WHQL Signature for XP? Yup... in 2019.

Don’t laugh. Please.

We have a client that has a driver for Windows XP that absolutely must be signed by WHQL (to allow it to be chosen automatically as a “better match” than the in-box driver for a given PnP ID).

Anybody done this recently? Got any guidance other than “This is stupid, forget it”??

TIA,

Peter

Just a thought, but you can get an attestation-signed driver to install on earlier OSes if you sign it with an additional SHA1 signature. You will probably need to re-sign the cat after submission to Microsoft. This may not address your issue of being a better match, and I don’t see that it can work if you don’t have a valid SHA1 certificate, but it may be worth a try in the absence of anything else if you can try it.

Thank you, Mr. Harrison. Nice of you to try to help somebody out as your first post. :)

> you can get an attestation-signed driver to install on earlier OSes if you sign it with an additional SHA1 signature

Yeah… but then (still) the cert that matches (and effects the install) will be the SHA1 cert, and it won’t chain-up to MSFT’s CA, and therefore won’t cause my more-specific-match driver to be chosen over an MSFT-signed less-specific-match driver.

Sigh! I was hoping that somebody has (foolishly) attempted to run the XP WHQL tests in recent memory.

At this point, we’ve pretty much given up this approach and are designing around the problem (a bigger hammer can solve the problem – while we can’t force our driver to be chosen in place of the standard in-box MSFT signed driver, we can certainly be a lower filter of the standard in-box MSFT signed driver). And that’s, well, pretty much as good.

Thanks again, Mr. Harrison, for your help.

Peter

Paul_Harrison wrote:

> Just a thought, but you can get an attestation-signed driver to install on earlier OSes if you sign it with an additional SHA1 signature. You will probably need to re-sign the cat after submission to Microsoft.

I don’t think so. Remember, Microsoft throws away your CAT file and builds a new one that is marked for Windows 10 only. Even if you added a signature to the CAT file they sent back, XP should reject it as “not designed for this version of Windows”.