| Summary: | [virtio-win], [balloon][vioscsi][vioserial][viostor] drivers are not digitally signed for win2012 | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Shawn Duex <shawn> | ||||||
| Component: | virtio-win | Assignee: | Vadim Rozenfeld <vrozenfe> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 6.5 | CC: | acathrow, bcao, bsarathy, juzhang, mdeng, michen, shawn | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Windows | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2013-11-30 08:39:49 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
|
||||||||
|
Description
Shawn Duex
2013-09-27 18:31:56 UTC
(In reply to Shawn Duex from comment #0) > Description of problem: Using Windows Server 2012. I am getting a not > digitally signed error on all drivers except NetKVM. > > > Version-Release number of selected component (if applicable): > VirtIO 1.6.5-6 > > How reproducible: > 100% > > > Steps to Reproduce: > 1.Run Microsoft DISM tool to add Virt IO drivers to install media > > C:\Users\Administrator>dism /image:C:\temp\mount /add-driver > /driver:c:\temp\dri > vers\ /recurse > > Deployment Image Servicing and Management tool > Version: 6.1.7600.16385 > > Image Version: 6.2.9200.16384 > > Searching for driver packages to install... > Found 5 driver package(s) to install. > Installing 1 of 5 - c:\temp\drivers\2012\Balloon\2k12\amd64\balloon.inf: > Error - > The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > Installing 2 of 5 - c:\temp\drivers\2012\NetKVM\2k12\amd64\netkvm.inf: The > drive > r package was successfully installed. > Installing 3 of 5 - c:\temp\drivers\2012\vioscsi\2k12\amd64\vioscsi.inf: > Error - > The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > Installing 4 of 5 - c:\temp\drivers\2012\vioserial\2k12\amd64\vioser.inf: > Error > - The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > Installing 5 of 5 - c:\temp\drivers\2012\viostor\2k12\amd64\viostor.inf: > Error - > The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > > Error: 50 > > The command completed with errors. For more information, refer to the log > file. > > The DISM log file can be found at C:\Windows\Logs\DISM\dism.log > > Actual results: > Drivers do not get installed unless /forceunsigned flag is passed > > Expected results: > Drivers are installed without error > > Additional info: > DISM.log entries: > > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\Balloon\2k12\amd64\balloon.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) > 2013-09-27 09:52:29, Info DISM DISM Driver Manager: > PID=2988 TID=1668 Successfully proccessed driver package > 'c:\temp\drivers\2012\NetKVM\2k12\amd64\netkvm.inf'. - > CDriverPackage::InstallEx > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\vioscsi\2k12\amd64\vioscsi.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\vioserial\2k12\amd64\vioser.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\viostor\2k12\amd64\viostor.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) That's strange ,All drivers has passed whql certification before we push it to the public , I will check this issue later . BTW,Can you paste the output of # SignTool.exe verify /v /kp /c <driver>.cat <driver>.sys ? Mike is absolutely right. Shawn, where did you get all these drivers from? Did you build the drivers by yourself? Thanks, Vadim. Hello guys,
The drivers I am using came from this RPM virtio-win-1.6.5-6.el6_4.noarch.rpm. The RPM includes a ISO with the windows drivers virtio-win-1.6.5.iso. I extracted this iso and am trying to use the drivers included. Please find the output of the SignTool command line request.
C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>dir
Volume in drive C has no label.
Volume Serial Number is EC4F-88D7
Directory of C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64
09/30/2013 02:01 PM <DIR> .
09/30/2013 02:01 PM <DIR> ..
06/28/2013 01:44 AM 11,352 balloon.cat
06/28/2013 01:44 AM 3,060 balloon.inf
06/28/2013 01:44 AM 863,232 balloon.pdb
06/28/2013 01:44 AM 36,552 balloon.sys
06/28/2013 01:44 AM 27,432 blnsvr.exe
06/28/2013 01:44 AM 822,272 blnsvr.pdb
07/14/2009 10:10 PM 237,376 signtool.exe
06/28/2013 01:44 AM 1,795,952 WdfCoInstaller01011.dll
8 File(s) 3,797,228 bytes
2 Dir(s) 6,785,417,216 bytes free
C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>signtool.exe verify /v /kp /c balloon.cat balloon.sys
Verifying: balloon.sys
SignTool Error: File not found in the specified catalog.
SignTool Error: File not valid: balloon.sys
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>
Removing the flag for the catalog file.
