Hide Forgot
Description of problem: Using Windows Server 2012. I am getting a not digitally signed error on all drivers except NetKVM. Version-Release number of selected component (if applicable): VirtIO 1.6.5-6 How reproducible: 100% Steps to Reproduce: 1.Run Microsoft DISM tool to add Virt IO drivers to install media C:\Users\Administrator>dism /image:C:\temp\mount /add-driver /driver:c:\temp\dri vers\ /recurse Deployment Image Servicing and Management tool Version: 6.1.7600.16385 Image Version: 6.2.9200.16384 Searching for driver packages to install... Found 5 driver package(s) to install. Installing 1 of 5 - c:\temp\drivers\2012\Balloon\2k12\amd64\balloon.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 2 of 5 - c:\temp\drivers\2012\NetKVM\2k12\amd64\netkvm.inf: The drive r package was successfully installed. Installing 3 of 5 - c:\temp\drivers\2012\vioscsi\2k12\amd64\vioscsi.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 4 of 5 - c:\temp\drivers\2012\vioserial\2k12\amd64\vioser.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 5 of 5 - c:\temp\drivers\2012\viostor\2k12\amd64\viostor.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Error: 50 The command completed with errors. For more information, refer to the log file. The DISM log file can be found at C:\Windows\Logs\DISM\dism.log Actual results: Drivers do not get installed unless /forceunsigned flag is passed Expected results: Drivers are installed without error Additional info: DISM.log entries: 2013-09-27 09:52:29, Error DISM DISM Driver Manager: PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 images. Use /forceunsigned switch to override. c:\temp\drivers\2012\Balloon\2k12\amd64\balloon.inf - CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) 2013-09-27 09:52:29, Info DISM DISM Driver Manager: PID=2988 TID=1668 Successfully proccessed driver package 'c:\temp\drivers\2012\NetKVM\2k12\amd64\netkvm.inf'. - CDriverPackage::InstallEx 2013-09-27 09:52:29, Error DISM DISM Driver Manager: PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 images. Use /forceunsigned switch to override. c:\temp\drivers\2012\vioscsi\2k12\amd64\vioscsi.inf - CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) 2013-09-27 09:52:29, Error DISM DISM Driver Manager: PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 images. Use /forceunsigned switch to override. c:\temp\drivers\2012\vioserial\2k12\amd64\vioser.inf - CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) 2013-09-27 09:52:29, Error DISM DISM Driver Manager: PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 images. Use /forceunsigned switch to override. c:\temp\drivers\2012\viostor\2k12\amd64\viostor.inf - CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032)
(In reply to Shawn Duex from comment #0) > Description of problem: Using Windows Server 2012. I am getting a not > digitally signed error on all drivers except NetKVM. > > > Version-Release number of selected component (if applicable): > VirtIO 1.6.5-6 > > How reproducible: > 100% > > > Steps to Reproduce: > 1.Run Microsoft DISM tool to add Virt IO drivers to install media > > C:\Users\Administrator>dism /image:C:\temp\mount /add-driver > /driver:c:\temp\dri > vers\ /recurse > > Deployment Image Servicing and Management tool > Version: 6.1.7600.16385 > > Image Version: 6.2.9200.16384 > > Searching for driver packages to install... > Found 5 driver package(s) to install. > Installing 1 of 5 - c:\temp\drivers\2012\Balloon\2k12\amd64\balloon.inf: > Error - > The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > Installing 2 of 5 - c:\temp\drivers\2012\NetKVM\2k12\amd64\netkvm.inf: The > drive > r package was successfully installed. > Installing 3 of 5 - c:\temp\drivers\2012\vioscsi\2k12\amd64\vioscsi.inf: > Error - > The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > Installing 4 of 5 - c:\temp\drivers\2012\vioserial\2k12\amd64\vioser.inf: > Error > - The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > Installing 5 of 5 - c:\temp\drivers\2012\viostor\2k12\amd64\viostor.inf: > Error - > The driver package contains x64 boot-critical drivers, but the drivers are > not > properly signed. > Use the /forceunsigned option to install the drivers. > > Error: 50 > > The command completed with errors. For more information, refer to the log > file. > > The DISM log file can be found at C:\Windows\Logs\DISM\dism.log > > Actual results: > Drivers do not get installed unless /forceunsigned flag is passed > > Expected results: > Drivers are installed without error > > Additional info: > DISM.log entries: > > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\Balloon\2k12\amd64\balloon.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) > 2013-09-27 09:52:29, Info DISM DISM Driver Manager: > PID=2988 TID=1668 Successfully proccessed driver package > 'c:\temp\drivers\2012\NetKVM\2k12\amd64\netkvm.inf'. - > CDriverPackage::InstallEx > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\vioscsi\2k12\amd64\vioscsi.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\vioserial\2k12\amd64\vioser.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) > 2013-09-27 09:52:29, Error DISM DISM Driver Manager: > PID=2988 TID=1668 Cannot install non-signed boot-critical drivers on amd64 > images. Use /forceunsigned switch to override. > c:\temp\drivers\2012\viostor\2k12\amd64\viostor.inf - > CDriverManager::CheckClientAddDriverScenarios(hr:0x80070032) That's strange ,All drivers has passed whql certification before we push it to the public , I will check this issue later . BTW,Can you paste the output of # SignTool.exe verify /v /kp /c <driver>.cat <driver>.sys ?
