Signtool Error: The provided cross certificate would not be present in the certificate chain
I'm using Windows Driver Kit build 7600.16385.1.
In the past I have successfully kernel-mode code signed my driver. Now, after I have renewed my Verisign code-signing certificate, I am unable to re-sign my driver.
First I tried re-signing a previously successfully signed driver:
Signtool sign /v /ac C:\temp\CERT\MSCV-VSClass3.cer /f pfxfile -p xxxxxx /d "My Driver Name" /du "www.xxxxxx.com" /t "http://timestamp.verisign.com/scripts/timstamp.dll" c:\temp\drivers\myDriverCat.cat
I got this error:
The following certificate was selected:
Issued to: XXXXXX.com
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Jan 20 15:59:59 2012
SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Cross certificate chain (using user store):
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Wed Jul 16 15:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 15:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: XXXXXX.com
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Fri Jan 20 15:59:59 2012
SHA1 hash:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Signtool Error: The provided cross certificate would not be present in the certificate chain.
I redownloaded Microsoft's Cross-Certificate for Verisign and tried again - no luck, same error. I also tried on two other developer machines (XP x32 and Win 7 x64) with no success.
The only difference between now and last time I successfully signed my driver is my Verisign Authenticode cert that was renewed. When I received it, it was already in .pfx format where previously I had to convert it myself to pfx using Pvk2Pfx.
Does someone know if I'm doing something wrong? I can't figure out what this error means: "Signtool Error: The provided cross certificate would not be present in the certificate chain."
Thanks!
February 11th, 2011 5:58pm
I had the same issue. After 2 hours of discussion with Verisign support:
1) In IE Certificates section, import the new pfx into General tab (select exportable option)
2) Import "Alternative Code Signing Intermediate 2010.cer" into "Intermediate tab"
3) Now export the new pfx file from General (check "Include all certs..." option)
4) Use the new pfx file along with same old MSCV-VSClass3.cer file from Microsoft
Alternative Code Signing Intermediate 2010.cer
February 18th, 2011 1:08pm
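A pre-signing check for the PFX re-exported in the steps above, as an added example that is not part of the original posts: it lists every certificate in the PFX and flags any whose issuer name matches the subject of the cross-certificate passed to /ac. The PFX path, the password and the function name are placeholders, and treating an issuer-name match as the link the cross-certificate needs is this example's assumption.

```powershell
# Added example (not from the thread). Paths and password are placeholders.
param(
    [string]$PfxPath   = 'C:\temp\CERT\exported.pfx',      # placeholder path
    [string]$PfxPass   = 'xxxxxx',                         # placeholder password
    [string]$CrossPath = 'C:\temp\CERT\MSCV-VSClass3.cer'  # cross-certificate given to /ac
)

function Get-CrossCertLinks {
    param($Bundle, $Cross)
    # Assumption: the cross-certificate can only join the chain if some
    # certificate in the PFX names the cross-certificate's subject as its issuer.
    # Names are compared as raw DER bytes to avoid display-string differences.
    $target = [BitConverter]::ToString($Cross.SubjectName.RawData)
    foreach ($cert in $Bundle) {
        $issuer = [BitConverter]::ToString($cert.IssuerName.RawData)
        New-Object PSObject -Property @{
            Subject              = $cert.GetNameInfo('SimpleName', $false)
            Issuer               = $cert.GetNameInfo('SimpleName', $true)
            HasPrivateKey        = $cert.HasPrivateKey
            IssuedByCrossSubject = ($issuer -eq $target)
        }
    }
}

# Load the cross-certificate and every certificate stored in the PFX.
$cross  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrossPath
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$bundle.Import($PfxPath, $PfxPass, $flags)

$rows = @(Get-CrossCertLinks -Bundle $bundle -Cross $cross)
$rows | Select-Object Subject, Issuer, HasPrivateKey, IssuedByCrossSubject |
    Format-Table -AutoSize

# Summarise: is there at least one certificate the cross-certificate can sit above?
$links = @($rows | Where-Object { $_.IssuedByCrossSubject })
$crossName = $cross.GetNameInfo('SimpleName', $false)
if ($links.Count -gt 0) {
    "'$crossName' is the issuer of $($links.Count) certificate(s) in the PFX."
} else {
    "No certificate in the PFX is issued by '$crossName', so the cross-certificate cannot be part of its chain."
}
```

A PFX exported without the "Include all certs..." option holds only the signing certificate, so the table shows a single row.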
I imported the above certificate and followed the directions as indicated. But my binary (boot driver) doesn't have the Microsoft Certificate. This is what my binary's certificates look like:
$ signtool.exe verify /v /kp bo.exe
Verifying: bo.exe
SHA1 hash of file: 72E00EB508DC8E65F702FE28BB32C9746ECACC3B
Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 7/16/2036 5:59:59 PM
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 2/7/2020 5:59:59 PM
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Silicon Graphics International
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: 2/5/2012 5:59:59 PM
SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The signature is timestamped: 2/25/2011 3:20:17 PM
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 12/31/2020 5:59:59 PM
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: 12/3/2013 5:59:59 PM
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: VeriSign Time Stamping Services Signer - G2
Issued by: VeriSign Time Stamping Services CA
Expires: 6/14/2012 5:59:59 PM
SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Successfully verified: bo.exe
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
When I boot Vista/64 I get the error indicating that it can't verify the certificate.
February 26th, 2011 10:59am
Okay... I've found the following URL:
http://www.64k-tec.de/2011/02/kernel-driver-code-signing-with-the-verisign-class-3-primary-ca-g5-certificate/
That gives some information about the steps and other links.
February 28th, 2011 5:50pm