C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>signtool.exe verify /v /kp balloon.cat balloon.sys
Verifying: balloon.cat
Hash of file (sha256): A6A9172BBD224B36757E62E7827647840A8AA13ED7AE5DFE158CC57F7202E000
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Apr 18 16:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Wed Sep 18 15:58:07 2013
SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E
The signature is timestamped: Mon Jan 21 13:26:45 2013
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Tue Jul 01 14:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Tue Apr 09 14:45:34 2013
SHA1 hash: 75C4C17C025218C637BCB9BB85D16CB07145211A
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
Verifying: balloon.sys
Hash of file (sha1): CC6196AE4446E33849C1D1B5FAA066E5B3EBAE53
Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Wed Jul 16 16:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat Nov 28 16:59:59 2015
SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25
The signature is timestamped: Wed Jan 16 04:14:20 2013
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 16:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 16:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 12:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat Nov 28 16:59:59 2015
SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25
Successfully verified: balloon.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 1
C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>
C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioscsi\2k12\amd64>signtool.exe verify /v /kp vioscsi.cat vioscsi.sys
Verifying: vioscsi.cat
Hash of file (sha256): 77A7F23C6D4BD1CEC8746B117A21055C9CC983C500701D9713E5D128914604C1
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Apr 18 16:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Wed Sep 18 15:58:07 2013
SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E
The signature is timestamped: Mon Jan 21 12:26:37 2013
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Tue Jul 01 14:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Mon May 20 15:39:22 2013
SHA1 hash: 125DAF5264765D160F6BE16480AAEF9AF9BE0BDC
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
Verifying: vioscsi.sys
Hash of file (sha1): 2224DB65A4EAFE15E4213BFAF8EB57AEFA7B0972
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 16:59:59 2028
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 16:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Wed Mar 27 16:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
The signature is timestamped: Thu Nov 29 04:41:11 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 16:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Mon Dec 31 16:59:59 2012
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon May 23 10:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 16:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Wed Mar 27 16:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
Successfully verified: vioscsi.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 1
C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioscsi\2k12\amd64>
C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioserial\2k12\amd64>signtool.exe verify /v /kp vioser.cat vioser.sys
Verifying: vioser.cat
Hash of file (sha256): 2CD7587532EA40FEFBD30A1EDEE1569114716282550D5EE9792A5BBD08ED3A6E
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Apr 18 16:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Wed Sep 18 15:58:07 2013
SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E
The signature is timestamped: Mon Jun 24 09:47:09 2013
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Tue Jul 01 14:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Fri Jun 27 13:13:15 2014
SHA1 hash: 174A03DAC10EA3F9367819E6F8453606580326BC
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
Verifying: vioser.sys
Hash of file (sha1): 2A03619A1E64104E919861C965CD4A01CBB7D40D
Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Wed Jul 16 16:59:59 2036
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat Nov 28 16:59:59 2015
SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25
The signature is timestamped: Mon Jun 03 02:44:13 2013
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Wed Dec 30 16:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Tue Dec 29 16:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 12:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Fri Feb 07 16:59:59 2020
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: Sat Nov 28 16:59:59 2015
SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25
Successfully verified: vioser.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 1
C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioserial\2k12\amd64>
C:\share\3M\VirtIO-Win-1.6.5-6\2012\viostor\2k12\amd64>signtool.exe verify /v /kp viostor.cat viostor.sys
Verifying: viostor.cat
Hash of file (sha256): 848FFAB3E9534EA7C08C4D61570C875998976ABB29F5D401A974642FB7544125
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Apr 18 16:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Wed Sep 18 15:58:07 2013
SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E
The signature is timestamped: Mon Jan 21 11:56:38 2013
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sat Jun 23 15:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Tue Jul 01 14:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Tue Apr 09 14:45:37 2013
SHA1 hash: C9231E0C550F956D32EADD6E731A173831F345FF
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
Verifying: viostor.sys
Hash of file (sha1): AA120DDBAFAD96A18AD0A134B01FA465FF5273F9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 16:59:59 2028
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 16:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Wed Mar 27 16:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
The signature is timestamped: Thu Nov 29 04:41:14 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 16:59:59 2020
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Tue Dec 03 16:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Mon Dec 31 16:59:59 2012
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Mon May 23 10:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Mon May 20 16:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Wed Mar 27 16:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
Successfully verified: viostor.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 1
C:\share\3M\VirtIO-Win-1.6.5-6\2012\viostor\2k12\amd64>
So looking at this output I think the issue is with all the .cat files not having the cert chain to microsoft root cert.
