Sign a driver.
I'm curious about signing Windows drivers.
On Windows I'm using signtool.exe /a /ac [CA-file] /f [pfx-file] [driver-path]
I played around a bit with osslsigncode, but it seems that it just does not sign a *.sys file in the way the Windows driver loader expects it to be signed.
Does anyone have similar troubles?
I'd like to replicate this bug.
Could you please tell me the exact steps to reproduce this Windows driver loader issue?
Does signtool verify *.sys file signed with osslsigncode?
Nevermind, I've just used osslsigncode wrong. Thanks for your help.
For anyone who's interested, to sign a *.sys file:
osslsigncode sign -pkcs12 [pfx-file] -ac [CA-file] -in [driver-path-in] -out [driver-path-out] -askpass
My problem persists, at least with test signing enabled. Has anybody used this tool to self-sign a driver?
The error I get:
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Same problem.
signtool sign /f certificate.pfx /ac ca.crt /p "" driver.sys - driver is loaded
osslsigncode sign -pkcs12 certificate.pfx -ac ca.crt -pass "" -in driver_nosign.sys -out driver.sys - driver is not loaded
The issue still persists, so I switched back to sign drivers on a native Windows with signtool.exe. :-1:
Looks like the problem is that my pfx contains the following certificates: endpointCA (my certificate) + rootCA + IntermediateCA. Exactly in that order.
signtool uses endpointCA + IntermediateCA; osslsigncode uses endpointCA + rootCA.
It looks like signtool parses the file and selects the required certificates, while osslsigncode just takes the first two?
So to use osslsigncode we need:
- "unpack" .pfx: obtain (and decode) .key, endpointCA, and IntermediateCA.
- merge endpointCA and IntermediateCA into single file combined.crt
osslsigncode sign -spc "combined.crt" -key "my.key" -ac "ca.crt" -nolegacy -h sha1 -t "timestamp_server_url" -verbose -in driver_nosign.sys -out driver.sys
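The unpack-and-merge procedure above, worked through as an added example (editor's script, not part of the thread and not osslsigncode's own code). It assumes openssl and osslsigncode are in PATH, that the PFX password is passed as an argument, and that an optional timestamp server URL is supplied in a hypothetical TIMESTAMP_URL environment variable. Rather than taking the first two certificates in the PFX, it picks the leaf by matching it against the private key and then follows issuer links upwards, so the order of certificates in the PFX (endpointCA, rootCA, IntermediateCA, as in the analysis above) no longer matters: the self-signed root goes to ca.crt for -ac, and only leaf + intermediate(s) go into combined.crt for -spc.

```shell
#!/bin/sh
# Build the certificate files osslsigncode needs from a .pfx whose certificate
# order does not match what signtool would pick. Editor's example; assumes
# openssl in PATH. TIMESTAMP_URL is a hypothetical variable for the -t option.
set -eu

# cert_field subject|issuer FILE : print the field without the "subject=" prefix
cert_field() {
    openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# key_matches_cert KEY CERT : succeed if the certificate carries the key's public half
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# unpack_pfx PFX PASSWORD OUTDIR : writes my.key, combined.crt (leaf + intermediates,
# leaf first) and ca.crt (the self-signed root) into OUTDIR
unpack_pfx() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    # decrypted private key for osslsigncode -key
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/my.key" 2>/dev/null
    # every certificate in the bundle, in whatever order the PFX stores them
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -out "$out/all.pem" 2>/dev/null
    rm -f "$out"/cert*.pem
    awk -v d="$out" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%d.pem", d, n) }
        /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print > f }' "$out/all.pem"
    : > "$out/combined.crt"
    : > "$out/ca.crt"
    # the leaf is the certificate that matches the private key, wherever it sits
    leaf=""
    for c in "$out"/cert*.pem; do
        if key_matches_cert "$out/my.key" "$c"; then leaf=$c; fi
    done
    if [ -z "$leaf" ]; then
        echo "no certificate in $pfx matches its private key" >&2
        return 1
    fi
    cat "$leaf" >> "$out/combined.crt"
    # walk issuer links upwards; intermediates join the chain, the root goes to ca.crt
    cur=$leaf
    while [ "$(cert_field subject "$cur")" != "$(cert_field issuer "$cur")" ]; do
        issuer=$(cert_field issuer "$cur")
        next=""
        for c in "$out"/cert*.pem; do
            if [ "$(cert_field subject "$c")" = "$issuer" ]; then next=$c; break; fi
        done
        if [ -z "$next" ]; then break; fi          # issuer not in the PFX: chain ends here
        cur=$next
        if [ "$(cert_field subject "$cur")" = "$(cert_field issuer "$cur")" ]; then
            cat "$cur" >> "$out/ca.crt"            # self-signed root: -ac material only
            break
        fi
        cat "$cur" >> "$out/combined.crt"          # intermediate: part of the signing chain
    done
}

# sign_driver OUTDIR DRIVER_IN DRIVER_OUT : the osslsigncode invocation from the thread,
# fed with the files unpack_pfx produced (sha256 is the editor's choice, the thread used sha1)
sign_driver() {
    dir=$1; in_sys=$2; out_sys=$3
    set -- -spc "$dir/combined.crt" -key "$dir/my.key" -ac "$dir/ca.crt" \
           -h sha256 -verbose -in "$in_sys" -out "$out_sys"
    if [ -n "${TIMESTAMP_URL:-}" ]; then set -- -t "$TIMESTAMP_URL" "$@"; fi
    osslsigncode sign "$@"
    # optional local check before copying to Windows:
    #   osslsigncode verify -in "$out_sys" -CAfile "$dir/ca.crt"
}

# Usage, assuming codesign.pfx and driver_nosign.sys exist (not run at top level here):
#   unpack_pfx codesign.pfx "$PFX_PASS" ./unpacked
#   sign_driver ./unpacked driver_nosign.sys driver.sys
```

Note that a PFX exported by older Windows tooling may be encrypted with RC2-40, which OpenSSL 3 only reads with the `-legacy` option added to the `openssl pkcs12` commands; whether Windows accepts the resulting signature still depends on the certificate chain and signing policy, which this script does not change.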
@dartraiden Thank you for the analysis.
@olszomal I guess we can sort the certificates in our signature the same way signtool does. Am I right?
I think https://github.com/mtrojnar/osslsigncode/commit/898a53b2a745e86e5e0ad34ed23d1a77072b79bb may have fixed this issue. Can you please test if it's still reproducible on the current master branch?
@utoni Can you please check if this issue is still reproducible on the current master branch?
Yeah, I'll try this ASAP. Thank you for your effort! :)
@utoni Do you have any results for us?
Sorry for my late answer, time restrictions...
I've just tested it with /home/toni/git/osslsigncode/build/osslsigncode sign -pkcs12 '/home/toni/git/mingw-w64-dpp/codesign-code.p12' -in "$target" -out "/media/win10-data/Users/segfault/mingw64-ddk/$target", but Windoze still complains with error code 577. Do I need to change the arguments of osslsigncode to make this work?
// EDIT: signtool.exe sign /v /f "%MYDIR%/%FILENAME_PREFIX%.pfx" "%MYDIR%/%DRIVER%" still works.
I really hoped this issue was caused by the order of certificates. I searched for error code 577, and I indeed found some references to an invalid certificate chain, e.g., https://stackoverflow.com/questions/31625479/godaddy-kernel-mode-driver-signing-system-error-577
If you submit the same file signed with osslsigncode and signtool then we will investigate the differences between those files. What do you think?
Sure. Will do ASAP. Thanks for your support! :+1:
Any progress?
Sorry for being late again: Google Drive Example Drivers
@utoni, you submitted the same file signed with osslsigncode and signtool, but with different certificate chains. Therefore, I can't investigate the differences between these files.
Signing certificate chain retrieved from the dpp-example-cplusplus-EASTL-signtool.sys file signature:
------------------
Signer #0:
Subject: /CN=mingw-w64-dpp
Issuer : /CN=mingw-w64-dpp
Serial : 244F09A9992DFB9F4D777F83E17D23E1
Certificate expiration date:
notBefore : Dec 31 22:00:00 2022 GMT
notAfter : Dec 31 23:59:59 2039 GMT
Signing certificate chain retrieved from the dpp-example-cplusplus-EASTL-osslsign.sys file signature:
------------------
Signer #0:
Subject: /CN=Code Signing Authority
Issuer : /CN=codesign Root CA 1
Serial : 1D561BD1E8E49726CBAC36646C5F4FABB07073FA
Certificate expiration date:
notBefore : Jul 2 12:42:18 2023 GMT
notAfter : Jul 1 12:42:18 2026 GMT
------------------
Signer #1:
Subject: /CN=codesign Root CA 1
Issuer : /CN=codesign Root CA 1
Serial : 50421EFC83C234FA6D91133A81297948A87189
Certificate expiration date:
notBefore : Jul 2 12:42:18 2023 GMT
notAfter : Jul 1 12:42:18 2028 GMT
Please ensure that you are using the same certificate chain in both cases.
If you are still experiencing an error in loading the signed drivers, please test whether adding the -ph option to generate page hashes makes any difference. I am waiting for your feedback.
@utoni Are you still interested in further investigation of this issue?