Driver digital signing issue Win7 64x

[swesound]

I am having a problem with the mirror driver (using the addons x64 1190 installer) in Win 7 Enterprise 64. The install proceeds correctly, but upon reboot, windows disables the driver saying there is a problem with the digital signature. I have tried installs on 3 machines with the same results. The installer from 5-2-2013 does not have this problem and works correctly.

Scott

[Rudi De Vos]

Reuploaded.

Looks like the .cat was not remade after resigning.

[swesound]

Hi Rudi,
After testing the new install file, I am having the same issue.

Scott

[Rudi De Vos]

retested myself and it installed without a problem on win7 x64...
I get the popup that the driver is from uvnc bvba and after accept all is OK.

Possible you imported the certificat ( Globalsign) as trused publisher to avoid this popup.
Because we know have a new certificat from Verisign it's not the same as the imported one
In that case you need to import also the new cert.

What error did you get ?

[swesound]

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
I get the "do you trust this provider" pop-up during the driver install, but after rebooting, error 52 shows up in device manager.
I think the issue lies with the fact that we are running the Enterprise edition of Win7. We have had this issue in the past with audio card drivers. There is a difference in how Enterprise treats driver verification. I'm not sure what it is, but I know that it exists. The vendor had to do some research and correct the problem.
The previous installer goes in without any issues.

Scott

[Rudi De Vos]

I'm testing on a win7 x64 enterprise edition
No error and the driver verification tell the kernel mode cross signing is OK.
if you have the signtool, it would be handy to run the verify to see what is say

The previous installer used a certificat from Globalsin and the globalsign cross and root certificat.
We moved to verisign because it was required by MS. They only accept verisgn signed exe for logo testing.

You could try to install the certificats from MS, it could be that one of the root certifacts ( they are not auto updated)
is to old.

Code: Select all

http://msdn.microsoft.com/en-us/library/dn170454(v=vs.85).aspx

Download cross-certificate for VeriSign Class 3 Public Primary Certification Authority – G5
Download cross-certificate for VeriSign Universal Root Certification Authority



The signing looks ok
signtool verify /v /kp ../mv2.sys
-----------------
verifying: ..mv2.sys
SHA1 hash of file: A9493CB6B6BEDAB7E83E2B8DEC1956927A579A6A
Signing Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 1/11/2025 15:54:03
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: 22/02/2021 21:35:17
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 8/02/2020 1:59:59
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: uvnc bvba
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: 12/10/2016 1:59:59
SHA1 hash: 075BD1CAB5AE085E523AF7883FC0A8127BE08C71

The signature is timestamped: 19/09/2013 0:16:32
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: 1/01/2021 1:59:59
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: 31/12/2020 1:59:59
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: 30/12/2020 1:59:59
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Successfully verified: ../mv2.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
-------------------

[Rudi De Vos]

The driver zip you can download is the old version, meaning driver signed with a Globalsign certificat.
The drivers in the addon exe are signed with the new verisign certificat.

The install program didn't changed for years, only we resigned all driver files.

I realy don't know what's wrong with this certificat as it works on my own system and all files signed with it are accepted
my MS for file verification. ( THat's the reason we changed to Verisign, as it is the only certificat accepte by MS)

Possible this certificat is to new and depend on other certificats, like i explained in the previous post.
If that is the case, some certificats (root) need to be updated on the system before our cert wil work.

[Rudi De Vos]

My workpc also seems to have the not signed issue, while the same exe install proper on my home pc.
This allow me todo some tests

[Rudi De Vos]

Erro is actual
Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

This mean that the problem is not the uvnc certificat, but the cross sign verisign certificat that isn't thrusted " root certificat"
For some reason MS isn't thrusting the Verisign root certificat.

Google tell me that more people seems to have the same issue...
Searching for a solution

[Rudi De Vos]

I guess we are seeing a mix if things.

I updated the signature, but driver was still the same version.
If the previous version was installed, you now get parts cached in the driver store with new... in other words all get messed.
The cat file contain a hash of the sys and dll, when you start mixing sys/dll/cat a sys with a verisign or globalsign signing has a different hash

But the cause is still that the verisign cert is not accepted by the OS.
And it works proper on my Home PC but fail on my Office PC.
Something is wrong with the signature... but's a hell to find what's causing it.

Gonne take some time.

[Rudi De Vos]

Tested using vmware workstation
en_windows_7_ultimate_n_with_sp1_x64_dvd_u_677543.iso (2011)
driver work correct.
gonna test now with 65922 (2009)
That version also works
Tested with a win7 enterprise -> driver ok

Now i'm running into circles....
The only difference is that on the work computer the old version of the driver was previous installed.

Next test are for tomorrow.

[Rudi De Vos]

Found
The answer was simple !ç"'(à!çé"è(!é"è(!çé(è"

The download is the incorrect (11/9)version.
I was testing @home with my local version (19/9) and @work with the downloaded version.

The .cat files was wrong in the 11/9 version

[Rudi De Vos]

files updated

[swesound]

Rudi,
Thanks for all your work on this issue!!

[rcooke]

Aha!

I noticed that on a machine and was wondering what caused it.

Glad you figured it out! I'm so used to uVNC "just working" that this really threw me for a loop!

[JCLB]

Hi,

I'm currently updating and simplifying my UVNC deployment GPO, and I jsut realized that the uvnc bca certificate expired on March 18th.

Is there a new one ?