Please let me know if you need any additional information.
(In reply to Shawn Duex from comment #4) > Hello guys, > > > So looking at this output I think the issue is with all the .cat files not > having the cert chain to microsoft root cert. > > Please let me know if you need any additional information. Thanks for your feedback ,I will try to reproduce it Hi Shawn,
you must be using wrong toolchain.
Win8/Win2012 serial, balloon, block and scsi driver were signed with signtool
from Win8 WDK. You should use signtool from Win8 WDK if you want to verify the signature.
It is what you see when checking with signtool from WDK7.1
Verifying: viostor.cat
Hash of file (sha256): 848FFAB3E9534EA7C08C4D61570C875998976ABB29F5D401A974642FB7544125
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 08:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Mon Apr 19 09:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Thu Sep 19 08:58:07 2013
SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E
The signature is timestamped: Tue Jan 22 04:56:38 2013
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 08:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Wed Jul 02 07:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Wed Apr 10 07:45:37 2013
SHA1 hash: C9231E0C550F956D32EADD6E731A173831F345FF
Verifying: viostor.sys
Hash of file (sha1): AA120DDBAFAD96A18AD0A134B01FA465FF5273F9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 09:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue May 21 09:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Thu Mar 28 09:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
The signature is timestamped: Thu Nov 29 21:41:14 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 09:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 09:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Tue Jan 01 09:59:59 2013
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 23:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Tue May 24 03:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue May 21 09:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Thu Mar 28 09:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
Successfully verified: viostor.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 1
But it is what you should see when using the right signtool from WDK8
Verifying: viostor.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 848FFAB3E9534EA7C08C4D61570C875998976ABB29F5D401A974642FB7544125
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 08:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Mon Apr 19 09:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Thu Sep 19 08:58:07 2013
SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E
The signature is timestamped: Tue Jan 22 04:56:38 2013
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 08:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Wed Jul 02 07:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Wed Apr 10 07:45:37 2013
SHA1 hash: C9231E0C550F956D32EADD6E731A173831F345FF
Cross Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 08:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Mon Apr 19 09:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Thu Sep 19 08:58:07 2013
SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E
Successfully verified: viostor.cat
Verifying: viostor.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha1): AA120DDBAFAD96A18AD0A134B01FA465FF5273F9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: Wed Aug 02 09:59:59 2028
SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue May 21 09:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Thu Mar 28 09:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
The signature is timestamped: Thu Nov 29 21:41:14 2012
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 09:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: VeriSign Time Stamping Services CA
Issued by: Thawte Timestamping CA
Expires: Wed Dec 04 09:59:59 2013
SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Issued to: Symantec Time Stamping Services Signer - G3
Issued by: VeriSign Time Stamping Services CA
Expires: Tue Jan 01 09:59:59 2013
SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 23:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Tue May 24 03:11:29 2016
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: Tue May 21 09:59:59 2019
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: Red Hat, Inc.
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: Thu Mar 28 09:59:59 2013
SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6
Successfully verified: viostor.sys
Number of files successfully Verified: 2
Number of warnings: 0
Number of errors: 0
Best regards,
Vadim.
