E
Eugene Muzychenko
Guest
GlobalSign offers different Microsoft cross certificates on their site: R1 (CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32) and R3 (814A5BB5E9093011E121E75169008F6F4667363D). For EV code signing for Win7/8, R1 is recommended, together with GS-GS "R1-R3" cross certificate (0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71).
I noticed that signing a kernel-mode driver module both ways (with R1 and R1-R3 installed as Intermediate, or with R3 only) produce signatures that are successfully verified by signtool/kp, both in the developer and target Win7/8 systems, with all signtool versions, from 6.1.7600 to 10.0.18362. But only the second signature (R1 and R1-R3) is accepted by Win7/8 kernel module loader.
Signatures made with only R3 certificate make the driver non-loadable, but only if there is no Internet connection. If there is a connection, Application Compatibility Verifier produces standard "unsigned driver" message, but the driver is actually loaded. If I disconnect the system from the Internet, the driver is loaded after uninstallation and next installation, until the system is rebooted.
Such situation is quite strange. There must be a reproductible signature verification algorithm that completes successfully on a valid signature, and fails on an invalid one. If two signatures are reported as valid but only one of them
really works, driver signing becomes a kind of magic.
Is there a reliable way to detect a wrong signature other than trying to install the driver on a target system? Where the problem could be located, in Win7/8 kernel module loader, or in the signtool utility?
Cross certificate chain with R1 and R1-R3 (driver is fully loadable):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: GlobalSign Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 21:05:08 2021
SHA1 hash: CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32
Issued to: GlobalSign
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 13:00:00 2028
SHA1 hash: 0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71
Issued to: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Issued by: GlobalSign
Expires: Sat Jun 15 01:00:00 2024
SHA1 hash: 87A63D9ADB627D777836153C680A3DFCF27DE90C
Issued to: Muzychenko Evgenii Viktorovich, IP
Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Expires: Tue Aug 18 12:57:24 2020
SHA1 hash: D25CEAE07AE5BA4193D69126003095E85A33BBE1
Cross certificate chain with only R3 (driver is partially loadable):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: GlobalSign
Issued by: Microsoft Code Verification Root
Expires: Wed Jun 04 18:47:53 2025
SHA1 hash: 814A5BB5E9093011E121E75169008F6F4667363D
Issued to: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Issued by: GlobalSign
Expires: Sat Jun 15 01:00:00 2024
SHA1 hash: 87A63D9ADB627D777836153C680A3DFCF27DE90C
Issued to: Muzychenko Evgenii Viktorovich, IP
Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Expires: Tue Aug 18 12:57:24 2020
SHA1 hash: D25CEAE07AE5BA4193D69126003095E85A33BBE
Continue reading...
I noticed that signing a kernel-mode driver module both ways (with R1 and R1-R3 installed as Intermediate, or with R3 only) produce signatures that are successfully verified by signtool/kp, both in the developer and target Win7/8 systems, with all signtool versions, from 6.1.7600 to 10.0.18362. But only the second signature (R1 and R1-R3) is accepted by Win7/8 kernel module loader.
Signatures made with only R3 certificate make the driver non-loadable, but only if there is no Internet connection. If there is a connection, Application Compatibility Verifier produces standard "unsigned driver" message, but the driver is actually loaded. If I disconnect the system from the Internet, the driver is loaded after uninstallation and next installation, until the system is rebooted.
Such situation is quite strange. There must be a reproductible signature verification algorithm that completes successfully on a valid signature, and fails on an invalid one. If two signatures are reported as valid but only one of them
really works, driver signing becomes a kind of magic.
Is there a reliable way to detect a wrong signature other than trying to install the driver on a target system? Where the problem could be located, in Win7/8 kernel module loader, or in the signtool utility?
Cross certificate chain with R1 and R1-R3 (driver is fully loadable):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: GlobalSign Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 21:05:08 2021
SHA1 hash: CC1DEEBF6D55C2C9061BA16F10A0BFA6979A4A32
Issued to: GlobalSign
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 13:00:00 2028
SHA1 hash: 0BBFAB97059595E8D1EC48E89EB8657C0E5AAE71
Issued to: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Issued by: GlobalSign
Expires: Sat Jun 15 01:00:00 2024
SHA1 hash: 87A63D9ADB627D777836153C680A3DFCF27DE90C
Issued to: Muzychenko Evgenii Viktorovich, IP
Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Expires: Tue Aug 18 12:57:24 2020
SHA1 hash: D25CEAE07AE5BA4193D69126003095E85A33BBE1
Cross certificate chain with only R3 (driver is partially loadable):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 14:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: GlobalSign
Issued by: Microsoft Code Verification Root
Expires: Wed Jun 04 18:47:53 2025
SHA1 hash: 814A5BB5E9093011E121E75169008F6F4667363D
Issued to: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Issued by: GlobalSign
Expires: Sat Jun 15 01:00:00 2024
SHA1 hash: 87A63D9ADB627D777836153C680A3DFCF27DE90C
Issued to: Muzychenko Evgenii Viktorovich, IP
Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Expires: Tue Aug 18 12:57:24 2020
SHA1 hash: D25CEAE07AE5BA4193D69126003095E85A33BBE
Continue reading...