My signed driver causes Windows (Windows 7 with the SHA256 hotfix) to fail to start with error code 0xC0000428 (Windows cannot verify the digital signature for this file).
I took over a driver project, created using Visual Studio 2010, and my first task was to update the expired code signing certificate. Originally the digital certificate was from GlobalSign, and we are now using DigiCert. The original programmer stated in an email to me that he has trouble with this topic every year.
I examined the working but expired icsflt.sys driver file and saw that it is SHA256 with the thumbprint being SHA1. Everything else works. I tried many different variations (dual-signed certificate, SHA1, and SHA2). My last attempt, straight from DigiCert technical support, uses the following command line.
C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
Done Adding Additional Store
Successfully signed: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Here is the certificate, which looks similar to the original one.
Here is the base certificate clearly showing SHA256 for the digest algorithm. The certificates are from the build machine. The first screenshot of the "Windows Boot Manager" is from the test machine.
Here are some of the links that I used from DigiCert's website.
Sign Code SignTool.exe Command Line
Installing Code Signing Certificate
Here is the working expired certificate view.
Here is the driver properties Digital Signature for the good/working driver.
You can tell them apart, as I renamed the good/working one icflt-good.sys. Aside from the company name, dates, and Certificate Authority (CA), the two look identical, yet Windows 7 barks at the new one from DigiCert.
Here is the code for the previous signtool.exe command lines, which I commented out.
@echo on
@REM see "How to Release-Sign a Driver Package" and "Release-Signing a Driver through an Embedded Signature in Windows DDK"
@REM despite the store's name seems to be Personal we should use MY when using Signtool. Otherwise the certificate is not found.
@REM when Personal store is created with makecert, another Personal is created. Weird.
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5250f1a5ddd11e3e4e924757e6da1c43dd3487c0 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac MSCV-GlobalSign.cer /s MY /sha1 5D743B02DCDE74B16D133BDFEB2E1C5F6F44E966 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM check $\IM6000\Certificate\current for the exact file names and password
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\MSCV-GlobalSign.cer /f %PROJECT_DIR%\..\Certificate\current\OS201602156091.pfx /p 1C73295775925A7EE1C6D35ADF9DF611A55A60B8 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /t http://timestamp.globalsign.com/scripts/timstamp.dll %mydriverpath%
@REM Signtool sign /v /fd sha256 /ac %PROJECT_DIR%\..\Certificate\current\GlobalSignRootCA.crt /f %PROJECT_DIR%\..\Certificate\current\OS201701106786.pfx /p ICScertificate2017 /tr http://timestamp.globalsign.com/scripts/timstamp.dll?td=sha256 /td sha256 %mydriverpath%
After much research, I figured out the problem. (Please give a thumbs up to the question and especially the answer.)
Signing kernel-level drivers requires cross signing using the /AC switch (Additional Certificate), which creates a cross certificate chain to a Microsoft Root Certificate.
Relevant links:
Microsoft Cross Certificate Links
Note: The article in the following link was wrong. The thumbprint DOES NOT need to match. The Issuer, however, needs to match exactly.
Cross Signing Kernel Mode Drivers
Fetch Issuer needed
I went to mmc and added Certificates (Personal). I then double clicked on my SHA256 certificate and noted the Issuer, which in my case was:
CN = DigiCert Assured ID Root CA
OU = www.digicert.com
O = DigiCert Inc
C = US
The thumbprint of my certificate, which does not matter, is:
05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43
The Microsoft Cross Certificate List again is here. My download was DigiCert Assured ID Root CA, which has a thumbprint of:
ba 3e a5 4d 72 c1 45 d3 7c 25 5e 1e a4 0a fb c6 33 48 b9 6e
I used the download link to obtain the file. That gave me a file of "DigiCert Assured ID Root CA.crt".
Note: I was told that the certificate had to be a CER extension. My testing and a conversation with DigiCert revealed that not to be true. CRT is perfectly fine.
The working sign tool command line is:
C:\ICS\IM6000\Certificate>"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /v /ac "DigiCert Assured ID Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
To verify that the signature is correctly cross-signed, I highly recommend issuing the following line:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /v "C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys"
Notice this output from the verification test:
Verifying: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Signature Index: 0 (Primary Signature)
Hash of file (sha256): FAFB2B31B8ED4A9E8F9EC84196E7E52009A4C709521457FD83FC1945DCF5872F
Signing Certificate Chain:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Nov 09 17:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert SHA2 Assured ID Code Signing CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Oct 22 05:00:00 2028
SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
Issued to: JMR Electronics, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Mon Jan 28 05:00:00 2019
SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
The signature is timestamped: Mon Jun 04 16:35:45 2018
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Nov 09 17:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert SHA2 Assured ID Timestamping CA
Issued by: DigiCert Assured ID Root CA
Expires: Tue Jan 07 05:00:00 2031
SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
Issued to: DigiCert SHA2 Timestamp Responder
Issued by: DigiCert SHA2 Assured ID Timestamping CA
Expires: Mon Jan 17 17:00:00 2028
SHA1 hash: 400191475C98891DEBA104AF47091B5EB6D4CBCB
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 06:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: DigiCert Assured ID Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 12:51:37 2021
SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E
Issued to: DigiCert SHA2 Assured ID Code Signing CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Oct 22 05:00:00 2028
SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
Issued to: JMR Electronics, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Mon Jan 28 05:00:00 2019
SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
Successfully verified: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
The key here, aside from the Successfully verified, is that the Cross Certificate Chain starts with Issued to: Microsoft Code Verification Root and ends with my digital code signing certificate, with everything in between. That is what Microsoft wants with Windows. Windows 7 or Windows 10 does not matter.
I also had to use signtool.exe from at least Windows 8.1. Earlier versions did not support all the required switches that I was told to use.
Although I did not need the SHA1 certificate in the end, finding out how to obtain one took a few cycles. I was told several times that I needed it, which I did not. For anyone who is interested, the instructions to obtain it are here. Everything is SHA256 nowadays, even on Windows 7 with the hotfix.
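As an added check that is not part of the original answer: the point the answer makes is that `signtool verify /kp /v` must show a Cross Certificate Chain that begins at Microsoft Code Verification Root and ends at your own code signing certificate. The Python script below parses that verbose report and flags the things that usually go wrong in a driver signing pipeline (no /ac, chain not rooted at the Microsoft cross root, a broken link in the chain, wrong leaf, non-SHA256 file digest, no timestamp). It assumes the report layout shown in the answer; the good sample is an abridged copy of the answer's own output, and the negative sample is constructed by removing the cross chain section (actual signtool wording for a file signed without /ac is not shown on this page).

```python
import re
from dataclasses import dataclass

SECTIONS = ("Signing Certificate Chain", "Timestamp Verified by", "Cross Certificate Chain")
MS_CROSS_ROOT = "Microsoft Code Verification Root"


@dataclass
class CertEntry:
    issued_to: str
    issued_by: str = ""
    sha1: str = ""


def parse_verify_output(text):
    """Split signtool's verbose verify report into its certificate chains plus a few flags."""
    report = {name: [] for name in SECTIONS}
    report.update(file_hash_alg=None, timestamped=False, verified=False)
    section, entry = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Hash of file \((\w+)\):", line)
        if m:
            report["file_hash_alg"] = m.group(1).lower()
        elif line.startswith("The signature is timestamped:"):
            report["timestamped"] = True
        elif line.startswith("Successfully verified:"):
            report["verified"] = True
        elif line.rstrip(":") in SECTIONS:          # "Cross Certificate Chain:" etc.
            section, entry = line.rstrip(":"), None
        elif section and line.startswith("Issued to:"):
            entry = CertEntry(issued_to=line.split(":", 1)[1].strip())
            report[section].append(entry)
        elif entry and line.startswith("Issued by:"):
            entry.issued_by = line.split(":", 1)[1].strip()
        elif entry and line.startswith("SHA1 hash:"):
            entry.sha1 = line.split(":", 1)[1].strip()
    return report


def check_cross_chain(report, expected_signer):
    """Return a list of problems; an empty list means the report shows a usable kernel-mode chain."""
    problems = []
    if not report["verified"]:
        problems.append("signtool did not report 'Successfully verified'")
    if report["file_hash_alg"] != "sha256":
        problems.append(f"file digest is {report['file_hash_alg']}, expected sha256 (/fd sha256)")
    if not report["timestamped"]:
        problems.append("signature is not timestamped (/tr and /td missing?)")
    chain = report["Cross Certificate Chain"]
    if not chain:
        problems.append("no Cross Certificate Chain: driver was not signed with /ac")
        return problems
    if chain[0].issued_to != MS_CROSS_ROOT or chain[0].issued_by != MS_CROSS_ROOT:
        problems.append(f"cross chain does not start at '{MS_CROSS_ROOT}'")
    for parent, child in zip(chain, chain[1:]):      # each cert must be issued by the one above it
        if child.issued_by != parent.issued_to:
            problems.append(f"broken link: '{child.issued_to}' not issued by '{parent.issued_to}'")
    if chain[-1].issued_to != expected_signer:
        problems.append(f"cross chain ends at '{chain[-1].issued_to}', not '{expected_signer}'")
    return problems


# Abridged copy of the verify output shown in the answer (Timestamp Verified by section omitted).
SAMPLE_GOOD = r"""
Verifying: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
Hash of file (sha256): FAFB2B31B8ED4A9E8F9EC84196E7E52009A4C709521457FD83FC1945DCF5872F
Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    Issued to: DigiCert SHA2 Assured ID Code Signing CA
    Issued by: DigiCert Assured ID Root CA
    SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
    Issued to: JMR Electronics, Inc.
    Issued by: DigiCert SHA2 Assured ID Code Signing CA
    SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
The signature is timestamped: Mon Jun 04 16:35:45 2018
Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    Issued to: DigiCert Assured ID Root CA
    Issued by: Microsoft Code Verification Root
    SHA1 hash: BA3EA54D72C145D37C255E1EA40AFBC63348B96E
    Issued to: DigiCert SHA2 Assured ID Code Signing CA
    Issued by: DigiCert Assured ID Root CA
    SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6
    Issued to: JMR Electronics, Inc.
    Issued by: DigiCert SHA2 Assured ID Code Signing CA
    SHA1 hash: 9CDC225480659E8CDD6E794A81455C905403755B
Successfully verified: C:\ICS\IM6000\filter\objfre_win7_AMD64\amd64\icsflt.sys
"""

# Constructed negative case: the same report with the cross chain section cut out.
_head, _tail = SAMPLE_GOOD.split("Cross Certificate Chain:")
SAMPLE_NO_CROSS = _head + _tail[_tail.index("Successfully verified:"):]

if __name__ == "__main__":
    for label, sample in (("cross-signed", SAMPLE_GOOD), ("no /ac", SAMPLE_NO_CROSS)):
        print(label, check_cross_chain(parse_verify_output(sample), "JMR Electronics, Inc.") or "OK")
```

In a build script, pipe the real `signtool verify /kp /v` output into `parse_verify_output` and fail the build when `check_cross_chain` returns anything; the leaf subject to pass as `expected_signer` is the "Issued to" of your own code signing certificate.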