Driver Signing Help

Hello,

I have an issue and you guys might help me.

My company developed a Windows driver to get all data sent to the serial
port. It is working fine and we are happy with it.
This driver will be deployed to workstations that do not have any Windows
update policy in place, and we do not want to force the workstations to be
updated to avoid any side effect of the updates. We will deploy to
workstations which do not belong to my company.

This driver is signed with a SHA-2 certificate we bought this year and it
works fine if the workstation has a specific Windows update applied which
adds support for this certificate algorithm.
However, as I mentioned before, some workstations do not have this update and if
we try to install the driver we get an error saying that the certificate is
not supported.

After some research I have found that if our certificate was created before
12/31/2015 it would work. However our certificate was created later.

I found some people doing a dual signing using a SHA-1 certificate and a
SHA-2 certificate. It also did not work.

Another option I am considering is to create our own certification
authority to issue a SHA-1 certificate before 12/31/2015 and use this
certificate to sign our driver.
However I am not sure if it will work because Microsoft probably will
prevent the installation of this driver because the root certificate was
not signed by Microsoft.

Does anyone have any idea how to deploy this driver without needing the
computers to be updated to support SHA-2?
If it is not possible, does anyone know how to get all the data sent to the
serial port without using a Windows driver?

Thanks for any help.

-George

If they can install your driver, they can’t install that specific update
package as well?

On Tuesday, October 18, 2016, George Luiz Bittencourt wrote:

> — NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars
> on crash dump analysis, WDF, Windows internals and software drivers!
> Details at To unsubscribe, visit the List Server section of OSR Online at

Hi Jesse,

Yes, they could, but we do not want to force them to install. We are afraid
of causing any problem like a BSOD or any other side effect of the update.

-George

On Tue, Oct 18, 2016 at 12:55 PM, Jesse Conn wrote:

You may be able to purchase a proper signing key that works with the chain
of trust certificates already installed on these unpatched machines, but
you’ll need to contact the vendors specifically and work this through them.
The certs you have to sign with won’t work without the patch. Also, the
vendors’ processes are automated around sha2, and to get something else is a
more manual route with them. I ran into this issue right as they were
switching from sha1.

On Tuesday, October 18, 2016, George Luiz Bittencourt wrote:

Hi Jesse,

What if I create my own certification authority? Do you know if it must be
signed by Microsoft to work?

-George

On Tue, Oct 18, 2016 at 1:12 PM, Jesse Conn wrote:

> I found some people doing a dual signing using a SHA-1 certificate and a
> SHA-2 certificate. It also did not work.

I’m surprised by this. We ultimately found it to be our best solution. Was the SHA-1 signature the first signature? The KB that adds SHA-2 support also adds multi-signature support. Windows 7 without that update will only parse the first signature. Also, check the chain of trust on the SHA-1 signature. Make sure that it and any associated timestamp only have SHA-1 back to the root.

Yes, our experience is also that double signing works fine for Windows 7 systems without the SHA256 patch (KB3033929). You just need to get an SHA1 certificate from someone like DigiCert or whatever certificate authority you prefer, if you don’t have one already. Then sign with the SHA1 certificate first using signtool. Then sign with the SHA256 certificate using the /as (append signature, presumably…) option to signtool and this should work for you. Note that some timestamp servers work for SHA1 and others for SHA256 and you can get hard to understand errors from signtool if these do not match if I remember correctly, although I have found some that work for both (timestamp.digicert.com).

I expect that the reason double signing did not work for you was that there was something wrong in the signing procedure. To verify this, can you give specifics on what the behavior was when you tried this? Did the signing fail, or did that work but you didn’t get the behavior on some specific platform that you expected?

The first thing to do is be sure that both signtool invocations succeeded. If so, you want to examine the signatures as described below.

Take a signed file to a system that supports both SHA1 and SHA256 and look at the ‘Digital Signatures’ in the properties with Explorer to verify that both SHA1 and SHA256 signatures are there (this is to verify that the “append” mode worked at least).

Next you should view the signatures of the same file from an unpatched Windows 7 box and it should only display the SHA1 signature (the SHA256 is there, it just can’t display it).

Eric
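The signing order Gabe and Eric describe (SHA-1 signature first, SHA-256 appended with /as, then inspect both signatures), as an added example that is not from the thread or from any poster. It assumes signtool.exe from the Windows SDK is on PATH; the thumbprints, cross-certificate path and driver path are placeholders you replace with your own.

```powershell
# Added example: dual-sign a kernel-mode driver so that an unpatched Windows 7
# (which only parses the first signature) sees the SHA-1 signature, while
# patched systems also see the appended SHA-256 signature.

$Sha1Thumb   = 'PLACEHOLDER_THUMBPRINT_OF_SHA1_CODESIGN_CERT'    # placeholder
$Sha256Thumb = 'PLACEHOLDER_THUMBPRINT_OF_SHA256_CODESIGN_CERT'  # placeholder
$CrossCert   = 'C:\certs\cross-cert.cer'   # placeholder: the CA's Microsoft cross-certificate
$Driver      = 'C:\build\serialmon.sys'    # placeholder: the driver binary to sign
$Timestamp   = 'http://timestamp.digicert.com'   # named in the thread as working for both hashes

# 1. SHA-1 signature FIRST. Order matters: without the SHA-2 update, Windows 7
#    only reads the first signature. /t requests the legacy Authenticode
#    timestamp, keeping the timestamp chain SHA-1 as Gabe recommends.
& signtool sign /v /ac $CrossCert /sha1 $Sha1Thumb /fd sha1 /t $Timestamp $Driver
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit $LASTEXITCODE)" }

# 2. APPEND the SHA-256 signature with /as. Without /as, signtool replaces the
#    existing signature, which is one way a "dual sign" silently ends up single.
#    /tr + /td sha256 requests an RFC 3161 SHA-256 timestamp for this signature.
& signtool sign /v /as /ac $CrossCert /sha1 $Sha256Thumb /fd sha256 /tr $Timestamp /td sha256 $Driver
if ($LASTEXITCODE -ne 0) { throw "SHA-256 append signing failed (exit $LASTEXITCODE)" }

# 3. Verify every signature under the kernel-mode driver policy (/kp) and print
#    the details (/v). Expect two signatures, the first reporting hash algorithm
#    SHA1; this is the command-line equivalent of the Explorer check Eric describes.
& signtool verify /v /all /kp $Driver
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed (exit $LASTEXITCODE)" }
```

Run step 3 on a patched machine to see both signatures; on an unpatched Windows 7 box only the SHA-1 signature will be listed, exactly as Eric says.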

Hi,

Thanks Eric and Gabe!

Will it work even if the SHA-1 certificate was issued after 01/01/2016?

-George

On Wed, Oct 19, 2016 at 12:50 PM, wrote:

I just read this part of your original post:

> After some research I have found that if our certificate was created
> before 12/31/2015 it would work.

Where did you find this? I cannot find anything indicating that such a date was significant as far as certificate issuance is concerned.

> Will it work even if the SHA-1 certificate was issued after 01/01/2016?

Yes. The only thing I’m aware of concerning that date and code signing is that executables that are signed with SHA-1 and timestamped after 1/1/2016 will be flagged by SmartScreen when they get tagged with the “Mark of the Web” during download. This shouldn’t impact drivers.

> Will it work even if the SHA-1 certificate was issued after 01/01/2016?

Although Gabe already answered this, I just wanted to reinforce this with the fact that both our SHA1 and SHA256 certificates (that we successfully double sign with) were in fact issued in 2016.

Eric