Mike is absolutely right. Shawn, where did you get all these drivers from? Did you build the drivers by yourself? Thanks, Vadim.
Hello guys, The drivers I am using came from this RPM virtio-win-1.6.5-6.el6_4.noarch.rpm. The RPM includes a ISO with the windows drivers virtio-win-1.6.5.iso. I extracted this iso and am trying to use the drivers included. Please find the output of the SignTool command line request. C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>dir Volume in drive C has no label. Volume Serial Number is EC4F-88D7 Directory of C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64 09/30/2013 02:01 PM <DIR> . 09/30/2013 02:01 PM <DIR> .. 06/28/2013 01:44 AM 11,352 balloon.cat 06/28/2013 01:44 AM 3,060 balloon.inf 06/28/2013 01:44 AM 863,232 balloon.pdb 06/28/2013 01:44 AM 36,552 balloon.sys 06/28/2013 01:44 AM 27,432 blnsvr.exe 06/28/2013 01:44 AM 822,272 blnsvr.pdb 07/14/2009 10:10 PM 237,376 signtool.exe 06/28/2013 01:44 AM 1,795,952 WdfCoInstaller01011.dll 8 File(s) 3,797,228 bytes 2 Dir(s) 6,785,417,216 bytes free C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>signtool.exe verify /v /kp /c balloon.cat balloon.sys Verifying: balloon.sys SignTool Error: File not found in the specified catalog. SignTool Error: File not valid: balloon.sys Number of files successfully Verified: 0 Number of warnings: 0 Number of errors: 1 C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64> Removing the flag for the catalog file. C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64>signtool.exe verify /v /kp balloon.cat balloon.sys Verifying: balloon.cat Hash of file (sha256): A6A9172BBD224B36757E62E7827647840A8AA13ED7AE5DFE158CC57F7202E000 Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Windows Third Party Component CA 2012 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Apr 18 16:58:38 2027 SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Third Party Component CA 2012 Expires: Wed Sep 18 15:58:07 2013 SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E The signature is timestamped: Mon Jan 21 13:26:45 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Time-Stamp PCA 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Tue Jul 01 14:46:55 2025 SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA 2010 Expires: Tue Apr 09 14:45:34 2013 SHA1 hash: 75C4C17C025218C637BCB9BB85D16CB07145211A SignTool Error: Signing Cert does not chain to a Microsoft Root Cert. Verifying: balloon.sys Hash of file (sha1): CC6196AE4446E33849C1D1B5FAA066E5B3EBAE53 Signing Certificate Chain: Issued to: VeriSign Class 3 Public Primary Certification Authority - G5 Issued by: VeriSign Class 3 Public Primary Certification Authority - G5 Expires: Wed Jul 16 16:59:59 2036 SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Issued to: VeriSign Class 3 Code Signing 2010 CA Issued by: VeriSign Class 3 Public Primary Certification Authority - G5 Expires: Fri Feb 07 16:59:59 2020 SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2010 CA Expires: Sat Nov 28 16:59:59 2015 SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25 The signature is timestamped: Wed Jan 16 04:14:20 2013 Timestamp Verified by: Issued to: Thawte Timestamping CA Issued by: Thawte Timestamping CA Expires: Thu Dec 31 16:59:59 2020 SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 Issued to: Symantec Time Stamping Services CA - G2 Issued by: Thawte Timestamping CA Expires: Wed Dec 30 16:59:59 2020 SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1 Issued to: Symantec Time Stamping Services Signer - G4 Issued by: Symantec Time Stamping Services CA - G2 Expires: Tue Dec 29 16:59:59 2020 SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4 Cross Certificate Chain: Issued to: Microsoft Code Verification Root Issued by: Microsoft Code Verification Root Expires: Sat Nov 01 06:54:03 2025 SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 Issued to: VeriSign Class 3 Public Primary Certification Authority - G5 Issued by: Microsoft Code Verification Root Expires: Mon Feb 22 12:35:17 2021 SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B Issued to: VeriSign Class 3 Code Signing 2010 CA Issued by: VeriSign Class 3 Public Primary Certification Authority - G5 Expires: Fri Feb 07 16:59:59 2020 SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2010 CA Expires: Sat Nov 28 16:59:59 2015 SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25 Successfully verified: balloon.