Recently our SafeNet Authentication Token used for software and driver signing expired (Symantec) and we ordered a new one (now Thales, bought Symantec?).
The expired one had these CAs:
- VeriSign Class 3 Public Primary Certification Authority - G5
- Symantec Class 3 Extended Validation Code Signing CA - G2
The user certificate has the intended Purpose: Code Signing
The replacement token has these CAs:
- Digicert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
- Digicert Trusted Root G4
The user certificate has the intended Purpose: Code Signing
With the old token: We could sign driver and catalogs and use these direct on PCs without Secure Boot. We could attestation sign these drivers at Microsoft to get them to work on PCs with Secure boot.
With the new token: We can sign drivers and catalogs. We can attestation sign these drivers at Microsoft to get them to work on PCs with (and without) Secure boot. But they no longer work on PCs without Secure Boot.
The device manager presents this:
Windows cannot verify the digital signature for the drivers required
for this device. A recent hardware or software change might have installed
a file that is signed incorrectly or damaged, or that might be malicious
software from an unknown source. (Code 52)
The driver itself presents the new signature:
And a nice chain of trust:
One possibility to get this still working on the test PCs would be to disable driver verification using "bcdedit". But I would not like to force beta testers to do it. Also, I do not want to manually "attestation sign" every CI build...
This wrecks our CI infrastructure and automatic test environment.
My questions:
Is this intended behavior with new code signing tokens?
Did we receive a bad or not-good-enough token as a replacement?
This is the command-line of signtool:
sign /s MY /sha1 KEY_SHA1 /n "My GmbH" /fd sha256 /tr http://timestamp.digicert.com driver.sys
I ask this openly because I think there are a few guys in different companies getting these issues with token updates and I hope the answers to this thread will help them (and us).
Bye Gunther
Ok, today I found out:
Microsoft deprecated code signing certificates mid 2021:
https://learn.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates#will-we-continue-to-be-able-to-sign-non-driver-code-with-our-existing-3rd-party-issued-certificates-after-2021
Very short answer: New certificates like our new code signing dongle are not cross-signed to "Microsoft Code Verification Root" and do not provide any cross certificate chain.
So our signed driver will not load in production Windows.
Possible options for testing and debugging:
Enable testsigning:
In this mode any driver with or without signature is allowed.
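As an added example (not part of the original thread, and not a Microsoft or DigiCert tool), this PowerShell snippet inspects the Authenticode chain of a signed driver and reports whether the chain ends at a Microsoft-owned root, which is what production kernel-mode code integrity requires after the 2021 cross-signing deprecation described above; a chain ending at a public CA root such as DigiCert Trusted Root G4 is what produces Code 52 on a machine without test signing. The driver path is a placeholder and the root-name check is an assumption about how Microsoft roots are named.

```powershell
# Added example: diagnose why a driver signed with a (non cross-signed)
# public-CA certificate fails kernel-mode code integrity (Code 52).
param([string]$Path = 'C:\path\to\driver.sys')   # placeholder path

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "Signature status : $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) {
    Write-Output 'No embedded Authenticode signature found.'
    return
}
Write-Output "Signer           : $($sig.SignerCertificate.Subject)"
Write-Output "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"

# Build the signer's chain as the OS would. Revocation is skipped here so the
# check works offline; a CI gate should use 'Online'.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($sig.SignerCertificate)
if (-not $built) {
    $chain.ChainStatus | ForEach-Object { Write-Output "Chain issue: $($_.StatusInformation.Trim())" }
}

Write-Output 'Chain (leaf -> root):'
foreach ($el in $chain.ChainElements) {
    Write-Output ("  -> " + $el.Certificate.Subject)
}

# Kernel-mode drivers on production Windows must chain to a Microsoft root
# (WHQL / attestation signing). Assumption: Microsoft roots carry
# 'O=Microsoft Corporation' in their subject, public CA roots do not.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -match 'O=Microsoft Corporation') {
    Write-Output 'Root is Microsoft-owned: loads under production kernel code integrity.'
} else {
    Write-Output "Root is '$($root.Subject)': expect Code 52 unless testsigning is enabled."
}

# Get-AuthenticodeSignature reports only the primary signature. An attestation-
# signed binary may carry an additional Microsoft signature; list all of them with:
#   signtool verify /kp /v /all $Path
```

Run it against a build-output driver before and after attestation signing to see which signature the OS will actually honour.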