- Properly signed kernel 64bit driver rejected to run on Vista 64bit
- Posted by Jan on May 7th, 2007
Hello,
Our problem is simple: We've got a 64bit kernel startup driver and a
certificate purchased from GlobalSign (should be ok for Vista kernel 64bit
signing). We followed guide at
http://www.microsoft.com/whdc/winlog...lkthrough.mspx and
signed the file using signtool with embedded signature (we signed the driver
file itself) and verified it with "signtool verify /kp file.sys" command. All
checks were OK, BUT after the installation (system start driver) on a testing
machine with Vista Ultimate 64bit, the OS refused to run this file with a
CodeIntegrity message:
"Windows is unable to verify the image integrity of the file file.sys
because file hash could not be found on the system. A recent hardware or
software change might have installed a file that is signed incorrectly or
damaged, or that might be malicious software from an unknown source."
This doesn't make any sense to us. What does this message mean? What went
wrong? Unsupported certificate? Not properly signed file? Should we install
any root certificates or something on users'/testing machine?
We tried to solve this issue with GlobalSign staff, but they seem to be totally
incompetent.
Thanks for any help.
Regards,
Jan
- Posted by Thomas F. Divine on May 7th, 2007
If the driver has a companion WHQL test then self-signing will only work for
testing on x64. And then only if testsigning is enabled. There is (I
believe) an F8 boot-time option to enable testsigning on Vista. You can also
use BCDEDIT /set testsigning on to run a test-signed driver on Vista x64 for
testing.
If your driver type has a companion WHQL test, then you must get the driver
signed by WHQL before you distribute it. This restriction may also apply to
boot-time drivers regardless of type, but I am not an authority on this.
You should open a support incident with Microsoft to get this resolved. Any
guidance that you may get from newsgroups will be second-hand and may not
apply to your specific issue.
Thomas F. Divine
"Jan" <Jan@discussions.microsoft.com> wrote in message
news:46D7C71E-688B-4E76-9030-365E8D7ED269@microsoft.com...
- Posted by Jan on May 7th, 2007
The driver doesn't have a companion WHQL test. When we enable testsigning, then
it works fine, of course.
Our driver was signed for release with the real authenticode certificate
from a real CA - it should work, but it doesn't.
Jan
"Thomas F. Divine" wrote:
- Posted by Gianluca Varenni on May 7th, 2007
I suppose you signed and cross-signed the binary, right?
Can you load your driver after the boot in some way, to see if the signature
is valid?
Have a nice day
GV
"Jan" <Jan@discussions.microsoft.com> wrote in message
news:46D7C71E-688B-4E76-9030-365E8D7ED269@microsoft.com...
- Posted by Thomas F. Divine on May 7th, 2007
Have you signed the driver binary and the .CAT (if there is a .CAT file...).
Thomas F. Divine
"Jan" <Jan@discussions.microsoft.com> wrote in message
news:4D4AC659-10C1-4E3D-9B63-7C7BEE42827B@microsoft.com...
- Posted by Jan on May 7th, 2007
We used this signtool command to sign driver file:
signtool sign /ac MSCV-GlobalSign.cer /s my /n "Our store name" /t
http://timestamp.verisign.com/scripts/timestamp.dll ourfile.sys
and then verification command:
signtool verify /kp ourfile.sys
All was OK - but the driver is not allowed to run on Vista 64bit.
When we check the signature through the file's properties, we receive the
message "Digital signature is OK".
The only way to run the driver is to disable signature checking on Vista
64bit, but that is useless - we're testing the signature, not the driver
functionality.
Jan
"Gianluca Varenni" wrote:
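The two things being argued about in this thread are whether the test machine is really enforcing kernel-mode signing (Thomas's testsigning remarks) and whether Jan's `signtool sign /ac ...` command actually put the cross-certificate into the embedded signature. The script below is an added example, not code from any poster: it reads the driver's Authenticode signature from user mode, lists the certificates embedded in it, and reports whether one of them is issued by the Microsoft Code Verification Root (the chain the x64 kernel loader requires and that `/ac` is meant to add). It assumes that `X509Certificate2Collection.Import()` on a signed PE returns the certificates carried in the signature; the driver path is a placeholder, and the `bcdedit` step needs an elevated prompt.

```powershell
# Added example (not from the thread): pre-deployment checks for an
# embedded-signed x64 kernel driver. PowerShell 2.0 or later.
# ASSUMPTION: X509Certificate2Collection.Import() on a signed PE returns the
# certificates embedded in its Authenticode signature (including any
# cross-certificate added with 'signtool sign /ac').
param(
    [string]$DriverPath = "C:\path\to\ourfile.sys"   # placeholder, replace
)

if (-not (Test-Path $DriverPath)) { throw "Driver not found: $DriverPath" }

# 0. Is this machine actually enforcing signatures? With testsigning on, a
#    badly signed driver loads anyway and the test proves nothing.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if ($bcd -match '^\s*testsigning\s+Yes') {
    "testsigning   : ON  - disable it (bcdedit /set testsigning off) before testing the real signature"
} else {
    "testsigning   : off (or bcdedit not run elevated)"
}

# 1. Is a signature present, and does user-mode trust it? Note that the
#    kernel loader applies its own, stricter policy on top of this.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Status        : $($sig.Status) ($($sig.StatusMessage))"
"Signer        : $($sig.SignerCertificate.Subject)"
"Signer issuer : $($sig.SignerCertificate.Issuer)"

# 2. Is the signature timestamped? Without a timestamp the signature stops
#    validating once the signing certificate expires.
if ($sig.TimeStamperCertificate) {
    "Timestamp     : yes ($($sig.TimeStamperCertificate.Subject))"
} else {
    "Timestamp     : NO - re-sign with /t <timestamp URL>"
}

# 3. Does the embedded certificate set include the cross-certificate that
#    chains the CA to the Microsoft Code Verification Root? That is what
#    'signtool sign /ac' adds and what the x64 kernel loader looks for.
$embedded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$embedded.Import($DriverPath)
"Embedded certs: $($embedded.Count)"
foreach ($c in $embedded) { "  - $($c.Subject)  <=  $($c.Issuer)" }

$crossCert = @($embedded | Where-Object {
    $_.Issuer -like '*Microsoft Code Verification Root*'
})
if ($crossCert.Count -gt 0) {
    "Cross-cert    : present ($($crossCert[0].Subject))"
} else {
    "Cross-cert    : MISSING - no embedded certificate is issued by Microsoft Code Verification Root; check the /ac argument"
}

# 4. Cross-check with the vendor tool when it is on the PATH; /v prints the
#    full signing chain so the Microsoft Code Verification Root should appear.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    & signtool.exe verify /kp /v $DriverPath
}
```

Run it as `.\Check-DriverSignature.ps1 -DriverPath .\ourfile.sys` from an elevated prompt. The point of step 3 is that the file-properties dialog and a plain `signtool verify` only tell you the signer chains to a root the user-mode store trusts; they do not tell you whether the cross-certificate the kernel loader needs is actually inside the signature blob, which is the first thing to rule out when a driver loads fine under testsigning but not with enforcement on.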
- Posted by Jan on May 7th, 2007
It is written in the title of this thread - yes, the driver file is signed
and seems to be correctly signed - but it doesn't run.
We used embedded signing - we signed the driver file (ourfile.sys), not the
.cat file, which we don't use at all.
Regards,
Jan
"Thomas F. Divine" wrote:
- Posted by Thomas F. Divine on May 7th, 2007
Open a support incident. I don't think you'll find the answer here.
Sorry.
Thomas F. Divine
"Jan" <Jan@discussions.microsoft.com> wrote in message
news:0408DDE8-64A3-4274-B0B3-E583357ED4E7@microsoft.com...