As many of you have already experienced, we are having a really hard time figuring out what to do to release a single driver binary for all Windows versions (XP to Windows 10, up to build 1607, which requires HLK).
What I previously read was that dual signing a driver with the commands below would make it compatible with Windows Vista to Windows 10 (included).
signtool.exe sign /t http://timestamp.digicert.com /sha1 XXXSHA1THUMBPRINT driver.sys
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 XXXSHA256THUMBPRINT driver.sys
The resulting driver has dual signatures, but I am still getting the error "Windows requires a digitally signed driver" on Windows 7, Windows 8.1 and Windows 10 boxes.
When I sign the binary using DigiCert's utility with the "Kernel Mode Code Signing" checkbox checked, it is signed with a single SHA-1 signature and it works as expected on Win 7, 8 and 10.
I understand that Windows 10 1607 requires us to pass HLK, but what is wrong with the dual signing process? Am I missing something related to date constraints?
As a side note, the Microsoft Driver Signing Policy states that a SHA-2 signature is only required on Windows 10, version 1607+ with Secure Boot on, and SHA-1 is required on all previous versions. See: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-#signing-requirements-by-version
To summarize, I am totally lost and cannot figure out how to proceed.
Any help is appreciated.
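A verification pass that separates the two things the post conflates, namely whether the signatures are well formed and whether they chain the way the kernel-mode policy requires, as an added example that is not part of the original post. It assumes signtool.exe is on PATH and that $DriverPath (placeholder name) is the dual-signed binary.

```powershell
# Added verification helper, not part of the original post. Assumes signtool.exe is on PATH
# and that $DriverPath is the dual-signed binary (placeholder name below).
param(
    [string]$DriverPath = '.\driver.sys'   # placeholder, replace with the real binary
)

function Invoke-SigntoolVerify {
    # Runs one signtool verify policy and returns a pass/fail row; /all covers the
    # primary signature and every signature appended with /as.
    param([string]$Path, [string]$PolicySwitch, [string]$Label)
    $out = & signtool.exe verify /v $PolicySwitch /all $Path 2>&1
    [pscustomobject]@{
        Check  = $Label
        Result = if ($LASTEXITCODE -eq 0) { 'Valid' } else { "Failed (exit $LASTEXITCODE)" }
        Detail = ($out | Select-String 'SignTool Error|Issued to' |
                  ForEach-Object { $_.Line.Trim() }) -join '; '
    }
}

function Test-DriverSignatures {
    param([Parameter(Mandatory)][string]$Path)

    # Primary signature as PowerShell reports it (the SHA-1 one in the posted flow), plus
    # whether a timestamp countersignature is present, since the post asks about date constraints.
    $primary = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Check  = 'Primary signature (Get-AuthenticodeSignature)'
        Result = $primary.Status
        Detail = 'Signer: ' + $primary.SignerCertificate.Subject + '; Timestamped: ' +
                 [bool]$primary.TimeStamperCertificate
    }

    # Default Authenticode policy: confirms the signatures themselves are well formed.
    Invoke-SigntoolVerify -Path $Path -PolicySwitch '/pa' -Label 'All signatures, Authenticode policy (/pa)'

    # Kernel-mode driver signing policy: the check that corresponds to the load-time error,
    # because it validates the certificate chain the kernel-mode policy accepts.
    Invoke-SigntoolVerify -Path $Path -PolicySwitch '/kp' -Label 'All signatures, kernel-mode policy (/kp)'
}

Test-DriverSignatures -Path $DriverPath | Format-Table -AutoSize -Wrap
```

Run it once against the dual-signed binary and once against the one produced by the DigiCert utility; a /pa pass with a /kp failure on the first file points at the chain rather than at the hash algorithms or timestamps.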