I have developed an NDIS IM driver. I sign it using Authenticode tools
(signtool) with a Verisign code signing ID. It has installed correctly under
2003 Server and x64 Editions (XP and Server). I recently made some changes to
the driver. I used the same exact .inf's and procedure to sign the .cat file,
yet when I attempt to install on an x64 Server machine I get "The digital
signature of the object did not verify". The code returned from
HrInstallNetComponent is 0x80096010. If I simply replace the new driver
(.sys) file with the previous .sys file it installs correctly. It appears
that during the installation process the digital verification of the .cat
file works incorrectly for the new .sys file. Note that if I use "signtool
verify /pa /v driver.sys" the signature is correct. I suspect that
Authenticode is signing the driver correctly, however the driver installation
is incorrectly verifying the driver. Has anyone seen this or have any ideas?
Thanks.

Dan

RE: Error: Digital signature did not verify by bburgin

bburgin
Wed Sep 07 19:10:08 CDT 2005

I'm working w/ Dan offline. He is using the old SNETCFG DDK sample to
install the driver and there is a known issue of that sample not doing two
SetupCopyOEMInfs, once for each of the two INFs needed for NDIS IM Filter
drivers. I suspect that he has both INFs in his Windows\Inf folder somehow
from a previous installation, but on his second installation only one is
copied and the installation is finding the second INF that it happens to
find left behind -- but its size/date/time etc is part of the signing
process and if it is at all different the signature will be broken.

If it's not that, then we'll move to SETUPAPI logging, etc. Also, it is
interesting that this is being reported against Server 2003 SP1 (all
platforms) and XP x64, which is based on the same code base -- so this may
be a new issue. But we'll try the SNETCFG change first.

Bryan S. Burgin
bburgin@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.
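
A check for the situation Bryan describes, a leftover INF in Windows\Inf that the package's catalog no longer matches, written as an added example that is not code from this thread or from the DDK. It assumes installed copies can be matched to the package by the CatalogFile= entry in [Version]; the file names and INF contents in demo() are constructed.

```python
import hashlib, re, tempfile
from pathlib import Path

def read_inf(path):
    # INFs are either UTF-16 with a BOM or an ANSI code page.
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def catalog_name(path):
    # Value of CatalogFile= (or CatalogFile.NTamd64= etc.) in [Version].
    section = None
    for line in read_inf(path).splitlines():
        line = line.split(";", 1)[0].strip()          # strip INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "version":
            m = re.match(r"catalogfile(\.\w+)?\s*=\s*(.+)", line, re.I)
            if m:
                return m.group(2).strip().strip('"').lower()
    return None

def digest(path):
    # Plain byte-for-byte fingerprint used only to compare two copies.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_stale_infs(package_dir, windows_inf_dir):
    # Installed INFs naming the package's catalog whose bytes match no package INF.
    package = {}
    for inf in Path(package_dir).glob("*.inf"):
        cat = catalog_name(inf)
        if cat:
            package.setdefault(cat, set()).add(digest(inf))
    return [inf.name for inf in sorted(Path(windows_inf_dir).glob("*.inf"))
            if (cat := catalog_name(inf)) in package
            and digest(inf) not in package[cat]]

def demo():
    # Constructed sample: a two-INF package, one current and one stale copy.
    root = Path(tempfile.mkdtemp())
    pkg, win = root / "pkg", root / "inf"
    pkg.mkdir(); win.mkdir()
    body = "[Version]\nCatalogFile = MyKat.cat ; signed catalog\nDriverVer = {}\n"
    (pkg / "imdrv.inf").write_text(body.format("09/07/2005"))
    (pkg / "imdrv_m.inf").write_text(body.format("09/07/2005") + "; miniport\n")
    (win / "oem1.inf").write_text(body.format("09/07/2005"))       # current copy
    (win / "oem2.inf").write_text(body.format("01/01/2005") + "; miniport\n")
    (win / "oem3.inf").write_text("[Version]\nCatalogFile = other.cat\n")
    return find_stale_infs(pkg, win)
```

On a real machine, call find_stale_infs with the driver package folder and the Windows\Inf folder; any name it returns is a copy to remove before reinstalling.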


RE: Error: Digital signature did not verify by usfinecats

usfinecats
Wed Sep 07 19:31:13 CDT 2005

I too had trouble getting drivers properly signed with the signing tools.
I was able to solve this problem by blowing away the .cat file each time I
need to rebuild the installation.

The documentation for this stuff is either ludicrous or just wrong.

Here's what I'm doing, your mileage may vary!

del D:\filearch\signable\GoodiesRelease\MyKat.cat
"C:\Program Files\WLPQS\signability" /os:8 /auto /cat /driver:D:\filearch\signable\GoodiesRelease\
dir d:\filearch\signable\GoodiesRelease\MyKat.cat

@echo REBUILD MyKat.cat
signcode -a sha1 -$ individual -n MyKat -spc D:\filearch\signable\MyCrededential.spc -v D:\filearch\signable\AuthenticodeKey.pvk D:\filearch\signable\GoodiesRelease\MyKat.cat



--
Gak -
Finecats


"Bryan S. Burgin [MSFT]" wrote:

>
>
> I'm working w/ Dan offline. He is using the old SNETCFG DDK sample to
> install the driver and there is a known issue of that sample not doing two
> SetupCopyOEMInfs, once for each of the two INFs needed for NDIS IM Filter
> drivers. I suspect that he has both INFs in his Windows\Inf folder somehow
> from a previous installation, but on his second installation only one is
> copied and the installation is finding the second INF that it happens to
> find left behind -- but its size/date/time etc is part of the signing
> process and if it is at all different the signature will be broken.
>
> If it's not that, then we'll move to SETUPAPI logging, etc. Also, it is
> interesting that this is being reported against Server 2003 SP1 (all
> platforms) and XP x64, which is based on the same code base -- so this may
> be a new issue. But we'll try the SNETCFG change first.
>
> Bryan S. Burgin
> bburgin@online.microsoft.com
>
> This posting is provided "AS IS" with no warranties, and confers no rights