From: DenisCo on 7 Nov 2009 17:49

OOpsi!

Okay now it is different it says:
SignTool Error: No certificates were found that met all the given criteria.
What is wrong again?

Comment: There should be a better way to do this...

Denis

"Gianluca Varenni" <gianluca.varenni(a)community.nospam> wrote in message news:%23QgmudqXKHA.4688(a)TK2MSFTNGP06.phx.gbl...
> I would probably try removing the cross-signing (/ac c:\verisign\mscv-vsclass3.cer) and the timestamping (/t http....) and see if still fails. And then add those two parameters one by one.
>
> Just my two cents
> GV
>
> "Denis @ TheOffice" <denisco(a)ica.net> wrote in message news:%23X9r$ajXKHA.408(a)TK2MSFTNGP04.phx.gbl...
>> This is my understanding so far, feel free to correct me if I am wrong.
>> Looking at my issue and others similar to mine as well as all the documentation I read so far.
>> That is in the context of 64 Bit Vista/7
>>
>> The Logo certification is not mandatory in order to load a USB driver.
>> In order to load the package must be signed with a KMCS signature.
>>
>> The KMCS signature is made based on a certification purchased from an authorized CA vendor,
>> and a Cross Certificate obtain found at:
>> http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
>>
>> Must also use the signtool provided in the latest WDK (such as WDK 7600.16385.0)
>>
>> Now my situation and dilemma is at this point:
>> I have bought a VeriSign Authenticode certification.
>> Convert and import my spc file in my personal store.
>>
>> Now when I try to sign my driver I am getting this error.
>>
>> SignTool sign /v /ac C:\Verisign\MSCV-VSClass3.cer /s my /n "DATAWIND NET ACCESS CORPORATION"
>> /t http://timestamp.verisign.com/scripts/timestamp.dll MyUsb.sys
>> The following certificate was selected:
>> Issued to: DATAWIND NET ACCESS CORPORATION
>> Issued by: VeriSign Class 3 Code Signing 2009-2 CA
>> Expires: Wed Sep 22 18:59:59 2010
>> SHA1 hash: 196399AA62717B1430405533474B44BDFD13C947
>>
>> SignTool Error: An unexpected internal error has occurred.
>> Error information: "CryptQueryObject" (-2147024893/0x80070003)
>>
>> I am stuck help if you please?
>> Denis

From: Tim Roberts on 7 Nov 2009 19:43

"DenisCo @ Work" <denisco(a)ica.net> wrote:
>
>OOpsi!
>
>Okay now it is different it says:
>SignTool Error: No certificates were found that met all the given criteria.
>What is wrong again?

"Now it is different"? What did you change? You need the cross-certificate and the timestamp to satisfy KMCS. The "no certificates found" message means it didn't match your certificate name in the specified store.

Are you using the 7600 WDK? There was a bug in signtool in the pre-release 7100 WDKs such that a search by cert name did not work -- you had to use a hash. That was fixed in the final.

>Comment: There should be a better way to do this...

It's a complicated task. Once you get the recipe, you'll be set from then on.
--
Tim Roberts, timr(a)probo.com
Providenza & Boekelheide, Inc.
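
The "no certificates found" diagnosis in the reply above can be checked directly against the certificate stores. This is an added example, not code from the thread or from any poster: a PowerShell sketch that lists each Personal-store certificate with the properties that commonly decide whether SignTool can select it, then prints a command selecting by SHA1 hash. The subject name, cross-certificate path, timestamp URL and driver name are the values quoted in the posts; the function name `Get-SigningCandidate` and the choice of checks are assumptions of this example.

```powershell
# Added example (not from the thread). Values below are the ones quoted in the posts.
$subjectName = 'DATAWIND NET ACCESS CORPORATION'
$crossCert   = 'C:\Verisign\MSCV-VSClass3.cer'
$timestamp   = 'http://timestamp.verisign.com/scripts/timestamp.dll'
$driver      = 'MyUsb.sys'
$codeSigning = '1.3.6.1.5.5.7.3.3'   # OID of the Code Signing enhanced key usage

# Hypothetical helper: report on every certificate in the Personal ("My") store
# of the given location (CurrentUser or LocalMachine).
function Get-SigningCandidate {
    param([string]$Name, [string]$Location)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $ekuOids = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
                }
            }
            [pscustomobject]@{
                Location       = $Location
                Subject        = $cert.GetNameInfo('SimpleName', $false)
                Thumbprint     = $cert.Thumbprint
                NameMatches    = $cert.Subject -like "*$Name*"   # what /n searches for
                HasPrivateKey  = $cert.HasPrivateKey             # false if only the public cert was imported
                CodeSigningEku = $ekuOids -contains $codeSigning
                InValidity     = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -ge (Get-Date))
            }
        }
    } finally { $store.Close() }
}

$all = 'CurrentUser', 'LocalMachine' | ForEach-Object { Get-SigningCandidate $subjectName $_ }
$all | Format-Table -AutoSize

# For each usable certificate, print a SignTool command that selects it by SHA1 hash.
# /sm tells SignTool to look in the machine store instead of the current user's store.
$all | Where-Object { $_.NameMatches -and $_.HasPrivateKey -and $_.CodeSigningEku -and $_.InValidity } |
    ForEach-Object {
        $machine = if ($_.Location -eq 'LocalMachine') { '/sm ' } else { '' }
        "signtool sign /v /ac $crossCert /s my $machine/sha1 $($_.Thumbprint) /t $timestamp $driver"
    }
```

A row with `NameMatches` true but `HasPrivateKey` false, or a match that appears only under `LocalMachine`, explains an empty selection from `/s my /n`.
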
From: DenisCo on 7 Nov 2009 20:55

What did you change?

I forgot about the "VeriSign" path I just moved it.
Also I am at home right now and have imported my pfx in.

Something very troubling though...
In the KMCS_Walkthrough it talks about this in page 33 in step 2 Obtain an SPC.
Would you know what does that mean?

Important: For signing kernel-mode drivers, the certificates and key stored in the .pfx file must be imported into the local Personal certificate store. SignTool does not support using .pfx files for signing kernel-mode drivers. The restriction is due to a conflict in adding cross-certificates in the signature while using a certificate from a .pfx file.

Denis

"Tim Roberts" <timr(a)probo.com> wrote in message news:gu4cf5ll6eo7ultgsn9torsgq7l484br04(a)4ax.com...
> "DenisCo @ Work" <denisco(a)ica.net> wrote:
>>
>>OOpsi!
>>
>>Okay now it is different it says:
>>SignTool Error: No certificates were found that met all the given criteria.
>>What is wrong again?
>
> "Now it is different"? What did you change? You need the cross-certificate and the timestamp to satisfy KMCS. The "no certificates found" message means it didn't match your certificate name in the specified store.
>
> Are you using the 7600 WDK? There was a bug in signtool in the pre-release 7100 WDKs such that a search by cert name did not work -- you had to use a hash. That was fixed in the final.
>
>>Comment: There should be a better way to do this...
>
> It's a complicated task. Once you get the recipe, you'll be set from then on.
> --
> Tim Roberts, timr(a)probo.com
> Providenza & Boekelheide, Inc.