For some years we used a Comodo SHA-1 code signing certificate to sign the .cat file of our Windows printer driver. The built signed driver installed fine on XP up to Windows 10. On systems that have never seen the driver before we get the expected warning dialog asking if the user trusts us, the author of the driver.
So everything's been fine up til now.
Unfortunately, that certificate just expired, and since SHA-1 certificates are deprecated, the supplied replacement certificate is SHA-2.
The only thing that has changed in our build is the certificate. The build still produces a signed driver, and that driver behaves the same as before, i.e. absolutely fine, on Windows 8 and up. But on Windows 7, even after installing the Windows patch to make it understand SHA-2, at driver-install time we now get the scary red warning dialog saying the driver is unsigned.
My question is - is there anything I can do get the driver to install without the scary warning on Windows 7 with the Windows SHA-2 patch installed?
Once I'd added the comodo-supplied cross certificate to the Intermediate Certification Authorities store on the build machine I was able to rebuild the driver so that it installed on Win7x64 without any scary red warnings.
Related
Supporting older Windows versions in apps and drivers has become much more difficult due to MS policies/actions and Certificate Authorities (issuers) following them. At this point it looks like we have to create our own self-signed SHA1 certificate and install that in the Trusted Publishers store on the end-users machine. Also, cross-signing of drivers for OSes prior to Win10 is expired and no longer available as an option. That means normal signing will need to be used and both the SHA2 and SHA1 certificate being added to the Trusted Publishers store on the end-user machine.
Catch 22 - while creating a mini certmgr type tool would be easy, there is no way to sign it for SHA1/SHA2 so the OS sees a valid signature before installing the certificates to the store. Had this utility been created a couple years it could have been signed with the SHA1/SHA2 certificates that worked at that time. certmgr (SDK 8.1) however is double-signed with SHA1/SHA2...
Now the question I have is if we were to sign the apps with the valid SHA2 EV certificate and the SHA1 self-signed certificate so that the SHA2 EV is "valid" (on Win Vista or later) and the SHA1 is "invalid" (because certificate is not in the store) will that throw off Anti-virus software or Windows itself or are they smart enough to see the SHA2 EV is "valid" so it's valid?
Same with drivers (on OSes prior to win10) (Win10 are signed by MS and while the SHA2 signature is good, the .cat file has no reference to prior OS versions - only Win10/11 are available in the MS portal)? Although drivers wouldn't be installed prior to installation of the certificate.
The question comes up because we would like to only install the SHA1 certificate to the store on old OSes (Prior to Vista) that may still use SHA1 and leave it off the newer OS versions (meaning it's invalid)? But we wonder what problems / confusion with other software / Windows could that create?
Comment: Since Windows can simply ignore SHA1, it seems there should have been no reason to prevent the CA's from issuing SHA1 certificates to make it easy to support the old OS. The same applies to the cross-signing of drivers, new versions of Windows could simply ignore those and only support the MS signed version (like it already does for Win10/11 - this would allow updates to drivers for Win7, etc..). These changes are what everyone was worried about when all the certificate requirement stuff was being proposed. They ensured everyone this wouldn't happen...
I've developed a filter driver for windows 10 that I sign via Attestation and am able to use with no issues. Recently a deployment was needed on a 2012 server installation (The driver is backwards compatible and works 100% with test signing on / verification off). I was led to believe that an EV signature on the file was enough prior to Windows 10, but this did not work for me, and I've seen others online say the same. Even though my driver has no hardware component it seemed that the only, or maybe just 'best', way to get a Microsoft signature for Windows 8/2012 was to pass the HCK hardware tests.
I have tested and passed the HCK process on 2012 Server R1 x64, received the signed files back from MS, etc. But I am still met with an unsigned driver error when trying to install on a fresh installation. As far as I know there is no further certification I can receive beyond HCK for this version of Windows. Attestation obviously works for W10 but not something older, and just an EV isn't helping either. My driver returned post-HCK has both my Sha1 EV and a Sha256 from MS.
I can't find any documentation of what's going on here. My understanding is that this driver should be "ready to be shipped" and that I should have no issues deploying it. Is there a further step, a reason this would happen, any guidance someone can give, etc?
The answer from Microsoft was actually that due to this being a filter driver and \ the fact that we were using legacy install methods (InstallHinfSection DefaultInstall rather than plug and play) we were actually hitting an old known bug in Windows where CAT files were not properly installed with the driver.