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 1 C:\share\3M\VirtIO-Win-1.6.5-6\2012\Balloon\2k12\amd64> C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioscsi\2k12\amd64>signtool.exe verify /v /kp vioscsi.cat vioscsi.sys Verifying: vioscsi.cat Hash of file (sha256): 77A7F23C6D4BD1CEC8746B117A21055C9CC983C500701D9713E5D128914604C1 Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Windows Third Party Component CA 2012 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Apr 18 16:58:38 2027 SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Third Party Component CA 2012 Expires: Wed Sep 18 15:58:07 2013 SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E The signature is timestamped: Mon Jan 21 12:26:37 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Time-Stamp PCA 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Tue Jul 01 14:46:55 2025 SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA 2010 Expires: Mon May 20 15:39:22 2013 SHA1 hash: 125DAF5264765D160F6BE16480AAEF9AF9BE0BDC SignTool Error: Signing Cert does not chain to a Microsoft Root Cert. Verifying: vioscsi.sys Hash of file (sha1): 2224DB65A4EAFE15E4213BFAF8EB57AEFA7B0972 Signing Certificate Chain: Issued to: Class 3 Public Primary Certification Authority Issued by: Class 3 Public Primary Certification Authority Expires: Wed Aug 02 16:59:59 2028 SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Mon May 20 16:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Wed Mar 27 16:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 The signature is timestamped: Thu Nov 29 04:41:11 2012 Timestamp Verified by: Issued to: Thawte Timestamping CA Issued by: Thawte Timestamping CA Expires: Thu Dec 31 16:59:59 2020 SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 Issued to: VeriSign Time Stamping Services CA Issued by: Thawte Timestamping CA Expires: Tue Dec 03 16:59:59 2013 SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D Issued to: Symantec Time Stamping Services Signer - G3 Issued by: VeriSign Time Stamping Services CA Expires: Mon Dec 31 16:59:59 2012 SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021 Cross Certificate Chain: Issued to: Microsoft Code Verification Root Issued by: Microsoft Code Verification Root Expires: Sat Nov 01 06:54:03 2025 SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 Issued to: Class 3 Public Primary Certification Authority Issued by: Microsoft Code Verification Root Expires: Mon May 23 10:11:29 2016 SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Mon May 20 16:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Wed Mar 27 16:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 Successfully verified: vioscsi.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 1 C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioscsi\2k12\amd64> C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioserial\2k12\amd64>signtool.exe verify /v /kp vioser.cat vioser.sys Verifying: vioser.cat Hash of file (sha256): 2CD7587532EA40FEFBD30A1EDEE1569114716282550D5EE9792A5BBD08ED3A6E Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Windows Third Party Component CA 2012 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Apr 18 16:58:38 2027 SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Third Party Component CA 2012 Expires: Wed Sep 18 15:58:07 2013 SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E The signature is timestamped: Mon Jun 24 09:47:09 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Time-Stamp PCA 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Tue Jul 01 14:46:55 2025 SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA 2010 Expires: Fri Jun 27 13:13:15 2014 SHA1 hash: 174A03DAC10EA3F9367819E6F8453606580326BC SignTool Error: Signing Cert does not chain to a Microsoft Root Cert. Verifying: vioser.sys Hash of file (sha1): 2A03619A1E64104E919861C965CD4A01CBB7D40D Signing Certificate Chain: Issued to: VeriSign Class 3 Public Primary Certification Authority - G5 Issued by: VeriSign Class 3 Public Primary Certification Authority - G5 Expires: Wed Jul 16 16:59:59 2036 SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Issued to: VeriSign Class 3 Code Signing 2010 CA Issued by: VeriSign Class 3 Public Primary Certification Authority - G5 Expires: Fri Feb 07 16:59:59 2020 SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2010 CA Expires: Sat Nov 28 16:59:59 2015 SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25 The signature is timestamped: Mon Jun 03 02:44:13 2013 Timestamp Verified by: Issued to: Thawte Timestamping CA Issued by: Thawte Timestamping CA Expires: Thu Dec 31 16:59:59 2020 SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 Issued to: Symantec Time Stamping Services CA - G2 Issued by: Thawte Timestamping CA Expires: Wed Dec 30 16:59:59 2020 SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1 Issued to: Symantec Time Stamping Services Signer - G4 Issued by: Symantec Time Stamping Services CA - G2 Expires: Tue Dec 29 16:59:59 2020 SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4 Cross Certificate Chain: Issued to: Microsoft Code Verification Root Issued by: Microsoft Code Verification Root Expires: Sat Nov 01 06:54:03 2025 SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 Issued to: VeriSign Class 3 Public Primary Certification Authority - G5 Issued by: Microsoft Code Verification Root Expires: Mon Feb 22 12:35:17 2021 SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B Issued to: VeriSign Class 3 Code Signing 2010 CA Issued by: VeriSign Class 3 Public Primary Certification Authority - G5 Expires: Fri Feb 07 16:59:59 2020 SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2010 CA Expires: Sat Nov 28 16:59:59 2015 SHA1 hash: 1B4E5E00774E3E6B6D4C58A63FFB54E0771F5C25 Successfully verified: vioser.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 1 C:\share\3M\VirtIO-Win-1.6.5-6\2012\vioserial\2k12\amd64> C:\share\3M\VirtIO-Win-1.6.5-6\2012\viostor\2k12\amd64>signtool.exe verify /v /kp viostor.cat viostor.sys Verifying: viostor.cat Hash of file (sha256): 848FFAB3E9534EA7C08C4D61570C875998976ABB29F5D401A974642FB7544125 Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Windows Third Party Component CA 2012 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Apr 18 16:58:38 2027 SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Third Party Component CA 2012 Expires: Wed Sep 18 15:58:07 2013 SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E The signature is timestamped: Mon Jan 21 11:56:38 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sat Jun 23 15:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Time-Stamp PCA 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Tue Jul 01 14:46:55 2025 SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA 2010 Expires: Tue Apr 09 14:45:37 2013 SHA1 hash: C9231E0C550F956D32EADD6E731A173831F345FF SignTool Error: Signing Cert does not chain to a Microsoft Root Cert. Verifying: viostor.sys Hash of file (sha1): AA120DDBAFAD96A18AD0A134B01FA465FF5273F9 Signing Certificate Chain: Issued to: Class 3 Public Primary Certification Authority Issued by: Class 3 Public Primary Certification Authority Expires: Wed Aug 02 16:59:59 2028 SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Mon May 20 16:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Wed Mar 27 16:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 The signature is timestamped: Thu Nov 29 04:41:14 2012 Timestamp Verified by: Issued to: Thawte Timestamping CA Issued by: Thawte Timestamping CA Expires: Thu Dec 31 16:59:59 2020 SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 Issued to: VeriSign Time Stamping Services CA Issued by: Thawte Timestamping CA Expires: Tue Dec 03 16:59:59 2013 SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D Issued to: Symantec Time Stamping Services Signer - G3 Issued by: VeriSign Time Stamping Services CA Expires: Mon Dec 31 16:59:59 2012 SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021 Cross Certificate Chain: Issued to: Microsoft Code Verification Root Issued by: Microsoft Code Verification Root Expires: Sat Nov 01 06:54:03 2025 SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 Issued to: Class 3 Public Primary Certification Authority Issued by: Microsoft Code Verification Root Expires: Mon May 23 10:11:29 2016 SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Mon May 20 16:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Wed Mar 27 16:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 Successfully verified: viostor.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 1 C:\share\3M\VirtIO-Win-1.6.5-6\2012\viostor\2k12\amd64> So looking at this output I think the issue is with all the .cat files not having the cert chain to microsoft root cert. Please let me know if you need any additional information.
