Microsoft signature *not* required for driver package catalog in AU?

The original Q&A with James Murray (https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/) states regarding the new requirement that all drivers have Microsoft signatures:

“The requirement will be enforced at both install and load times.”

This is consistent with our experience in Insider Preview 14295. I installed the x64 Enterprise edition cleanly with Secure Boot enabled. Our driver installer (containing drivers that were only signed by our current certificate, issued after July 29, 2015, and not signed by MS) failed with the following:

“!!! sig: An unexpected error occurred while validating driver package. Catalog = NIDSA.cat, Error = 0x800B0110
!!! sig: Driver package is considered unsigned, and Code Integrity is enforced.
!!! sig: Driver package failed signature validation. Error = 0xE0000247
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 09:22:26.596
!!! sig: Driver package failed signature verification. Error = 0xE0000247
!!! sto: Failed to import driver package into Driver Store. Error = 0xE0000247”

The same installer in the same scenario (clean install of Enterprise version of the OS with Secure Boot on) does not fail on either Insider Preview 14372 or the released Anniversary Update. The relevant snippets:

" sig: {_VERIFY_FILE_SIGNATURE} 02:34:56.800
sig: Key = NIDSAwv.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSAwv.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp{b1bcfc61-a836-3848-814d-e6562ab944b3}\NIDSA.cat
sig: Success: File is signed in Authenticode™ catalog.
sig: Error 0xe0000241: The INF was signed with an Authenticode™ catalog from a trusted publisher.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000241)} 02:34:56.831
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 02:34:56.831
sig: Signer Score = 0x0F000000
sig: Signer Name = National Instruments Corporation"

Subsequently attempting to load the drivers does fail with signature verification errors.

Was there any announcement of the removal of this requirement? Was this an intentional change, or is it a bug? This would be very useful for us, as we are currently required to have two catalog files: an attested-signed catalog for Windows 10 and a catalog with our company’s signature for all other OS versions. A single catalog file with only our company’s signature, if possible, would simplify our product & installer build & test processes.

For SURE, not that I’m aware of.

ENTERPRISE edition… Hmmm… I wonder…

Peter
OSR
@OSRDrivers

> ENTERPRISE edition… Hmmm… I wonder…

Interesting. Windows 10 Pro (both Insider Preview 14295 and AU 1607) exhibits the same behavior as its Enterprise counterparts (14925 failed install, AU succeeded but failed to load drivers), with the added wrinkle that in the case of Pro 1607, I received the “A digitally signed driver is required” floating dialog for each non-Microsoft-signed PNP driver that the installer installed. The installer continued working despite the pop-ups and completed, with the drivers obviously failing to load.


Gabe
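
An added example, not part of the thread or any poster's code: a Python sketch that scans setupapi.dev.log-style text for the pattern reported above, where a package passes Driver Store import validation on a publisher-only Authenticode catalog (0xe0000241) and its drivers then fail at load. The sample log is constructed from the thread's two excerpts (trimmed, Temp path shortened); the function and field names are hypothetical.

```python
import re

# Constructed sample: the thread's two excerpts, trimmed, Temp path shortened.
SAMPLE_LOG = r"""
!!!  sig: An unexpected error occurred while validating driver package. Catalog = NIDSA.cat, Error = 0x800B0110
!!!  sig: Driver package failed signature validation. Error = 0xE0000247
     sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000247)} 09:22:26.596
     sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\NIDSA.cat
     sig: Error 0xe0000241: The INF was signed with an Authenticode(tm) catalog from a trusted publisher.
     sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 02:34:56.831
     sig: Signer Name = National Instruments Corporation
"""

# Code logged when the INF is covered only by a trusted publisher's Authenticode catalog.
AUTHENTICODE_TRUSTED_PUBLISHER = 0xE0000241

CATALOG = re.compile(r"sig:.*?Catalog = ([^,\r\n]+)")
ERROR = re.compile(r"Error(?: =)? (0x[0-9A-Fa-f]{8})")
VALIDATE = re.compile(r"DRIVERSTORE IMPORT VALIDATE: exit\((0x[0-9A-Fa-f]{8})\)")
SIGNER = re.compile(r"sig:\s*Signer Name = (.+)")

def classify_imports(text):
    """Return one record per DRIVERSTORE IMPORT VALIDATE exit line."""
    records, catalog, codes, last = [], None, set(), None
    for line in text.splitlines():
        m = VALIDATE.search(line)
        if m:
            last = {
                "catalog": catalog,
                "imported": int(m.group(1), 16) == 0,
                "publisher_only": AUTHENTICODE_TRUSTED_PUBLISHER in codes,
                "signer": None,
            }
            records.append(last)
            catalog, codes = None, set()  # next package starts clean
            continue
        m = CATALOG.search(line)
        if m:
            catalog = m.group(1).strip().split("\\")[-1]  # keep file name only
        codes.update(int(c, 16) for c in ERROR.findall(line))
        m = SIGNER.search(line)
        if m and last is not None:
            # Assumption: signer lines follow the exit line, as in the thread's excerpt.
            last["signer"] = m.group(1).strip()
    return records

def publisher_only_imports(text):
    """Packages the Driver Store accepted on a publisher-only catalog."""
    return [r for r in classify_imports(text) if r["imported"] and r["publisher_only"]]
```

Records returned by `publisher_only_imports` are the packages worth checking for the load-time signature failures described in the thread.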