
Why does my attestation-signed legacy driver load on Windows 7?

We accidentally installed a cross-signed and then attestation-signed legacy driver on (a fully updated) Windows 7 ... and to our surprise it loaded! It was cross-signed first and then attestation-signed. I expected the attestation signature to invalidate the cross signature, thus rendering the driver unusable on Windows 7.

Why did this work?
--
Fran Litterio
Principal Software Engineer
IntervalZero Inc

Comments

  • Tim_Roberts Posts: 12,567
    xxxxx@gmail.com wrote:
    > We accidentally installed a cross-signed and then attestation-signed legacy driver on (a fully updated) Windows 7 ... and to our surprise it loaded! It was cross-signed first and then attestation-signed. I expected the attestation signature to invalidate the cross signature, thus rendering the driver unusable on Windows 7.
    >
    > Why did this work?

    The "Windows 10 only" limitation with attestation signing is only in the
    CAT file.  If you have a legacy driver, then you aren't doing a PnP
    install, so the CAT file is not used.  The actual attestation signature
    uses the same Microsoft certificate you get from WHQL.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • Alan_Adams-2 Posts: 46
    > We accidentally installed a cross-signed and then attestation-signed
    > legacy driver on (a fully updated) Windows 7 ... and to our surprise
    > it loaded! It was cross-signed first and then attestation-signed.
    > I expected the attestation signature to invalidate the cross signature,
    > thus rendering the driver unusable on Windows 7.

    As Mr. Roberts already clarified, it's expected the driver LOADED
    successfully on Windows 7. The binary itself does have an embedded
    signature, which is what Windows 7 is looking for at load time.

    In your case the binary file is expected to have TWO signatures: your
    cross-signed signature, and now also Microsoft's certificate
    signature. Binary files that already have a signature prior to being
    submitted for attested signing will have the Microsoft signature added
    to the binary files IN ADDITION to the signature already there.

    (You should be able to see that there are two separate signatures in
    the "Digital Signatures" tab in the properties of the binary files you
    received back.)

    You may or may not be using an .INF-based installation method to
    install your legacy driver. If you are using an .INF, then I would
    have expected the SETUPAPI-based installation process to complain that
    the driver was "not signed". Because as Mr. Roberts indicated, the
    .CAT file produced by attested signing only works for Windows 10.

    (It's not that "the signature on the .CAT" is specific to Windows 10;
    it's the contents of the .CAT file itself that indicate "this .CAT
    file is only intended for Windows 10." The .CAT file was created from
    scratch by the attested signing process, and will ONLY have a
    Microsoft signature on it, regardless of any .CAT or .CAT file
    signature you submitted in your attested signing .CAB package.)

    But since you didn't report such an issue, we're assuming you're using
    a non-.INF installation method to register the driver with Windows.

    Alan Adams
    Client for Open Enterprise Server
    Micro Focus
    xxxxx@microfocus.com
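The point both replies make, that Windows 7 checks the signature embedded in the binary and that attestation signing adds a second one next to the original rather than replacing it, can be verified without Explorer's "Digital Signatures" tab. The script below is an added example and is not code from this thread or from IntervalZero, OSR, or Microsoft. It reads the PE security data directory, splits it into WIN_CERTIFICATE entries, and, inside each PKCS#7 blob, counts the nested-signature attributes (OID 1.3.6.1.4.1.311.2.4.1, szOID_NESTED_SIGNATURE) that signtool uses to append further signatures to the first SignerInfo. Function names (`count_authenticode_signatures`, `build_fake_pe`, `fake_signed_data`) are this example's own, and because no real signed driver can be embedded here, the sample input is a constructed skeleton PE32+ image whose "signatures" have the right DER shape and nothing more; the parser itself works on real `.sys` files.

```python
import struct

# DER-encoded OID values (content bytes only, without the 0x06 tag and length).
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")        # 1.2.840.113549.1.7.2 (signedData)
NESTED_SIGNATURE_OID = bytes.fromhex("2b06010401823702" "0401")  # 1.3.6.1.4.1.311.2.4.1 (szOID_NESTED_SIGNATURE)
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_tlvs(buf):
    """Yield (tag, content) for each DER TLV in buf (single-byte tags, short or long lengths)."""
    off, end = 0, len(buf)
    while off < end:
        tag, length, hdr = buf[off], buf[off + 1], 2
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
            hdr = 2 + nbytes
        yield tag, buf[off + hdr:off + hdr + length]
        off += hdr + length


def count_nested_signatures(der):
    """Count SignedData values carried in nested-signature attributes anywhere in a PKCS#7 blob.

    An attribute is SEQUENCE { OID, SET OF value }; each value in the SET is one more full signature.
    Only constructed types are descended into, so OID bytes inside certificate blobs are not matched.
    """
    total = 0
    elems = list(der_tlvs(der))
    for i, (tag, content) in enumerate(elems):
        if tag == 0x06 and content == NESTED_SIGNATURE_OID and i + 1 < len(elems) and elems[i + 1][0] == 0x31:
            total += sum(1 for _ in der_tlvs(elems[i + 1][1]))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] context tags
            total += count_nested_signatures(content)
    return total


def pe_security_directory(pe):
    """Return (file_offset, size) of the certificate table; unlike other directories this is a raw file offset."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    magic = struct.unpack_from("<H", pe, e_lfanew + 24)[0]
    dd_base = e_lfanew + 24 + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data-directory start
    return struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def embedded_signatures(pe):
    """Return the PKCS#7 blob of every WIN_CERTIFICATE entry (8-byte header, entries 8-byte aligned)."""
    off, size = pe_security_directory(pe)
    end, blobs = off + size, []
    while off + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", pe, off)
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(pe[off + 8:off + length])
        off += (length + 7) & ~7
    return blobs


def count_authenticode_signatures(pe):
    """Total signatures a loader like Windows 7's can see: one per blob plus every nested signature."""
    return sum(1 + count_nested_signatures(blob) for blob in embedded_signatures(pe))


# ---- constructed sample input (not a real signature; only the DER shape matters) ----
def der(tag, *children):
    body = b"".join(children)
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + length + body


def fake_signed_data(nested=()):
    """Skeleton ContentInfo/signedData with one SignerInfo; `nested` SignedData blobs go in its unauthenticated attrs."""
    attrs = der(0xA1, der(0x30, der(0x06, NESTED_SIGNATURE_OID), der(0x31, *nested))) if nested else b""
    signer_info = der(0x30, der(0x02, b"\x01"), attrs)
    signed_data = der(0x30, der(0x02, b"\x01"), der(0x31, signer_info))
    return der(0x30, der(0x06, SIGNED_DATA_OID), der(0xA0, signed_data))


def build_fake_pe(pkcs7=None):
    """Minimal PE32+ image: DOS stub, PE signature, COFF header, optional header, then the certificate table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, no sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    cert_table = b""
    if pkcs7 is not None:
        cert_table = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert_table += b"\0" * (-len(cert_table) % 8)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x40 + 4 + 20 + 240, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    cross_signed = build_fake_pe(fake_signed_data())
    attested_after_cross = build_fake_pe(fake_signed_data(nested=(fake_signed_data(),)))
    print("cross-signed only:", count_authenticode_signatures(cross_signed))
    print("cross-signed, then attestation-signed:", count_authenticode_signatures(attested_after_cross))
```

To run it against a real file, replace the constructed image with `open("driver.sys", "rb").read()`; a binary that was cross-signed and then attestation-signed should report 2, matching the two entries in the "Digital Signatures" tab. The count says nothing about validity: whether Windows 7 trusts either signature still depends on the chain behind it, which is what `signtool verify /v /all /pa driver.sys` or `WinVerifyTrust` checks. Note also that the `.CAT` file is not consulted by this check at all, which is exactly why a non-INF install of a legacy driver never hits the Windows 10-only restriction the catalog carries.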
  • Thanks, Tim and Alan. Your replies clarify the situation for me.
    --
    Fran Litterio
    Principal Software Engineer
    IntervalZero Inc.