(In reply to Shawn Duex from comment #4) > Hello guys, > > > So looking at this output I think the issue is with all the .cat files not > having the cert chain to microsoft root cert. > > Please let me know if you need any additional information. Thanks for your feedback ,I will try to reproduce it
Hi Shawn, you must be using wrong toolchain. Win8/Win2012 serial, balloon, block and scsi driver were signed with signtool from Win8 WDK. You should use signtool from Win8 WDK if you want to verify the signature. It is what you see when checking with signtool from WDK7.1 Verifying: viostor.cat Hash of file (sha256): 848FFAB3E9534EA7C08C4D61570C875998976ABB29F5D401A974642FB7544125 Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Jun 24 08:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Windows Third Party Component CA 2012 Issued by: Microsoft Root Certificate Authority 2010 Expires: Mon Apr 19 09:58:38 2027 SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Third Party Component CA 2012 Expires: Thu Sep 19 08:58:07 2013 SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E The signature is timestamped: Tue Jan 22 04:56:38 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Jun 24 08:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Time-Stamp PCA 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Wed Jul 02 07:46:55 2025 SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA 2010 Expires: Wed Apr 10 07:45:37 2013 SHA1 hash: C9231E0C550F956D32EADD6E731A173831F345FF Verifying: viostor.sys Hash of file (sha1): AA120DDBAFAD96A18AD0A134B01FA465FF5273F9 Signing Certificate Chain: Issued to: Class 3 Public Primary Certification Authority Issued by: Class 3 Public Primary Certification Authority Expires: Wed Aug 02 09:59:59 2028 SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2 Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Tue May 21 09:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Thu Mar 28 09:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 The signature is timestamped: Thu Nov 29 21:41:14 2012 Timestamp Verified by: Issued to: Thawte Timestamping CA Issued by: Thawte Timestamping CA Expires: Fri Jan 01 09:59:59 2021 SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 Issued to: VeriSign Time Stamping Services CA Issued by: Thawte Timestamping CA Expires: Wed Dec 04 09:59:59 2013 SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D Issued to: Symantec Time Stamping Services Signer - G3 Issued by: VeriSign Time Stamping Services CA Expires: Tue Jan 01 09:59:59 2013 SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021 Cross Certificate Chain: Issued to: Microsoft Code Verification Root Issued by: Microsoft Code Verification Root Expires: Sat Nov 01 23:54:03 2025 SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 Issued to: Class 3 Public Primary Certification Authority Issued by: Microsoft Code Verification Root Expires: Tue May 24 03:11:29 2016 SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Tue May 21 09:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Thu Mar 28 09:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 Successfully verified: viostor.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 1 But it is what you should see when using the right signtool from WDK8 Verifying: viostor.cat Signature Index: 0 (Primary Signature) Hash of file (sha256): 848FFAB3E9534EA7C08C4D61570C875998976ABB29F5D401A974642FB7544125 Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Jun 24 08:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Windows Third Party Component CA 2012 Issued by: Microsoft Root Certificate Authority 2010 Expires: Mon Apr 19 09:58:38 2027 SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Third Party Component CA 2012 Expires: Thu