Problem description
Our software uses a boot start file system filter driver. But we have problems with the KMCS Policy. We have a Class 3 SPC from VeriSign, an spc and a pvk file.
We merged them into a pfx file, and installed it in the signing computer's Personal certificate store. We downloaded the VeriSign Cross Certificate from Microsoft, but on Windows Vista x64 (Ultimate, SP1), the driver cannot be started, because the file hash could not be found on the system.
The driver is installed by the CreateService API; no additional files are used (no inf or cat file).
We are using the signtool.exe provided by the WDK (version 6.0.6001.18000) with the syntax:
signtool sign /v /ac MSCV-VSClass3.cer /s my /n "Our company name" /t http://timestamp.verisign.com/scripts/timestamp.dll ourdriver.sys
It says everything is ok, but signtool verify /v /kp ourdriver.sys doesn't display "Microsoft Code Verification Root", and the driver cannot be loaded.
Another interesting thing is that if we sign the driver without the Cross Certificate and timestamp, the output binary file will be exactly the same as when we sign it with the Cross Certificate. Maybe the /ac sign switch doesn't work?
According to Peter Viscarola's post on OSR's NTDEV list, we tried the signing process on 3 computers (Vista x64 SP1, Vista x32 SP1, XP x32 SP3), but all produced the same result.
What are we doing wrong?
Recommended answer