Regarding driver signing for a 3rd-party driver in WinPE mode

Hi,

I have a driver that gets loaded in our Recovery mode (Windows PE). It was signed long back in 2011 with my company’s SHA1 certificate. Until now it was working fine and loading fine in my recovery PE environment. I did not get Microsoft to sign that driver.
Now for internal reasons I was supposed to sign the driver again. But now when I load the driver with the new certificate I get the error
“Error 577: Windows cannot verify the digital signature for this file”
The same driver works for 32 bit machine.
How does Windows check the authenticity of my driver?
A few questions:

  1. My previous driver also was not Microsoft signed. But it worked. Now the new driver is not loading. Does the date at which the driver is signed matter?
  2. To overcome it, should I get it Microsoft signed? If so, how do I run the suite for the WinPE environment?

Regards,
Vidhya

Yes, the date it was signed matters, and yes, 64-bit system requirements are different from those of 32-bit systems. If Microsoft suddenly rendered all old drivers inoperable, there would be a revolt.

Assuming there are no HLK tests for a PE driver, you will need to use “attestation signing”, where you submit a driver package and attest that you have done good-faith testing of the driver. Does your PE driver have an INF file? If not, then you’ll need to create a fake INF file, which you can discard after the binary is signed.

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/

Thanks Tim for the info. I see the following statement on the Microsoft site.
“An attestation signed driver will only work for Windows 10. It will not work for other versions of Windows, such as Windows 8.1, Windows 7, or versions of Windows Server later than Windows Server 2016”
My product supports Windows 8.1, Windows 8 and the 2019 kernel.
Is there a way to load my driver in these WinPE versions?

Regards,
Vidhya

Their comment is misleading. If your driver needs a full driver package, with an INF and a CAT file, then the comment is true. Attestation signing creates a CAT file that only names Windows 10 (and, by extension, Windows 2016 and 2019).

But if your driver doesn’t need an INF or CAT, then the comment is untrue. The attestation signing process not only creates a CAT, it also signs all of the binaries in the package, and THAT signature works on every Windows version from Win 7 on. So, you can create a fake INF file that refers to your .SYS, submit it, fetch the signed package, and throw out everything you don’t need.
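As an added example for the verification side of what Tim describes (this is not code from the thread, from OSR, or from Microsoft): once the attestation-signed package comes back and the INF and CAT have been discarded, the only thing that matters for WinPE is the signature embedded in the .SYS itself. The script below reports that embedded signature, its algorithm and timestamp, walks the signer's certificate chain so you can see whether it ends at a Microsoft root rather than only at your own company CA, and then asks signtool to verify every signature in the file under kernel-mode policy. The driver path is a placeholder, and signtool.exe is assumed to be on PATH from the WDK or SDK.

```powershell
# Added example, not from the thread. Inspects the Authenticode signature embedded in
# a driver binary (independent of any CAT file) so you can confirm what the .sys
# carries before it is copied into the WinPE image.
# Assumptions: $DriverPath is your .sys; 'C:\drivers\mydriver.sys' below is a placeholder.

function Get-DriverSignatureReport {
    param([Parameter(Mandatory)][string]$DriverPath)

    # Primary embedded signature. A file can carry more than one; the signtool call in
    # Test-DriverKernelPolicy covers all of them.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath

    $report = [ordered]@{
        File      = $DriverPath
        Status    = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
        Message   = $sig.StatusMessage
        Signer    = $null
        Algorithm = $null
        Timestamp = $null
        Chain     = @()
    }

    if ($sig.SignerCertificate) {
        $report.Signer    = $sig.SignerCertificate.Subject
        $report.Algorithm = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA
        if ($sig.TimeStamperCertificate) {
            $report.Timestamp = $sig.TimeStamperCertificate.Subject
        }

        # Build the chain up to a root. The last element shows whether the signature
        # descends from a Microsoft root (what attestation signing gives you) or only
        # from a company CA (what the 2011 signature in the question used).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; re-run with Online before release
        [void]$chain.Build($sig.SignerCertificate)
        $report.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }

    [pscustomobject]$report
}

# Kernel-mode policy check for every signature in the file, using signtool from the
# Windows SDK/WDK. /kp = kernel-mode driver signing policy, /all = check every
# signature, /v = verbose. A non-zero exit code means verification failed.
function Test-DriverKernelPolicy {
    param([Parameter(Mandatory)][string]$DriverPath,
          [string]$SignTool = 'signtool.exe')   # assumed to be on PATH

    & $SignTool verify /v /kp /all $DriverPath
    return ($LASTEXITCODE -eq 0)
}

# Usage with the placeholder path:
Get-DriverSignatureReport -DriverPath 'C:\drivers\mydriver.sys' | Format-List
Test-DriverKernelPolicy  -DriverPath 'C:\drivers\mydriver.sys'
```

Run it against the .SYS pulled out of the signed package and again against the copy that ends up inside the PE image, so a stale build or a mismatched binary shows up as a HashMismatch or a chain that stops at your company CA before you see Error 577 at boot.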

Thanks Tim for the update. I will try for attestation signing and check.