Sep 19 08:58:07 2013 SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E The signature is timestamped: Tue Jan 22 04:56:38 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Jun 24 08:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Time-Stamp PCA 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Wed Jul 02 07:46:55 2025 SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA 2010 Expires: Wed Apr 10 07:45:37 2013 SHA1 hash: C9231E0C550F956D32EADD6E731A173831F345FF Cross Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 Expires: Sun Jun 24 08:04:01 2035 SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5 Issued to: Microsoft Windows Third Party Component CA 2012 Issued by: Microsoft Root Certificate Authority 2010 Expires: Mon Apr 19 09:58:38 2027 SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Third Party Component CA 2012 Expires: Thu Sep 19 08:58:07 2013 SHA1 hash: 3E9C8940ADB3ED3950F378D6052BBC5BFE81205E Successfully verified: viostor.cat Verifying: viostor.sys Signature Index: 0 (Primary Signature) Hash of file (sha1): AA120DDBAFAD96A18AD0A134B01FA465FF5273F9 Signing Certificate Chain: Issued to: Class 3 Public Primary Certification Authority Issued by: Class 3 Public Primary Certification Authority Expires: Wed Aug 02 09:59:59 2028 SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2 Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Tue May 21 09:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Thu Mar 28 09:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 The signature is timestamped: Thu Nov 29 21:41:14 2012 Timestamp Verified by: Issued to: Thawte Timestamping CA Issued by: Thawte Timestamping CA Expires: Fri Jan 01 09:59:59 2021 SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 Issued to: VeriSign Time Stamping Services CA Issued by: Thawte Timestamping CA Expires: Wed Dec 04 09:59:59 2013 SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D Issued to: Symantec Time Stamping Services Signer - G3 Issued by: VeriSign Time Stamping Services CA Expires: Tue Jan 01 09:59:59 2013 SHA1 hash: 8FD99D63FB3AFBD534A4F6E31DACD27F59504021 Cross Certificate Chain: Issued to: Microsoft Code Verification Root Issued by: Microsoft Code Verification Root Expires: Sat Nov 01 23:54:03 2025 SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 Issued to: Class 3 Public Primary Certification Authority Issued by: Microsoft Code Verification Root Expires: Tue May 24 03:11:29 2016 SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Issued to: VeriSign Class 3 Code Signing 2009-2 CA Issued by: Class 3 Public Primary Certification Authority Expires: Tue May 21 09:59:59 2019 SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3 Issued to: Red Hat, Inc. Issued by: VeriSign Class 3 Code Signing 2009-2 CA Expires: Thu Mar 28 09:59:59 2013 SHA1 hash: 0ECAAC1E5E354447B4982E509F11D12DB28371A6 Successfully verified: viostor.sys Number of files successfully Verified: 2 Number of warnings: 0 Number of errors: 0 Best regards, Vadim.
(In reply to Mike Cao from comment #5) > (In reply to Shawn Duex from comment #4) > > Hello guys, > > > > > > So looking at this output I think the issue is with all the .cat files not > > having the cert chain to microsoft root cert. > > > > Please let me know if you need any additional information. > > Thanks for your feedback ,I will try to reproduce it I can not reproduce your issue .Seems Vadim is right . in your output ,it shows : Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority 2010 Issued by: Microsoft Root Certificate Authority 2010 While during my testing ,it shows : Signing Certificate Chain: Issued to: Class 3 Public Primary Certification Authority Issued by: Class 3 Public Primary Certification Authority Could you help to check it ?
