Problem overview
My Windows application includes a service that loads a fairly simple driver. The driver carries embedded SHA1 and SHA256 signatures and includes the cross-signing certificate chain, as required by KMCS and described in the MS Kernel Signing doc for signing drivers without a CAT file.
The driver loads perfectly on most Windows installations, but in a few rare cases it fails to load, mostly on Windows 7 x64 and Windows 10 x64. The error code is 0x241 (577): Windows cannot verify the digital signature for this file. A file that is signed incorrectly or damaged may have been installed recently, or it might be malicious software from an unknown source.
More information
I have been trying to find the cause of this problem for two weeks. As you would expect, the error only shows up on users' machines. I set up 4 VMs with Windows 7 x64 and another 4 with Windows 10 x64, with various configurations and different levels of updates. I even fully replicated one user's setup in one of the Windows 10 VMs: I spent a whole day installing the exact Windows edition, the right language and the exact versions of all their software, trying to reproduce the problem. No such luck: when my application was installed, the driver loaded just fine. Hoping that someone can think of what might be going on, or at least point me in the right direction, I decided to ask here: what could cause an apparently correctly signed driver to fail verification on some Windows installations?
More details
I am using a StartCom Class 3 code signing certificate. I downloaded the cross-signed StartCom certificate from the Microsoft Cross-Certificates for Kernel Mode Code Signing page.
My certificate is in a pfx file, and I sign the driver as follows:
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys
Since this is not a hardware driver that needs to be installed, it does not include a .CAT or .INF file. It is just a driver that is loaded when the service starts and unloaded when the service stops.
Note that the SHA256 signature is added after the SHA1 one (using /as), and a SHA256 timestamp server is used as well. It is dual-signed for compatibility with older operating systems, although I must say it fails to load on Vista x64, probably because my certificate uses SHA256 as its signature algorithm. Notably, the driver loads fine on Windows XP x64. It is also worth mentioning that all users who failed to load it report that both signatures show as verified when checking the Digital Signatures tab in the file properties. I can live without Vista x64 compatibility, but the Windows 7 and Windows 10 problems are very worrying and are forcing me to keep the application in beta testing.
Out of more than 150 installations across various Windows versions:
- 3 users failed verification on Windows 7 x64. One of them did not have all updates installed; after installing about 200 updates, verification passed and the problem was solved. I suggested that the other two users with the same problem update as well, but I have received no feedback, so I do not know whether the problem was solved or whether their Windows was updated.
- 3 users had the driver fail to load on Windows 10 x64. All of them were more responsive than the Windows 7 users, and I was able to find out that they all had all updates installed. Two of them installed using the Windows 10 Anniversary Update installation package.
- 1 user had the driver fail to load on Windows 2003 R2 x86. I also created a VM with that OS but could not reproduce the problem.
Every time the driver fails to load, an Audit Failure event is generated in the Security event category with the following text: *Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolumeX\Program Files (x86)\path\to\driver.sys*
I hit exactly the same error on Vista x64 and enabled Code Integrity verbose logging; the log had many messages about loading all the .CAT files and nothing else of interest. Of course, on Vista x64 the Code Integrity operational log includes an error about the file not being verified, very similar to the audit error above. Running:
signtool.exe verify /v /kp driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: StartCom Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 23:23:19 2021
SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
Successfully verified: driver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Running:
signtool.exe verify /v /pa /all driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
Successfully verified: driver.sys
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
Somewhat oddly, verifying without any special switches produces a certificate chain error. However, I get the same error when checking VMWare drivers, so I guess it is nothing to worry about. Anyway, running the following command:
signtool.exe verify /v /all driver.sys
results in:
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2
I am using the signtool.exe from the Windows 8.1 kit that ships with VS 2015, version 6.3.9600.17298. It is worth mentioning that the driver was built with WDK 7.1.0 (7600.13685.1).
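The following PowerShell script is an added example and is not code from the question above. It collects, on one machine, the checks a practitioner would want next to the signtool output shown in the post: the shell's own Authenticode verdict, signtool verify under the kernel-mode policy (/kp) and under the default policy over all signatures (/pa /all), the size of the PE security directory that holds the embedded signatures (a CAT-less driver must have one), and the Security-log Audit Failure the question quotes so that a load failure can be correlated with its event. The driver path and the signtool.exe location are assumptions; Event ID 5038 is the Security-log event for "Code integrity determined that the image hash of a file is not valid" (a known Windows event ID, not one quoted on the page). OS build and Secure Boot state are printed because Windows 10 version 1607, the Anniversary Update mentioned above, tightened kernel-mode signing enforcement on Secure Boot systems, so they are worth recording from each failing machine.

```powershell
# Added example, not from the original question. Assumed: driver path, signtool.exe path,
# and an elevated shell (needed to read the Security log).
param(
    [string]$Driver   = 'C:\Program Files (x86)\path\to\driver.sys',                   # assumed
    [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe'  # assumed
)

function Invoke-SignToolVerify {
    # Runs one "signtool verify" invocation and summarises its output.
    param([string]$Tool, [string[]]$Switches, [string]$Path)
    $out = & $Tool verify @Switches $Path 2>&1 | ForEach-Object { $_.ToString() }
    $exit = $LASTEXITCODE
    $verified = 0
    foreach ($line in $out) {
        # "/kp" reports files, "/all" reports signatures; both end in this line.
        if ($line -match 'Number of (?:files|signatures) successfully Verified: (\d+)') { $verified = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Switches = ($Switches -join ' ')
        ExitCode = $exit
        Verified = $verified
        Errors   = @($out | Where-Object { $_ -like 'SignTool Error:*' })
        Roots    = @($out | Where-Object { $_ -match 'Issued to: (Microsoft Code Verification Root|StartCom Certification Authority)' } | Sort-Object -Unique)
    }
}

function Get-PeSecurityDirectory {
    # Reads IMAGE_DIRECTORY_ENTRY_SECURITY (data directory index 4) from the PE optional
    # header; embedded Authenticode signatures live there, so Size must be non-zero.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                       # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) { throw "Not a PE file: $Path" }  # "PE\0\0"
    $optHeader = $peOffset + 4 + 20                                           # PE signature + COFF header
    $magic = [BitConverter]::ToUInt16($bytes, $optHeader)
    $dirBase = if ($magic -eq 0x20B) { $optHeader + 112 } else { $optHeader + 96 }  # PE32+ vs PE32
    $entry = $dirBase + 4 * 8
    [pscustomobject]@{
        Format = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
        Offset = [BitConverter]::ToUInt32($bytes, $entry)
        Size   = [BitConverter]::ToUInt32($bytes, $entry + 4)
    }
}

function Get-CodeIntegrityAuditFailures {
    # Security-log Audit Failure 5038 for this driver: the event the question quotes.
    # Needs an elevated shell; returns nothing when no such event was logged.
    param([string]$Path, [int]$Hours = 72)
    $leaf = [System.IO.Path]::GetFileName($Path)
    $filter = @{ LogName = 'Security'; Id = 5038; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$leaf*" } |
        Select-Object TimeCreated, Id,
            @{ n = 'FileName'; e = { ($_.Message -split '\r?\n' | Where-Object { $_ -like 'File Name:*' }) -join '' } }
}

function Test-KernelDriverSigning {
    param([string]$Path, [string]$Tool)

    # 1. The shell's verdict: default Authenticode policy, primary signature only.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host ("Authenticode status : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Thumbprint)

    # 2. Kernel-mode policy: the chain must end in Microsoft Code Verification Root via the
    #    cross-certificate given to /ac at signing time.
    $kp = Invoke-SignToolVerify -Tool $Tool -Switches @('/v', '/kp') -Path $Path
    Write-Host ("/kp       verified={0} exit={1} roots: {2}" -f $kp.Verified, $kp.ExitCode, ($kp.Roots -join '; '))

    # 3. Default policy over every signature: SHA-1 primary plus SHA-256 nested (/as).
    $pa = Invoke-SignToolVerify -Tool $Tool -Switches @('/v', '/pa', '/all') -Path $Path
    Write-Host ("/pa /all  verified={0} exit={1}" -f $pa.Verified, $pa.ExitCode)
    $pa.Errors | ForEach-Object { Write-Host "  $_" }

    # 4. Environment facts to record from each failing machine.
    $os = Get-CimInstance Win32_OperatingSystem
    $sb = try { Confirm-SecureBootUEFI } catch { 'n/a (legacy BIOS or unsupported)' }
    Write-Host ("OS: {0} build {1}; Secure Boot: {2}" -f $os.Caption, $os.BuildNumber, $sb)
}

if ($MyInvocation.InvocationName -ne '.') {
    Test-KernelDriverSigning -Path $Driver -Tool $SignTool
    Get-PeSecurityDirectory -Path $Driver | Format-List
    Get-CodeIntegrityAuditFailures -Path $Driver | Format-Table -AutoSize
}
```

Run it from an elevated Windows PowerShell prompt on the failing machine as well as on a working one and compare the five blocks of output; a /kp count of 0 with a non-empty security directory points at chain or policy evaluation on that host rather than at the file, while a zero-size security directory means the file on disk is not the file that was signed.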