Driver digital signing issue Win7 64x

118 with a lot of bug fixes.

Driver digital signing issue Win7 64x

Postby swesound » 2013-09-10 20:52

I am having a problem with the mirror driver (using the addons x64 1190 installer) in Win 7 Enterprise 64. The install proceeds correctly, but upon reboot, windows disables the driver saying there is a problem with the digital signature. I have tried installs on 3 machines with the same results. The installer from 5-2-2013 does not have this problem and works correctly.

Scott
swesound
 
Posts: 5
Joined: 2013-09-10 20:44

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-11 20:44

Reuploaded.

Looks like the .cat was not remade after resigning.
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby swesound » 2013-09-18 18:32

Hi Rudi,
After testing the new install file, I am having the same issue.

Scott
swesound
 
Posts: 5
Joined: 2013-09-10 20:44

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-18 19:12

retested myself and it installed without a problem on win7 x64...
I get the popup that the driver is from uvnc bvba and after accept all is OK.

Possible you imported the certificat ( Globalsign) as trused publisher to avoid this popup.
Because we know have a new certificat from Verisign it's not the same as the imported one
In that case you need to import also the new cert.

What error did you get ?
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby swesound » 2013-09-18 20:25

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
I get the "do you trust this provider" pop-up during the driver install, but after rebooting, error 52 shows up in device manager.
I think the issue lies with the fact that we are running the Enterprise edition of Win7. We have had this issue in the past with audio card drivers. There is a difference in how Enterprise treats driver verification. I'm not sure what it is, but I know that it exists. The vendor had to do some research and correct the problem.
The previous installer goes in without any issues.

Scott
swesound
 
Posts: 5
Joined: 2013-09-10 20:44

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-18 22:33

I'm testing on a win7 x64 enterprise edition
No error and the driver verification tell the kernel mode cross signing is OK.
if you have the signtool, it would be handy to run the verify to see what is say

The previous installer used a certificat from Globalsin and the globalsign cross and root certificat.
We moved to verisign because it was required by MS. They only accept verisgn signed exe for logo testing.

You could try to install the certificats from MS, it could be that one of the root certifacts ( they are not auto updated)
is to old.

Code: Select all
http://msdn.microsoft.com/en-us/library/dn170454(v=vs.85).aspx

Download cross-certificate for VeriSign Class 3 Public Primary Certification Authority – G5
Download cross-certificate for VeriSign Universal Root Certification Authority



The signing looks ok
signtool verify /v /kp ../mv2.sys
-----------------
verifying: ..mv2.sys
SHA1 hash of file: A9493CB6B6BEDAB7E83E2B8DEC1956927A579A6A
Signing Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 1/11/2025 15:54:03
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: 22/02/2021 21:35:17
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 8/02/2020 1:59:59
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: uvnc bvba
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: 12/10/2016 1:59:59
SHA1 hash: 075BD1CAB5AE085E523AF7883FC0A8127BE08C71

The signature is timestamped: 19/09/2013 0:16:32
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 1/01/2021 1:59:59
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: 31/12/2020 1:59:59
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: 30/12/2020 1:59:59
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Successfully verified: ../mv2.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
-------------------
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-24 07:44

The driver zip you can download is the old version, meaning driver signed with a Globalsign certificat.
The drivers in the addon exe are signed with the new verisign certificat.

The install program didn't changed for years, only we resigned all driver files.

I realy don't know what's wrong with this certificat as it works on my own system and all files signed with it are accepted
my MS for file verification. ( THat's the reason we changed to Verisign, as it is the only certificat accepte by MS)

Possible this certificat is to new and depend on other certificats, like i explained in the previous post.
If that is the case, some certificats (root) need to be updated on the system before our cert wil work.
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-24 07:59

My workpc also seems to have the not signed issue, while the same exe install proper on my home pc.
This allow me todo some tests
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-24 09:22

Erro is actual
Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

This mean that the problem is not the uvnc certificat, but the cross sign verisign certificat that isn't thrusted " root certificat"
For some reason MS isn't thrusting the Verisign root certificat.