Hello, I did verify the drivers using signtool from the Windows 8.0 SDK and have the same results as you guys the drivers look OK. However, per my initial issue filed, the drivers are still causing an error when trying to add them to add them off-line to the Windows Server 2012 install media via the DISM.exe tool. Please see this support page on the tool - http://technet.microsoft.com/en-us/library/hh825070.aspx When adding the drivers I am still getting errors on all drivers other than the NIC driver. Please see the output below: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools>dism /image:C:\temp\mount /add-driver /driver:c:\temp\drivers\ /recurse Deployment Image Servicing and Management tool Version: 6.2.9200.16384 Image Version: 6.2.9200.16384 Searching for driver packages to install... Found 5 driver package(s) to install. Installing 1 of 5 - c:\temp\drivers\Balloon\2k12\amd64\balloon.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 2 of 5 - c:\temp\drivers\NetKVM\2k12\amd64\netkvm.inf: The driver package was successfully installed. Installing 3 of 5 - c:\temp\drivers\vioscsi\2k12\amd64\vioscsi.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 4 of 5 - c:\temp\drivers\vioserial\2k12\amd64\vioser.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Installing 5 of 5 - c:\temp\drivers\viostor\2k12\amd64\viostor.inf: Error - The driver package contains x64 boot-critical drivers, but the drivers are not properly signed. Use the /forceunsigned option to install the drivers. Error: 50 The command completed with errors. For more information, refer to the log file. The DISM log file can be found at C:\Windows\Logs\DISM\dism.log C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools> As you can see I am using the DISM tool from the Windows 8 ADK. I saw the same issue when using the 8.1 ADK - http://technet.microsoft.com/en-us/library/hh824947.aspx. It looks like the digital signature check being done by DISM during driver-add is not passing.
reading this more closely - http://technet.microsoft.com/en-us/library/hh825070.aspx I see what the issue is. "To add drivers to a Windows® 8 image offline, you must use a technician computer running Windows 8, Windows Server® 2012, or Windows® Preinstallation Environment (Windows PE) 4.0. Driver signature verification may fail when you add a driver to a Windows 8 image offline from a technician computer running any other operating system." I am running these tools on Windows 7. Sorry for wasting everyones time.
output using Windows Server 2012: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools>dism /image:C:\temp\mount /add-driver /driver:c:\temp\drivers\ /recurse Deployment Image Servicing and Management tool Version: 6.3.9600.16384 Image Version: 6.2.9200.16384 Searching for driver packages to install... Found 5 driver package(s) to install. Installing 1 of 5 - c:\temp\drivers\Balloon\2k12\amd64\balloon.inf: The driver package was successfully installed. Installing 2 of 5 - c:\temp\drivers\NetKVM\2k12\amd64\netkvm.inf: The driver package was successfully installed. Installing 3 of 5 - c:\temp\drivers\vioscsi\2k12\amd64\vioscsi.inf: The driver package was successfully installed. Installing 4 of 5 - c:\temp\drivers\vioserial\2k12\amd64\vioser.inf: The driver package was successfully installed. Installing 5 of 5 - c:\temp\drivers\viostor\2k12\amd64\viostor.inf: The driver package was successfully installed. The operation completed successfully. C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools> Please close this bug.
(In reply to Shawn Duex from comment #10) > output using Windows Server 2012: > > C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment > Kit\Deployment > Tools>dism /image:C:\temp\mount /add-driver /driver:c:\temp\drivers\ > /recurse > > Hi, Shawn Could you attach the layout under C:\temp\mount and C:\temp\Drivers ? Thanks, Mike
Mike, I am using Windows Server 2012 volume license media. I have copied the entire media to c:\temp\windows2012iso\ on my machine. Then using dism I am getting the wim information for c:\temp\windows2012iso\sources\boot.wim C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools>dism /get-wiminfo /wimfile:C:\Temp\Windows2012ISO\sources\boot.wim Deployment Image Servicing and Management tool Version: 6.2.9200.16384 Details for image : C:\Temp\Windows2012ISO\sources\boot.wim Index : 1 Name : Microsoft Windows PE (x64) Description : Microsoft Windows PE (x64) Size : 1,187,717,208 bytes Index : 2 Name : Microsoft Windows Setup (x64) Description : Microsoft Windows Setup (x64) Size : 1,255,862,012 bytes The operation completed successfully. C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools> I am then mounting boot.wim index 2 to c:\mount C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools>dism /Mount-Wim /WimFile:C:\Temp\Windows2012ISO\sources\boot.wim /Index:2 /MountDir:c:\temp\mount c:\temp\mount is unmodified until I add the drivers recursively with dism the c:\temp\drivers folder contains the same directory structure as virtio-win-1.6.5.iso but only the 2k12 folders as they are the drivers I am after.
Created attachment 810195 [details] file layout of virtio-win-1.6.5.iso
Created attachment 810196 [details] file layout of c:\temp\drivers
Mike, please see the attachments for the file layouts you requested.
closing the bug based on comment #c10