Question

Short description: I have a signed driver that passes SignTool verification but Windows refuses to load it with error: CodeIntegrity 3004 - file hash not found on system. How do I fix this?

Long description: I'm using the Cypress Suite USB 3.4.7 development kit to create a USB driver for our instrument to run under Windows 7 64-bit. I've configured the INF with the proper IDs and the unsigned driver works fine as long as I bypass driver signature enforcement. I want to create a signed driver and have been following the steps described in http://www.davidegrayson.com/signing/

I've created a catalog file using Inf2Cat v3.2 with the /os:7_X64 flag among others. I'm using SignTool /sha1 to sign and can verify signatures on the .cat and cyusb.sys files. File explorer shows that both files have digital signatures and the advanced tab shows "This digital signature is OK."

I plug in my USB device and it shows up as an Unknown device in Device Manager. I select Update Driver and I see a screen stating that the driver is signed by me. I continue and after a few moments the installation fails, stating that the driver is not properly signed. The Event Viewer shows a CodeIntegrity error 3004, "Windows is unable to verify the image integrity of CYUSB.sys because the file hash could not be found on the system."

I haven't been able to find an explanation for this "file hash" that could not be found. Any help with how to further troubleshoot and resolve this issue would be GREATLY appreciated!

Solution

The error message in the event log is misleading. The missing "file hash" is really a Microsoft Root level certificate. I had my driver signed by GlobalSign ObjectSign CA which was a valid signature but I did not specify the cross-certificate which links GlobalSign to the Microsoft root certificate.

To clearly detect the original error I needed to use SignTool Verify with the /kp switch which tests for kernel level permissions needed by this USB driver. Using that switch I got an error clearly stating it couldn't find the Microsoft root certificate.

I downloaded the cross certificate for GlobalSign here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx

Using /ac switch with SignTool Sign I was able to sign the .cat file with a chain that went down to the Microsoft root certificate. This driver successfully installed on a Win 7 64-bit system. Victory!
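
The sign-then-verify sequence from the answer above, written out as a script. This is an added example, not part of the original post: the thumbprint, paths, catalog name and cross-certificate file name are placeholders, and `signtool.exe` is assumed to be on PATH.

```powershell
# Added example. Every value in angle brackets is a placeholder to replace.
$SignTool   = 'signtool.exe'                        # assumption: WDK/SDK tools on PATH
$CrossCert  = 'C:\certs\<cross-certificate-file>'   # cross-certificate for your CA, from Microsoft
$Thumbprint = '<SHA1-thumbprint-of-signing-cert>'   # selects the signing cert in the store
$Catalog    = 'C:\driver\<catalog-name>.cat'        # catalog produced by Inf2Cat
$Driver     = 'C:\driver\cyusb.sys'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    # signtool returns non-zero on any failure; stop so a bad chain is never shipped
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# Sign with /ac so the embedded chain includes the cross-certificate
# that links the CA to the Microsoft root.
foreach ($file in @($Catalog, $Driver)) {
    Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint, $file)
}

# Verify against the kernel-mode driver signing policy (/kp).
# Without /kp, verification can pass even though the chain does not
# reach the Microsoft root, which is the failure described above.
Invoke-SignTool @('verify', '/kp', '/v', $Catalog)

# Also confirm the driver's hash is covered by the signed catalog.
Invoke-SignTool @('verify', '/kp', '/v', '/c', $Catalog, $Driver)
```

Running the two `verify /kp` steps as a build gate catches a missing cross-certificate before the driver reaches a test machine.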

Licensed under: CC-BY-SA with attribution