Problem summary
My Windows application includes a service that loads a fairly simple driver. Following the KMCS requirements described in the MS Kernel Signing doc, the driver carries embedded SHA1 and SHA256 signatures and includes the cross-signed certificate chains for both signing certificates, so that the driver is signed without using a CAT file.
The driver loads fine on most Windows installations, but in rare cases it fails to load, mainly on Windows 7 x64 and Windows 10 x64. The error is 0x241 (577): Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
More information
For the better part of two weeks I have been trying to find out what causes this. As you might expect, the error only shows up on users' machines. I have set up 4 Windows 7 x64 VMs and another 4 Windows 10 x64 VMs with various configurations and different update levels. I did my best to replicate a user's setup exactly in one of the Windows 10 VMs: I spent a whole day installing the exact Windows version with the right language and all the software they have (down to the version) in an attempt to reproduce the problem. No such luck, though: when I installed my application, the driver loaded just fine.
In the hope that someone has an idea of what might be going on, or can at least point me in the right direction, I decided to ask here: what could cause a seemingly correctly signed driver to fail verification on some Windows installations?
More details
I am using a StartCom Class 3 code signing certificate. I downloaded the cross-signed StartCom certificate from the Microsoft Cross-Certificates for Kernel Mode Code Signing page.
My certificate is in a pfx file and I sign the driver as follows:
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /p %1 driver.sys
signtool.exe sign /v /ac "MS_xs_st.crt" /d "Driver description" /du "https://webpage/" /f my_certificate.pfx /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /p %1 driver.sys
signtool.exe verify /v /kp driver.sys
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 16:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: StartCom Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 23:23:19 2021
SHA1 hash: E6069E048DEA8D817AFC4188B1BEF1D888D0AF17
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
Successfully verified: driver.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
signtool.exe verify /v /pa /all driver.sys
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
Successfully verified: driver.sys
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
signtool.exe verify /v /all driver.sys
Verifying: driver.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): EE2FE2A16395DC66ACCB5264742987D99ECF5A66
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:52 2016
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signature Index: 1
Hash of file (sha256): 79E9A2EF552906EA10F56FF7B2F95A1999B52902BCD9B78DD076157B563E900B
Signing Certificate Chain:
Issued to: StartCom Certification Authority
Issued by: StartCom Certification Authority
Expires: Wed Sep 17 22:46:36 2036
SHA1 hash: 3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
Issued to: StartCom Class 3 Object CA
Issued by: StartCom Certification Authority
Expires: Mon Dec 16 04:00:05 2030
SHA1 hash: E181101EE744817E49B6F97466E14DFA0809BD46
Issued to: My company
Issued by: StartCom Class 3 Object CA
Expires: Sun Aug 04 16:18:18 2019
SHA1 hash: 62...E9
The signature is timestamped: Sun Sep 25 12:49:53 2016
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Issued to: COMODO SHA-256 Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: Tue Jul 09 21:40:36 2019
SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 2
Best answer
As Martin Drab said, the problem is twofold. By the way, thanks Martin, your comments helped me sort it out: by setting up a VM with Secure Boot enabled I was able to reproduce the Windows 10 problem.
For operating systems before Windows 10, the problem seems to be solved by installing all the latest updates. If the PC has not been updated since January 11, 2015 (when the new Microsoft Code Verification Root certificate was released), verification fails because the kernel does not recognize the root certificate.
For Windows 10, there is a new Kernel Mode Code Signing Policy which specifies that all fresh installations of Windows 10 Anniversary Edition will not verify any kernel code that has not been signed by the Microsoft Dev Portal (which requires an EV certificate), unless it is signed with a cross-signed certificate issued before July 29, 2015 or Secure Boot is disabled.
The reason the problem occurs so rarely is that most people do not have Windows 7 machines that have gone unupdated for such a long time, and, at the time of writing, most machines running Windows 10 are not fresh installations of the Anniversary Edition.
The only real solution for Windows 10 is to get an EV certificate.
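A triage script, added here and not part of the question or the answer, that checks a failing machine for the two causes the answer names: an older Windows that never received the root certificate update, and a Windows 10 Anniversary Update install (build 14393, a build number not given on the page) with Secure Boot enabled and a signing certificate issued after the cut-off. It assumes $DriverPath points at the driver; the root thumbprint is the one printed in the signtool output above.

```powershell
param([string]$DriverPath = "C:\path\to\driver.sys")   # assumption: adjust to your driver

# Thumbprint of "Microsoft Code Verification Root" as printed by signtool above, and the
# two dates the answer gives: root certificate release and the cross-certificate cut-off.
$McvrThumbprint  = "8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3"
$RootReleaseDate = Get-Date "2015-01-11"
$CrossCertCutoff = Get-Date "2015-07-29"

# Get-WmiObject rather than Get-CimInstance so this also runs on Windows 7's PowerShell 2.0.
$os    = Get-WmiObject Win32_OperatingSystem
$build = [int]$os.BuildNumber
"OS: $($os.Caption) build $build"

# Cause 1 (Windows 7 / 8.x): the machine never received the new Microsoft root.
# The store lookup is a hint only; kernel-mode code integrity keeps its own trust list.
$rootPresent = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Thumbprint -eq $McvrThumbprint }).Count -gt 0
"Microsoft Code Verification Root visible in machine root stores: $rootPresent"
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastPatch -and $lastPatch.InstalledOn -lt $RootReleaseDate) {
    "WARNING: newest hotfix dates from $($lastPatch.InstalledOn); updates predate the root release."
}

# Cause 2 (Windows 10 build 14393 and later with Secure Boot): a cross-signed driver
# only loads if the signing certificate was issued before the cut-off.
$secureBoot = "unknown"
if (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue) {
    try   { $secureBoot = Confirm-SecureBootUEFI }   # needs elevation; legacy BIOS throws
    catch { $secureBoot = "unknown ($($_.Exception.Message))" }
}
"Secure Boot enabled: $secureBoot"

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Primary signature status: $($sig.Status)"
if ($sig.SignerCertificate) {
    $issued = $sig.SignerCertificate.NotBefore
    "Signer: $($sig.SignerCertificate.Subject), issued $issued"
    if ($build -ge 14393 -and $secureBoot -eq $true -and $issued -ge $CrossCertCutoff) {
        "WARNING: Windows 10 build $build, Secure Boot on, certificate issued after $CrossCertCutoff:" +
        " cross-signing alone will not load here; an EV certificate and Dev Portal signing are required."
    }
}

# Recent Code Integrity events name the image that failed verification.
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it elevated on the affected machine; Get-AuthenticodeSignature reports only the primary (SHA1) signature, so use the signtool verify commands shown above to inspect the SHA256 one.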
For windows - Windows kernel mode code signing problem, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/39721308/