Windows rejects driver signed by EV certificate and Microsoft hardware site [UPDATED]
-
UPDATE: I just contacted DigiCert support, and the rep couldn't figure it out either. He said everything looks OK with my certificate, so he escalated it to their development team. I might hear back from them on Monday.
I have a Windows Filtering Platform driver that I have signed with a DigiCert EV code signing certificate. I submitted the package to the Windows Partner Center as a hardware submission, and it was successfully signed by Microsoft. I chose "Test Signing" and I checked the boxes for every listed version of Windows that was not ARM based. So when I run this command:
signtool verify gsllc.sys
It gives the following response:
File: gsllc.sys
Index  Algorithm  Timestamp
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Number of errors: 1
When I attempt to load the driver into Windows, the event log shows the following error:
The gsllc service failed to start due to the following error:
A certificate was explicitly revoked by its issuer.
My certificate is only days old, and it hasn't been revoked according to DigiCert. Anybody have any idea what could be wrong here?
The difficult we do right away... ...the impossible takes slightly longer.
Richard Andrew x64 wrote:
root certificate
Well the error means nothing is wrong with your actual cert. But certs have a parent chain (best phrase I can think of) and it doesn't like one of the parents. I didn't google but I am rather certain there is probably a tool that will tell you what the chain is. I will say that probably won't help with your problem since it is likely nothing you can do with a parent. But maybe something to so with how you created the cert in the first place. This supposes of course that just looking at the chain gives you an idea which one is a problem in the first place.
-
jschell wrote:
But maybe something to so with how you created the cert in the first place
I'm impressed with the likelihood that you actually meant to use the word "so" to replace the word "do" in this sentence, so I think for a second, "what other substitutions can I make here that would still make sense and lend credence to authority?" and I came up with "io" ... lexicographers of the world UNITE! ;P
-
Agreed. The signtool.exe can show the complete chain from the root to your certificate.
The difficult we do right away... ...the impossible takes slightly longer.
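-
Added example, not part of any post in this thread: a PowerShell sketch that walks the chain the replies talk about inspecting and prints, for each certificate, the status flags Windows assigns to it (`UntrustedRoot` and `Revoked` are the flags that match the two errors quoted above). It assumes the driver is at `.\gsllc.sys`, and it evaluates trust with the machine's ordinary certificate stores, which is an assumption of this example and not necessarily the policy the kernel applies when loading a driver.

```powershell
# Added example (not from the thread): list every certificate in a signed
# driver's chain with the trust/revocation status Windows assigns to it.
param([string]$Path = '.\gsllc.sys')   # file name taken from the thread

$x509 = 'System.Security.Cryptography.X509Certificates'

# Read the embedded Authenticode signature and its overall verdict.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status: $($sig.Status) - $($sig.StatusMessage)"
if (-not $sig.SignerCertificate) {
    throw "No embedded Authenticode signer certificate found in $Path"
}

# Build the chain from the signer certificate up to a root, checking
# revocation online for every element rather than only the leaf.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$trusted = $chain.Build($sig.SignerCertificate)
"Chain trusted by this machine's stores: $trusted"

# Depth 0 is the signer; the last element is the root (or the point
# where the chain could not be continued).
$depth = 0
foreach ($element in $chain.ChainElements) {
    $cert   = $element.Certificate
    $status = @($element.ChainElementStatus | ForEach-Object { $_.Status })
    if ($status.Count -eq 0) { $status = @('NoError') }
    [pscustomobject]@{
        Depth      = $depth
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Status     = ($status -join ', ')
    }
    $depth++
}
```

The element whose Status is not `NoError` is the parent to look at. `signtool verify /v /kp gsllc.sys` prints the chain from signtool itself, evaluated against the kernel-mode driver signing policy.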