Title: An Introduction to Windows File Signatures
Author: bluerust
Created: 2017-03-17 22:51
Updated: 2017-03-29 10:44
Link: http://scz.617.cn:8/windows/201703172251.txt

--------------------------------------------------------------------------

Contents:

☆ Signing methods
☆ Checking signatures
    1) signtool.exe
    2) sigcheck.exe
☆ Windows policies
☆ Installation warnings from the Xiaomi MiFlash tool
☆ Notes from discussions
☆ References

--------------------------------------------------------------------------

☆ Signing methods

According to [1], a Windows file can be signed in one of two ways:

--------------------------------------------------------------------------
a) embedded in the PE file

   adding a digital signature to the PE file (embedded digital signature)

b) file hash stored in a catalog file

   adding a hash of the file to a security catalog file (filetype .cat)
--------------------------------------------------------------------------

With the first method the file's Properties dialog shows a "Digital
Signatures" tab; Windows hotfix binaries and boot-start drivers are signed
this way. A catalog-signed file shows no such tab.

An embedded signature needs a container format with room for it (PE files,
and also formats such as MSI and CAB); catalog signing works for any file,
INF files included, because only the file's hash is stored in the catalog.

When signtool.exe, sigcheck.exe and similar tools check a catalog
signature, they look the file's hash up in the system catalog database,
whose .cat files live under %systemroot%\system32\catroot\{GUID}\.

There is a second directory, %systemroot%\system32\catroot2\, whose role is
not the same as catroot's; quoting [2]:

--------------------------------------------------------------------------
catroot and catroot2 are Windows operating system folders that are
required for the Windows Update process. When you run Windows Update, the
catroot2 folder stores the signatures of the Windows Update package and
helps in its installation.
--------------------------------------------------------------------------

☆ Checking signatures

1) signtool.exe

signtool.exe ships with the Windows SDK; a Visual Studio installation
normally includes it.

--------------------------------------------------------------------------
$ signtool.exe /?
Usage: signtool [options]

        Valid commands:
                sign       --  Sign files using an embedded signature.
                timestamp  --  Timestamp previously-signed files.
                verify     --  Verify embedded or catalog signatures.
                catdb      --  Modify a catalog database.

For help on a specific command, enter "signtool <command> /?"
--------------------------------------------------------------------------

$ signtool.exe verify /?
Usage: signtool verify [options]

Use the "verify" command to verify embedded or catalog signatures.
Verification determines if the signing certificate was issued by a trusted
party, whether that certificate has been revoked, and whether the
certificate is valid under a specific policy. Options allow you to specify
requirements that must be met and to specify how to find the catalog, if
appropriate. Catalogs are used by Microsoft and others to sign many files
very efficiently.

Catalog options:
    /a      Automatically attempt to verify the file using all methods.
            First search for a catalog using all catalog databases. If the
            file is not signed in any catalog, attempt to verify the
            embedded signature. When verifying files that may or may not
            be signed in a catalog, such as Windows files and drivers, this
            option is the easiest way to ensure that the signature is
            found.
    /ad     Find the catalog automatically using the default catalog
            database.
    /as     Find the catalog automatically using the system component
            (driver) catalog database.
    /ag     Find the catalog automatically in the specified catalog
            database. Catalog databases are identified by GUID.
            Example GUID: {F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    /c      Specify the catalog file.
    /o      When verifying a file that is in a signed catalog, verify that
            the file is valid for the specified platform.
            Parameter format is: PlatformID:VerMajor.VerMinor.BuildNumber

SignTool uses the "Windows Driver" Verification Policy by default. The
options below allow you to use alternate Policies.

Verification Policy options:
    /pa     Use the "Default Authenticode" Verification Policy.
    /pg     Specify the verification policy by GUID (also called ActionID).

Signature requirement options:
    /r      Specify the Subject Name of a Root cert that the signing cert
            must chain to.
    /tw     Generate a Warning if the signature is not timestamped.

Other options:
    /kp     Perform the verification with the kernel-mode driver signing
            policy.
    /q      No output on success and minimal output on failure. As always,
            SignTool returns 0 on success, 1 on failure, and 2 on warning.
    /v      Print verbose success and status messages. This may also
            provide slightly more information on error. If you want to see
            information about the signer, you should use this option.
    /ph     Print and verify page hash values.
    /d      Print Description and Description URL.
--------------------------------------------------------------------------

Common usage examples. acpi.sys is a driver, so it is verified with /kp
(kernel-mode driver signing policy); ntdll.dll is a user-mode DLL and is
checked against the default Authenticode policy with /pa.

--------------------------------------------------------------------------
$ signtool.exe verify /a /kp /v /ph /d %systemroot%\system32\drivers\acpi.sys

Verifying: C:\Windows\system32\drivers\acpi.sys
File is signed in catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
Hash of file (sha1): 189FCAC26B3B7351E3A6830BF0DE5DA7FDC523F2

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Verification PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Wed Mar 16 06:05:41 2016
        SHA1 hash: 5DF0D7571B0780783960C68B78571FFD7EDAF021

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Verification PCA
            Expires:   Tue Mar 08 05:57:40 2011
            SHA1 hash: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4

The signature is timestamped: Sun Nov 21 03:37:07 2010
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 21:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Tue Jul 26 03:23:45 2011
            SHA1 hash: 7CB0244C7CEC5283E7EFDADF5CCC58772DD67F42

Cross Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Verification PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Wed Mar 16 06:05:41 2016
        SHA1 hash: 5DF0D7571B0780783960C68B78571FFD7EDAF021

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Verification PCA
            Expires:   Tue Mar 08 05:57:40 2011
            SHA1 hash: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4

Description: Microsoft Windows
Description URL: http://www.microsoft.com

Successfully verified: C:\Windows\system32\drivers\acpi.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
--------------------------------------------------------------------------

signtool reports the SHA1 of acpi.sys as 189FCAC26B3B7351E3A6830BF0DE5DA7FDC523F2,
yet a plain SHA1 over the file gives 54fb26c69829d3f1d0774d4e608327ffefa34d76.
Where the reported value comes from is resolved in the sigcheck section
below.

--------------------------------------------------------------------------
$ signtool.exe verify /a /pa /v /ph /d %systemroot%\system32\ntdll.dll

Verifying: C:\Windows\system32\ntdll.dll
File is signed in catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_178_for_KB4012215~31bf3856ad364e35~amd64~~6.1.1.2.cat
Hash of file (sha1): CB06E72F615B4CC217433B1A5A61256FDD806BC8

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Verification PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Mon May 10 07:28:13 2021
        SHA1 hash: A5EEF4E193075BD3C271793C950729360059593A

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Verification PCA
            Expires:   Tue May 23 02:12:21 2017
            SHA1 hash: 2297004E2D61F9F0F40B7651E57E6D6A69D9678A

The signature is timestamped: Sun Mar 05 14:50:33 2017
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 21:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Sat Sep 08 01:58:53 2018
            SHA1 hash: 1A6BFE1180E89B963BA4C6A64BF3604DBDB9EE84

Embedded page hashes:
    0x00000000 142FB5EAD998ADB93BBFAB3BA27FCD62DEFDC8EC
    0x00000400 D2193ED570DACD6DF3B0C92DF18607BC19F9FBB5
    ...
    0x001a2800 1A97E76EE0123939F51673F980D0FCCCD99B671A
    0x001a2e00 0000000000000000000000000000000000000000

Description: Windows Express Security Catalogs
Description URL: http://www.microsoft.com

Successfully verified: C:\Windows\system32\ntdll.dll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
--------------------------------------------------------------------------

The same applies to CB06E72F615B4CC217433B1A5A61256FDD806BC8 reported for
ntdll.dll: it is not the plain SHA1 of the file either.

2) sigcheck.exe

sigcheck.exe is a Sysinternals tool; its drawback is that recent versions
no longer run on Windows XP.

--------------------------------------------------------------------------
$ sigcheck.exe

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: sigcheck.exe [-a][-h][-i][-e][-l][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r][s]][-f catalog file]
usage: sigcheck.exe -d [-c|-ct]
usage: sigcheck.exe -o [-vt][-v[r]]
usage: sigcheck.exe -t[u][v] [-i] [-c|-ct]

-a      Show extended version information. The entropy measure reported
        is the bits per byte of information of the file's contents.
-c      CSV output with comma delimiter
-ct     CSV output with tab delimiter
        Specify -nobanner to avoid banner being output to CSV
-d      Dump contents of a catalog file
-e      Scan executable images only (regardless of their extension)
-f      Look for signature in the specified catalog file
-h      Show file hashes
-i      Show catalog name and signing chain
-l      Traverse symbolic links and directory junctions
-m      Dump manifest
-n      Only show file version number
-o      Performs Virus Total lookups of hashes captured in a CSV file
        previously captured by Sighcheck when using the -h option. This
        usage is intended for scans of offline systems.
-r      Disable check for certificate revocation
-s      Recurse subdirectories
-t[u][v] Dump contents of specified certificate store ('*' for all stores).
        Specify -tu to query the user store (machine store is the default).
        Append '-v' to have Sigcheck download the trusted Microsoft root
        certificate list and only output valid certificates not rooted to
        a certificate on that list. If the site is not accessible,
        authrootstl.cab or authroot.stl in the current directory are used
        instead, if present.
-u      If VirusTotal check is enabled, show files that are unknown by
        VirusTotal or have non-zero detection, otherwise show only
        unsigned files.
-v[rs]  Query VirusTotal (www.virustotal.com) for malware based on file
        hash. Add 'r' to open reports for files with non-zero detection.
        Files reported as not previously scanned will be uploaded to
        VirusTotal if the 's' option is specified. Note scan results may
        not be available for five or more minutes.
-vt     Before using VirusTotal features, you must accept VirusTotal terms
        of service. See: https://www.virustotal.com/en/about/terms-of-service/
        If you haven't accepted the terms and you omit this option, you
        will be interactively prompted.
-nobanner Do not display the startup banner and copyright message.
--------------------------------------------------------------------------

Common usage examples:

--------------------------------------------------------------------------
$ sigcheck.exe -e -h -i %systemroot%\system32\drivers\acpi.sys

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\drivers\acpi.sys:
        Verified:       Signed
        Link date:      17:19 2010/11/20
        Signing date:   21:32 2010/11/20
        Catalog:        c:\windows\system32\drivers\acpi.sys
        Signers:
           Microsoft Windows
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Code Signing, NT5 Crypto
                Cert Issuer:    Microsoft Windows Verification PCA
                Serial Number:  61 15 23 0F 00 00 00 00 00 0A
                Thumbprint:     02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
                Algorithm:      sha1RSA
                Valid from:     5:57 2009/12/8
                Valid to:       5:57 2011/3/8
           Microsoft Windows Verification PCA
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Code Signing, NT5 Crypto
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 07 02 DC 00 00 00 00 00 0B
                Thumbprint:     5DF0D7571B0780783960C68B78571FFD7EDAF021
                Algorithm:      sha1RSA
                Valid from:     5:55 2005/9/16
                Valid to:       6:05 2016/3/16
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Counter Signers:
           Microsoft Time-Stamp Service
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA
                Serial Number:  61 03 DC F6 00 00 00 00 00 0C
                Thumbprint:     56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
                Algorithm:      sha1RSA
                Valid from:     3:12 2008/7/26
                Valid to:       3:22 2011/7/26
           Microsoft Time-Stamp PCA
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 16 68 34 00 00 00 00 00 1C
                Thumbprint:     375FCB825C3DC3752A02E34EB70993B4997191EF
                Algorithm:      sha1RSA
                Valid from:     20:53 2007/4/3
                Valid to:       21:03 2021/4/3
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Company:        Microsoft Corporation
        Description:    ACPI Driver for NT
        Product:        Microsoft® Windows® Operating System
        Prod version:   6.1.7601.17514
        File version:   6.1.7601.17514 (win7sp1_rtm.101119-1850)
        MachineType:    64-bit
        MD5:    D81D9E70B8A6DD14D42D7B4EFA65D5F2
        SHA1:   54FB26C69829D3F1D0774D4E608327FFEFA34D76
        PESHA1: 189FCAC26B3B7351E3A6830BF0DE5DA7FDC523F2
        PE256:  98ABEDD5DBE7CDB12EE75B151E6E9181377E091B3577D628892E1D02E2D7EC08
        SHA256: FDAAB7E23012B4D31537C5BDEF245BB0A12FA060A072C250E21C68E18B22E002
        IMP:    59C0C982EE3E674A58BF16BEFC1F212C
--------------------------------------------------------------------------

Note that sigcheck still reports "Verified: Signed" although the leaf
certificate expired in 2011: the signature carries a timestamp
countersignature, so the signing certificate only has to have been valid
at signing time. signtool shows the same thing under "The signature is
timestamped".

--------------------------------------------------------------------------
$ sigcheck.exe -e -h -i %systemroot%\system32\ntdll.dll

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\ntdll.dll:
        Verified:       Signed
        Link date:      0:33 2017/2/10
        Signing date:   0:32 2017/2/10
        Catalog:        c:\windows\system32\ntdll.dll
        Signers:
           Microsoft Windows
                Cert Status:    Valid
                Valid Usage:    NT5 Crypto, Code Signing
                Cert Issuer:    Microsoft Windows Verification PCA
                Serial Number:  33 00 00 00 47 27 42 19 51 D6 77 97 3D 00 01 00 00 00 47
                Thumbprint:     2297004E2D61F9F0F40B7651E57E6D6A69D9678A
                Algorithm:      sha1RSA
                Valid from:     2:12 2016/11/23
                Valid to:       2:12 2017/5/23
           Microsoft Windows Verification PCA
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 0A 59 2B 00 00 00 00 00 3B
                Thumbprint:     A5EEF4E193075BD3C271793C950729360059593A
                Algorithm:      sha1RSA
                Valid from:     7:24 2016/2/12
                Valid to:       7:28 2021/5/10
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Counter Signers:
           Microsoft Time-Stamp Service
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA
                Serial Number:  33 00 00 00 C5 96 40 60 4B F4 DE AE 2E 00 00 00 00 00 C5
                Thumbprint:     7BA57715B0F79CA2CF921E5F2A72BE11C2FADC67
                Algorithm:      sha1RSA
                Valid from:     1:58 2016/9/8
                Valid to:       1:58 2018/9/8
           Microsoft Time-Stamp PCA
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 16 68 34 00 00 00 00 00 1C
                Thumbprint:     375FCB825C3DC3752A02E34EB70993B4997191EF
                Algorithm:      sha1RSA
                Valid from:     20:53 2007/4/3
                Valid to:       21:03 2021/4/3
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Company:        Microsoft Corporation
        Description:    NT Layer DLL
        Product:        Microsoft® Windows® Operating System
        Prod version:   6.1.7601.23677
        File version:   6.1.7601.23677 (win7sp1_ldr.170209-0600)
        MachineType:    64-bit
        MD5:    2D7984E5338364234FB69BC7A1D3F8D9
        SHA1:   BBE41AC895C1AC58ADE0D896B89E2D22C1D18B6D
        PESHA1: CB06E72F615B4CC217433B1A5A61256FDD806BC8
        PE256:  2D3A070BC0AD8DA64AB475B2767637E40EA6597C8BA75D3F2E4C5C187F4D7280
        SHA256: F20FB0B46146D508169271AFA4117AFE788E9EDD0431FD1A063B79BC93F3208C
        IMP:    n/a
--------------------------------------------------------------------------

sigcheck's output shows that the "SHA1" signtool prints is in fact PESHA1,
the Authenticode hash of the PE image. Its computation is specified in
Microsoft's "Windows Authenticode Portable Executable Signature Format"
document, so there is no need to reverse-engineer sigcheck.exe for it.

Addition from zyh: PESHA1 is the hash computed after removing the CheckSum
field and the Security data directory (including its 8-byte entry).

More precisely, the specification hashes the headers minus those two
fields, then every section in PointerToRawData order, then any trailing
data minus the attribute certificate table itself. For a catalog-signed
file, which carries no certificate table, this reduces to what zyh
describes: the whole file with 12 bytes left out. It is also why the
Authenticode hash of a PE survives re-signing, re-timestamping and a
checksum fix-up, while a plain SHA1 of the file does not.

☆ Windows policies

Since Vista, every 64-bit Windows requires kernel-mode drivers to carry a
valid signature [3]. "Valid" here means a signature made with a
CA-issued certificate; for kernel-mode code the chain has to reach, via a
Microsoft cross-certificate, a root the kernel trusts. Starting with
Windows 10 (version 1607, on systems with Secure Boot enabled) new drivers
must additionally be signed by Microsoft through the Windows Hardware Dev
Center Dashboard [3].

For driver development and testing, however, Windows can be configured to
load test-signed drivers as well [4]:

bcdedit /set testsigning on
bcdedit /set testsigning off
bcdedit /enum {current} | findstr testsigning

Per [5], enabling testsigning has these consequences:

--------------------------------------------------------------------------
When the bcdedit option for test-signing is enabled, Windows does the
following:

a) Displays a watermark with the text "Test Mode" in all four corners of
   the desktop, to remind users the system has test-signing enabled.

   Note  Starting with Windows 7, Windows displays this watermark only in
   the lower left-hand corner of the desktop.

b) The operating system loader and the kernel load drivers that are signed
   by any certificate. The certificate validation is not required to chain
   up to a trusted root certification authority. However, each driver
   image file must have a digital signature.
--------------------------------------------------------------------------

In short: a watermark appears on the desktop, and the signing certificate
no longer has to chain to a trusted root, although every driver still has
to be signed by something. The setting takes effect at the next boot.

☆ Installation warnings from the Xiaomi MiFlash tool

http://bigota.d.miui.com/tools/MiFlashSetup201612220.msi

Installing this on 64-bit Windows 7 pops up the driver-installation
security warning several times:

    Windows can't verify the publisher of this driver software [6]

Monitoring msiexec.exe with Process Monitor shows it writing to

    c:\windows\inf\setupapi.dev.log

and reading that log explains each warning.

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Google\Driver\android_winusb.inf]
...
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:54:41.827
     inf: Opened INF: 'C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\android_winusb.inf' ([strings])
     sig: {_VERIFY_FILE_SIGNATURE} 14:54:41.897
     sig:      Key      = android_winusb.inf
     sig:      FilePath = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\android_winusb.inf
     sig:      Catalog  = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\xiaomiwinusba64.cat
!    sig:      Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:      Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:54:41.928
     sig: {_VERIFY_FILE_SIGNATURE} 14:54:41.929
     sig:      Key      = android_winusb.inf
     sig:      FilePath = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\android_winusb.inf
     sig:      Catalog  = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\xiaomiwinusba64.cat
!    sig:      Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:      Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:54:41.931
!!!  sto: An unexpected error occurred while validating driver package.
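The PESHA1 question left open in the sigcheck section can be settled by computing the Authenticode hash directly. The following Python script is an added example; it is not part of the original article and not how signtool or sigcheck are implemented. It parses the PE headers, skips CheckSum, the security data directory entry and the certificate table, and hashes the rest in the order the Authenticode specification prescribes. It also implements the shortcut zyh describes (whole file minus the 12 bytes) so the two can be compared: they agree for a file without an embedded certificate table and diverge once one is present. The sample PE it builds is a constructed, non-executable stub used only as input; on a real system, run the script on %systemroot%\system32\drivers\acpi.sys and compare with the PESHA1 and PE256 lines of sigcheck -h.

```python
"""Authenticode ("PE") hash of a PE file, as reported by sigcheck's PESHA1/PE256.

Added example; not code from the original article, signtool or sigcheck.
"""
import hashlib
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_layout(data):
    """Return (checksum_off, secdir_off, size_of_headers, sections, cert_off, cert_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32
        datadir = opt + 96
    elif magic == 0x20B:      # PE32+
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    checksum_off = opt + 64                      # OptionalHeader.CheckSum
    secdir_off = datadir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw:
            sections.append((ptr_raw, size_raw))
    return checksum_off, secdir_off, size_of_headers, sections, cert_off, cert_size


def authenticode_hash(data, algo="sha1"):
    """Hash per the Authenticode PE spec: headers minus CheckSum and the security
    directory entry, sections in PointerToRawData order, trailing data minus the
    attribute certificate table. Returns lower-case hex."""
    checksum_off, secdir_off, size_of_headers, sections, cert_off, _ = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:size_of_headers])
    hashed = size_of_headers
    for ptr_raw, size_raw in sorted(sections):
        h.update(data[ptr_raw:ptr_raw + size_raw])
        hashed += size_raw
    # Data after the last section (e.g. debug info) is hashed, except the
    # certificate table, which the spec requires to sit at the end of the file.
    end = cert_off if cert_off else len(data)
    if end > hashed:
        h.update(data[hashed:end])
    return h.hexdigest()


def stripped_file_hash(data, algo="sha1"):
    """The shortcut described in the article: whole file minus CheckSum (4 bytes)
    and the security directory entry (8 bytes). Equals authenticode_hash() only
    for files without an embedded certificate table."""
    checksum_off, secdir_off = pe_layout(data)[:2]
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:])
    return h.hexdigest()


def build_sample_pe(checksum=0, cert=b""):
    """Constructed sample: a minimal, non-runnable PE32+ with one section and an
    optional fake certificate table appended. Input for testing only."""
    size_opt, size_of_headers = 240, 0x200
    body = b"\xcc" * 0x200                       # fake .text contents
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", op_ := opt, 64, checksum)   # CheckSum: excluded from the hash
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    if cert:                                     # security directory -> appended cert table
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         size_of_headers + len(body), len(cert))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x22)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, len(body),
                          size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(size_of_headers, b"\0") + body + cert


if __name__ == "__main__":
    # Usage: authenticode_hash.py <pe-file>; compare with sigcheck's PESHA1/PE256.
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print("PESHA1:", authenticode_hash(blob, "sha1").upper())
    print("PE256: ", authenticode_hash(blob, "sha256").upper())
```

The script only handles the layout the specification assumes (certificate table at the end of the file, sections not overlapping the headers); a deliberately malformed PE can still be verified by Windows in ways this code does not reproduce, so treat a mismatch against sigcheck as a prompt to inspect the file, not as proof of tampering.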
          Assuming that driver package is unsigned. Catalog = xiaomiwinusba64.cat, Error = 0xE0000244
!    sto: Driver package is considered unsigned, but user wants to install driver package anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:25.858
--------------------------------------------------------------------------

Note the lines beginning with "!" (warnings) and "!!!" (errors). The
signature check for android_winusb.inf fails with error 0xe0000244: the
file was tested (and its catalog signed) for a different OS version than
the one it is being installed on. SetupAPI therefore falls back to
"Assuming that driver package is unsigned", and the installation warning
asks the user whether to proceed.

android_winusb.inf names its catalog files:

--------------------------------------------------------------------------
[Version]
Signature           = "$Windows NT$"
Class               = AndroidUsbDeviceClass
ClassGuid           = {3F966BD9-FA04-4ec5-991C-D326973B5128}
Provider            = %ProviderName%
DriverVer           = 11/03/2016,16.0.0000.00000
CatalogFile.NTx86   = xiaomiwinusb86.cat
CatalogFile.NTamd64 = xiaomiwinusba64.cat
--------------------------------------------------------------------------

Dumping xiaomiwinusba64.cat by hand:

$ sigcheck.exe -d xiaomiwinusba64.cat | grep "File: android_winusb.inf" -A 4
        File: android_winusb.inf
                OS Attributes:  Windows 10
                Algorithm:      sha1NoSign
                Hash:   781970265FC7B721D9C0B8E550A95EC06669024E
        File: android_winusb.inf
                OS Attributes:  Windows 10
                Algorithm:      sha256NoSign
                Hash:   5C9197A898C0C3CAF1BD84EACEF26C0AA66D098AE19B139D7BE0760B07A04F39

Computing the SHA1 and SHA256 of android_winusb.inf by hand gives matching
values, so the hashes are fine; the problem is that the "OS Attributes" of
both entries say Windows 10, while the target is Windows 7. That is the
cause of the first warning. The second warning has a different cause.

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Nvidia\Driver\NvidiaUsb.inf]
...
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:27.109
!    sto: Driver package does not contain a catalog file, but user wants to install anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:32.105
--------------------------------------------------------------------------

NvidiaUsb.inf does not specify a catalog file at all:

--------------------------------------------------------------------------
[Version]
Signature = "$Windows NT$"
Class     = NvBoot
ClassGuid = {EAD8C4F6-6102-45c7-AA66-36E6D7204600}
Provider  = %ProviderName%
DriverVer = 04/01/2010,1.00.01
; CatalogFile=MyCatFile.cat FIXME Need own catlog file, which is signed
--------------------------------------------------------------------------

The third warning:

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Microsoft\Driver\tetherxp.inf]
...
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:33.905
!    sto: Driver package does not contain a catalog file, but user wants to install anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:35.880
--------------------------------------------------------------------------

tetherxp.inf does specify catalog files:

--------------------------------------------------------------------------
[Version]
Signature           = "$CHICAGO$"
Class               = Net
ClassGUID           = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider            = %Android%
Compatible          = 1
MillenniumPreferred = .ME
DriverVer           = 08/22/2013,7.1.0.0
; catalog file would be used by WHQL
CatalogFile.NTx86   = Android_RNDIS_86.cat
CatalogFile.NTamd64 = Android_RNDIS_A64.cat
--------------------------------------------------------------------------

but Android_RNDIS_A64.cat is not in the package; only Android_RNDIS_86.cat
is, so on 64-bit Windows the package effectively has no catalog.

The fourth warning:

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Microsoft\Driver\wpdmtphw.inf]
...
!    inf: Could not find include INF file "layout.inf". Error = 0x00000002
...
!    inf: Could not find include INF file "layout.inf". Error = 0x00000002
...
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:40.077
!    sto: Driver package does not contain a catalog file, but user wants to install anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:48.771
--------------------------------------------------------------------------

wpdmtphw.inf:

--------------------------------------------------------------------------
[Version]
Signature           = "$WINDOWS NT$"
Class               = WPD
ClassGUID           = {EEC5AD98-8080-425f-922A-DABF3DE3F69A}
Provider            = %Msft%
LayoutFile          = layout.inf
DriverVer           = 08/22/2013,7.1.0000.0000
CatalogFile.NTx86   = androidmtp86.cat
CatalogFile.NTamd64 = androidmtpa64.cat
--------------------------------------------------------------------------

Again androidmtpa64.cat is missing and only androidmtp86.cat is present;
layout.inf is missing as well.

The fifth warning:

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Qualcomm\Driver\qcser.inf]
...
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:51.941
     inf: Opened INF: 'C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.inf' ([strings])
     sig: {_VERIFY_FILE_SIGNATURE} 14:55:51.977
     sig:      Key      = qcser.inf
     sig:      FilePath = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.inf
     sig:      Catalog  = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.cat
!    sig:      Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:      Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:55:51.990
     sig: {_VERIFY_FILE_SIGNATURE} 14:55:51.990
     sig:      Key      = qcser.inf
     sig:      FilePath = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.inf
     sig:      Catalog  = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.cat
!    sig:      Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:      Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:55:51.992
!!!  sto: An unexpected error occurred while validating driver package. Assuming that driver package is unsigned. Catalog = qcser.cat, Error = 0xE0000244
!    sto: Driver package is considered unsigned, but user wants to install driver package anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:53.298
--------------------------------------------------------------------------

qcser.inf:

--------------------------------------------------------------------------
[Version]
signature   = "$WINDOWS NT$"
Class       = Ports
Provider    = %QUALCOMM%
ClassGuid   = {4D36E978-E325-11CE-BFC1-08002BE10318}
DriverVer   = 01/04/2013,2.1.0.5
Catalogfile = qcser.cat
--------------------------------------------------------------------------

$ sigcheck.exe -d qcser.cat | grep "File: qcser.inf" -A 4
        File: qcser.inf
                OS Attributes:  Windows 10
                Algorithm:      sha256NoSign
                Hash:   DF6732C72386B83C127BAAE1213A74E592228C0D1B0EF9B3F67287A65F167EB1
--
        File: qcser.inf
                OS Attributes:  Windows 10
                Algorithm:      sha1NoSign
                Hash:   5DB6907A79CD9BD6317D968720153ACF79BF1180

qcser.inf fails for the same reason as android_winusb.inf: its catalog
entries are tagged for Windows 10 only.

☆ Notes from discussions

In short: by default a .sys file must carry a valid signature, otherwise
the 64-bit kernel refuses to load it (the package may still copy, but the
driver will not start). The driver package as a whole (INF plus catalog)
is treated more leniently: if the INF has no catalog, or the catalog's OS
attribute does not match the running OS version, Windows warns the user
and continues if the user agrees.

The MiFlash warnings are all package-level failures of this kind; the
.sys files themselves carry valid signatures. The one below is signed by
"Microsoft Windows Hardware Compatibility Publisher", i.e. through
Microsoft's hardware portal, which is consistent with the Windows 10-only
OS attribute in qcser.cat:

--------------------------------------------------------------------------
$ sigcheck.exe -e -h -i qcusbser.sys

C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Qualcomm\Driver\serial\amd64\qcusbser.sys:
        Verified:       Signed
        Link date:      9:22 2013/1/15
        Signing date:   14:55 2016/11/7
        Catalog:        C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Qualcomm\Driver\serial\amd64\qcusbser.sys
        Signers:
           Microsoft Windows Hardware Compatibility Publisher
                Cert Status:    Valid
                Valid Usage:    Code Signing, WHQL Crypto, 1.3.6.1.4.1.311.10.3.5.1
                Cert Issuer:    Microsoft Windows Third Party Component CA 2014
                Serial Number:  33 00 00 00 12 B0 54 93 EA DD CE EB 4B 00 00 00 00 00 12
                Thumbprint:     D6882C24945DF2A25F14CAA5EB701E0F3BC7E4A2
                Algorithm:      sha256RSA
                Valid from:     8:59 2016/2/12
                Valid to:       8:59 2017/5/12
           Microsoft Windows Third Party Component CA 2014
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  33 00 00 00 0D 69 0D 5D 78 93 D0 76 DF 00 00 00 00 00 0D
                Thumbprint:     1906DCF62629B563252C826FDD874EFCEB6856C6
                Algorithm:      sha256RSA
                Valid from:     4:31 2014/10/16
                Valid to:       4:41 2029/10/16
           Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     5:57 2010/6/24
                Valid to:       6:04 2035/6/24
        Counter Signers:
           Microsoft Time-Stamp Service
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA 2010
                Serial Number:  33 00 00 00 B4 43 3A 1C FE B6 BA 52 89 00 00 00 00 00 B4
                Thumbprint:     07C09597AE2E4E6EC9D375F6D98951988B206D3A
                Algorithm:      sha256RSA
                Valid from:     1:56 2016/9/8
                Valid to:       1:56 2018/9/8
           Microsoft Time-Stamp PCA 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  61 09 81 2A 00 00 00 00 00 02
                Thumbprint:     2AA752FE64C49ABE82913C463529CF10FF2F04EE
                Algorithm:      sha256RSA
                Valid from:     5:36 2010/7/2
                Valid to:       5:46 2025/7/2
           Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     5:57 2010/6/24
                Valid to:       6:04 2035/6/24
        Company:        QUALCOMM Incorporated
        Description:    USB Modem/Serial Device Driver
        Product:        QUALCOMM Incorporated USB Modem/Serial Device Driver
        Prod version:   2. 1. 0. 5
        File version:   2. 1. 0. 5
        MachineType:    64-bit
        MD5:    1E4F756618BC97254C577A2B91579B4C
        SHA1:   B1B5523CEF012830CFA6DF0EE2133EC099278FDA
        PESHA1: 69D74302E937E26D182A1E2E27E60D33D5637E77
        PE256:  E1824EC480D9D88631D94855DC7CCE1B4A295988733DFD270898C8ADD1161647
        SHA256: E577C47946DDD5E0A4309681666803DE387332A0E529F9E325C3591B79FF2906
        IMP:    59F0E63706A4B756EFE8551DF4526EF9
--------------------------------------------------------------------------

It has been suggested that integrity checks can be switched off entirely:

bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit /set testsigning on

bcdedit /set loadoptions DENABLE_INTEGRITY_CHECKS
bcdedit /set testsigning off

Note the leading "D". There is no official documentation for these
loadoptions values: they are an undocumented switch from early Windows
Vista, which Microsoft removed in later Vista updates; on Windows 7 and
later they do nothing. The documented BCD element for the same purpose is

bcdedit /set nointegritychecks on

and the one-boot alternative is the F8 boot-menu entry:

    Disable Driver Signature Enforcement

☆ References

[1] The Case of the Missing Digital Signatures Tab - Didier Stevens [2008-01-11]
    https://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/

[2] What is Catroot & Catroot2 folder, How do you reset catroot2 folder in Windows - Anand Khanse [2017-01-13]
    http://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows

[3] Driver Signing
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/driver-signing
    Driver Signing changes in Windows 10 - Joshua Baxter [2015-04-01]
    https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/

[4] How to Test-Sign a Driver Package
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/how-to-test-sign-a-driver-package
    Configuring the Test Computer to Support Test-Signing
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/configuring-the-test-computer-to-support-test-signing

[5] The TESTSIGNING Boot Configuration Option
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/the-testsigning-boot-configuration-option

[6] Windows can't verify the publisher of this driver software
    https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=SO16763
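Appendix: to make the setupapi.dev.log reading from the MiFlash section repeatable, here is an added Python example (not part of the original article). It walks the log, splits it into SetupCopyOEMInf sections and reduces the "!" and "!!!" lines of each to one outcome per driver package, which is what an incident responder wants when asking "which driver packages were installed despite failing validation?". The sample log is constructed from the excerpts quoted above, shortened, plus one clean package (C:\example\clean.inf) invented for contrast; the two error-code names come from setupapi.h (0xE0000244) and winerror.h (0x2).

```python
"""Triage of setupapi.dev.log: which driver packages failed signature validation
and were installed anyway. Added example, not from the original article."""
import re
import sys

# Error codes that appear in the article's log excerpts.
ERROR_NAMES = {
    0xE0000244: "ERROR_SIGNATURE_OSATTRIBUTE_MISMATCH (catalog signed for another OS version)",
    0x00000002: "ERROR_FILE_NOT_FOUND",
}

SECTION_RE = re.compile(r"^>>>\s+\[SetupCopyOEMInf - (?P<inf>.+)\]")
ERRCODE_RE = re.compile(r"0x[0-9A-Fa-f]{8}")
CATALOG_RE = re.compile(r"Catalog\s*=\s*(\S+)")


def triage(log_text):
    """Return one dict per SetupCopyOEMInf section: inf, catalog, outcome
    (ok | no_catalog | validation_failed), errors seen, and whether the user
    overrode the warning."""
    results, cur = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            cur = {"inf": m.group("inf"), "catalog": None, "outcome": "ok",
                   "errors": [], "user_override": False}
            results.append(cur)
            continue
        if cur is None or not line.startswith("!"):
            continue                      # only "!" / "!!!" lines carry findings
        msg = line.lstrip("! ").strip()
        if "does not contain a catalog file" in msg:
            cur["outcome"] = "no_catalog"
        elif "considered unsigned" in msg or "Assuming that driver package is unsigned" in msg:
            cur["outcome"] = "validation_failed"
        for code in ERRCODE_RE.findall(msg):
            entry = (int(code, 16), ERROR_NAMES.get(int(code, 16), "unknown error code"))
            if entry not in cur["errors"]:
                cur["errors"].append(entry)
        cm = CATALOG_RE.search(msg)
        if cm:
            cur["catalog"] = cm.group(1).rstrip(",")
        if "user wants to install" in msg:
            cur["user_override"] = True
    return results


# Constructed sample: shortened excerpts from the article plus one invented clean package.
SAMPLE_LOG = r"""
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Google\Driver\android_winusb.inf]
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:54:41.827
     sig:      Catalog  = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\xiaomiwinusba64.cat
!    sig:      Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:      Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
!!!  sto: An unexpected error occurred while validating driver package. Assuming that driver package is unsigned. Catalog = xiaomiwinusba64.cat, Error = 0xE0000244
!    sto: Driver package is considered unsigned, but user wants to install driver package anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:25.858
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Nvidia\Driver\NvidiaUsb.inf]
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:27.109
!    sto: Driver package does not contain a catalog file, but user wants to install anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:32.105
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Microsoft\Driver\wpdmtphw.inf]
!    inf: Could not find include INF file "layout.inf". Error = 0x00000002
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:40.077
!    sto: Driver package does not contain a catalog file, but user wants to install anyway.
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:48.771
>>>  [SetupCopyOEMInf - C:\example\clean.inf]
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 15:00:00.000
     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 15:00:01.000
"""


def report(results):
    """One line per package, flagging anything installed despite a failed check."""
    lines = []
    for r in results:
        flag = "INSTALLED-ANYWAY" if r["user_override"] and r["outcome"] != "ok" else ""
        codes = ", ".join("0x%08X %s" % e for e in r["errors"])
        lines.append("%-17s %-18s %s  cat=%s  %s" % (r["outcome"], flag, r["inf"], r["catalog"], codes))
    return lines


if __name__ == "__main__":
    # Usage: triage_setupapi.py [C:\Windows\inf\setupapi.dev.log]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(report(triage(text))))
```

The classification is deliberately conservative: a package is reported as validation_failed only when SetupAPI itself says it fell back to treating the package as unsigned, and the per-file "sig:" failures are kept as error codes alongside it rather than interpreted, so a genuine log from a different Windows version, with different wording, degrades to "ok with errors listed" instead of a wrong verdict.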