29
votes

I have issued myself a Code Signing certificate from a certificate server. I have also issued myself the root certificate from the same certificate server. The root certificate exists in both the Current User and Local Computer certificate stores within the Trusted Root Certification Authorities folder. I have successfully signed a DLL using the signtool.exe wizard:

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\signtool.exe" signwizard <MyDLLName>.dll

However, when I try to verify my DLL, it fails verification with the following error:

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\signtool.exe" verify <MyDLLName>.dll
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
SignTool Error: File not valid: <MyDLLName>.dll

Why is this happening? I thought having the root certificate in the Trusted Root Certification Authorities folder would verify the DLL.

1

1 Answers

61
votes

On your verify command add in the /pa option to tell it to use the Default Authentication Verification Policy instead of the Windows Driver Verification Policy, meaning it will look at your certificate stores instead of the limited set of CAs Microsoft trusts with drivers.

Look here for more options: http://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.90).aspx