How to get older Windows 7 OS to install dual signed files - code-signing

Our dual signed software is not installing on older Windows 7 OS versions.
The install error is:
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
Our code signing certificate was recently updated to SHA256.
My research found that I had to dual-sign binaries so the signatures will validate on older versions of Windows that don't support SHA-256.
Thanks to the contributors to this site, I was able to modify all the components of our existing build scripts to successfully dual-sign binaries.
They do install in several Windows 10 OS versions and Windows 7 with the security update for SHA-256 certificates.
They do not install in Windows 7 OS without the update.
Our build machine is 32-bit Win 7, so I am using the x86 version of signtool.exe from the 8.1 Windows kit that ships with VS 2015; its version is 6.3.9600.17298.
I have found conflicting info about Windows 7 and its ability to install dual signed CAT files.
So I am searching for a method to get code installed on all versions of Windows 7 and 10, regardless of the state of their Windows updates. (Some customers do not regularly update the OS and prefer to keep it that way.)
UPDATE: I was able to get our app and drivers to install to older Windows 7 OS versions. Turns out the code signing certificate was not set up correctly to allow for dual signing.
I had to get the certificate re-issued as a SHA256 with SHA1 root for code signing.

After success with last week's test setup, we made an official build of our entire software suite (that includes USB device drivers).
We tested software install and operation on the following machines:
32 bit Windows 7 Ultimate Version 6.1.7601 Service Pack 1 Build 7601
64 bit Windows 7 Professional Version 6.1.7601 Service Pack 1 Build 7601
Original ISO version, no OS updates
64 bit Windows 7 Professional Version 6.1.7601 Service Pack 1 Build 7601
OS updates including KB3033929 for SHA256 compatibility
64 bit Windows 7 Home Basic Version 6.1.7601 Service Pack 1 Build 7601
64 bit Windows 10 Pro Version 10.0.10586 Build 10586
64 bit Windows 10 Home Version 1607 (OS Build 14393.10)
64 bit Windows 10 Pro Insider Preview Version 1607 (OS Build 14971.1000)
All of those tests produced a successful app and driver installation.
So, the answer was to change the type of code signing certificate installed on the build machine.
The certificate had to be installed as a SHA256 with SHA1 root. CertMgr displays 2 separate certificates, one with hash=SHA1, second with hash=SHA256.
Then the build scripts were modified to create a dual signature. The first call to signtool creates the SHA1 signature; the second call to signtool appends the SHA2 signature.
(NOTE: Only Windows SDK 8.1 and higher supports dual signing.)
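The two signtool calls described in this answer, as an added example that is not the poster's build script. The thumbprints and timestamp URLs are placeholders to fill in, signtool.exe from Windows SDK 8.1 or later is assumed to be on PATH, and the final check assumes signtool's verbose output prints one "Signature Index:" line per signature.

```powershell
# Added example: dual-sign each file (SHA-1 first, SHA-256 appended), then
# confirm both signatures are present. All default values are placeholders.
param(
    [Parameter(Mandatory)] [string[]] $Files,
    [string] $SignTool       = 'signtool.exe',                # SDK 8.1 or later
    [string] $Sha1CertThumb  = '<SHA1-CERT-THUMBPRINT>',      # cert shown with hash=SHA1
    [string] $Sha2CertThumb  = '<SHA256-CERT-THUMBPRINT>',    # cert shown with hash=SHA256
    [string] $AuthenticodeTs = '<AUTHENTICODE-TIMESTAMP-URL>',
    [string] $Rfc3161Ts      = '<RFC3161-TIMESTAMP-URL>'
)

function Invoke-SignTool {
    param([string[]] $Arguments)
    # Capture stdout and stderr so a failure message carries signtool's own text.
    $out = & $SignTool @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed:`n$($out -join "`n")"
    }
    return $out
}

foreach ($file in $Files) {
    # 1) Primary signature: SHA-1 file digest with a legacy Authenticode
    #    timestamp, the form that unpatched Windows 7 can evaluate.
    Invoke-SignTool @('sign', '/sha1', $Sha1CertThumb, '/fd', 'sha1',
                      '/t', $AuthenticodeTs, $file) | Out-Null

    # 2) Second signature: /as appends instead of replacing the first one;
    #    SHA-256 file digest with an RFC 3161 timestamp that also uses SHA-256.
    Invoke-SignTool @('sign', '/as', '/sha1', $Sha2CertThumb, '/fd', 'sha256',
                      '/tr', $Rfc3161Ts, '/td', 'sha256', $file) | Out-Null

    # 3) Verify every signature in the file and count them. If step 2 was run
    #    without /as, only one signature remains and the build fails here.
    $report = Invoke-SignTool @('verify', '/pa', '/all', '/v', $file)
    $count  = @($report | Select-String -Pattern '^Signature Index:').Count
    if ($count -lt 2) {
        throw "$file carries $count signature(s); expected 2 (SHA-1 and SHA-256)"
    }
    '{0}: {1} signatures verified' -f $file, $count
}
```

A passing check only shows that both signatures are present and chain on the build machine; whether an unpatched Windows 7 accepts them still has to be confirmed on such a machine, as in the test list above.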

Related

Impact of dropping SHA1 code signing (SHA256 only)

I would like to know what is the impact of dropping SHA1 code signing in favour of SHA256-only code signing as of October 2018. I am currently dual code signing my executables to ensure they will get validated on all versions of Windows starting from Windows 7 / Windows Server 2008 R2. There are many articles online showing code signing requirement matrices, but it's not so clear how many environments in practice won't validate SHA256-only signatures. From what I understood, SHA256 code signing support came in an update in Windows 7, but I don't know if this update is widely installed.
The reason I am asking is because I know it is just a matter of time before SHA256 is supported on all versions of Windows that are not in their end of life, and I am considering using AzureSignTool (https://github.com/vcsjones/AzureSignTool) which doesn't support SHA1 code signing.
"it's not so clear how many environments in practice won't validate SHA256-only signatures."
Windows 7 / Windows Server 2008 R2 without KB3033929 will be affected.
Windows 8 or later is OK.
"From what I understood, SHA256 code signing support came in an update in Windows 7, but I don't know if this update is widely installed."
I don't know either.
KB3033929 is included in automatic Windows Update, but sometimes I get a question about this from Windows 7 users (who don't install KB3033929).

What is the latest version of jdk for Windows XP 32bit SP3?

I want to update JDK for NetBeans 7.1 and tried JDK 8u65 for Windows i586, but a message box appears warning me about the old OS not being supported anymore.
The PC is not mine; it is from my job, and they don't want to update the OS.
http://java.com/en/download/help/sysreq.xml
Java 7 is the latest version that can run on XP, but it is not supported by Sun
Note: As of April 8, 2014 Microsoft stopped supporting Windows XP and therefore it is no longer an officially supported platform. Users may still continue to use Java 7 updates on Windows XP at their own risk

Windows Driver NONPNP Signing

I have tried to run the NONPNP windows driver code. It installs and when I run the nonpnpapp.exe I get a driver signing error.
"windows requires a digitally signed driver"
I am running this on debug mode and release I am test signing it.
Why am I still getting this error?
I do know that x64 machines need this; I am on Windows 7 x64.
So we need to do something else.
Visual Studio output says that the sys file is successfully signed.
I traced the code. It copies the sys file to system32/drivers after it is signed.
Windows device installation uses digital signatures to verify the integrity of driver packages and to verify the identity of the vendor (software publisher) who provides the driver packages. In addition, the kernel-mode code signing policy for 64-bit versions of Windows Vista and later versions of Windows specifies that a kernel-mode driver must be signed for the driver to load.
Note Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows Server 2016 kernel-mode drivers must be signed by the Windows Hardware Dev Center Dashboard, which requires an EV certificate. For details, see Driver Signing Changes in Windows 10. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/driver-signing
Two options there:
1) allow test signing
2) disable driver signature enforcement
If you are using a dedicated test machine, I recommend the second option since I think it's more error proof.

Unable to install antlrworks2

I downloaded antlrworks2 from the Tunnel Vision Labs website and tried to install it by running antlrworks2.exe, but I get the error "antlrworks2.exe is not a valid win32 application". I tried it on Win Server 2003 as well as Win 7 32 bit, but I got the same error.
I am using VS 2008 for development as the target language would be C#.
Is that the right way to install antlrworks? I believe antlrworks is a standalone application, or do I also need to install antlr? Has it got any dependency?
I know of an issue where the problem you describe appears on Windows XP, but haven’t heard of this on Windows Vista or later. The problem will be fixed for ANTLRWorks 2.0.1.
#7 Support running ANTLRWorks 2 on Windows XP
ANTLRWorks 2 requires you to install Java before running it. I am not sure whether or not it will work with just the JRE (runtime only) installed, so to be on the safe side I recommend installing the JDK (development kit). I recommend Java 7 for its performance advantages; the current release is 7u13.
Java SE Development Kit 7 Downloads

Error when installing Windows 8 SDK

I'm trying to install the Windows 8 SDK. As requested by the installer, I uninstalled the Windows 7 SDK and then started the installation. The installer exits with an error:
You must uninstall the Windows Software Development Kit before you can install the latest version of the kit.
What components do I need to uninstall except the Windows 7 SDK?
If you have not found the answer to this yet, the MSDN article Windows Software Development Kit (SDK) for Windows 8 may help.
I ran into a similar problem. When the install of the Windows 8 SDK fails there will be a "Show log files" link visible. Click on that and then open the most recent log file. Search for the error you're seeing. There should be something in the log which says which component it found. (For me it was App Verifier.) Then go to Add/Remove Programs and uninstall that program. You should now be able to install the Windows 8 SDK.
I uninstalled the current Windows Software Development Kit using Add/Remove Programs and then downloaded the latest version from the MSDN site:
http://msdn.microsoft.com/en-us/windows/hardware/hh852363.aspx
and managed to install the Win SDK with no errors.
