driver signing for multiple OS versions and Microsoft documentation

I hate to post another driver signing question. I just so much want to not
have a different package for Win10, so asking for clarification…

We support Win7 and above, and HCK is not an option for us. There are a
number of posts in this group saying that the attestation-signed driver is
only valid for Win10. And that makes sense, since Microsoft would return a
new .cat file to me. But this seems to be in contradiction to the
following documentation on
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-drivers-signed-by-microsoft-for-multiple-windows-versions
:

“As an alternative to HLK and HCK testing, you can cross-sign your driver
yourself and submit it to the dashboard for attestation signing so that it
also works on Windows 10. This is more complicated, but still a valid
option. But it’s important to note that a submission signed this way will
not work on Windows Server 2016. For more information about how to
attestation sign a driver, see Attestation signing a kernel driver for
public release. Important You must still use Hardware Dev Center (Sysdev)
to attestation sign a driver until driver signing is available through the
new Windows Hardware Dev Center dashboard.”

This makes it sound like a can have a driver with signatures that will
support Win7-Win10. Is this Microsoft information incorrect or am I
missing something?

Thanks,
Diane

xxxxx@gmail.com wrote:

I hate to post another driver signing question.  I just so much want
to not have a different package for Win10, so asking for clarification…

We support Win7 and above, and HCK is not an option for us.

Why?

“As an alternative to HLK and HCK testing, you can cross-sign your
driver yourself and submit it to the dashboard for attestation signing
so that it also works on Windows 10. This is more complicated, but
still a valid option. But it’s important to note that a submission
signed this way will not work on Windows Server 2016. For more
information about how to attestation sign a driver, see Attestation
signing a kernel driver for public release. Important You must still
use Hardware Dev Center (Sysdev) to attestation sign a driver until
driver signing is available through the new Windows Hardware Dev
Center dashboard.”

This makes it sound like a can have a driver with signatures that will
support Win7-Win10.  Is this Microsoft information incorrect or am I
missing something?

The binary files in your package come back with Microsoft’s signature
added to whatever signature was there before.  So, the driver binary
will work on all of the systems.

The problem is that the attestation process throws out your CAT file and
creates a brand new one, and that CAT file only includes Windows 10. 
So, the driver package can only be installed on Win 10.

If your driver does not require an INF file, you’re golden.  Otherwise,
you’ll need two packages.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for the quick reply Tim.

Our drivers are for USB host controllers and my memory (from years ago) is
that we are not eligible for HCK.

We do have an INF, so I guess we will need 2 packages.

Regards,
Diane

On Wed, Nov 29, 2017 at 1:40 PM xxxxx@probo.com wrote:

> xxxxx@gmail.com wrote:
> > I hate to post another driver signing question. I just so much want
> > to not have a different package for Win10, so asking for clarification…
> >
> > We support Win7 and above, and HCK is not an option for us.
>
> Why?
>
>
> > “As an alternative to HLK and HCK testing, you can cross-sign your
> > driver yourself and submit it to the dashboard for attestation signing
> > so that it also works on Windows 10. This is more complicated, but
> > still a valid option. But it’s important to note that a submission
> > signed this way will not work on Windows Server 2016. For more
> > information about how to attestation sign a driver, see Attestation
> > signing a kernel driver for public release. Important You must still
> > use Hardware Dev Center (Sysdev) to attestation sign a driver until
> > driver signing is available through the new Windows Hardware Dev
> > Center dashboard.”
> >
> > This makes it sound like a can have a driver with signatures that will
> > support Win7-Win10. Is this Microsoft information incorrect or am I
> > missing something?
>
> The binary files in your package come back with Microsoft’s signature
> added to whatever signature was there before. So, the driver binary
> will work on all of the systems.
>
> The problem is that the attestation process throws out your CAT file and
> creates a brand new one, and that CAT file only includes Windows 10.
> So, the driver package can only be installed on Win 10.
>
> If your driver does not require an INF file, you’re golden. Otherwise,
> you’ll need two packages.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>