Signtool Error: The provided cross certificate would not be present in the certificate chain

  • Question

  • I'm using Windows Driver Kit build 7600.16385.1.

    In the past I have successfully Kernel-Mode code signed my Driver.  Now, after I have renewed my Verisign code-signing certificate, I am unable to resign my driver.

    First I tried resigning a previously, successfully signed driver:
        Signtool sign /v /ac C:\temp\CERT\MSCV-VSClass3.cer /f pfxfile -p xxxxxx /d "My Driver Name" /du "www.xxxxxx.com" /t "http://timestamp.verisign.com/scripts/timstamp.dll" c:\temp\drivers\myDriverCat.cat

    I got this error:

    The following certificate was selected:
        Issued to: XXXXXX.com
        Issued by: VeriSign Class 3 Code Signing 2010 CA
        Expires:   Fri Jan 20 15:59:59 2012
        SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Cross certificate chain (using user store):
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   Wed Jul 16 15:59:59 2036
        SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

            Issued to: VeriSign Class 3 Code Signing 2010 CA
            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
            Expires:   Fri Feb 07 15:59:59 2020
            SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

                Issued to: XXXXXX.com
                Issued by: VeriSign Class 3 Code Signing 2010 CA
                Expires:   Fri Jan 20 15:59:59 2012
                SHA1 hash:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Signtool Error: The provided cross certificate would not be present in the certificate chain.

    I redownloaded Microsoft's Cross-Certificate for Verisign and tried again - no luck, same error.  I also tried on two other developer machines (XP x32 and Win 7 x64) with no success.

    The only difference between now and last time I successfully signed my driver is my Verisign Authenticode cert that was renewed.  When I received it, it was already in .pfx format where previously I had to convert it myself to pfx using Pvk2Pfx.

    Does someone know if I'm doing something wrong?  I can't figure out what this error means: "Signtool Error: The provided cross certificate would not be present in the certificate chain."

    Thanks!

    Friday, February 11, 2011 10:51 PM

Answers

  • I had the same issue. After 2 hours of discussion with Verisign support:

    1) In IE Certificates section, import the new pfx into General tab (select exportable option)
    2) Import "Alternative Code Signing Intermediate 2010.cer" into "Intermediate tab"
    3) Now export the new pfx file from General (check "Include all certs..." option)
    4) Use the new pfx file along with same old MSCV-VSClass3.cer file from Microsoft

     

    Alternative Code Signing Intermediate 2010.cer

    Friday, February 18, 2011 6:06 PM
  • Okay... I've found the following URL:

    http://www.64k-tec.de/2011/02/kernel-driver-code-signing-with-the-verisign-class-3-primary-ca-g5-certificate/

     

    That gives some information about the steps and other links.

    Monday, February 28, 2011 10:48 PM

All replies

  • I imported the above certificate and followed the directions as indicated.  But my binary (boot driver) doesn't have the Microsoft Certificate.  This is what my binary's certificates look like:

    $ signtool.exe verify /v  /kp bo.exe

    Verifying: bo.exe
    SHA1 hash of file: 72E00EB508DC8E65F702FE28BB32C9746ECACC3B
    Signing Certificate Chain:
       Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
       Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
       Expires:   7/16/2036 5:59:59 PM
       SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

           Issued to: VeriSign Class 3 Code Signing 2010 CA
           Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
           Expires:   2/7/2020 5:59:59 PM
           SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

               Issued to: Silicon Graphics International
               Issued by: VeriSign Class 3 Code Signing 2010 CA
               Expires:   2/5/2012 5:59:59 PM
               SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    The signature is timestamped: 2/25/2011 3:20:17 PM
    Timestamp Verified by:
       Issued to: Thawte Timestamping CA
       Issued by: Thawte Timestamping CA
       Expires:   12/31/2020 5:59:59 PM
       SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

           Issued to: VeriSign Time Stamping Services CA
           Issued by: Thawte Timestamping CA
           Expires:   12/3/2013 5:59:59 PM
           SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

               Issued to: VeriSign Time Stamping Services Signer - G2
               Issued by: VeriSign Time Stamping Services CA
               Expires:   6/14/2012 5:59:59 PM
               SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

    Successfully verified: bo.exe

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    When I boot Vista/64 I get the error indicating that it can't verify the certificate.

    Saturday, February 26, 2011 3:57 PM
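
An added example (not part of the original thread): a Python check over `signtool verify /v /kp` output like the one quoted in the reply above. It flags a signing chain that is not rooted at "Microsoft Code Verification Root", the root that appears when a cross-certificate was embedded with `/ac`. The function names and the trimmed sample text are constructed for illustration.

```python
# Root shown at the top of the signing chain when a Microsoft
# cross-certificate was embedded at signing time (signtool sign /ac ...).
MS_KERNEL_ROOT = "Microsoft Code Verification Root"

# Constructed sample: trimmed copy of the verify output quoted in the reply above.
SAMPLE = """\
Verifying: bo.exe
Signing Certificate Chain:
   Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
   Issued by: VeriSign Class 3 Public Primary Certification Authority - G5

       Issued to: VeriSign Class 3 Code Signing 2010 CA
       Issued by: VeriSign Class 3 Public Primary Certification Authority - G5

           Issued to: Silicon Graphics International
           Issued by: VeriSign Class 3 Code Signing 2010 CA

The signature is timestamped: 2/25/2011 3:20:17 PM
Timestamp Verified by:
   Issued to: Thawte Timestamping CA
   Issued by: Thawte Timestamping CA

Successfully verified: bo.exe
"""

def parse_chains(text):
    """Return {section header: [(issued_to, issued_by), ...]}, root first."""
    chains, section, subject = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not line.startswith("Issued"):
            section, subject = line.rstrip(":"), None  # e.g. "Signing Certificate Chain"
            chains[section] = []
        elif line.startswith("Issued to:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("Issued by:") and section and subject:
            chains[section].append((subject, line.split(":", 1)[1].strip()))
            subject = None
        elif line and not line.startswith(("Expires:", "SHA1 hash:")):
            section = None  # any other text ends the current chain block
    return {name: certs for name, certs in chains.items() if certs}

def cross_signed(text):
    """True only if the signing chain is rooted at the Microsoft kernel-mode root."""
    chain = parse_chains(text).get("Signing Certificate Chain", [])
    return bool(chain) and chain[0][0] == MS_KERNEL_ROOT
```

Run against the full verbose output in a build step, `cross_signed` returns False for the chain shown above, whose root is the VeriSign G5 certificate.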