@“Peter_Viscarola_(OSR)” said:
- One solution that we know works on Windows 7: Attestation Sign your driver package and binary for Windows 10. The resulting driver package will install on Windows 7 (with KB4474419, which enabled SHA-256 signing, installed). Note that this works as long as you DO NOT sign the driver binary with your own signature before you submit it to MSFT for Attestation Signing.
Well now, there’s something I’ll want to go test. What I recall is that the attestation signing process generated a .CAT containing only the platform IDs selected during submission, which are all Windows 10 variants. And that attested installation set was rejected as a signed driver during installation on the Windows 7 platform or any other platforms, because there was effectively “no .CAT file” (valid for those platforms).
But indeed we are signing the binaries prior to attested submission, specifically because our intention is to run on both Windows 10 and pre-Windows 10. Once the dual-signed binaries are received back from Microsoft, we are able to generate a second .INF and .CAT, and sign that .CAT ourselves, in order to have a working “pre-Windows 10” .INF to install with on such platforms, while using the Microsoft-generated .CAT for installing on Windows 10 platforms. I.e., same binaries, two different .INFs and .CATs.
If Microsoft is now including a Windows 7-compatible platform ID in the .CAT created for attested signing – if you didn’t sign the driver binaries ahead of time – indeed that opens up an additional useful option. An option that Microsoft could withdraw at any moment, of course, but how many aspects of this aren’t exactly like that anyway?