(In reply to Mike Cao from comment #5) > (In reply to Shawn Duex from comment #4) > > Hello guys, > > > > > > So looking at this output I think the issue is with all the .cat files not > > having the cert chain to microsoft root cert. > > > > Please let me know if you need any additional information. > > Thanks for your feedback ,I will try to reproduce it I can not reproduce your issue .Seems Vadim is right . in your output ,it shows : Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 While during my testing ,it shows : Signing Certificate Chain: Issued to: Class 3 Public Primary Certification Authority Issued by: Class 3 Public Primary Certification Authority Could you help to check it ? Hello, I did verify the drivers using signtool from the Windows 8.0 SDK and have the same results as you guys the drivers look OK. However, per my initial issue filed, the drivers are still causing an error when trying to add them to add them off-line to the Windows Server 2012 install media via the DISM.exe tool. Please see this support page on the tool - http://technet.microsoft.com/en-us/library/hh825070.aspx When adding the drivers I am still getting errors on all drivers other than the NIC driver. Please see the output below: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools>dism /image:C:\temp\mount /add-driver /driver:c:\temp\drivers\ /recurse Deployment Image Servicing and Management tool Version: 6.2.9200.16384 Image Version: 6.2.9200.16384 Searching for driver packages to install... Found 5 driver package(s) to install. Installing 1 of 5 - c:\temp\drivers\Balloon\2k12\amd64\balloon.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 2 of 5 - c:\temp\drivers\NetKVM\2k12\amd64\netkvm.inf: The driver package was successfully installed. Installing 3 of 5 - c:\temp\drivers\vioscsi\2k12\amd64\vioscsi.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 4 of 5 - c:\temp\drivers\vioserial\2k12\amd64\vioser.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 5 of 5 - c:\temp\drivers\viostor\2k12\amd64\viostor.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Error: 50 The command completed with errors. For more information, refer to the log file. The DISM log file can be found at C:\Windows\Logs\DISM\dism.log C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools> As you can see I am using the DISM tool from the Windows 8 ADK. I saw the same issue when using the 8.1 ADK - http://technet.microsoft.com/en-us/library/hh824947.aspx. It looks like the digital signature check being done by DISM during driver-add is not passing. reading this more closely - http://technet.microsoft.com/en-us/library/hh825070.aspx I see what the issue is. "To add drivers to a Windows® 8 image offline, you must use a technician computer running Windows 8, Windows Server® 2012, or Windows® Preinstallation Environment (Windows PE) 4.0. Driver signature verification may fail when you add a driver to a Windows 8 image offline from a technician computer running any other operating system." I am running these tools on Windows 7. Sorry for wasting everyones time. output using Windows Server 2012: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools>dism /image:C:\temp\mount /add-driver /driver:c:\temp\drivers\ /recurse Deployment Image Servicing and Management tool Version: 6.3.9600.16384 Image Version: 6.2.9200.16384 Searching for driver packages to install... Found 5 driver package(s) to install. Installing 1 of 5 - c:\temp\drivers\Balloon\2k12\amd64\balloon.inf: The driver package was successfully installed. Installing 2 of 5 - c:\temp\drivers\NetKVM\2k12\amd64\netkvm.inf: The driver package was successfully installed. Installing 3 of 5 - c:\temp\drivers\vioscsi\2k12\amd64\vioscsi.inf: The driver package was successfully installed. Installing 4 of 5 - c:\temp\drivers\vioserial\2k12\amd64\vioser.inf: The driver package was successfully installed. Installing 5 of 5 - c:\temp\drivers\viostor\2k12\amd64\viostor.inf: The driver package was successfully installed. The operation completed successfully. C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools> Please close this bug. (In reply to Shawn Duex from comment #10) > output using Windows Server 2012: > > C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment > Kit\Deployment > Tools>dism /image:C:\temp\mount /add-driver /driver:c:\temp\drivers\ > /recurse > > Hi, Shawn Could you attach the layout under C:\temp\mount and C:\temp\Drivers ? Thanks, Mike Mike, I am using Windows Server 2012 volume license media. I have copied the entire media to c:\temp\windows2012iso\ on my machine. Then using dism I am getting the wim information for c:\temp\windows2012iso\sources\boot.wim C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools>dism /get-wiminfo /wimfile:C:\Temp\Windows2012ISO\sources\boot.wim Deployment Image Servicing and Management tool Version: 6.2.9200.16384 Details for image : C:\Temp\Windows2012ISO\sources\boot.wim Index : 1 Name : Microsoft Windows PE (x64) Description : Microsoft Windows PE (x64) Size : 1,187,717,208 bytes Index : 2 Name : Microsoft Windows Setup (x64) Description : Microsoft Windows Setup (x64) Size : 1,255,862,012 bytes The operation completed successfully. C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools> I am then mounting boot.wim index 2 to c:\mount C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools>dism /Mount-Wim /WimFile:C:\Temp\Windows2012ISO\sources\boot.wim /Index:2 /MountDir:c:\temp\mount c:\temp\mount is unmodified until I add the drivers recursively with dism the c:\temp\drivers folder contains the same directory structure as virtio-win-1.6.5.iso but only the 2k12 folders as they are the drivers I am after. Created attachment 810195 [details]
file layout of virtio-win-1.6.5.iso
Created attachment 810196 [details]
file layout of c:\temp\drivers
Mike, please see the attachments for the file layouts you requested. closing the bug based on comment #c10 |