For those who are interested, my GPO is detailed below:

• Settings
• Add UVNC BVA certificate in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
  This will allow mirror driver installation.
  
• Create a VNC.bat as follow

  Code: Select all

  SET VNCversion=1_1_9
  :: Version is used for dynamic setup files references.
  
  SET REP=%~dp0
  PUSHD %REP%
  
  :: Know and push current directory, this enables use of UNC paths without problems, you can also move the whole on a new file server and redeploy without changing anything in the script.
  
  
  REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V PROCESSOR_ARCHITECTURE | FINDSTR /I /c:AMD64
  SET ERRORARCHI64=%ERRORLEVEL%
  
  REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V PROCESSOR_ARCHITECTURE | FINDSTR /I /c:x86
  SET ERRORARCHI32=%ERRORLEVEL%
  
  IF %ERRORARCHI64%==0 (
  GOTO :ARCHI64
  ) ELSE (
  GOTO :ARCHI32
  )
  
  :ARCHI32
  SET ARCHI=32
  SET PROGRAMFILES32=%PROGRAMFILES%
  SET WINSYSTEM32=%SYSTEMROOT%\System32
  GOTO :After_detection
  
  :ARCHI64
  SET ARCHI=64
  SET PROGRAMFILES32=%PROGRAMFILES% (x86)
  SET WINSYSTEM32=%SYSTEMROOT%\SysWOW64
  GOTO :After_detection
  
  :After_detection
  
  :: That one enables to know whether it runs on x64 or x64. 
  
  :: Stop of OLD UVNC
  SC STOP uvnc_service
  
  :: Kill if still running
  taskkill /f /im winvnc.exe
  
  :: Service deletion
  SC DELETE uvnc_service
  
  :: Removing Folders (also remove former x86 edition on x64 PC)
  RD /S /Q "%PROGRAMFILES%\UltraVNC\"
  RD /S /Q "%PROGRAMFILES32%\UltraVNC\"
  RD /S /Q "%PROGRAMFILES%\uvnc bvba\UltraVNC\"
  RD /S /Q "%PROGRAMFILES32%\uvnc bvba\UltraVNC\"
  
  :: Shortcuts deletion
  RD /S /Q "%ALLUSERSPROFILE%\Start Menu\Programs\UltraVNC\"
  RD /S /Q "%ALLUSERSPROFILE%\Menu D‚marrer\Programmes\UltraVNC\"
  :: Remember XP is localized, above is for English and French, take care of accents when you save your bat file (choose right encoding), always test accents
  
  :: For Vista and later it's simple
  RD /S /Q "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\UltraVNC\"
  
  :: SETUP
  IF %ARCHI%==32 "%REP%UltraVNC_%VNCversion%_X86_Setup.exe" /verysilent /loadinf="setup-UVNC.inf"
  IF %ARCHI%==64 "%REP%UltraVNC_%VNCversion%_X64_Setup.exe" /verysilent /loadinf="setup-UVNC.inf"
  
  :: Addons Setup
  IF %ARCHI%==32 "%REP%UltraVNC_%VNCversion%_X86_Addons.exe" /verysilent /loadinf="setup-UVNC-addons.inf"
  IF %ARCHI%==64 "%REP%UltraVNC_%VNCversion%_X64_Addons.exe" /verysilent /loadinf="setup-UVNC-addons.inf"
  
  
  :: Unmount directory
  POPD
  
  

• Prepare setup inf with xxxsetup.exe /saveinf command on setup and addon, the same inf can be used with x86 and x64
  Here are mines:
  
  setup-UVNC.inf

  Code: Select all

  [Setup]
  Lang=fr
  Dir=C:\Program Files\uvnc bvba\UltraVNC
  Group=UltraVNC
  NoIcons=0
  SetupType=custom
  Components=ultravnc_server_s,ultravnc_viewer
  Tasks=installservice,startservice,associate
  

  setup-UVNC-addons.inf

  Code: Select all

  [Setup]
  Lang=fr
  Dir=C:\Program Files\uvnc bvba\UltraVNC
  Group=UltraVNC
  NoIcons=0
  SetupType=custom
  Components=mirrordriver,encryptionplugins,schooks,w8hooks,w8keys
  Tasks=
  

• Prepare your(s) ultravnc.ini conf files, I personally have 2
  One for clients (ask for connections)
  One for servers (doesn't ask)
  
  They are named ultravnc.ini and ultravnc-sans-confirmation.ini (French for no confirmation....)
  You can deploy conf files either in others GPO, or in this one, even multiples by using item level targeting, see below
  
  In this exemple I copy a conf if the computer is a client and has a different NETBIOS name than PCLA0999.
  
  The 2nd line copy the without confirmation conf on computers types servers or domain controllers
  select * from Win32_OperatingSystem where (ProductType = "2" or ProductType = "3")
  or that is named PCLA0999
  
  This is the opposite of the first one.
  
  
  If you need fine tuned conf, I invite you to use GPO .ini setings, see http://www.grouppolicy.biz/2012/02/how- ... ini-files/
  
  
  Please note that if you want to be sure that the .ini is ready before installing binaries, the conf part should be in another GPO that apply it and create the directory before deploying the setup.
  
• Prepare a MSI with Windows Installer Wrapper Wizard 0.2.0 that just start a .bat when the MSI is installed Or repaired.
  I use exe because the provided MSI is not configurable, UVNC should provide informations for creating .mst transforms sets
• Add MSI to your GPO