Why does my attestation-signed legacy driver load on Windows 7?

We accidentally installed a cross-signed and then attestation-signed legacy driver on (a fully updated) Windows 7 … and to our surprise it loaded! It was cross-signed first and then attestation-signed. I expected the attestation signature to invalidate the cross signature, thus rendering the driver unusable on Windows 7.

Why did this work?

Fran Litterio
Principal Software Engineer
IntervalZero Inc

xxxxx@gmail.com wrote:

We accidentally installed a cross-signed and then attestation-signed legacy driver on (a fully updated) Windows 7 … and to our surprise it loaded! It was cross-signed first and then attestation-signed. I expected the attestation signature to invalidate the cross signature, thus rendering the driver unusable on Windows 7.

Why did this work?

The “Windows 10 only” limitation with attestation signing is only in the
CAT file.  If you have a legacy driver, then you aren’t doing a PnP
install, so the CAT file is not used.  The actual attestation signature
uses the same Microsoft certificate you get from WHQL.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> We accidentally installed a cross-signed and then attestation-signed
> legacy driver on (a fully updated) Windows 7 … and to our surprise
> it loaded! It was cross-signed first and then attestation-signed.
> I expected the attestation signature to invalidate the cross signature,
> thus rendering the driver unusable on Windows 7.

As Mr. Roberts already clarified, it's expected that the driver LOADED
successfully on Windows 7. The binary itself does have an embedded
signature, which is what Windows 7 is looking for at load time.

In your case the binary file is expected to have TWO signatures: your
cross-signed signature, and now also Microsoft’s certificate
signature. Binary files that already have a signature prior to being
submitted for attested signing will have the Microsoft signature added
to the binary files IN ADDITION to the signature already there.

(You should be able to see that there are two separate signatures in
the “Digital Signatures” tab in the properties of the binary files you
received back.)

You may or may not be using an .INF-based installation method to
install your legacy driver. If you are using an .INF, then I would
have expected the SETUPAPI-based installation process to complain that
the driver was “not signed”, because, as Mr. Roberts indicated, the
.CAT file produced by attested signing only works for Windows 10.

(It’s not that “the signature on the .CAT” is specific to Windows 10;
it’s the contents of the .CAT file itself that indicate “this .CAT
file is only intended for Windows 10.” The .CAT file was created from
scratch by the attested signing process, and will ONLY have a
Microsoft signature on it, regardless of any .CAT or .CAT file
signature you submitted in your attested signing .CAB package.)

But since you didn’t report such an issue, we’re assuming you’re using
a non-.INF installation method to register the driver with Windows.

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com
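The check Alan describes (two separate signatures in the “Digital Signatures” tab) can also be done programmatically. The script below is an added example, not code from this thread or from any of the posters: it walks the PE headers of a driver file to the Security data directory, decodes the embedded PKCS#7 blob, and then lists every nested signature stored in the first signer's unsigned attributes (OID 1.3.6.1.4.1.311.2.4.1, szOID_NESTED_SIGNATURE), which is where a second Authenticode signature such as the one added by attestation signing lives. It assumes a Windows PowerShell 5.1 / .NET Framework host; the `-Path` parameter name and the script file name in the usage note are my own choices.

```powershell
# Added example (not from the original thread): list every Authenticode
# signature embedded in a PE file (e.g. a .sys driver), so the "two signatures"
# case discussed above can be confirmed without the GUI properties dialog.
# Assumes Windows PowerShell 5.1 (.NET Framework); -Path is a hypothetical name.
param(
    [Parameter(Mandatory = $true)][string]$Path
)

Add-Type -AssemblyName System.Security

function Show-Signer {
    # Print the first signer of a SignedData structure (one Authenticode signature).
    param([System.Security.Cryptography.Pkcs.SignedCms]$Cms, [int]$Index)
    $si = $Cms.SignerInfos[0]
    Write-Output ("[{0}] Subject   : {1}" -f $Index, $si.Certificate.Subject)
    Write-Output ("    Issuer    : {0}" -f $si.Certificate.Issuer)
    Write-Output ("    Thumbprint: {0}" -f $si.Certificate.Thumbprint)
    Write-Output ("    NotAfter  : {0}" -f $si.Certificate.NotAfter)
    Write-Output ("    Digest    : {0}" -f $si.DigestAlgorithm.FriendlyName)
}

$b = [System.IO.File]::ReadAllBytes($Path)

# DOS header -> e_lfanew -> "PE\0\0" signature -> optional header.
$peOff = [BitConverter]::ToInt32($b, 0x3C)
if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x4550) { throw "Not a PE file: $Path" }
$optOff = $peOff + 24
$magic  = [BitConverter]::ToUInt16($b, $optOff)
# Data directories start 112 bytes into a PE32+ optional header, 96 bytes into PE32.
$ddOff  = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }

# Security directory is entry 4; unlike other entries it holds a raw file offset.
$secOff  = [BitConverter]::ToInt32($b, $ddOff + 4 * 8)
$secSize = [BitConverter]::ToInt32($b, $ddOff + 4 * 8 + 4)
if ($secOff -eq 0 -or $secSize -eq 0) {
    Write-Output "No embedded signature in $Path"
    return
}

# WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[].
# dwLength covers the 8-byte header, so the PKCS#7 payload is dwLength - 8 bytes.
$certLen = [BitConverter]::ToInt32($b, $secOff)
$pkcs7   = New-Object byte[] ($certLen - 8)
[Array]::Copy($b, $secOff + 8, $pkcs7, 0, $pkcs7.Length)

$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($pkcs7)
Show-Signer -Cms $cms -Index 0

# Additional signatures (for example Microsoft's attestation signature added on
# top of an existing cross-signature) are carried as nested SignedData blobs in
# the first signer's unsigned attributes under szOID_NESTED_SIGNATURE.
$count = 1
foreach ($attr in $cms.SignerInfos[0].UnsignedAttributes) {
    if ($attr.Oid.Value -ne '1.3.6.1.4.1.311.2.4.1') { continue }
    foreach ($val in $attr.Values) {
        $nested = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $nested.Decode($val.RawData)
        Show-Signer -Cms $nested -Index $count
        $count++
    }
}
Write-Output ("Total embedded signatures: {0}" -f $count)
```

Run it as `.\Get-DriverSignatures.ps1 -Path C:\drivers\mydriver.sys` (script name and path are placeholders). For a driver that went through cross-signing and then attestation signing you should see two entries: your own signer first, then the Microsoft signer from the nested attribute. The same listing is available from the WDK's `signtool verify /v /all mydriver.sys`; `Get-AuthenticodeSignature` alone is not enough here because it only reports the primary signature, not the nested one.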

Thanks, Tim and Alan. Your replies clarify the situation for me.

Fran Litterio
Principal Software Engineer
IntervalZero Inc.