Dual signing drivers

Hi,

I am trying to work out what is possible regarding signing drivers to make
them valid on multiple OS’s. Our software supports client and server OS’s
from XP to Windows 10. (I know we need to use the EV signing process for
Windows 10 kernel mode drivers).

Is it possible to dual sign drivers with Sha1 and Sha256 so that they are
compatible with different versions of windows that accept just one or the
other of those formats?

I read this thread which includes some discussion of dual signing:
https://www.osronline.com/showthread.cfm?link=266662

The thread has a link to this msdn page:
https://msdn.microsoft.com/en-us/windows-drivers/develop/signing_a_driver_fo
r_public_release

The msdn page says that “signing the catalog file is the same as signing the
driver package”. Then, it goes on to say “Suppose you want to build and sign
a driver package that will run on Windows 7 and Windows 8 on x64 hardware
platforms. You can sign your driver package with a primary signature that
uses SHA1. Then you can append a secondary signature that uses SHA256.”

But, when I dual sign my .cat file with signtool, I find when I look at the
file’s properties and look at the details of the second signature it says
“No signature was present in the subject”.

So msdn seems to indicate I should dual sign the cat file, but in my
testing, it seems that this is not possible.

My question is, can a driver be dual signed and if so, how?

If there is a method where older OS’s display a warning about unsigned
drivers, but still install and run the software ok, that would probably be
acceptable.

Thanks in advance for your help,

-Scott

After running some experiments today, I’ve found that if I sign the .cat
file with a Sha1 signature (generated with a Sha256 certificate) and dual
sign the .sys file, then it appears to install and run ok on:

WinXp 32

Win7 64

Win10 64 (without secure boot, I have tried with secure boot enabled)

On the Win7 and Win10 64 boxes I ran the following to make them believe Sha1
certs are already deprecated:

certutil -setreg chain\Default\WeakSha1ThirdPartyFlags 0x80C00000

certutil -setreg chain\Default\WeakSha1ThirdPartyAfterTime @1/1/2015

(Use 2015 to test; the real date is 2016.)

I’ve found the above appears to work just by trial and error. Can anybody
confirm if this is how it is supposed to be done?

Thanks,

-Scott

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Scott Langham
Sent: 09 November 2015 11:03
To: Windows System Software Devs Interest List
Subject: [ntdev] Dual signing drivers



NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
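The signing layout Scott describes in his follow-up (a SHA-1 primary plus an appended SHA-256 signature on the .sys, a single SHA-1 signature on the .cat), written out as a PowerShell script. This is an added example, not code from the thread or from OSR; the file names, the .pfx path and password, and the two timestamp URLs are placeholders you replace with your own, and it assumes signtool.exe from the Windows SDK/WDK is on the PATH. It also runs `signtool verify /all` afterwards, which lists every signature it finds on a file and is a more dependable check than the Explorer properties dialog that Scott was reading.

```powershell
# Added example (not from the thread): dual-sign a driver binary and
# SHA-1-sign its catalog, then verify both with signtool.
# All paths, the password and the timestamp URLs below are placeholders.
param(
    [string]$Driver    = '.\mydriver.sys',                        # hypothetical driver binary
    [string]$Catalog   = '.\mydriver.cat',                        # hypothetical catalog
    [string]$Pfx       = '.\codesign.pfx',                        # your code-signing cert (assumed PFX)
    [string]$PfxPass   = 'CHANGE-ME',                             # placeholder password
    [string]$Sha1Ts    = 'http://timestamp.example/authenticode', # placeholder Authenticode TSA
    [string]$Rfc3161Ts = 'http://timestamp.example/rfc3161'       # placeholder RFC 3161 TSA
)

$ErrorActionPreference = 'Stop'

# Thin wrapper so a non-zero signtool exit code stops the script instead of
# leaving a half-signed package behind.
function Invoke-SignTool {
    param([string[]]$ToolArgs)
    & signtool.exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): signtool $($ToolArgs -join ' ')"
    }
}

# 1. Primary signature on the .sys: SHA-1 file digest with an Authenticode
#    (/t) timestamp. Systems without SHA-2 code-signing support read this one.
Invoke-SignTool @('sign', '/v', '/f', $Pfx, '/p', $PfxPass,
                  '/fd', 'sha1', '/t', $Sha1Ts, $Driver)

# 2. Appended (/as) secondary signature on the .sys: SHA-256 file digest with
#    an RFC 3161 (/tr) timestamp whose digest (/td) is also SHA-256.
Invoke-SignTool @('sign', '/v', '/as', '/f', $Pfx, '/p', $PfxPass,
                  '/fd', 'sha256', '/tr', $Rfc3161Ts, '/td', 'sha256', $Driver)

# 3. Catalog: a single SHA-1 signature only, matching Scott's experiment.
Invoke-SignTool @('sign', '/v', '/f', $Pfx, '/p', $PfxPass,
                  '/fd', 'sha1', '/t', $Sha1Ts, $Catalog)

# 4. Verify. /all walks every signature on the file (the appended one too),
#    /pa applies the default Authenticode policy; the output shows the hash
#    algorithm of each signature so you can confirm both are present.
Invoke-SignTool @('verify', '/v', '/pa', '/all', $Driver)
Invoke-SignTool @('verify', '/v', '/pa', $Catalog)
```

To check the driver against the kernel-mode driver signing policy rather than the general Authenticode policy, run the final verify with `/kp` instead of `/pa`. The sign order matters: `/as` appends to whatever signature is already there, so running the SHA-256 step first would make SHA-256 the primary signature.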

Scott Langham wrote:

After running some experiments today, I’ve found that if I sign the
.cat file with a Sha1 signature (generated with a Sha256 certificate)
and dual sign the .sys file, then it appears to install and run ok on:

WinXp 32

Win7 64

Win10 64 (without secure boot, I have tried with secure boot enabled)

Was your certificate issued prior to 8/1/2015? I’m assuming it was.
With a certificate issued after 8/1/2015, your driver should not work on
Windows 10 unless the package has been signed through the Microsoft
attestation process.

At the present time, with a recent certificate, it is simply impossible
to create a single driver package that works on every system.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Yes, the certificate shows as valid from 23 April 2015.

My driver appears to work on Windows 10. I was wondering if there’s any nice person ‘in the know’ who could confirm whether I’m dual signing the driver correctly and it’s correct to only Sha1 sign the cat file to achieve that.

Once I’ve got my dual signing working, I’m going to get started on the EV signing.

Cheers,
-Scott

xxxxx@hotmail.com wrote:

Yes, the certificate shows as valid from 23 April 2015.

My driver appears to work on Windows 10. I was wondering if there’s any nice person ‘in the know’ who could confirm whether I’m dual signing the driver correctly and it’s correct to only Sha1 sign the cat file to achieve that.

Until your current certificate expires, you don’t need the
dual-signing. Your SHA1 will work everywhere. After it expires, then
your life becomes more complicated.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.