signed driver installation failed- error (0x800b0109)
anath
2008-02-28 12:28:01 UTC
Hi all,
I have a driver package that I think I've followed its signing steps
according to the step-by-step document. The thing is that the installation of
the driver ends with no warnings or errors, but the driver is not installed
(error code 39 in the device manager), and in the setupapi log I see the
following errors:

Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but
terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 02:22:55.287
sig: {_VERIFY_FILE_SIGNATURE} 02:22:55.287
sig: Key = myFile.inf
sig: FilePath = c:\myPackage\myFile.inf
sig: Catalog = c:\myPackage\myFile.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000241: The INF was signed with an
Authenticode(tm) catalog from a trusted publisher.


But when I look at the cat file, certificate and the digital signature of
the sys file, they all look ok, and also when I check them using signtool
verify - I receive no errors.

What am I doing wrong?
rtshiva
2008-03-03 00:09:37 UTC
Error 0x800b0109 seems to mean that the certificate is not a trusted
provider. Did you add the certificate you created to the root and
trustedpublisher of the local system?
Post by anath
Hi all,
I have a driver package that I think I've followed its signing steps
according to the step-by-step document. The thing is that the installation of
the driver ends with no warnings or errors, but the driver is not installed
(error code 39 in the device manager), and in the setupapi log I see the
Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but
terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 02:22:55.287
sig: {_VERIFY_FILE_SIGNATURE} 02:22:55.287
sig: Key = myFile.inf
sig: FilePath = c:\myPackage\myFile.inf
sig: Catalog = c:\myPackage\myFile.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000241: The INF was signed with an
Authenticode(tm) catalog from a trusted publisher.
But when I look at the cat file, certificate and the digital signature of
the sys file, they all look ok, and also when I check them using signtool
verify - I receive no errors.
What am I doing wrong?
anath
2008-03-03 06:06:00 UTC
Hi,
I've added to the certificate store using the following commands:
certmgr.exe -add -all "C:\myCer.cer" -s -r localMachine root
certmgr.exe -add -all "C:\myCer.cer" -s -r localMachine trustedpublisher

I also succeed in verification:
Signtool verify /pa /v /c C:\myCat.cat C:\myDriver.sys

Verifying: C:\myDriver.sys
File is signed in catalog: C:\myCat.cat
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 8/1/2028 3:59:59 PM
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 7/15/2014 3:59:59 PM
SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXx

Issued to: myCompany, Inc.
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 7/8/2009 3:59:59 PM
SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXX

The signature is timestamped: 2/28/2008 1:38:29 AM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 12/31/2020 3:59:59 PM
SHA1 hash: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 12/3/2013 3:59:59 PM
SHA1 hash: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 6/14/2012 3:59:59 PM
SHA1 hash: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

Successfully verified: C:\myDriver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0


But I think I know what the problem is (just don't know how to solve it).
I've done the signing according to the walkthrough document, and the signing
part with MSCV-VSClass3.cer I fail to do. I couldn't find this certificate on
the target machine. How can I find it?

I fail the following commands:
Signtool sign /v /ac MSCV-VSClass3.cer /s my /n repx /t
http://timestamp.verisign.com/scripts/timestamp.dll C:\myCat.cat

SignTool Error: No certificates were found that met all the given criteria.
Ian Blake
2008-03-03 10:50:03 UTC
On Sun, 2 Mar 2008 22:06:00 -0800, anath
Post by anath
But I think I know what the problem is (just don't know how to solve it).
I've done the signing according to the walkthrough document, and the signing
part with MSCV-VSClass3.cer I fail to do. I couldn't find this certificate on
the target machine. How can I find it?
Signtool sign /v /ac MSCV-VSClass3.cer /s my /n repx /t
http://timestamp.verisign.com/scripts/timestamp.dll C:\myCat.cat
SignTool Error: No certificates were found that met all the given criteria.
I assume you have downloaded this file from
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx


MSCV-VSClass3.cer is the cross certificate for Verisign. You DO NOT
add it to the certificate store. It is just a file, so you need to
specify where you have put it.

Signtool sign /v /ac C:\MyImportantFiles\MSCV-VSClass3.cer /s my /n
repx /t http://timestamp.verisign.com/scripts/timestamp.dll
C:\myCat.cat
anath
2008-03-10 15:13:01 UTC
Hi,
Thank you for your help.
I downloaded the cross certificate for verisign (my CA)
and signed my cat file and my sys file with them.
Here is my process of digital signing:

:: generate a catalog file from it using:
MakeCat.Exe -v myCdf.cdf

:: release sign the catalog file
Signtool sign /v /ac MSCV-VSClass3.cer /s my /n net myCat.cat

:: verify the signature of the sys file in the catalog file:
Signtool.exe verify /kp /v /c mycat.cat myDriver.sys

Signtool.exe verify /pa /v /c myCat.cat myDriver.sys

:: Release Sign a Driver Image File by Using an Embedded Signature
Signtool.exe sign /v /ac MSCV-VSClass3.cer /s my /n net myDriver.sys

:: verify the embedded signature
Signtool.exe verify /kp /v myDriver.sys

I copy the driver package to the target Windows server machine and install
the driver.
The installation passes (and also I don't encounter problems on reboot) and
the device state is functioning properly.
However, when I look at the setupapi.log, I still see errors:


! sig: Verifying file against specific (valid) catalog failed!
(0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but
terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 07:57:09.156
sig: {_VERIFY_FILE_SIGNATURE} 07:57:09.156
sig: Key = myInf.inf
sig: FilePath = c:\users\administrator\desktop\myInf.inf
sig: Catalog = c:\users\administrator\desktop\myCat.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm)
signed catalog has not yet been established as trusted.


Do I need to install my certificate on the target machine? (On the
trusted publishers store, as in test signing?)
I tried to do that, but when I do, the second error (0xe0000242) is gone,
but I still remain with the first error - 0x800b0109.
What does this mean?
Ian Blake
2008-03-17 10:19:36 UTC
Post by anath
I copy the driver package to the target Windows server machine and install
the driver.
The installation passes (and also I don't encounter problems on reboot) and
the device state is functioning properly.
! sig: Verifying file against specific (valid) catalog failed!
(0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but
terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 07:57:09.156
sig: {_VERIFY_FILE_SIGNATURE} 07:57:09.156
sig: Key = myInf.inf
sig: FilePath = c:\users\administrator\desktop\myInf.inf
sig: Catalog = c:\users\administrator\desktop\myCat.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm)
signed catalog has not yet been established as trusted.
Do I need to install my certificate on the target machine? (On the
trusted publishers store, as in test signing?)
I tried to do that, but when I do, the second error (0xe0000242) is gone,
but I still remain with the first error - 0x800b0109.
What does this mean?
Sorry for the late response. (skiing last week :-))

AFAIK you can not get rid of all the errors in the log with self
signing. The setup process first checks for a WHQL signature which
generates a failure code for self signing. It then looks for self
signing and continues. If both WHQL and Self Signing are faulty then
the driver will not load. In your case the Self Signing is good and
loading continues despite the error caused by the absence of a WHQL
signature.
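
A small triage script for the setupapi log excerpts discussed in this thread, added here as an example and not written by any of the posters. It reads the three codes as the quoted log lines describe them; the function name `triage`, the verdict labels and the re-joined sample excerpt are assumptions made for illustration.

```python
import re

# Codes as they appear in the setupapi log lines quoted in this thread.
UNTRUSTED_ROOT = 0x800B0109         # chain ends in a root the trust provider does not trust
PUBLISHER_TRUSTED = 0xE0000241      # Authenticode catalog from a trusted publisher
PUBLISHER_NOT_TRUSTED = 0xE0000242  # publisher not yet established as trusted

CODE_RE = re.compile(r"\b0x[0-9a-fA-F]{8}\b")
FIELD_RE = re.compile(r"sig:[ \t]*(Key|FilePath|Catalog)[ \t]*=[ \t]*(.+)")

# Sample input: the excerpt posted on 2008-03-10, re-joined onto single lines.
SAMPLE = r"""
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 07:57:09.156
sig: Key = myInf.inf
sig: FilePath = c:\users\administrator\desktop\myInf.inf
sig: Catalog = c:\users\administrator\desktop\myCat.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
"""

def triage(excerpt):
    """Summarise one signature-verification excerpt (hypothetical helper)."""
    codes = {int(c, 16) for c in CODE_RE.findall(excerpt)}
    fields = {k: v.strip() for k, v in FIELD_RE.findall(excerpt)}
    authenticode = "File is signed in Authenticode" in excerpt
    if UNTRUSTED_ROOT not in codes:
        verdict = "no-untrusted-root-error"
    elif not authenticode:
        verdict = "no-valid-signature"  # first check failed, no Authenticode success
    elif PUBLISHER_NOT_TRUSTED in codes:
        verdict = "authenticode-publisher-not-trusted"
    elif PUBLISHER_TRUSTED in codes:
        verdict = "authenticode-publisher-trusted"
    else:
        verdict = "authenticode-trust-unknown"
    return {"verdict": verdict, "codes": sorted(hex(c) for c in codes), **fields}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The verdict only restates what the log reports for that catalog; it does not say whether the driver loaded.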
