Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


regarding driver signing for 3rd party driver in winPE mode

Durgesh_Tiwari Member Posts: 11

Hi,

I have a driver that gets loaded in our Recovery mode (Windows PE). It was signed long back, in 2011, with my company's SHA1 certificate. To date it has been working fine and loading fine in my recovery PE environment. I did not get Microsoft to sign that driver.
Now, for internal reasons, I was supposed to sign the driver again. But now when I load the driver with the new certificate I get the error
"Error 577: Windows cannot verify the digital signature for this file"
The same driver works for 32-bit machines.
How does Windows check the authenticity of my driver?
A few questions:
1. My previous driver also was not Microsoft signed. But it worked. Now the new driver is not loading. Does the date at which the driver is signed matter?
2. To overcome it, should I get it Microsoft signed? If so, how do I run the suite for the WinPE environment?

Regards,
Vidhya

Comments

  • Tim_Roberts Member - All Emails Posts: 13,158

    Yes, the date it was signed matters, and yes, 64-bit system requirements are different from 32-bit systems. If Microsoft suddenly rendered all old drivers inoperable, there would be a revolt.

    Assuming there are no HLK tests for a PE driver, you will need to use "attestation signing", where you submit a driver package and attest that you have done good-faith testing of the driver. Does your PE driver have an INF file? If not, then you'll need to create a fake INF file, which you can discard after the binary is signed.

    https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

    https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Durgesh_Tiwari Member Posts: 11

    Thanks, Tim, for the info. I see the following statement on the Microsoft site:
    "An attestation signed driver will only work for Windows 10. It will not work for other versions of Windows, such as Windows 8.1, Windows 7, or versions of Windows Server later than Windows Server 2016"
    My product supports Windows 8.1, Windows 8 and the 2019 kernel.
    Is there a way to load my driver in these WinPE versions?

    Regards,
    Vidhya

  • Tim_Roberts Member - All Emails Posts: 13,158

    Their comment is misleading. If your driver needs a full driver package, with an INF and a CAT file, then the comment is true. Attestation signing creates a CAT file that only names Windows 10 (and, by extension, Windows 2016 and 2019).

    But if your driver doesn't need an INF or CAT, then the comment is untrue. The attestation signing process not only creates a CAT, it also signs all of the binaries in the package, and THAT signature works on every Windows version from Win 7 on. So, you can create a fake INF file that refers to your .SYS, submit it, fetch the signed package, and throw out everything you don't need.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
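    After discarding the INF and CAT as described above, a practitioner will want to confirm that the embedded signature on the bare .SYS is the one Windows will evaluate. The following PowerShell script is an added example, not code from the thread or from OSR; the driver path is a placeholder, and the `signtool /kp` step (the kernel-mode driver signing policy check) runs only if signtool.exe from the Windows SDK is on the PATH.

```powershell
# Added example: inspect the embedded Authenticode signature on a kernel driver
# binary after the rest of the attestation-signed package has been thrown away.
# $DriverPath is a hypothetical placeholder; point it at your own .sys file.
function Test-DriverSignature {
    param([string]$DriverPath = "C:\drivers\mydriver.sys")

    if (-not (Test-Path $DriverPath)) { throw "File not found: $DriverPath" }

    # Get-AuthenticodeSignature reads the signature embedded in the PE file itself,
    # which is what survives when the INF/CAT are discarded.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath

    "File        : $DriverPath"
    "Status      : $($sig.Status) ($($sig.StatusMessage))"
    "Signer      : $($sig.SignerCertificate.Subject)"
    "Cert alg    : $($sig.SignerCertificate.SignatureAlgorithm.FriendlyName)"
    "Cert valid  : $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"

    # A countersignature (timestamp) is what lets a signature remain valid after
    # the signing certificate itself expires; its absence is worth flagging.
    if ($sig.TimeStamperCertificate) {
        "Timestamp   : countersigned by $($sig.TimeStamperCertificate.Subject)"
    } else {
        "Timestamp   : NONE (signature lifetime tied to the signing cert's validity)"
    }

    # Walk the certificate chain so the reviewer can see who ultimately vouches
    # for the signer (for an attestation-signed binary this should chain to Microsoft).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    "Chain:"
    $chain.ChainElements | ForEach-Object { "  -> $($_.Certificate.Subject)" }

    # Optional: signtool's /kp switch applies the kernel-mode driver signing policy,
    # which is closer to what the loader enforces than a plain Authenticode check.
    $signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
    if ($signtool) {
        "`nsigntool verify /v /kp:"
        & $signtool.Source verify /v /kp $DriverPath
    } else {
        "`nsigntool.exe not on PATH; skipping kernel-mode policy check."
    }

    return $sig
}

Test-DriverSignature
```

    The kernel's code-integrity checks are the final arbiter, so treat this as a pre-flight inspection rather than proof that the driver will load in a given PE image.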

  • Durgesh_Tiwari Member Posts: 11

    Thanks, Tim, for the update. I will try attestation signing and check.
