Troubleshoot Driver development: Signed driver not recognized by Windows CodeIntegrity 3004 - driver

Short description: I have a signed driver that passes SignTool verification but Windows refuses to load it with error: CodeIntegrity 3004 - file hash not found on system. How do I fix this?
Long description:
I'm using the Cypress Suite USB 3.4.7 development kit to create a USB driver for our instrument to run under Windows 7 64-bit. I've configured the INF with the proper IDs and the unsigned driver works fine as long as I bypass driver signature enforcement. I want to create a signed driver and have been following the steps described in http://www.davidegrayson.com/signing/
I've created a catalog file using Inf2Cat v3.2 with the /os:7_X64 flag among others. I'm using SignTool /sha1 to sign and can verify signatures on the .cat and cyusb.sys files. File explorer shows that both files have digital signatures and the advanced tab shows "This digital signature is OK."
I plug in my USB device and it shows up as an Unknown device in Device Manager. I select Update Driver and I see a screen stating that the driver is signed by me. I continue and after a few moments the installation fails, stating that the driver is not properly signed. Event Viewer shows a CodeIntegrity error 3004, "Windows is unable to verify the image integrity of CYUSB.sys because the file hash could not be found on the system".
I haven't been able to find an explanation for this "file hash" that could not be found. Any help with how to further troubleshoot and resolve this issue would be GREATLY appreciated!

The error message in the event log is misleading. The missing "file hash" is really a Microsoft Root level certificate. I had my driver signed by GlobalSign ObjectSign CA which was a valid signature but I did not specify the cross-certificate which links GlobalSign to the Microsoft root certificate.
To clearly detect the original error I needed to use SignTool Verify with the /kp switch which tests for kernel level permissions needed by this USB driver. Using that switch I got an error clearly stating it couldn't find the Microsoft root certificate.
I downloaded the cross certificate for GlobalSign here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx
Using /ac switch with SignTool Sign I was able to sign the .cat file with a chain that went down to the Microsoft root certificate. This driver successfully installed on a Win 7 64-bit system. Victory!
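The sign-then-verify sequence the answer describes, as an added PowerShell example that is not part of the original post. The signtool path, the cross-certificate path, the certificate thumbprint and the catalog path are placeholders to replace with your own values; the timestamp URL is the one quoted elsewhere on this page.

```powershell
# Added example (not from the original post): sign a driver catalog with the
# CA's cross-certificate so the chain reaches the Microsoft root, then verify
# it against the kernel-mode policy and read back any CodeIntegrity 3004 events.
# Every path and the thumbprint below are assumptions/placeholders.

$signTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'  # assumed install path
$crossCert = 'C:\certs\GlobalSign-CrossCert.cer'   # placeholder: cross-certificate downloaded from the Microsoft page linked above
$thumb     = '0000000000000000000000000000000000000000'  # placeholder: SHA-1 thumbprint of your code-signing certificate
$tsUrl     = 'http://timestamp.globalsign.com/?signature=sha2'  # timestamp server quoted in the Jenkins answer on this page
$catalog   = 'C:\driver\cyusb.cat'                 # placeholder: catalog produced by Inf2Cat

# /ac supplies the cross-certificate; /sha1 selects the signing certificate by thumbprint.
& $signTool sign /v /ac $crossCert /sha1 $thumb /tr $tsUrl /td sha256 $catalog
if ($LASTEXITCODE -ne 0) { throw "signing failed with exit code $LASTEXITCODE" }

# /kp applies the kernel-mode driver signing policy. A plain 'verify' passes even
# when the chain stops at a non-Microsoft root, which is exactly what the post hit.
& $signTool verify /v /kp $catalog
if ($LASTEXITCODE -ne 0) { throw "catalog does not satisfy the kernel-mode signing policy" }

# After an install attempt, pull recent 3004 events from the CodeIntegrity operational log
# so the installer's generic "not properly signed" message can be matched to the real cause.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3004 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The important line is the `verify /kp` call: run it on every build output before shipping, because it reproduces the kernel-mode chain check that the installer applies, while the Explorer "This digital signature is OK" dialog does not. Note that Microsoft has since retired cross-signing for new kernel drivers in favour of Hardware Dev Center (attestation) signing, which a later answer on this page also points to.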

Related

Delphi FMX Mac app not connecting to internet when configured for "Application Store" using Indy

I developed an Apple app that I am testing on a Mac Mini. When I set the Delphi configuration to "Normal" then build and run the app on the Mac, the program starts up and connects to the internet without problems. Once the program has been built and run on the Mac, I can go into the scratch-dir folder on the Mac (created by Delphi's PSServer) and run the "app" file without problems also.
However, when I change the configuration to "Application Store", rebuild, then use the Deploy button to create the "app" and "pkg" files on the Mac, the app will no longer work when trying to access the internet. Any internet access attempt fails. This happens with both the rebuilt "app" file in the scratch-dir folder, and when I install the "pkg" file and try to run the program.
Note: this app uses the Indy components TIdFTP and TIdSMTP to access an FTP server and to send emails. Both of these work with the "Normal" app, and both fail with the "Application Store" app. The fact that both components fail with the "Application Store" build probably indicates that this is not an Indy problem. But just in case, for the FTP connection, I just get an "Unable to connect to FTP" message that is from my program, I have not added additional error handling to see what fails with the FTP. For the email failure, Indy raises an "Error resolving Address smtp.office365.com: nodename nor servname provided, or not known (8)" exception.
Any suggestions on how to determine why my "Application Store" build isn't working?
Additional info on 2023-01-03. Just simply changing from Normal configuration to Store Application and doing a deploy causes the problem. I checked the messages given out by Delphi during the builds and the Normal and Store build messages match. For the deploy, the only difference in messages is that the Normal configuration does a quick compile (not build) and the Store configuration adds the "Apple Distribution" and "3rd Party Mac Developer Installer" info to the deployment.
As mentioned by both Remy Lebeau and Dave Nottage, the problem with the Application Store compile was not having Outgoing network socket for connecting checked in the Entitlement List for the Mac. Checking that option allows the Application Store compile to access the internet.
Note: not sure why compiling the project when set to Normal configuration does not require Outgoing network socket for connecting but the Application Store compile does. Makes things confusing and causes a lot of head scratching.

SignTool under Jenkins cannot find matching certificate with USB Token

I want to build and code-sign a WPF application and deploy it using ClickOnce using Jenkins.
My setup is:
Jenkins (newest version, running Admin)
certificate on a USB token, activated single logon in SafeNet Client since the USB token shows a pop-up to enter the token password
running signtool.exe sign /a /v "<path>\Shared.dll" in the admin console works well
running the same command as an AfterCompile/AfterPublish build command results in the following error: SignTool error : No certificates were found that met all the given criteria.
Found a few related issues here and here, but no solutions yet.
How can I make sure the Jenkins service finds the USB token when running the signtool command?
If you are running Jenkins as a Windows service, you need to change the properties of the Jenkins service in Services.
Right-click and select Properties. On the "Log On" tab, select "This account" and enter your credentials.
Do not forget to check "enable single sign on" in the SafeNet Authentication Client as described here.
To sign with a USB token:
"signtool.exe" sign /a /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 "your_file"
It worked for me. I hope it helps you, too.
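A diagnostic for the situation this answer fixes, added here as an example and not part of the original answer. Run it both from the admin console and as a Jenkins build step: the token's certificate lives in the CurrentUser store of the user who logged in to the token, so a service running as LocalSystem sees no matching certificate and `signtool /a` reports "No certificates were found". The function name is mine; the store paths and the Code Signing EKU OID are standard.

```powershell
# Added example (not from the original answer): report which identity is executing
# this step and which code-signing certificates with a private key it can see.
# Compare the output from the interactive console with the output from a Jenkins
# build step to confirm a service-identity mismatch before changing the Log On account.

function Get-CodeSigningCandidates {
    param([string]$StoreLocation = 'CurrentUser')
    Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })  # Code Signing EKU
        } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'Store'; Expression = { $StoreLocation } }
}

"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

$candidates = @(Get-CodeSigningCandidates -StoreLocation 'CurrentUser') +
              @(Get-CodeSigningCandidates -StoreLocation 'LocalMachine')

if ($candidates.Count -eq 0) {
    Write-Warning 'No code-signing certificate with a private key is visible to this identity; signtool /a will fail here.'
    Write-Warning 'Run the Jenkins service under the account that logged in to the token (Services > Log On) and enable single logon in the SafeNet client.'
} else {
    $candidates | Format-Table -AutoSize
}
```

When the Jenkins step prints a service account (for example `NT AUTHORITY\SYSTEM`) and an empty list while the console prints your user and the token certificate, the fix is the Log On change above rather than anything in the signtool command line.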

Details about signed Windows driver

I have a custom Windows driver which has been used until now without a signature. I want to sign it to avoid warning messages while installing on Windows 7 and to allow installation on Windows 10 without needing to disable some options. Currently I am testing with a self-signed certificate and the plan is to buy a real certificate when the tests are finished. There are 3 questions:
1) My first test is on Windows XP (VM). XP said that the driver was signed at the beginning of the installation, but later a message was displayed: "The software... has not passed Windows Logo testing to verify its compatibility...". The same message was displayed before with the unsigned driver. Is it necessary to do something else for "Windows Logo testing" or does it depend on the type of certificate? Can it be installed on Windows 10 without such Windows Logo testing?
2) The driver signature is made on the .CAT file and in this way all files are identified. Is it necessary to sign the .DLLs separately?
3) My current WDK is an old version and the Inf2cat tool does not have the /os option for Windows 10 (10_X64). If the signature is for Windows 7 (/os:7_X64), can it be installed on Windows 10?
Which is your driver, kernel mode or user mode?
I don't know about user mode drivers well, so I answer about kernel mode drivers.
1)
If you want to install a kernel mode driver on Windows 10, it should be signed by Microsoft.
See also:
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/
2)
No. You only need to sign .CAT file.
3)
You can install a driver which has a signature for Windows 7, if it has Attestation Signing.
https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

Visual Studio remotebuild for iOS fails with Error: self signed certificate in certificate chain

I have a Mac mini configured as the remotebuild server. Remote building my cordova app to the Mac was working ok in secure mode for a while but I was suddenly greeted with an Error: self signed certificate in certificate chain.
I've followed several suggestions of running the commands,
remotebuild certificates reset
remotebuild certificates generate
then updating the pin accordingly in Visual Studio to no avail. I can build successfully when running in non-secure mode.
remotebuild --secure-mode false
I've also tried cleaning my solution in VS2015, nuking the certs folder on the Mac and re-installing remotebuild. It may be worth noting that something in the build process was constantly corrupting the remote_ios.json file so I was having to keep removing that file to build every other time as explained here.
Any ideas on how to get around this error or why it would suddenly be a point of failure?
This "self signed certificate in certificate chain" error can happen if remotebuild generates a certificate under one identity (hostname / ip address) and is accessed via another one. The client will look at the certificate and find that it doesn't match what it expected, and so it does not trust the server. My guess is that it began failing for you due to a change in your network architecture.
If you know the identity that other machines will attempt to use, for example if they will use some.buildserver.local, then you can instruct remotebuild to generate a certificate using that identity via remotebuild --hostname="some.buildserver.local" --secure=true saveconfig && remotebuild certificates reset && remotebuild certificates generate.
Once you have created new certificates that should match client expectations, if you reconfigure them then they should accept the server's certificate.
Also apart from those I did restart my client computer as well.

Windows 8.1 and signed driver problems

I have a driver which is signed using the steps in this link:
http://technet.microsoft.com/en-us/library/dd919238(v=ws.10).aspx
When I try to install this driver on Windows 8.1 it fails. The driver can install on all other operating systems.
When I restart the computer and disable driver signature enforcement and start the driver install, a message appears saying that the publisher of the driver is unknown and asks me if I want to continue the install or not. If you choose to install then the driver is installed on Windows 8.1. So the problem must be something with the driver signature, I guess.
Taken from the link: "The driver is marked as "Not Trusted" because Windows cannot validate the certificate against any of the trusted certificates in the per computer Trusted Root Certification Authorities store".
As this driver is meant to run on customer machines this problem is really annoying.
So:
Will this problem be solved if I make the driver marked as "Trusted", and how do I do that?
Or does someone know an easier workaround for this problem?
You should try using /tr instead of /t because I have experienced trouble with the /tr option as described in my article, Practical Windows Code and Driver Signing.
What exactly do you mean by "it fails"? What error message do you get, or what unexpected behavior? Could you post the .CAT file here so we can look at your signature? Does your certificate use SHA1 or SHA2? What about the CAT file and the signature of the CAT file?
You could consider buying a certificate instead of making one yourself. Then you wouldn't have to worry about putting your certificate in the Trusted Root Certification Authorities list and the Trusted Publishers list on all of your customers' computers.
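The questions asked above (is the signature there, does the chain reach a trusted root on this machine, which hash algorithm signed the certificate, is there a timestamp) can be answered from PowerShell on the target system. This is an added example, not code from the original answer; the function name and the file paths are mine, and the path list should be replaced with your own .cat and .sys.

```powershell
# Added example (not from the original answer): inspect a driver package's
# signatures the way Windows will, separating "signature present" from
# "chain trusted on this machine", and showing the algorithm the CA used to
# sign the signer certificate plus the timestamp authority, if any.

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError (typically an untrusted root)
        Signer      = $null
        CertAlgo    = $null             # algorithm the CA used to sign the signer certificate (sha1RSA vs sha256RSA)
        Timestamper = $null
        ChainOK     = $false
        ChainNote   = ''
    }
    if ($sig.SignerCertificate) {
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.CertAlgo = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        if ($sig.TimeStamperCertificate) { $result.Timestamper = $sig.TimeStamperCertificate.Subject }

        # Build the chain against this machine's trust stores, as the installer does.
        # A self-made certificate fails here with UntrustedRoot unless it was imported
        # into Trusted Root Certification Authorities on this machine.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        $result.ChainOK   = $chain.Build($sig.SignerCertificate)
        $result.ChainNote = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    [pscustomobject]$result
}

# Check the catalog (what Windows validates) and the binary it covers; placeholder paths.
'C:\driver\mydriver.cat', 'C:\driver\mydriver.sys' |
    ForEach-Object { Test-DriverSignature -Path $_ } |
    Format-List
```

A `Status` of `Valid` with `ChainOK` false and `UntrustedRoot` in `ChainNote` is the "Not Trusted" case quoted from the TechNet article: the signature is intact but the issuing root is not in the machine's Trusted Root Certification Authorities store, which is the situation a purchased certificate avoids.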
