Signing drivers for Windows 10 and earlier versions

Hi,

I recently needed to update a driver and the certificate I used to sign it with expired so, in order to make it load on windows 10, with a new EV certificate, I signed it on sysdev portal. All went fine and the driver loads on windows 10 no problem.

However, I can’t get it to load on earlier versions of windows.

I did my due diligence and read everything I could find about it and it looks like I have to append a signature block with my certificate to the driver.
I inspected what I got from the sysdev portal and it looks like the .sys file is signed with both my certificate and microsoft’s while the .cat only with microsoft’s.
So I appended mine to the .cat file using signtool /as (using the one that comes with WDK 8.1) and upon verification I can see both signatures.
Unfortunately it still doesn’t load on windows 7 (64) for example.

As a sanity check, I took a freshly compiled driver, signed it with my EV certificate and that loads on windows 7 no problem (but of course it doesn’t load on windows 10).

I suppose that I’m missing something practical at this point.

Can anybody point me in the right direction?

Thanks,
Marco.

xxxxx@gmail.com wrote:

> I recently needed to update a driver and the certificate I used to sign it with expired so, in order to make it load on windows 10, with a new EV certificate, I signed it on sysdev portal. All went fine and the driver loads on windows 10 no problem.
>
> However, I can’t get it to load on earlier versions of windows.

Right. The CAT file you get from the attestation signing is marked only
for Windows 10.

> I did my due diligence and read everything I could find about it and it looks like I have to append a signature block with my certificate to the driver.
> I inspected what I got from the sysdev portal and it looks like the .sys file is signed with both my certificate and microsoft’s while the .cat only with microsoft’s.

Right. Microsoft throws away whatever CAT file you supplied in your
package and creates a new one from scratch.

> I suppose that I’m missing something practical at this point.
>
> Can anybody point me in the right direction?

No, you’re not missing anything. If you use the attestation signing
option, you must have two driver packages. There is no alternative.

The attestation signing is only needed with the upcoming “anniversary”
update of Windows 10, and then only on clean (non-upgrade) installs on
systems where “secure boot” is set.

If you want one package, you’ll have to go through the full WHQL process.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> So I appended mine to the .cat file using signtool /as (using the one that comes with WDK 8.1) and upon verification I can see both signatures.

AFAIK, .cat files cannot be dual signed. Can you click on details on the second signature and make sure it shows up as valid?
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Is_dual_signing_supported_for_catalog_cat_files

vikram.parthasarathy@ni.com wrote:

> So I appended mine to the .cat file using signtool /as (using the one that comes with WDK 8.1) and upon verification I can see both signatures.

AFAIK, .cat files cannot be dual signed. Can you click on details on the second signature and make sure it shows up as valid?

Dual-signing is not enough. The attestation-created CAT file is marked
as being valid for Windows 10 only. You can’t alter that without
invalidating the signature.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Yes, that’s right.

- Vikram

On May 26, 2016, at 5:50 PM, Tim Roberts wrote:
>
> vikram.parthasarathy@ni.com wrote:
>>> So I appended mine to the .cat file using signtool /as (using the one that comes
>> with WDK 8.1) and upon verification I can see both signatures.
>>
>> AFAIK, .cat files cannot be dual signed. Can you click on details on the second signature and make sure it shows up as valid?
>
> Dual-signing is not enough. The attestation-created CAT file is marked
> as being valid for Windows 10 only. You can’t alter that without
> invalidating the signature.

> AFAIK, .cat files cannot be dual signed. Can you click on details on the second signature and make sure it shows up as valid?

It does look valid but I guess that, as Tim says, the cat file has other information that is not convincing enough for windows 7. Interesting link nonetheless.

I’ll go with 2 different packages and call it a day.

> Dual-signing is not enough. The attestation-created CAT file is marked as being valid for Windows 10 only.

Out of curiosity: is there any tool I can use to inspect the flags in the signature of a cat file?

Thank you both for your prompt reply,
Marco

xxxxx@gmail.com wrote:

> Out of curiosity: is there any tool I can use to inspect the flags in the signature of a cat file?

Good question. I’ve always just poked around with a hex editor. You
can see the list of files, followed by the OS string, followed by the
HWIDs that you match.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

So does this mean this MSDN blog post at:

https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/

is wrong when it says:

> How do I sign a driver so that it is compatible with Vista, Windows 7, Windows
> 8, Windows 8.1, and Windows 10?
>
> Simple. All you need to do is run the HLK tests for Windows 10, and run the HCK
> tests for Windows 8.1 and earlier versions as you have in the past. Then, submit
> your driver and the merged HLK/HCK test results to the Windows Hardware
> Developer Center Dashboard portal. The portal will sign the driver the right
> way so that it will work on all platforms that you indicate the driver is
> applicable for.

> So does this mean this MSDN blog post at: https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/ is wrong when it says:

No, it’s just a restatement of what Tim said earlier in the thread. If you do the full WHQL process (HLK for Windows 10, HCK for pre-Windows 10), you can get a single driver package. If you do attested signing, you will have two packages: The attested signed package for Windows 10, and another package for non-Windows 10.

> Good question. I’ve always just poked around with a hex editor. You can see the list of files, followed by the OS string, followed by the HWIDs that you match.

They can also be found in one of the “1.3.6.1.4.1.311.12.2.1” entries when double-clicking on the catalog file. e.g.,

30 64 1e 04 00 4f 00 53  0d...O.S
02 04 10 01 00 01 04 56  .......V
58 00 50 00 58 00 36 00  X.P.X.6.
34 00 2c 00 53 00 65 00  4.,.S.e.
72 00 76 00 65 00 72 00  r.v.e.r.
32 00 30 00 30 00 33 00  2.0.0.3.
58 00 36 00 34 00 2c 00  X.6.4.,.
56 00 69 00 73 00 74 00  V.i.s.t.
61 00 58 00 36 00 34 00  a.X.6.4.
2c 00 53 00 65 00 72 00  ,.S.e.r.
76 00 65 00 72 00 32 00  v.e.r.2.
30 00 30 00 38 00 58 00  0.0.8.X.
36 00 34 00 00 00        6.4...

Not very readable, but there they are: XPX64, Server2003X64, VistaX64, Server2008X64.

How do these differ in use from the OSAttr flags for each file under the “Security Catalog” tab? Is there a way (or a use case) for having different values of OSAttr on different files? I don’t know.

As an aside, if I locally generate a catalog with inf2cat for Windows 10 x64, OS is 10X64 and OSAttr is 6.4. Portal-signed drivers (either HLK or attested), however, have an OS of _v100_x64 and an OSAttr of 10.0. I don’t know if they are treated differently.

L

Sent from my iPhone

On May 27, 2016, at 11:06 AM, xxxxx@gmail.com wrote:

> So does this mean this MSDN blog post at:
>
> https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/
>
> is wrong when it says:

> How do I sign a driver so that it is compatible with Vista, Windows 7, Windows
> 8, Windows 8.1, and Windows 10?
>
> Simple. All you need to do is run the HLK tests for Windows 10, and run the HCK
> tests for Windows 8.1 and earlier versions as you have in the past. Then, submit
> your driver and the merged HLK/HCK test results to the Windows Hardware
> Developer Center Dashboard portal. The portal will sign the driver the right
> way so that it will work on all platforms that you indicate the driver is
> applicable for.

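As an added example (not from the thread or any of its posters), here is a small Python decoder for the CAT_NAMEVALUE attribute shown in the hex dump above: a DER SEQUENCE holding a BMPString name, an INTEGER of CRYPTCAT_ATTR_* flags and an OCTET STRING value; the flag constants are taken from mscat.h and the sample bytes are the dump re-typed. It answers the "is there a tool" question for this one attribute only; locating the attributes inside a real .cat (a PKCS#7 SignedData wrapping a CTL) is assumed to be done by a proper ASN.1 parser.

```python
# Decode one CAT_NAMEVALUE attribute (OID 1.3.6.1.4.1.311.12.2.1) from a
# security catalog.  Example code, not from the thread.

# Bits of the flags INTEGER, as declared in mscat.h (CRYPTCAT_ATTR_*).
CRYPTCAT_ATTR_AUTHENTICATED = 0x10000000
CRYPTCAT_ATTR_NAMEASCII = 0x00000001
CRYPTCAT_ATTR_DATAASCII = 0x00010000

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element, short or long length form."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_cat_namevalue(der):
    """Decode SEQUENCE { BMPString name, INTEGER flags, OCTET STRING value }."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, name, pos = _tlv(body, 0)
    if tag != 0x1E:
        raise ValueError("expected BMPString name")
    tag, raw_flags, pos = _tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER flags")
    tag, value, _ = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING value")
    flags = int.from_bytes(raw_flags, "big")
    # DATAASCII values are NUL-terminated UTF-16LE; the OS list is comma separated.
    text = value.decode("utf-16-le").rstrip("\0")
    return {
        "name": name.decode("utf-16-be"),   # BMPString is big-endian UTF-16
        "flags": flags,
        "authenticated": bool(flags & CRYPTCAT_ATTR_AUTHENTICATED),
        "value": text,
        "os_list": text.split(",") if text else [],
    }

# Sample input: the bytes from the dump in the thread, re-typed here.
SAMPLE = bytes.fromhex(
    "30 64 1e 04 00 4f 00 53 02 04 10 01 00 01 04 56 58 00 50 00 58 00 36 00"
    "34 00 2c 00 53 00 65 00 72 00 76 00 65 00 72 00 32 00 30 00 30 00 33 00"
    "58 00 36 00 34 00 2c 00 56 00 69 00 73 00 74 00 61 00 58 00 36 00 34 00"
    "2c 00 53 00 65 00 72 00 76 00 65 00 72 00 32 00 30 00 30 00 38 00 58 00"
    "36 00 34 00 00 00")

if __name__ == "__main__":
    print(parse_cat_namevalue(SAMPLE))
```

The same structure carries the per-file OSAttr entries mentioned above, so the decoder applies to those once you have their DER bytes.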