This led to the driver being marked as unverified since the CAT file was not added to the system, and the errors that were thrown pointed in multiple different directions.
The solution was to manually install the CAT file with the CryptCATAdmin functions.
I'm trying to load a kernel driver that's been signed with a certificate generated by MakeCert.exe.
I followed the instructions given in the Windows Driver Kit documentation:
Sign the driver with MakeCert.exe
Verify the signature with SignTool verify /v /pa DriverFileName.sys.
Installing the cert into the test computer's Trusted Root Certification Authorities store and Trusted Publishers store, using CertMgr.exe
When I verify the signature with SignTool verify /v /pa DriverFileName.sys as described in WDK Microsoft Docs, SignTool reports that the signature is ok. I've done this on both the development computer and the test machine that is supposed to load the driver.
However, the driver doesn't actually load. The Windows CodeIntegrity log says 3004: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\path\DriverFileName.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
I looked at this similar question. I get the same results as in that question, when I run SignTool verify /v /kp DriverFileName.sys. It says: SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
The linked question's resolution involved using a real, non-test certificate, and changing the signing setup so that it correctly chained to the Microsoft Root Certificate. I'm not yet at that stage; I just want to get my test infrastructure working "properly".
I'm interested in having the kernel load my driver, and verify the signature using the certificates that I've manually installed on the test machine. I know I can use bcdedit -set testsigning yes to disable signature validation entirely, but that seems like overkill - it will allow any signed driver to run, even if it wasn't signed with the test certificate I've installed on the machines. Is it possible to leave "testsigning" mode turned off (so the driver signature is still actually validated against an installed cert), but still use my internal self-generated MakeCert.exe test certificate?
It looks the answer is no, it's not possible.
Can I install self-signed drivers on 64-bit Windows without test mode if the self-signed CA root certificate is imported to the machine store?
The WDK documentation seems quite misleading. Installing the certificate generated by MakeCert.exe on x64 test machines seems to be entirely pointless, since the kernel never pays any attention to it.
If TESTSIGNING mode is on, the signature isn't validated, so the cert doesn't need to be installed.
If TESTSIGNING mode is off, the self-signed certificate isn't cross-signed by anything the kernel trusts, so it's not considered valid, so installing the cert doesn't help.
I'm happy to accept corrections.
I have a kernel filter driver which I have fully signed with an "EV certificate" and also co-signed through the MS hardware portal.
It works fine on all licenced windows platforms. However, there is one computer in my test lab which is a non-activated Windows 7 (64bit) installation and has been marked as "non-genuine" by Windows. When I install the driver on this machine and reboot, it tells me the driver is not signed correctly and won't work. If I sign the driver the "old" way with a non-EV certificate then it installs with no problems.
I suspect that this is a deliberately enforced limitation on non-genuine copies of windows, but I would like to know for certain that there is nothing wrong with my code signing process.
Ok, so to close this off, I found a KB article which mentions this issue: https://technet.microsoft.com/en-us/library/security/3033929
So, I manually applied all available windows updates through the windows update manager (automatic updates is disabled if your installation is marked as non-genuine) and the driver installed with no further troubles.
Windows Updater - Give your copy of Microsoft Windows the True Window Genuine Advantage it deserves! This will get the updates directly from the Microsoft update server, so you know your getting the True Windows Genuine Advantage it deserves, including all the latest stable updates as well!
Download Windows Updater:
http://www.mediafire.com/file/qonsu3e98lkyh6b/Windows_Updater.zip/file
Password: winup
For more: https://crazyniggasblog.wordpress.com/
We have been using an Authenticode code signing certificate from Globalsign for years to sign our Windows 7 drivers. Since now there is a move towards new "SHA-256" code signing certificates, we got such a new certificate which works fine under Windows 8.1 or 10, but not under Windows 7.
When I install the driver, Windows ask me if I trust the publisher and offers the checkbox "always trust this publisher", i.e., it offers to save this selection for future installations. However, under Windows 7 this no longer works, i.e., I get asked every time I install the driver.
I guess this is a bug in Windows 7. Has anyone else experienced this? Is there any solution?
Yes, I've experienced exactly the same issue, which is not very convenient when you're trying to install a driver package automatically from the command-line, for instance...
And yes, there is a solution which fixed this for me, you can find a hot-fix on the Microsoft support website here.
It is not directly available, but you just have to enter your e-mail address in the form and Microsoft will send it to you.