Windows kernel-mode code signing problem

Problem overview

My Windows application includes a service that loads a fairly simple driver. The driver carries embedded SHA1 and SHA256 signatures and includes the cross-signing certificate chain, as required by KMCS and described in the MS Kernel Signing doc for signing drivers without a CAT file.

The driver loads perfectly on most Windows installations, but in some rare cases it fails to load, mostly on Windows 7 x64 and Windows 10 x64. The error code is 0x241 (577): Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

More information

I have been trying to find the cause of this problem for two weeks. As you would expect, the error only shows up on users' machines. I set up 4 VMs with Windows 7 x64 and another 4 with Windows 10 x64, in various configurations and at different update levels. I even fully replicated one user's setup in one of the Windows 10 VMs: I spent a whole day installing the exact Windows version, the correct language and the exact versions of all their software, trying to reproduce the problem. No such luck: when my application was installed, the driver loaded just fine.

Hoping that someone can think of what might be going on, or at least point me in the right direction, I decided to ask here: what could cause an apparently correctly signed driver to fail verification on some Windows installations?

More details

I am using a StartCom Class 3 code signing certificate. I downloaded the cross-signed StartCom certificate from the Microsoft Cross-Certificates for Kernel Mode Code Signing page.

My certificate is in a pfx file, and I sign the driver as follows:

signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys

Since this is not a hardware driver that needs to be installed, it does not include a .CAT file or an .INF file. It is simply a driver that is loaded when the service starts and unloaded when the service stops.

Note that the SHA256 signature is added after the SHA1 signature (using /as), and that a SHA256 timestamp server is also used. It is dual-signed for compatibility with older operating systems, although I must say it fails to load on Vista x64, probably because my certificate uses SHA256 as its signature algorithm. Interestingly, the driver loads fine on Windows XP x64. It is worth mentioning that all the users for whom it failed to load reported that both signatures show as verified when checking the Digital Signatures tab of the file properties. I can live without Vista x64 compatibility, but the Windows 7 and Windows 10 problems are very worrying and force me to keep the application in beta testing.

Out of more than 150 installations across various Windows versions:

  • 3 users failed verification on Windows 7 x64. One of them did not have all updates installed; after installing about 200 updates, verification passed and the problem was resolved. I advised the other two users with the same problem to update, but I have received no feedback, so I do not know whether the problem was resolved or whether their Windows has been updated.
  • 3 users had the driver fail to load on Windows 10 x64. All of them were more responsive than the Windows 7 users, and I was able to find out that they all had every update installed. Two of them installed using the Windows 10 Anniversary Edition installation package.
  • 1 user had the driver fail to load on Windows 2003 R2 x86. I also created a VM with that OS but could not reproduce the problem.

Every time the driver fails to load, an Audit Failure event is generated in the Security event category with the following text:

    Code Integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

    File Name: \Device\HarddiskVolumeX\Program Files (x86)\path\to\driver.sys

I ran into exactly the same error on Vista x64 and enabled Code Integrity verbose logging; the log contained many messages about loading all the .CAT files and nothing else of interest. Of course, on Vista x64 the Code Integrity operational log also includes an error about the file failing verification, very similar to the audit error above.

Running:

signtool.exe verify /v /kp driver.sys

gives:

Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 16:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: StartCom Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 23:23:19 2021
        SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17

            Issued to: StartCom Class 3 Object CA
            Issued by: StartCom Certification Authority
            Expires:   Mon Dec 16 04:00:05 2030
            SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

                Issued to: My company
                Issued by: StartCom Class 3 Object CA
                Expires:   Sun Aug 04 16:18:18 2019
                SHA1 hash: 62...E9


Successfully verified: driver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Running:

signtool.exe verify /v /pa /all driver.sys

gives:

Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

        Issued to: COMODO SHA-256 Time Stamping Signer
        Issued by: UTN-USERFirst-Object
        Expires:   Tue Jul 09 21:40:36 2019
        SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA


Successfully verified: driver.sys

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0

Somewhat strangely, verifying without the special switches results in a certificate chain error. However, I get the same error when checking VMware drivers, so I assume it is nothing to worry about. Anyway, running the following:

signtool.exe verify /v /all driver.sys

gives:

Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B

Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    Expires:   Wed Sep 17 22:46:36 2036
    SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F

        Issued to: StartCom Class 3 Object CA
        Issued by: StartCom Certification Authority
        Expires:   Mon Dec 16 04:00:05 2030
        SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46

            Issued to: My company
            Issued by: StartCom Class 3 Object CA
            Expires:   Sun Aug 04 16:18:18 2019
            SHA1 hash: 62...E9

The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 21:40:36 2019
    SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

        Issued to: COMODO SHA-256 Time Stamping Signer
        Issued by: UTN-USERFirst-Object
        Expires:   Tue Jul 09 21:40:36 2019
        SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2

I am using the signtool.exe from the Windows 8.1 kit that ships with VS 2015, version 6.3.9600.17298. It is worth mentioning that the driver was compiled with WDK 7.1.0 (7600.13685.1).
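As an added example (not code from the original post, nor part of any Microsoft tool), here is a Python parser for the `signtool verify /v` transcripts quoted above. It turns each signature into a record and flags what the post checks by eye: that both a sha1 and a sha256 signature are present, that each signature carries a cross-certificate chain rooted at Microsoft Code Verification Root (the chain `/kp` prints), and any SignTool errors. The embedded sample is constructed from the transcripts above with hashes shortened and chains trimmed; the function and field names are my own.

```python
"""Parse `signtool verify /v` output; added example (not from the post), sample is constructed."""
import re
from dataclasses import dataclass, field

MS_KMCS_ROOT = "Microsoft Code Verification Root"   # root of the /kp cross chain
FIELD = {"Issued to": "subject", "Issued by": "issuer",
         "Expires": "expires", "SHA1 hash": "sha1"}

# Constructed sample modelled on the /kp and /all transcripts above (hashes shortened, chains trimmed).
SAMPLE = """\
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A1
Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    SHA1 hash: 3E2BF7F2
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    SHA1 hash: BE36A456
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D07

        Issued to: StartCom Certification Authority
        Issued by: Microsoft Code Verification Root
        SHA1 hash: E6069E04
Signature Index: 1
Hash of file (sha256): 79E9A2EF
Signing Certificate Chain:
    Issued to: StartCom Certification Authority
    Issued by: StartCom Certification Authority
    SHA1 hash: 3E2BF7F2
The signature is timestamped: Sun Sep 25 12:49:53 2016
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of signatures successfully Verified: 1
Number of warnings: 0
Number of errors: 1
"""

@dataclass
class Signature:
    index: int
    hash_alg: str = ""
    file_hash: str = ""
    timestamp: str = ""
    signing_chain: list = field(default_factory=list)   # root first, leaf last
    cross_chain: list = field(default_factory=list)     # root first, leaf last
    errors: list = field(default_factory=list)

def parse_signtool_verify(text):
    """Return ([Signature, ...], {'verified': n, 'warnings': n, 'errors': n})."""
    sigs, summary, cur, chain, in_error = [], {}, None, None, False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_error = False                 # a blank line ends a wrapped error
        elif m := re.match(r"Signature Index: (\d+)", line):
            sigs.append(cur := Signature(int(m.group(1))))
            chain, in_error = None, False
        elif m := re.match(r"Hash of file \((\w+)\): ([0-9A-Fa-f]+)", line):
            cur.hash_alg, cur.file_hash = m.group(1).lower(), m.group(2)
        elif line == "Signing Certificate Chain:":
            chain = cur.signing_chain
        elif line == "Cross Certificate Chain:":
            chain = cur.cross_chain
        elif line == "Timestamp Verified by:":
            chain = None                     # TSA chain is not part of the KMCS check
        elif m := re.match(r"The signature is timestamped: (.+)", line):
            cur.timestamp = m.group(1)
        elif line.startswith("SignTool Error:"):
            cur.errors.append(line.split(":", 1)[1].strip())
            in_error = True
        elif in_error:
            cur.errors[-1] += " " + line     # continuation of a wrapped error
        elif m := re.match(r"Number of (?:\w+ successfully )?(\w+): (\d+)", line):
            summary[m.group(1).lower()] = int(m.group(2))
        elif (m := re.match(r"(Issued to|Issued by|Expires|SHA1 hash):\s+(.+)", line)) and chain is not None:
            if m.group(1) == "Issued to":
                chain.append({})             # "Issued to" opens a new certificate
            chain[-1][FIELD[m.group(1)]] = m.group(2)
    return sigs, summary

def kmcs_findings(sigs, summary):
    """Points to fix before shipping; an empty list means the file looks clean."""
    algs = {s.hash_alg for s in sigs}
    out = [f"no {a} signature present" for a in ("sha1", "sha256") if a not in algs]
    for s in sigs:
        tag = f"signature {s.index} ({s.hash_alg})"
        if not s.cross_chain:
            out.append(f"{tag}: no cross-certificate chain (run verify with /kp)")
        elif s.cross_chain[0]["subject"] != MS_KMCS_ROOT:
            out.append(f"{tag}: cross chain does not root at {MS_KMCS_ROOT}")
        out += [f"{tag}: {e}" for e in s.errors]
    if summary.get("errors"):
        out.append(f"signtool reported {summary['errors']} error(s)")
    return out
```

To use it on a real file, redirect `signtool.exe verify /v /kp /all driver.sys` to a text file and pass its contents to `parse_signtool_verify`. Without `/kp` signtool prints no cross chain and, as the post's third transcript shows, reports the StartCom root as untrusted, so the checker will report a missing cross chain for every signature; that is a cue to re-run with `/kp`, not evidence that the file is badly signed.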


When Secure Boot is enabled, after the Windows 10 x64 Anniversary Update your driver may fail to load because Microsoft imposed additional restrictions on KMCS (EV certificates), requiring signing by MS. But I guess you already know that. I actually ran into a problem similar to yours when I tried to load a driver on non-updated older Windows (Vista, 7). I suspect the problem is that Windows does not trust the cross-signing certificates because they were issued after the date of the last update. - Martin Drab

1 Answer

As Martin Drab posted above, the problem is twofold. By the way, thanks Martin, your comment helped me solve the problem; I was able to reproduce the Windows 10 issue by setting up a VM with Secure Boot enabled.

For operating systems older than Windows 10, installing all the latest updates seems to solve the problem. If the PC has not been updated since before November 1, 2015 (when the new Microsoft Code Verification Root certificate was issued), verification fails because the kernel does not recognize the root certificate.

For Windows 10, there is a new Kernel Mode Code Signing Policy which specifies that all fresh installations of the Windows 10 Anniversary Edition will not validate any kernel code that is not signed by the Microsoft Dev Portal (which requires an EV certificate), unless it was signed with a cross-signing certificate issued on or before July 29, 2015, or Secure Boot is disabled.

The problem occurs rarely because most people do not have out-of-date Windows 7 machines, and at the time of writing most people with Windows 10 are not on a fresh Anniversary Edition install.

The only real solution for Windows 10 is to get an EV certificate.


After obtaining an EV certificate, you have to sign the driver using the Windows Hardware Developer Center Dashboard portal (a web application run by Microsoft), right? I wrote a big article about this; let me know if you have any comments: http://www.davidegrayson.com/signing. When was your StartCom cross-certificate issued? Have you tried a GlobalSign certificate? - David Grayson
You are right, once you have an EV certificate you must sign the driver through the MS Dev Portal. I had read your article before posting this, but since my driver worked on most installations I ignored the Windows 10 section; at that time I only had problems on Windows 7. Great write-up, thanks for taking the time to help others. - Birt
My certificate was issued on April 8, 2016, and the StartCom cross-certificate chain was also issued in 2016. They do not have an older cross-signing certificate; I asked their support. Also, I do not have a GlobalSign certificate, but if you confirm that it still works on a fresh install of Windows 10 Anniversary Edition with Secure Boot enabled, please post it here, because it might be worth a try, since I cannot get an EV certificate (they do not issue EV certificates to offshore companies due to the lack of a public registry, and creating a regular company for this purpose is too much hassle). - Birt
FYI, if you want to try it, Hyper-V in Windows 2012 R2 includes Generation 2 VMs that also support Secure Boot, which is how I reproduced the problem. I am pretty sure this feature is included in Windows 10. - Birt
Since you cannot get an EV certificate and your customers are running into problems, it might be worth trying a regular GlobalSign certificate. I mostly do not need to sign kernel modules, so I am unlikely to try it soon. - David Grayson