driver signing issues for win7, win2K8 and win2k8 R2

I am currently working on signing my driver. We are facing some issues with driver signing and need your guidance for solving them.
As you know, for Windows 10 it’s mandatory to use the Microsoft EV certificate for driver signing. We are in the process of getting EV certificates and will get them in a couple of days.
We have a SHA256 certificate on our setup and have no issues signing drivers for Windows 8, 2012 and Win10.
But we are facing issues while signing drivers for Windows 7, Windows 2008 and Windows 2008 R2.
The reason being they don’t support SHA256 signatures. You can create a workaround for Win 7 and 2K8 R2 by updating them to SP1 + KB3033929.
But this will still not work for Win2008 as there is no support for it from Microsoft.

To fix this we tried forcing signtool to use the sha1 file digest for operating systems lower than Windows 8 and the sha256 file digest for the rest of them.

By using the commands “signtool sign /fd SHA1” and “signtool sign /fd sha256” (but the certificate installed in the build environment is SHA256).

It works fine at creation and we get drivers signed with the sha1 and sha256 file digest respectively. We checked this by right-clicking the drivers and checking their properties.

But while loading the drivers it still says the driver is unsigned on win7, win2k8 and win2k8 R2.

The exact command I used is given below.

signtool sign /fd sha1 /v /ac /s /n /t timeserver targetFile

Could anybody throw some light on the above issue? Is the way I am doing it correct?

Regards,
Vidhya

SHA-1 or SHA-2 is a characteristic of a CERTIFICATE. It’s not something you can change with Signtool.

If you need to support Vista Server (I’m sorry for you but), you need a SHA-1 Certificate. Full stop.

I guess I’d suggest you get a SHA-1 Cert if you REALLY have to support Vista and Vista Server.

Peter
OSR
@OSRDrivers

Hi Peter,
Thanks for the update. I happened to see the other long thread which talks about driver signing. Our driver was modified after Windows 10 RTM and our current SHA-1 certificate has expired. Currently we are using a SHA256 cross certificate for internal testing. With this certificate we had problems with Windows 7, Windows 2k8 and Windows 2k8 R2 OS without updates.

We thought we would use the above signtool command (posted previously) to use the SHA1 digest algorithm for signing using the SHA256 cross certificate for Windows 7, Windows 2k8 and Windows 2k8 R2.

But it did not work. Could you please let me know what /fd SHA1 and /fd SHA256 mean? My understanding was that it will use the corresponding digest algorithm to sign the binary, so I expected it to work on Windows 7, Windows 2k8 and Windows 2k8 R2 OS without updates.
When you say SHA1 or SHA2 is a characteristic of a certificate, could you elaborate on this?

Reference:
https://msdn.microsoft.com/en-us/library/windows/hardware/hh967734(v=vs.85).aspx
Section: Signing a driver package with two signatures

We have already procured an EV certificate. For other OS like Windows 7, Windows 2k8 and Windows 2k8 R2 I understand that we need to procure a SHA1 certificate. We have raised a request for SHA1.

Regards,
Vidhya

Vidhya,

I think the only way to work around this issue is to get a certificate that doesn’t use SHA-256 in its certification path. While you sign your driver with a SHA1 hash, the certificate itself is signed with SHA-256/SHA-384…

I’m experiencing the same problems at the moment. Moreover I need to support Windows Vista and Windows XP x64 and it looks like there is no other way of doing this except having a SHA-1 certificate.

Thanks,
Roman

Also it would be interesting if someone could check the statement from this blog:
http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx

How do I sign a driver so that it is compatible with Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10?
Simple. All you need to do is submit your drivers to the Windows Hardware Developer Center Dashboard portal. The portal will sign the driver the right way so that it will work on all platforms that you indicate the driver is applicable for.

Hi,

I have a certificate. How can I check whether my certificate itself is signed by SHA256/SHA384…? I have dumped the certificate, but don’t know how to check how my certificate is signed.

Regards,
Vidhya

Another question:
signtool sign /fd sha1 /v /ac /s /n /t timeserver targetFile
If I use the above command, according to my understanding the binary will have the SHA1 hash algorithm, and along with that will the certificate be added to the signature block (as per the /ac sign option)?
If this is the case, then what you said makes sense: the certificate itself is signed by SHA256 and hence it will fail on Windows 7, 2k8 or 2k8 R2, which don’t recognize SHA256 without the update.

If I give the command below, shouldn’t it work, since there is no additional certificate appended and no /ac sign option is passed?
Signtool sign /fd sha256 /ph /as /sha1 XX…XX $(TargetPath)

as per the link
https://msdn.microsoft.com/en-us/library/windows/hardware/hh967734(v=vs.85).aspx

Please correct my understanding. I am confused.

Regards,
Vidhya

xxxxx@yahoo.co.in wrote:

But it did not work. Could you please let me know what /fd SHA1 and /fd SHA256 mean? My understanding was that it will use the corresponding digest algorithm to sign the binary, so I expected it to work on Windows 7, Windows 2k8 and Windows 2k8 R2 OS without updates.
When you say SHA1 or SHA2 is a characteristic of a certificate, could you elaborate on this?

The /fd parameter determines what algorithm signtool will use for
computing file checksums. However, your certificate is also signed.
That’s what Peter means by “a characteristic of the certificate.” You
can tell signtool to use SHA1 for its checksumming, but since your
certificate is also embedded in the binary, if it uses SHA2, the
resulting binary can’t be validated by a client that doesn’t understand
SHA2.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@yahoo.co.in wrote:

If I give the command below, shouldn’t it work, since there is no additional certificate appended and no /ac sign option is passed?
Signtool sign /fd sha256 /ph /as /sha1 XX…XX $(TargetPath)

That depends on your definition of “work”. :wink: Without /ac, the
resulting binary will be rejected by KMCS.

The only purpose of the /sha1 parameter is to choose a certificate.
That parameter has no impact on the resulting binary. So, your command
will produce a binary where the file checksumming is done with sha256
(because of /fd). The embedded certificate will use whatever algorithm
was used to create it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim for the clarification.
A few more doubts :)

  1. What does the statement below mean (taken from the MSDN link)?
    Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates.

In the above statement they have mentioned we can use the same certificate for both signatures or separate certificates. What does that mean?

  2. As I understand it, since my certificate itself is signed by SHA256, it is failing on Windows 7, 2k8 and 2k8 R2 machines. How can I check whether my certificate itself is signed by SHA256? I have dumped the certificate, but don’t know how to check how my certificate is signed.

Regards,
Vidhya

xxxxx@yahoo.co.in wrote:

A few more doubts :)

  1. What does the statement below mean (taken from the MSDN link)?
    Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates.

In the above statement they have mentioned we can use the same certificate for both signatures or separate certificates. What does that mean?

I don’t know. I’ve read that statement in a couple of contexts, but I
don’t know of a “signtool” command line that would actually do it. I
thought I had the signing thing all figured out, but they keep changing
the rules on me.

  2. As I understand it, since my certificate itself is signed by SHA256, it is failing on Windows 7, 2k8 and 2k8 R2 machines. How can I check whether my certificate itself is signed by SHA256? I have dumped the certificate, but don’t know how to check how my certificate is signed.

You should be able to use the Certificate Manager (certmgr.msc) to
examine the details of your certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
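Added example (not from the thread or from any poster): a PowerShell script that does what Tim suggests programmatically, walking the signer’s certification path of a signed driver file and reporting the signature hash algorithm of each certificate, which is the “characteristic of the certificate” Peter and Roman refer to. The driver path is a placeholder to replace with your own signed file.

```powershell
# Added example, not from the thread: report the signature hash algorithm of
# every certificate in the signer's certification path of a signed driver.
# Assumption: $DriverPath is a placeholder for your own signed .sys file.
param(
    [string]$DriverPath = 'C:\placeholder\mydriver.sys'
)

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature on $DriverPath (status: $($sig.Status))"
}

# Build the path from the signing certificate up to a trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: only the algorithms matter here
[void]$chain.Build($sig.SignerCertificate)

# The root's self-signature is not verified by the client (roots are trusted
# by store membership), so it is skipped; every certificate below it must use
# an algorithm the target OS understands.
$elements = @($chain.ChainElements)
$report = for ($i = 0; $i -lt $elements.Count - 1; $i++) {
    $cert = $elements[$i].Certificate
    [pscustomobject]@{
        Subject      = $cert.GetNameInfo('SimpleName', $false)
        SignatureAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        Thumbprint   = $cert.Thumbprint                        # the value signtool /sha1 selects by
        NotAfter     = $cert.NotAfter
    }
}
$report | Format-Table -AutoSize

# A SHA-2 signed certificate anywhere in this path is what makes Windows 7 /
# 2008 / 2008 R2 without SHA-2 support report the driver as unsigned,
# regardless of the /fd value used for the file digest.
$sha2 = @($report | Where-Object { $_.SignatureAlg -match '^sha(256|384|512)' })
if ($sha2.Count -gt 0) {
    Write-Warning ("SHA-2 signed certificate(s) in path: " + (($sha2 | ForEach-Object Subject) -join ', '))
} else {
    Write-Output 'No SHA-2 signatures in the certification path below the root.'
}
```

Get-AuthenticodeSignature examines the primary signature only; for a dual-signed file, `signtool verify /v /all` lists every signature present.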

On 4 September 2015 at 18:34, Tim Roberts wrote:

> xxxxx@yahoo.co.in wrote:
> > Few more doubts:)
> > 1. what does the below statement mean(taken from msdn link)
> > Suppose you want to build and sign a driver package that will run on
> Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver
> package with a primary signature that uses SHA1. Then you can append a
> secondary signature that uses SHA256. You can use the same certificate for
> both signatures, or you can use separate certificates.
> >
> > In the above statement they have mentioned we can use same certificate
> for both signatures or separate certificates. what does that mean.
>
> I don’t know. I’ve read that statement in a couple of contexts, but I
> don’t know of a “signtool” command line that would actually do it. I
> thought I had the signing thing all figured out, but they keep changing
> the rules on me.
>

I’m not sure if this will help, but I can sign files/drivers with two timestamps (SHA1 and SHA256) using only a single SHA256 cert by:
signtool.exe sign /v /ac "%~dp0\GlobalSign Root CA.cer" /s my /sha1 aabbcc… /t http://timestamp.globalsign.com/scripts/timestamp.dll %1
signtool.exe sign /v /ac "%~dp0\GlobalSign Root CA.cer" /fd sha256 /s my /ph /as /sha1 aabbcc… /tr http://timestamp.globalsign.com/scripts/timestamp.dll /td sha256 %1

However Vista/2008 x64 (and possibly Win7/2008R2 without the KB fix) will not load such drivers, but in file properties (Digital properties) I see two timestamps (sha1 and sha256). Exe/dll files will be signed and loaded correctly (for example for UAC dialogs).

To make it work I need to use two certs, one SHA1 and one SHA256, and sign drivers by:
signtool.exe sign /v /ac "%~dp0\GlobalSign Root CA.cer" /s my /sha1 aabbcc… /t http://timestamp.globalsign.com/scripts/timestamp.dll %1
(<- changed only /sha1 aabbcc… to match the SHA1 thumbprint of the SHA1 cert instead of the SHA256 one)
signtool.exe sign /v /ac "%~dp0\GlobalSign Root CA.cer" /fd sha256 /s my /ph /as /sha1 aabbcc… /tr http://timestamp.globalsign.com/scripts/timestamp.dll /td sha256 %1
(<- no change)

Note for other users (for me it wasn’t obvious at first):
The /sha1 parameter is used only to select the correct certificate (instead of the /n parameter, because you can have more than one cert with the same name) - it has nothing to do with signing/timestamping by SHA1 and/or SHA256. You can find it in "Digital Signature Details/General/View Certificate/Details" as the value of the "Thumbprint" field (copy it, and remove spaces).

Regards,
Krystian Bigaj