Google tell me that more people seems to have the same issue...
Searching for a solution
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-24 12:37

I guess we are seeing a mix if things.

I updated the signature, but driver was still the same version.
If the previous version was installed, you now get parts cached in the driver store with new... in other words all get messed.
The cat file contain a hash of the sys and dll, when you start mixing sys/dll/cat a sys with a verisign or globalsign signing has a different hash

But the cause is still that the verisign cert is not accepted by the OS.
And it works proper on my Home PC but fail on my Office PC.
Something is wrong with the signature... but's a hell to find what's causing it.

Gonne take some time.
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-24 21:19

Tested using vmware workstation
en_windows_7_ultimate_n_with_sp1_x64_dvd_u_677543.iso (2011)
driver work correct.
gonna test now with 65922 (2009)
That version also works
Tested with a win7 enterprise -> driver ok

Now i'm running into circles....
The only difference is that on the work computer the old version of the driver was previous installed.

Next test are for tomorrow.
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-25 19:28

Found
The answer was simple !ç"'(à!çé"è(!é"è(!çé(è"

The download is the incorrect (11/9)version.
I was testing @home with my local version (19/9) and @work with the downloaded version.

The .cat files was wrong in the 11/9 version
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby Rudi De Vos » 2013-09-25 19:43

files updated
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5933
Joined: 2004-04-23 10:21

Re: Driver digital signing issue Win7 64x

Postby swesound » 2013-09-26 00:22

Rudi,
Thanks for all your work on this issue!!
swesound
 
Posts: 5
Joined: 2013-09-10 20:44

Re: Driver digital signing issue Win7 64x

Postby rcooke » 2013-10-08 14:09

Aha!

I noticed that on a machine and was wondering what caused it.

Glad you figured it out! I'm so used to uVNC "just working" that this really threw me for a loop!
Regards,
Richard Cooke
User avatar
rcooke
40
40
 
Posts: 96
Joined: 2011-02-19 13:06
Location: Toronto, Canada

Re: Driver digital signing issue Win7 64x

Postby JCLB » 2014-03-28 10:58

Hi,

I'm currently updating and simplifying my UVNC deployment GPO, and I jsut realized that the uvnc bca certificate expired on March 18th.

Is there a new one ?



For those who are interested, my GPO is detailed below:

    Settings

  • Add UVNC BVA certificate in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
    This will allow mirror driver installation.


  • Create a VNC.bat as follow
    Code: Select all
    SET VNCversion=1_1_9
    :: Version is used for dynamic setup files references.

    SET REP=%~dp0
    PUSHD %REP%

    :: Know and push current directory, this enables use of UNC paths without problems, you can also move the whole on a new file server and redeploy without changing anything in the script.


    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V PROCESSOR_ARCHITECTURE | FINDSTR /I /c:AMD64
    SET ERRORARCHI64=%ERRORLEVEL%

    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V PROCESSOR_ARCHITECTURE | FINDSTR /I /c:x86
    SET ERRORARCHI32=%ERRORLEVEL%

    IF %ERRORARCHI64%==0 (
    GOTO :ARCHI64
    ) ELSE (
    GOTO :ARCHI32
    )

    :ARCHI32
    SET ARCHI=32
    SET PROGRAMFILES32=%PROGRAMFILES%
    SET WINSYSTEM32=%SYSTEMROOT%\System32
    GOTO :After_detection

    :ARCHI64
    SET ARCHI=64
    SET PROGRAMFILES32=%PROGRAMFILES% (x86)
    SET WINSYSTEM32=%SYSTEMROOT%\SysWOW64
    GOTO :After_detection

    :After_detection

    :: That one enables to know whether it runs on x64 or x64.

