr-cross-gdroot-g2.crt" /n "Pololu Corporation"
    /t http://tsa.starfieldtech.com pololu.cat
    The following certificate was selected:
    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 06:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Microsoft Code Verification Root
    Expires: Thu Apr 15 13:07:40 2021
    SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    Done Adding Additional Store
    Successfully signed: pololu.cat

    Number of files successfully Signed: 1
    Number of warnings: 0
    Number of errors: 0

Like I said, I put the .cat and .inf files in the same directory, and they only work properly on the machine that I signed them on.

Verifying with signtool

Microsoft's signtool utility also has a "verify" feature that lets you check that a signature is correct. There are three different policies you can verify against, and each gives a different result:
  • The Windows Driver Verification Policy says my signature chain does not go back to Microsoft, and prints an error message about my root not being trusted. This looks like a problem to me.
  • The Default Authentication Code Verification Policy (/pa) also says my signature chain does not go back to Microsoft, but gives no error.
  • The Kernel-Mode Driver Signing Policy (/kp, probably not applicable since I'm not signing a kernel-mode driver) says my signature chain does go back to Microsoft, and gives no error.

Does anyone know which policy Windows uses for INF files? That would at least help me narrow the problem down.

Here is the full verbose output of signtool verify:
    C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
    in\x86\signtool" verify /v pololu.cat

    Verifying: pololu.cat
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B

    Signing Certificate Chain:
    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Thu Dec 31 16:59:59 2037
    SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    The signature is timestamped: Wed Sep 05 16:22:34 2012
    Timestamp Verified by:
    Issued to: Starfield Services Root Certificate Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Mon Dec 31 16:59:59 2029
    SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

    Issued to: Starfield Services Timestamp Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Wed Apr 26 00:00:00 2017
    SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    SignTool Error: A certificate chain processed, but terminated in a root
    certificate which is not trusted by the trust provider.

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1

    C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
    in\x86\signtool" verify /v /pa pololu.cat

    Verifying: pololu.cat
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B

    Signing Certificate Chain:
    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Thu Dec 31 16:59:59 2037
    SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    The signature is timestamped: Wed Sep 05 16:22:34 2012
    Timestamp Verified by:
    Issued to: Starfield Services Root Certificate Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Mon Dec 31 16:59:59 2029
    SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

    Issued to: Starfield Services Timestamp Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Wed Apr 26 00:00:00 2017
    SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26


    Successfully verified: pololu.cat

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    C:\Users\david.POLOLU\Desktop\sign_it>"C:\Program Files (x86)\Windows Kits\8.0\b
    in\x86\signtool" verify /v /kp pololu.cat

    Verifying: pololu.cat
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): 09A611ECC83E61646DB967D4C23EED725B903C1B

    Signing Certificate Chain:
    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Thu Dec 31 16:59:59 2037
    SHA1 hash: 47BEABC922EAE80E78783462A79F45C254FDE68B

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    The signature is timestamped: Wed Sep 05 16:22:34 2012
    Timestamp Verified by:
    Issued to: Starfield Services Root Certificate Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Mon Dec 31 16:59:59 2029
    SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

    Issued to: Starfield Services Timestamp Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Wed Apr 26 00:00:00 2017
    SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 06:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Microsoft Code Verification Root
    Expires: Thu Apr 15 13:07:40 2021
    SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0


    Successfully verified: pololu.cat

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

The output looks the same whether I run it on the machine where I signed the driver (the working one) or on the other machine (the non-working one).

Similar questions on StackOverflow

Thawte driver signing for 64-bit Windows - the solution there was to add a CatalogFile directive to the INF file, but I already have one (CatalogFile=pololu.cat).

Edit 1: Signing an executable

I used signtool with the same options to sign an executable (an NSIS installer), and it worked on the first try on both machines. So I think there is something different about the signing policy for INF driver files that is tripping me up.

Edit 2: GoDaddy's certificate warning

If I double-click mscvr-cross-gdroot-g2.crt, the "General" tab shows "Windows does not have enough information to verify this certificate." On the "Certification Path" tab, under "Certificate status:", it shows "The issuer of this certificate could not be found." If I double-click gd_ms_drv_sign_bundle.p7b (a certificate bundle from GoDaddy) and open the first certificate, I see the same warning.

The issuer of both of those certificates is supposed to be the Microsoft Code Verification Root. Should I be worried about that warning message?

Edit #3: Removing GoDaddy's certificates

Lindsay from GoDaddy's advanced support team got back to me. She linked to this page from GlobalSign, which explains how to uninstall the CA's root and intermediate certificates from the machine that signs the driver. Lindsay says that if you don't do this step, signtool assumes those certificates exist on other machines and therefore does not include them in the signature.

Does anyone know how to check which certificates get "imported" into the signature? What tools can I use to see whether Lindsay and GlobalSign are right?

By the way, we do have Windows XP machines, but Microsoft will stop supporting that OS soon. Despite what GlobalSign says, there must be a way to get this working on Windows 7.

Following Lindsay's advice, I followed Microsoft's instructions to Turn off Automatic Root Certificates Update, then used the certmgr.msc UI to delete all GoDaddy certificates from "Trusted Root Certification Authorities" and "Intermediate Certification Authorities". Then I re-signed my inf file.

Unfortunately, that didn't work! After signing, I checked again that all the GoDaddy certificates were still deleted.

I haven't gotten any feedback from GoDaddy on the output of signtool verify, or on which driver signing policy I should be checking against when verifying. I'm hoping they can look at the verification output and tell me what I'm doing wrong, or tell me what the correct output should look like.

For completeness, here are the three outputs of signtool verify after deleting those certificates and re-signing the driver:
    C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
    bin\x86\signtool.exe" verify /v pololu.cat

    Verifying: pololu.cat
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7

    Signing Certificate Chain:
    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Microsoft Code Verification Root
    Expires: Thu Apr 15 13:07:40 2021
    SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    The signature is timestamped: Wed Sep 12 14:52:19 2012
    Timestamp Verified by:
    Issued to: Starfield Services Root Certificate Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Mon Dec 31 16:59:59 2029
    SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

    Issued to: Starfield Services Timestamp Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Wed Apr 26 00:00:00 2017
    SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    SignTool Error: A certificate chain processed, but terminated in a root
    certificate which is not trusted by the trust provider.

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1

    C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
    bin\x86\signtool.exe" verify /v /pa pololu.cat

    Verifying: pololu.cat
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7

    Signing Certificate Chain:
    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Microsoft Code Verification Root
    Expires: Thu Apr 15 13:07:40 2021
    SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    The signature is timestamped: Wed Sep 12 14:52:19 2012
    Timestamp Verified by:
    Issued to: Starfield Services Root Certificate Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Mon Dec 31 16:59:59 2029
    SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

    Issued to: Starfield Services Timestamp Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Wed Apr 26 00:00:00 2017
    SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    SignTool Error: WinVerifyTrust returned error: 0x800B010A
    A certificate chain could not be built to a trusted root authority.

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1

    C:\Users\david.POLOLU\Desktop\sign_inf>"C:\Program Files (x86)\Windows Kits\8.0\
    bin\x86\signtool.exe" verify /v /kp pololu.cat

    Verifying: pololu.cat
    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): 5AE4F370471009C8B0ED936C9AE19ED14ABD67D7

    Signing Certificate Chain:
    Issued to: Go Daddy Root Certificate Authority - G2
    Issued by: Microsoft Code Verification Root
    Expires: Thu Apr 15 13:07:40 2021
    SHA1 hash: 842C5CB34B73BBC5ED8564BDEDA786967D7B42EF

    Issued to: Go Daddy Secure Certificate Authority - G2
    Issued by: Go Daddy Root Certificate Authority - G2
    Expires: Sat May 03 00:00:00 2031
    SHA1 hash: 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8

    Issued to: Pololu Corporation
    Issued by: Go Daddy Secure Certificate Authority - G2
    Expires: Sat Aug 31 11:35:25 2013
    SHA1 hash: E2FE1275AD8DA85DEABA67ADE26BE42E0834B4C0

    The signature is timestamped: Wed Sep 12 14:52:19 2012
    Timestamp Verified by:
    Issued to: Starfield Services Root Certificate Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Mon Dec 31 16:59:59 2029
    SHA1 hash: 5D003860F002ED829DEAA41868F788186D62127F

    Issued to: Starfield Services Timestamp Authority
    Issued by: Starfield Services Root Certificate Authority
    Expires: Wed Apr 26 00:00:00 2017
    SHA1 hash: AEAC793CDD107ACFB314A2FE384A8F16840B7C26

    SignTool Error: WinVerifyTrust returned error: 0x800B010A
    A certificate chain could not be built to a trusted root authority.

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1

Edit #4: No DefaultInstall section

In Microsoft's documentation of the DefaultInstall section, I found this:

    Note The INF file of a driver package must not contain an INF DefaultInstall section if the driver package is to be digitally signed.



Does anyone know whether this is true? I couldn't find an explanation.

Anyway, I took the DefaultInstall section out of my INF file, so from now on I have to test by running a DLL I wrote that calls SetupCopyOemInf.

Still no luck; I keep getting the unverified publisher warning on the Windows Vista machine.

Edit #5: The JLink driver is signed correctly

I was poking around in C:\Windows\System32\DriverStore\FileRepository trying to find some driver packages that are signed correctly. The first interesting one I found was JLinkCDC.cat/JLinkCDC.inf. The inf file's version is DriverVer=01/25/2012,6.0.2600.4. On the Windows Vista machine, if I call SetupCopyOemInf on the inf file (using my DLL), I get a proper message telling me who the publisher is (Segger GMBH or something like that). So it is possible to correctly sign a driver package like mine, but somehow GoDaddy or I did something wrong.

The JLinkCDC.inf driver is very similar to mine, in that it is just one file and uses usbser.sys. Their signature's chain of trust goes back to the VeriSign Class 3 Public Primary Certification Authority - G5.

Basically, this JLinkCDC driver is similar to mine and it works, so I plan to study it closely to understand the differences.

The output of signtool verify for JLinkCDC.cat looks very similar to mine, except that it goes back to VeriSign instead of GoDaddy.

Edit 6: Minor changes

To make my driver more like JLinkCDC.inf, I added DriverPackageType=PlugAndPlay to the INF file and shortened the file names: the files are now called polser.cat and polser.inf. Still no luck!

Edit #7: Success!

I believe the following facts are true; correct me if I'm wrong:
  • For driver packages (.cat files), the correct option for signtool verify is /pa. I inferred this from KMCS_Walkthrough.doc.
  • For driver packages, Windows only considers the publisher verified if the chain of trust goes back to a certificate in the "Trusted Root Certification Authorities" folder in certmgr.msc.
  • For driver packages, you can sign with a cross-certificate (which extends the chain of trust from gdroot-g2.crt to the Microsoft Code Verification Root), but Windows seems to ignore it. This is because the Microsoft Code Verification Root is not a "Trusted Root Certification Authority".
  • There is a certificate store for the current user and one for the local machine. Both matter, so you should use the MMC Certificates Snap-In to look at both. certmgr.msc only shows the current user's certificates.
  • Windows should seamlessly add "Go Daddy Root Certificate Authority - G2" (gdroot-g2.crt) to the "Trusted Root Certification Authorities" folder when needed, by downloading it from Windows Update. More info here.

I used the Windows Event Viewer on the test machine to see what was going on. It looks like Windows does automatically fetch "Go Daddy Root Certificate Authority - G2", but only after it has shown the bad unverified publisher warning dialog. After the user closes that dialog, the certificate gets fetched from Windows Update, so the next install attempt should succeed. Interestingly, it does automatically download the Starfield certificate (the root of my timestamp chain of trust) in time.

Double-clicking gdroot-g2.crt and importing it before trying to install the driver makes my signature work on both the Windows 7 and Windows Vista machines. I'll see whether that process can be automated and added to the installer.

I found another company's driver package (JLinkCDC.cat) that is signed with a VeriSign certificate rooted at "VeriSign Class 3 Public Primary Certification Authority - G5". That certificate is on every machine I've looked at, so if you use VeriSign instead of Go Daddy I suppose you can avoid this Windows Update problem.

I did notice that the VeriSign certificate uses SHA1 while my Go Daddy certificate uses SHA256 for the signature algorithm and signature hash algorithm. Not sure whether it matters.

Edit #8: Asking Microsoft for help

See the discussion on the MSDN forums and my conclusions: http://social.msdn.microsoft.com/Forums/en-US/wdk/thread/1fede768-7925-4f30-8eef-ce5bd08b0b60
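Edit #3 asks how to see which certificates signtool actually embedded in the signature, and Edit #7 concludes that the chain must end at a certificate that is in a Trusted Root store on the target machine (machine and user stores both matter) and notes the SHA1/SHA256 difference. All of those can be checked from one script run on the target machine. This is an added example, not code from the original post or from Pololu; it assumes Windows PowerShell, that the .cat path passed as a parameter (the default below is a placeholder) is a readable catalog file, and that the signature of interest is the first SignerInfo in the catalog's PKCS#7 blob.

```powershell
# Added example (not from the original post): inspect the PKCS#7 signature inside a
# driver catalog (.cat) and report where its chain terminates on THIS machine.
# Assumptions: Windows PowerShell; $CatPath is a placeholder for your own catalog.
param(
    [string]$CatPath = ".\pololu.cat"   # placeholder path, replace with your .cat
)

Add-Type -AssemblyName System.Security

# A .cat file is a PKCS#7 SignedData blob. SignedCms exposes the embedded
# certificates and the SignerInfo without trusting anything first.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([IO.File]::ReadAllBytes((Resolve-Path $CatPath).Path))

$signer = $cms.SignerInfos[0]
"Signer digest algorithm (SHA1 vs SHA256 matters on Windows 7): " + $signer.DigestAlgorithm.FriendlyName
""
"Certificates embedded in the signature (what signtool 'imported'):"
foreach ($c in $cms.Certificates) {
    "  Subject : $($c.Subject)"
    "  Issuer  : $($c.Issuer)"
    "  SigAlg  : $($c.SignatureAlgorithm.FriendlyName)"
    "  SHA1    : $($c.Thumbprint)"
    ""
}
$cross = $cms.Certificates | Where-Object { $_.Issuer -like '*Microsoft Code Verification Root*' }
if ($cross) { "Cross-certificate embedded: $($cross.Subject)" } else { "No Microsoft cross-certificate embedded." }

# Build the chain from the embedded certificates plus the local stores and find the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates)
$built = $chain.Build($signer.Certificate)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
""
"Chain builds without errors: $built"
"Chain terminates at: $($root.Subject)  [$($root.Thumbprint)]"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# Windows only treats the publisher as verified if that root is in a Trusted Root
# store. Check both stores: certmgr.msc shows only the current user's.
""
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    "{0,-24} {1}" -f $store, $(if ($hit) { 'contains the root' } else { 'does NOT contain the root' })
}

# The verdict the Authenticode API gives for the same file.
$sig = Get-AuthenticodeSignature -FilePath $CatPath
"Get-AuthenticodeSignature status: $($sig.Status)  ($($sig.StatusMessage))"
```

Run it once on the signing machine and once on a clean target: if the embedded certificate list is identical but the "contains the root" line differs, the signature is fine and the problem is root-store provisioning on the target, which is exactly the situation Edit #7 describes. If the root is missing from both stores and Get-AuthenticodeSignature still reports Valid, the machine resolved the root through the automatic root update at verification time.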

Best answer

As of 2012-09-27, the GoDaddy driver signing certificate does not work for Windows Vista or Windows 7. It only works for Windows 8. GoDaddy certificates are SHA256 only.

We ended up getting one from GlobalSign (MS Authenticode).

http://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx:

    Signing a driver package with two signatures

    In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.



2012-09-28 update: GlobalSign works. I had Firefox 15 open the link GlobalSign provided (protected by a Pickup Password). Eventually Firefox had the signing certificate and had downloaded 3 other GlobalSign certificates. I exported the signing certificate from Firefox to a .p12 file, then double-clicked all four files to import them into the MS certificate store with the automatic defaults. The driver and package were signed and tested on Windows 7 Ultimate x64 without any driver signing errors. The driver BSoDs, but that is a different problem. ;)

GoDaddy will only refund you within 30 days of purchase, as site credit, minus $15.

2016-01-13 update:
https://technet.microsoft.com/en-us/library/security/3033929
Microsoft Security Advisory 3033929
Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
Published: March 10, 2015
...
Basically you need to install the security update from the link Microsoft provides, which is normally done automatically by Windows Update.

We are now using an EV code signing certificate from GlobalSign. Warning: SafeSign does not work with Windows services (e.g. buildbot slaves).
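The Microsoft guidance quoted in the answer (a SHA-1 signature for Windows 7 plus a second SHA-256 signature for Windows 8) and the 2016 note about KB3033929 together describe a procedure; here it is as a script. This is an added example, not the answer author's or Microsoft's code. It assumes a Windows 8 SDK or later signtool.exe on PATH, a code-signing certificate in the current user's store selected by subject name, the CA's Microsoft cross-certificate as a file, and two placeholder timestamp URLs (an Authenticode one for /t and an RFC 3161 one for /tr) that you replace with your CA's. One caveat a practitioner should keep in mind: /fd selects the digest computed over the file, whereas the certificate's own signature algorithm is whatever the CA issued; the two are independent.

```powershell
# Added example (not from the original answer): dual-sign a driver catalog so that
# Windows 7 sees a SHA-1 signature and Windows 8 sees a SHA-256 signature, then verify.
# Assumptions: signtool.exe (Windows 8 SDK or later) on PATH; all paths/URLs below are
# placeholders for your own certificate, cross-certificate and CA timestamp servers.
param(
    [string]$CatPath     = ".\polser.cat",                      # placeholder catalog
    [string]$SubjectName = "Pololu Corporation",                # /n selects the cert by subject
    [string]$CrossCert   = ".\cross-cert.crt",                  # placeholder cross-certificate file
    [string]$TsaSha1     = "http://timestamp.example/authenticode",  # placeholder Authenticode TSA
    [string]$TsaRfc3161  = "http://timestamp.example/rfc3161"        # placeholder RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool failed ($LASTEXITCODE): $($Arguments -join ' ')" }
}

# Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp, for Windows 7.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/n', $SubjectName,
                  '/fd', 'sha1', '/t', $TsaSha1, $CatPath)

# Appended (/as) signature: SHA-256 file digest with an RFC 3161 timestamp, for Windows 8.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/n', $SubjectName,
                  '/fd', 'sha256', '/tr', $TsaRfc3161, '/td', 'sha256', '/as', $CatPath)

# /pa is the policy the question settled on for driver packages; /all walks every signature.
& signtool.exe verify /v /pa /all $CatPath

# On Windows 7 / Server 2008 R2 (6.1) the SHA-256 signature only verifies once KB3033929 is present.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 6 -and $os.Minor -eq 1) {
    if (Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue) {
        "KB3033929 present: this Windows 7 machine can verify the SHA-256 signature."
    } else {
        "KB3033929 missing: only the SHA-1 signature will verify on this machine."
    }
}
```

Sign in this order; appending the SHA-256 signature first and then trying to add the SHA-1 one is the combination that older verifiers handle worst. Run the verify step on each target OS you ship to, not just on the signing machine, for the same reason the question's author found the chain looked fine only where the CA's certificates had already been installed.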

For "windows - Signed INF driver works on the machine that signed it, but not on other machines", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/12291461/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号