
Dual signing: what happens if one of the certs becomes invalid?

henrik_meida Member Posts: 83

Hi,

Let's say I have dual signed a driver, one with SHA1 and the other with SHA2.

Now assume that the SHA1 cert becomes invalid for whatever reason, for example getting expired and me not timestamping it. Now if the SHA2 cert that I used to sign the executable is still valid, will the driver still load? Or because one of the two certs is invalid, does it become invalid as well?

Comments

  • Tim_Roberts Member - All Emails Posts: 14,109

    The systems that require SHA2 will still accept it. The systems that require SHA1 will not.

    However, you mentioned loading. Remember there are TWO signature checks. The check that is done when the driver is INSTALLED is more thorough. It follows the certificate chain and the timestamp. The check that is done when the driver is LOADED (64-bit only) is, as far as I know, much more rudimentary. (It has to be, otherwise the impact on performance would be significant.) It only looks for the Microsoft Code Verification Root. It doesn't check revocation lists and it doesn't validate the timestamp.

    As a rule, they don't want to suddenly break a system that was previously operational.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • henrik_meida Member Posts: 83
    edited September 21

    @Tim_Roberts said:
    The systems that require SHA2 will still accept it. The systems that require SHA1 will not.

    However, you mentioned loading. Remember there are TWO signature checks. The check that is done when the driver is INSTALLED is more thorough. It follows the certificate chain and the timestamp. The check that is done when the driver is LOADED (64-bit only) is, as far as I know, much more rudimentary. (It has to be, otherwise the impact on performance would be significant.) It only looks for the Microsoft Code Verification Root. It doesn't check revocation lists and it doesn't validate the timestamp.

    As a rule, they don't want to suddenly break a system that was previously operational.

    So considering that I only load my drivers and don't install, I can first just sign my driver with an old and expired SHA1 certificate (without timestamping, since it's expired) to support older systems, and then append my actual new SHA256 certificate for newer systems and timestamp that one, right? Because at least based on my experiments, even when I didn't timestamp it and set the date to something like 2040, the driver still loaded.

  • henrik_meida Member Posts: 83

    Basically my question is this:

    No matter the version of Windows, if I sign my driver using two certificates, first a SHA1 and then a SHA2, and the SHA1 gets expired and I don't timestamp it anymore, can I just sign the driver first with the SHA1 to support older systems, and then sign with a valid SHA2? Will it cause any trouble in loading or installing drivers in newer Windows 10/11 versions if I do this? Meaning, will they allow it to install/load, when the first one (SHA1) is expired but the second appended signature (SHA2) is valid?

  • Tim_Roberts Member - All Emails Posts: 14,109

    I doubt that anyone here has tried it. It just isn't a productive scenario to test, since timestamping is cheap. Why are you even worried about this? Do you have a package with a non-timestamped SHA1 certificate?

    I would GUESS that a system that does SHA2 will be fine, and a system that insists on SHA1 will no longer allow you to install. However, that only applies to the original release of Windows 7 and earlier.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
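
Added example, not part of any post in this thread and not Windows' actual implementation: a simplified Python model of the install-time and load-time checks as Tim_Roberts describes them, run against the dual-signed file from the question. The dates, the `Signature` fields and the rule that a system accepts a file if any signature it understands passes are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Signature:
    digest: str                     # "sha1" or "sha256"
    not_before: datetime            # signing certificate validity window
    not_after: datetime
    timestamp: Optional[datetime]   # countersigned signing time, None if not timestamped
    chains_to_kernel_root: bool = True


def install_check(sig, now):
    """Thorough check: chain plus validity period, judged at the timestamp if present."""
    reference = sig.timestamp or now
    return sig.chains_to_kernel_root and sig.not_before <= reference <= sig.not_after


def load_check(sig, now):
    """Rudimentary check as described in the thread: root only, time is ignored."""
    return sig.chains_to_kernel_root


def accepted(signatures, supported_digests, check, now):
    """Assumption: the file passes if any signature the system understands passes."""
    return any(check(s, now) for s in signatures if s.digest in supported_digests)


# Constructed scenario: expired, non-timestamped SHA1 plus valid, timestamped SHA2.
SHA1_EXPIRED = Signature("sha1", datetime(2014, 1, 1), datetime(2017, 1, 1), None)
SHA2_VALID = Signature("sha256", datetime(2020, 1, 1), datetime(2023, 1, 1),
                       datetime(2021, 9, 1))
DUAL = [SHA1_EXPIRED, SHA2_VALID]
NOW = datetime(2040, 1, 1)  # clock set far ahead, as in the poster's experiment


def scenario():
    systems = {"sha1-only": {"sha1"}, "sha2-capable": {"sha1", "sha256"}}
    return {(name, check.__name__): accepted(DUAL, digests, check, NOW)
            for name, digests in systems.items()
            for check in (install_check, load_check)}


if __name__ == "__main__":
    for key, ok in scenario().items():
        print(key, "accepted" if ok else "rejected")
```

In this model only the install-time check on a SHA1-only system rejects the file; a timestamp taken while the SHA1 certificate was still valid would make that case pass as well.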

  • henrik_meida Member Posts: 83
    edited October 7

    @Tim_Roberts said:
    I doubt that anyone here has tried it. It just isn't a productive scenario to test, since timestamping is cheap. Why are you even worried about this? Do you have a package with a non-timestamped SHA1 certificate?

    But I can't timestamp it after the certificate gets expired, can I? And since no CA will issue a SHA1 cert anymore, this seems to be my only option to support non-updated Windows 7s, other than forcing them to update it.

    and a system that insists on SHA1 will no longer allow you to install. However, that only applies to the original release of Windows 7 and earlier.

    Are you sure? Have you seen any Windows version, specifically 7, disallow an installation of a driver because of an expired and non-timestamped cert? Because so far in my tests, they don't care about timestamp or expiration, they still allow it to install, but maybe it's the specific Windows 7s that I am using that are like this, so have you actually seen Windows not allowing installation because of this?

  • Tim_Roberts Member - All Emails Posts: 14,109

    As I said, no one here has tested this scenario, and the Microsoft advice doesn't apply to edge cases. If you want to know, you'll have to set it up for yourself.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
