Problems with Win7 Signing

Anything in the Windows Application or System event logs? The CodeIntegrity log?

Just to make sure: No INF or CAT file, correct? If you look at the Digital Signatures under properties for the .sys file, is there anything interesting? Does this sys file have any other dependencies that may not have been signed properly?

The system log just says that it failed to load a driver with the error 577
the app log does nto show anything
the code integrity log says event 3002 integrity couldn’t be verifyed
yes no cat no inf

Digital Signatures under properties for the .sys file
There is the msft signature and it says valid,
strangely there is still also the test signing signature as well.

the driver does nto have any dependencies other than ntdll.dll

Win7 has to have the updates installed to support sha-2, you did that,
right?

Mark Roddy

@Mark_Roddy said:
Win7 has to have the updates installed to support sha-2, you did that,
right?

Mark Roddy

Yes and I double checked that its on, and i can see the sha246 cert in the file properties, IIRC without that update it wouldn’t show them only the sha1 once

@DavidXanatos said:
There is the msft signature and it says valid,
strangely there is still also the test signing signature as well.

Is the test signature listed first? I suspect that Win7 is finding the test signature first in the list, trying it, and failing because you aren’t in test signing mode. Try signing it with a production signature (or, better, no signature at all) and resubmitting for the Microsoft signature.

@Gabe_Jones said:

@DavidXanatos said:
There is the msft signature and it says valid,
strangely there is still also the test signing signature as well.

Is the test signature listed first? I suspect that Win7 is finding the test signature first in the list, trying it, and failing because you aren’t in test signing mode. Try signing it with a production signature (or, better, no signature at all) and resubmitting for the Microsoft signature.

Yes that may in deed be a problem although on 10 it it wasn’t one, can I remove the test signature or will that than break the MSFT one?

Can I remove the signature from the original sys and submit it without running all the tests?
Do I need to rerun all the tests to submit the driver without the test sig? I mean I cant run tests it without a test sig so it should be possible to get the test signed driver after testing strip the test sig ans submit it right?

Where do I find the attestation signign option? There is a checkbox called so when I normally upload the hlk results but i thought attestation is without any testing so there should be an option to just upload the sys?

I have released the driver for windows 10 only: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v0.5.0
but no solution for windows 7,
does anyone here actually managed to get a windows 7 driver using the WHQL route instead of crisscrossing?

I think what Mr. Jones said earlier is right:

I think you’d be better served figuring out why the Microsoft-signed driver that passed the HCK does not load on Windows 7.

This can’t just “not work.” Drivers passed WHQL and were signed and loaded properly… even after the release of Win7.

If you passed the HCK for Win7, and the driver is signed by WHQL for Win 7, and the driver does not load on Win 7… that’s the problem for you to figure out. At the very least you coild open a case with WDK support.

Peter

At the very least you coild open a case with WDK support.

Peter

And how do I do that?
I tried emailing whlkhelp@microsoft.com but that email seams not longer valid.
Do I need to open a busyness support ticket? Ist that free of charge?

https://docs.microsoft.com/en-us/windows-hardware/test/hlk/user/windows-hlk-support

Peter

@“Peter_Viscarola_(OSR)” said:
https://docs.microsoft.com/en-us/windows-hardware/test/hlk/user/windows-hlk-support

Peter

That page sends me to a page that sends me no were where I could reach a human being at MSFT.
What options should I select to get my issue seen by a real person at MSFT?

It sends me to “Support for Business” which will eventually get you to the WDK Support Group… which is who you need to deal with.

I mean… what are you expecting? You want somebody you can call on the phone who’ll listen to you and walk you through possible solutions? I’m thinkiin’ that’s not likely… unless your company has Premier Support, in which case you can call your TAM who’s basically paid to listen to your problems, empathize, and perhaps even route an email to the appropriate support team.

Peter

@“Peter_Viscarola_(OSR)” said:
I mean… what are you expecting?

Peter

An email address or contact form that is read directly by the WDK Support Group would be appropriate.

I don’t even know what to select in this “Support for Business” form,
developer tools don’t sem right,
Windows when I select windows 7 tels me no support without an ESU,
And when I select partner center I don’t get anything that even remotely looks likeit may lead to the WDK Support.

I’m having the same issue on Win7. My driver passed all the hck tests, then merged into the hlk package and submitted to whql. Passed and it installs on 8.1 and 10. On 7 it initially says the driver is signed when I select it via dev manager but get the same driver not signed error.
I opened a support ticket through the hlk support portal. It’s been almost a month now with no real status update.
When QA first reported it asking them to make sure all updates were applied was the first thing I tried.

Interesting. Keep us posted, please.

Peter

https://community.osr.com/discussion/292466/microsoft-no-more-updates-allowed-for-drivers-on-win-7-win-8-win-8-1/

Is there any update on this? is the decision final? if so, Is Microsoft actively trying to push companies towards Linux or …?

The battle continues…

Peter

After tons of tries I have figure out that Windows cannot verify driver with 2 signatures: first - EV certficate chain and 2nd - microsoft cert chain. So my solution is after passing all the HCK tests, I submit driver without a signature (this is the same version of the driver that passed all the HCK tests but without the EV certificate signature). Driver with one signature (the one that Microsoft adds) succesfully installs on Windows 7.

This is, in fact, exactly what we have observed and suggested, multiple times.

Glad you found the key…. Sorry you had to find it yourself.

Peter