    :: Stop of OLD UVNC
    SC STOP uvnc_service

    :: Kill if still running
    taskkill /f /im winvnc.exe

    :: Service deletion
    SC DELETE uvnc_service

    :: Removing Folders (also remove former x86 edition on x64 PC)
    RD /S /Q "%PROGRAMFILES%\UltraVNC\"
    RD /S /Q "%PROGRAMFILES32%\UltraVNC\"
    RD /S /Q "%PROGRAMFILES%\uvnc bvba\UltraVNC\"
    RD /S /Q "%PROGRAMFILES32%\uvnc bvba\UltraVNC\"

    :: Shortcuts deletion
    RD /S /Q "%ALLUSERSPROFILE%\Start Menu\Programs\UltraVNC\"
    RD /S /Q "%ALLUSERSPROFILE%\Menu D‚marrer\Programmes\UltraVNC\"
    :: Remember XP is localized, above is for English and French, take care of accents when you save your bat file (choose right encoding), always test accents

    :: For Vista and later it's simple
    RD /S /Q "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\UltraVNC\"

    :: SETUP
    IF %ARCHI%==32 "%REP%UltraVNC_%VNCversion%_X86_Setup.exe" /verysilent /loadinf="setup-UVNC.inf"
    IF %ARCHI%==64 "%REP%UltraVNC_%VNCversion%_X64_Setup.exe" /verysilent /loadinf="setup-UVNC.inf"

    :: Addons Setup
    IF %ARCHI%==32 "%REP%UltraVNC_%VNCversion%_X86_Addons.exe" /verysilent /loadinf="setup-UVNC-addons.inf"
    IF %ARCHI%==64 "%REP%UltraVNC_%VNCversion%_X64_Addons.exe" /verysilent /loadinf="setup-UVNC-addons.inf"


    :: Unmount directory
    POPD



  • Prepare setup inf with xxxsetup.exe /saveinf command on setup and addon, the same inf can be used with x86 and x64
    Here are mines:

    setup-UVNC.inf
    Code: Select all
    [Setup]
    Lang=fr
    Dir=C:\Program Files\uvnc bvba\UltraVNC
    Group=UltraVNC
    NoIcons=0
    SetupType=custom
    Components=ultravnc_server_s,ultravnc_viewer
    Tasks=installservice,startservice,associate


    setup-UVNC-addons.inf
    Code: Select all
    [Setup]
    Lang=fr
    Dir=C:\Program Files\uvnc bvba\UltraVNC
    Group=UltraVNC
    NoIcons=0
    SetupType=custom
    Components=mirrordriver,encryptionplugins,schooks,w8hooks,w8keys
    Tasks=



  • Prepare your(s) ultravnc.ini conf files, I personally have 2
    One for clients (ask for connections)
    One for servers (doesn't ask)

    They are named ultravnc.ini and ultravnc-sans-confirmation.ini (French for no confirmation....)
    You can deploy conf files either in others GPO, or in this one, even multiples by using item level targeting, see below
    Image
    In this exemple I copy a conf if the computer is a client and has a different NETBIOS name than PCLA0999.

    The 2nd line copy the without confirmation conf on computers types servers or domain controllers
    select * from Win32_OperatingSystem where (ProductType = "2" or ProductType = "3")
    or that is named PCLA0999

    This is the opposite of the first one.


    If you need fine tuned conf, I invite you to use GPO .ini setings, see http://www.grouppolicy.biz/2012/02/how-to-use-group-policy-to-configured-ini-files/


    Please note that if you want to be sure that the .ini is ready before installing binaries, the conf part should be in another GPO that apply it and create the directory before deploying the setup.


  • Prepare a MSI with Windows Installer Wrapper Wizard 0.2.0 that just start a .bat when the MSI is installed Or repaired.
    I use exe because the provided MSI is not configurable, UVNC should provide informations for creating .mst transforms sets

  • Add MSI to your GPO
JCLB
 
Posts: 2
Joined: 2011-07-21 10:46


Return to 1.1.9.x

Who is online

Users browsing this forum: No registered users and 1 guest