Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

OSR Seminars


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 4  
12 Jul 18 14:37
Francis Litterio
xxxxxx@gmail.com
Join Date: 27 May 2016
Posts To This List: 7
Why does my attestation-signed legacy driver load on Windows 7?

We accidentally installed a cross-signed and then attestation-signed legacy driver on (a fully updated) Windows 7 ... and to our surprise it loaded! It was cross-signed first and then attestation-signed. I expected the attestation signature to invalidate the cross signature, thus rendering the driver unusable on Windows 7. Why did this work? -- Fran Litterio Principal Software Engineer IntervalZero Inc
  Message 2 of 4  
12 Jul 18 14:51
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 12008
Why does my attestation-signed legacy driver load on Windows 7?

xxxxx@gmail.com wrote: > We accidentally installed a cross-signed and then attestation-signed legacy driver on (a fully updated) Windows 7 ... and to our surprise it loaded! It was cross-signed first and then attestation-signed. I expected the attestation signature to invalidate the cross signature, thus rendering the driver unusable on Windows 7. > > Why did this work? The "Windows 10 only" limitation with attestation signing is only in the CAT file.  If you have a legacy driver, then you aren't doing a PnP install, so the CAT file is not used.  The actual attestation signature uses the same Microsoft certificate you get from WHQL. -- Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
  Message 3 of 4  
12 Jul 18 23:14
Alan Adams
xxxxxx@novell.com
Join Date: 20 Dec 2010
Posts To This List: 32
Why does my attestation-signed legacy driver load on Windows 7?

> We accidentally installed a cross-signed and then attestation-signed > legacy driver on (a fully updated) Windows 7 ... and to our surprise > it loaded! It was cross-signed first and then attestation-signed. > I expected the attestation signature to invalidate the cross signature, > thus rendering the driver unusable on Windows 7. As Mr. Roberts already clarified, its expected the driver LOADED successfully on Windows 7. The binary itself does have an embedded signature, which is what Windows 7 is looking for at load time. In your case the binary file is expected to have TWO signatures: your cross-signed signature, and now also Microsoft's certificate signature. Binary files that already have a signature prior to being submitted for attested signing will have the Microsoft signature added to the binary files IN ADDITION to the signature already there. (You should be able to see that there are two separate signatures in the "Digital Signatures" tab in the properties of the binary files you received back.) You may or may not be using an .INF-based installation method to install your legacy driver. If you are using an .INF, then I would have expected the SETUPAPI-based installation process to complain that the driver was "not signed". Because as Mr. Roberts indicated, the .CAT file produced by attested signing only works for Windows 10. (It's not that "the signature on the .CAT" is specific to Windows 10; it's the contents of the .CAT file itself that indicate "this .CAT file is only intended for Windows 10." The .CAT file was created from scratch by the attested signing process, and will ONLY have a Microsoft signature on it, regardless of any .CAT or .CAT file signature you submitted in your attested signing .CAB package.) But since you didn't report such an issue, we're assuming you're using a non-.INF installation method to register the driver with Windows. Alan Adams Client for Open Enterprise Server Micro Focus xxxxx@microfocus.com
  Message 4 of 4  
13 Jul 18 09:10
Francis Litterio
xxxxxx@gmail.com
Join Date: 27 May 2016
Posts To This List: 7
Why does my attestation-signed legacy driver load on Windows 7?

Thanks, Tim and Alan. Your replies clarify the situation for me. -- Fran Litterio Principal Software Engineer IntervalZero Inc.
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 19:28.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license