Windows can't verify the publisher of this driver software?

Hi,

On Win 7 x64, testing the install of a driver, I get the subject message. The .sys file is signed with both SHA-1 and SHA-2 (cross signed with MSCV-VSClass3.cer); there is no .cat file.

What triggers the message? (No .cat file? I thought that was optional. If not, can I use inf2cat and sign the .cat and everything is good?) I don’t think the MS signing for Win10 supports Vista?

TIA!!

David_F. wrote:

> On Win 7 x64, testing the install of a driver, I get the subject message. The .sys file is signed with both SHA-1 and SHA-2 (cross signed with MSCV-VSClass3.cer); there is no .cat file.

> What triggers the message? (No .cat file? I thought that was optional?

CAT files were optional up through Vista.  They are now required for PnP
driver packages.

> If not, can I use inf2cat and sign the .cat and everything is good?) I don’t think the MS signing for Win10 supports Vista?

Yes.  Build the package, call inf2cat specifying the versions you need
to support, and sign the CAT file.  Remember that the CAT file includes
checksums of all of the files mentioned in the INF. If any file changes,
the CAT file is invalid.

Attestation signing only supports Windows 10.  WHQL signing will go WAY
back.
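The procedure Tim describes above, as an added example that is not part of the thread (it is neither David's nor Tim's code): a PowerShell script that signs the .sys, generates the catalog with inf2cat for every OS the package must install on, and dual-signs (SHA-1 first, SHA-256 appended) with a cross-certificate, then verifies against the kernel-mode policy. The package path, publisher name, timestamp URL and the cross-certificate file name (taken from David's post) are assumptions you replace with your own; the script assumes inf2cat.exe and signtool.exe from the WDK/SDK are on the PATH. Two caveats a practitioner should keep in mind: Windows 7 cannot validate a SHA-256 signature without KB3033929, which is why the SHA-1 signature goes first, and a cross-signed chain only validates while the issuing root is still part of Microsoft's cross-signing program (the program ended in 2021, so on a current machine expect this path to fail for new certificates).

```powershell
# Added example, not code from the thread. Build and dual-sign a driver package
# that targets Vista through Windows 10 using a cross-certificate.
# Assumptions (replace with your own): package folder, publisher name as it
# appears in the CurrentUser\My certificate store, cross-cert file, TSA URL.
$Pkg        = ".\MyDriver"
$CrossCert  = ".\MSCV-VSClass3.cer"          # cross-certificate from the post
$Publisher  = "Example Publisher, Inc."     # assumed subject name of the signing cert
$Tsa        = "http://timestamp.digicert.com"  # assumed TSA; serves Authenticode and RFC 3161

function Invoke-DualSign {
    # SHA-1 signature first (Win7 without KB3033929 cannot validate SHA-256),
    # then a second SHA-256 signature appended with /as so both survive.
    param([string]$File)
    & signtool.exe sign /v /ac $CrossCert /n $Publisher /fd sha1 /t $Tsa $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed for $File" }
    & signtool.exe sign /v /as /ac $CrossCert /n $Publisher /fd sha256 /tr $Tsa /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed for $File" }
}

# 1. Sign the binaries before generating the catalog. The catalog stores each
#    file's hash, so anything that changes a file afterwards invalidates the CAT.
Get-ChildItem $Pkg -Filter *.sys | ForEach-Object { Invoke-DualSign $_.FullName }

# 2. Generate the catalog. Every OS the package should install on must be
#    listed here; inf2cat records the list in the CAT, and PnP on an OS that is
#    not listed rejects the package. Use the inf2cat from the newest WDK you
#    have, since older versions do not know the newer OS tokens.
$OsList = "Vista_X64,7_X64,8_X64,6_3_X64,10_X64"
& inf2cat.exe /driver:$Pkg /os:$OsList /verbose
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed" }

# 3. Sign the catalog the same way (SHA-1 then SHA-256).
Get-ChildItem $Pkg -Filter *.cat | ForEach-Object { Invoke-DualSign $_.FullName }

# 4. Check: /kp applies the kernel-mode driver signing policy, /all walks every
#    signature in the file so you can see both the SHA-1 and SHA-256 entries.
Get-ChildItem $Pkg -Include *.sys,*.cat -Recurse | ForEach-Object {
    & signtool.exe verify /v /kp /all $_.FullName
}
```

Run it from a Developer Command Prompt or a PowerShell session where the WDK tools are on the PATH. If step 4 reports a chain error on the target OS rather than a hash error, the problem is the cross-certificate chain, not the catalog.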

So it appears you can’t have a single signed driver for Vista, Win7, Win8, Win10? I signed the .sys with a SHA1 and SHA256 before MS signed with another SHA256. The CAT was only signed again with a SHA256 since it has to be done afterwards and you can’t append SHA1, but anyway, Win7 didn’t like it and thinks the signature is invalid, so it must not look at all the signatures but only the last one?

On Mar 1, 2019, at 10:11 PM, David_F. wrote:
>
> So it appears you can’t have a single signed driver for Vista, Win7, WIn8, Win10?

Sure you can, but the only way to do it is to go through HCK and HLK testing and submit for a WHQL signature.

> I signed the .sys with a SHA1 and SHA256 before MS signed with another SHA256. The Cat was only signed again with a SHA256 since it has to be done afterwards and you can’t append SHA1,

If you submitted for attestation signing, the problem is not the signature. The problem is that the CAT file is marked valid only for Win 10. If you are using attestation signing, then yes, you must create one package for Win 10 (using attestation) and one package for the older systems (self-signed with the cross-certificate).

Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.

> The problem is that the CAT file is marked valid only for Win 10.

Ugh! You mean you actually have to specify on the inf2cat command line every single OS to support, using the version of inf2cat that came with Windows 8.1? (Since older versions wouldn’t know about newer OSes?)

On Mar 2, 2019, at 9:41 AM, David_F. wrote:
>
>> The problem is that the CAT file is marked valid only for Win 10.
>
> Ugh! You mean you actually have to specify on the inf2cat command line every single OS to support, using the version of inf2cat that came with Windows 8.1? (Since older versions wouldn’t know about newer OSes?)

I’m sorry, I couldn’t parse that sentence. Remember that when you submit your package to Microsoft, either for WHQL or for attestation, they promptly throw away any CAT file you might have included with the package and create a new one from scratch. You don’t even have to include one. For WHQL, they add every operating system you requested in your submission. For attestation, they only tick Windows 10.

There is a grandfather clause; if you signed a package with the 8.1 tools prior to the release of Windows 10, it will be accepted on Windows 10. They use the certified timestamp, so you can’t fake it.

Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.