Signtool Error: The provided cross certificate would not be present in the certificate chain
I'm using Windows Driver Kit build 7600.16385.1. In the past I have successfully Kernel-Mode code signed my Driver. Now, after I have renewed my Verisign code-signing certificate, I am unable to resign my driver. First I tried resigning a previously, successfully signed driver:

    Signtool sign /v /ac C:\temp\CERT\MSCV-VSClass3.cer /f pfxfile -p xxxxxx /d "My Driver Name" /du " www.xxxxxx.com" /t "http://timestamp.verisign.com/scripts/timstamp.dll" c:\temp\drivers\myDriverCat.cat

I got this error:

    The following certificate was selected:
        Issued to: XXXXXX.com
        Issued by: VeriSign Class 3 Code Signing 2010 CA
        Expires: Fri Jan 20 15:59:59 2012
        SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Cross certificate chain (using user store):
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires: Wed Jul 16 15:59:59 2036
        SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

            Issued to: VeriSign Class 3 Code Signing 2010 CA
            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
            Expires: Fri Feb 07 15:59:59 2020
            SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

                Issued to: XXXXXX.com
                Issued by: VeriSign Class 3 Code Signing 2010 CA
                Expires: Fri Jan 20 15:59:59 2012
                SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Signtool Error: The provided cross certificate would not be present in the certificate chain.

I redownloaded Microsoft's Cross-Certificate for Verisign and tried again - no luck, same error. I also tried on two other developer machines (XP x32 and Win 7 x64) with no success. The only difference between now and last time I successfully signed my driver is my Verisign Authenticode cert that was renewed. When I received it, it was already in .pfx format where previously I had to convert it myself to pfx using Pvk2Pfx. Does someone know if I'm doing something wrong?
I can't figure out what this error means: "Signtool Error: The provided cross certificate would not be present in the certificate chain." Thanks!
February 11th, 2011 5:58pm

I had the same issue. After 2 hours of discussion with Verisign support:

1) In IE Certificates section, import the new pfx into General tab (select exportable option)
2) Import "Alternative Code Signing Intermediate 2010.cer" into "Intermediate tab"
3) Now export the new pfx file from General (check "Include all certs..." option)
4) Use the new pfx file along with same old MSCV-VSClass3.cer file from Microsoft

Alternative Code Signing Intermediate 2010.cer: [PEM-encoded certificate]
February 18th, 2011 1:08pm

I imported the above certificate and followed the directions as indicated. But my binary (boot driver) doesn't have the Microsoft Certificate. This is what my binary's certificates look like:

    $ signtool.exe verify /v /kp bo.exe

    Verifying: bo.exe
    SHA1 hash of file: 72E00EB508DC8E65F702FE28BB32C9746ECACC3B
    Signing Certificate Chain:
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires: 7/16/2036 5:59:59 PM
        SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

            Issued to: VeriSign Class 3 Code Signing 2010 CA
            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
            Expires: 2/7/2020 5:59:59 PM
            SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

                Issued to: Silicon Graphics International
                Issued by: VeriSign Class 3 Code Signing 2010 CA
                Expires: 2/5/2012 5:59:59 PM
                SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    The signature is timestamped: 2/25/2011 3:20:17 PM
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires: 12/31/2020 5:59:59 PM
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

            Issued to: VeriSign Time Stamping Services CA
            Issued by: Thawte Timestamping CA
            Expires: 12/3/2013 5:59:59 PM
            SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

                Issued to: VeriSign Time Stamping Services Signer - G2
                Issued by: VeriSign Time Stamping Services CA
                Expires: 6/14/2012 5:59:59 PM
                SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

    Successfully verified: bo.exe

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

When I boot vista/64 I get the error indicating that it can't verify the certificate.
February 26th, 2011 10:59am
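The check the post above does by eye, as an added example that is not part of the thread: parse `signtool` verbose output into its certificate chains and report whether a cross-certificate chain rooted at Microsoft's kernel-mode root is present. The root name "Microsoft Code Verification Root", the function names and the second sample are assumptions introduced here; the first sample is abridged from the posted output.

```python
import re

# Assumption: Microsoft cross-certificates chain to this root; the name is not given on the page.
KERNEL_ROOT = "Microsoft Code Verification Root"
FIELD = re.compile(r"^(Issued to|Issued by|Expires|SHA1 hash):\s*(.*)$")

def parse_chains(output):
    """Map each chain header in signtool /v output to its list of certificates."""
    chains, current = {}, None
    for line in map(str.strip, output.splitlines()):
        m = FIELD.match(line)
        if m and current is not None:
            if m.group(1) == "Issued to":      # every certificate starts with this field
                chains[current].append({})
            if chains[current]:
                chains[current][-1][m.group(1)] = m.group(2)
        elif line.endswith(":"):               # e.g. "Signing Certificate Chain:"
            current = line[:-1]
            chains.setdefault(current, [])
    return chains

def is_cross_signed(output):
    """True only if a cross-certificate chain is present and rooted at KERNEL_ROOT."""
    for header, certs in parse_chains(output).items():
        if header.lower().startswith("cross certificate chain") and certs:
            top = certs[0]
            if top.get("Issued to") == KERNEL_ROOT and top.get("Issued by") == KERNEL_ROOT:
                return True
    return False

# Abridged from the output posted above (Expires and SHA1 lines dropped).
POSTED = """Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued to: VeriSign Class 3 Code Signing 2010 CA
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
"""
# Constructed sample: the extra section a cross-signed file would show.
CROSS = POSTED + """Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: Microsoft Code Verification Root
"""
if __name__ == "__main__":
    print(is_cross_signed(POSTED), is_cross_signed(CROSS))
```

A file can report "Successfully verified" under `/kp` and still fail this check, which is the situation the post describes.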

Okay... I've found the following URL: http://www.64k-tec.de/2011/02/kernel-driver-code-signing-with-the-verisign-class-3-primary-ca-g5-certificate/ That gives some information about the steps and other links.
February 28th, 2011 5:50pm

This topic is archived. No further replies will be accepted.
