Driver sign for Server 2012

You must NOT sign the DRIVER before you get the MS signature.
MS signature has to be the first one for the driver to load on Srv12.

Regards, Dejan.

Can you please be a bit more clear?

You attestation sign it your driver package. And as Mr. @Dejan_Maksimovic said, don’t sign the driver binary image. Please… read the blog post that’s almost a year old that describes this.

Peter

Hi Peter, Dejan,

First step: “attestation sign” the cab file by upload to the dashboard.
Is there also a second step ?

Thank you,
Zvika

Well, no. The GOAL is attestation signing. The first step is to build a cabinet. You then sign the cabinet. You then upload it. The rest is up to Microsoft.

Did you not read the blog post to which I pointed you? I can tell you, from my perspective as somebody who tries to help folks on this forum all the time, the most frustrating things for me are when somebody either ignores what I post, does not specifically reply to what I post, doesn’t bother to follow my advice but doesn’t bother to tell me why, OR doesn’t do their homework (either before posting at all, or later not bothering to read what I point them to).

Peter

Hi Peter,

I did not ignore the post at all.

The reason I further asked is that I did not understand the phrase:
“The trick to making this work is that you must not sign the driver or CAT before submission. Yes, you will obviously have to sign the CAB file so your submission will be accepted”.
It seems this phrase contains opposite advices.

I apologize for hurting you.

Best regards,
Zvika

Hello,

I uploaded the cab file and got a zip file.
Then I tried to install the driver.

I got:
The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.

The driver should run under Server 2012(64)
So in the project settings:

Target OS Version: Windows 7
Target Platform: Desktop
Inf2Cat->Commandline: /os:“7_x64”

Thank you,
Zvika

Hello,

In the dashboard, I found the following label:

**Leave all checkboxes blank for Attestation Signing **

But if all unchecked, I got:
You must specify at least one operating system.

Thank you,
Zvika

“The trick to making this work is that you must not sign the driver or CAT before submission. Yes, you will obviously have to sign the CAB file so your submission will be accepted".

The sentences are clear. Note the difference between CAT versus CAB. Two different files, right?

Ask specific questions, provide clear background, get the most helpful answers. After all the time you’ve been here, you should know this by now.

I uploaded the cab file and got a zip file

Does this mean “I successfully attestation-signed my driver package?”

In the dashboard, I found the following label:

**Leave all checkboxes blank for Attestation Signing **

We routinely check every (applicable) check box that’s available when we do our Attestation Signing submissions. I don’t know if anything has changed recently…. I haven’t Attestation Signed anything for a few weeks.

What OS are you trying to install this on?

What’s it say in the install log?

Peter

Target OS Version: Windows 7
Target Platform: Desktop
Inf2Cat->Commandline: /os:"7_x64”

If I’m not mistaken, WS2012 corresponds to Windows 8 target version, which might explain the error message you’re receiving.

Dave

We routinely check every (applicable) check box that’s available when we do our Attestation Signing submissions.

Unless they’ve radically redesigned things in the face of the recent changes, attestation signing only has Windows 10 and it’s corresponding Servers. It doesn’t do anything earlier. Attestation won’t work for Windows 7 or 8, or Server 2012. That’s the key flaw in their plan.

Attestation won’t work for Windows 7 or 8, or Server 2012. That’s the key flaw in their plan.

Hmmmm… yes/no – To quote a famous blog post:

For Windows 7 SP1, with a driver package that is Attestation Signed for Win 10:

  • The package can be successfully installed on Windows 7 SP1, even with ONLY KB4474419 (the update for SHA-256 and to add the updated Root CAs).
    Non-PnP drivers (such a File System Minifilters) install without any pop-ups or warnings.

  • PnP drivers that are installed via an INF will install successfully. However, during the install process the user will be treated to a pop-up saying “This driver is not digitally signed!” — However, it let us click “Next” and then we got a scary red popup saying “Windows can’t verify the publisher of this driver software” — We selected “Install this driver software anyway” and the driver was successfully installed.

Hi Peter,

You are right. The sentences in the blog are clear.

I signed the cab file with EV certificate.
Then uploaded the signed cab file to the dashboard.
The OS is: Server 2012 (x64)
I checked all the items that contains …x64

Attached the install log.

Thank you,
Zvika

Server 2012 is Windows 8, right?

Never tested Win 8… but you know from reading the blog post that installing Attestation Signed PnP drivers on Win 8.1 doesn’t work, right?

So…. I’m not surprised. Are you surprised it doesn’t work?

Peter

Hi Peter,

To be honest, yes, I’m surprised, from Microsoft.
I think MS did a mistake by not allowing to sign drivers for Server 2012.

Thank you,
Zvika

This is why we were all so upset at Microsoft’s policy a year ago. But, sadly, not enough community members voiced their displeasure to Microsoft, and now we’re all stuck with a very bad policy. It’s no fun.

Peter

I think MS did a mistake by not allowing to sign drivers for Server 2012.

Oh, you can SIGN them, just not through attestation. You just have to go through WHQL.

The Microsoft-signed .CAT file returned from Attestation Signing is tagged only for whichever Windows 10 platform(s) were selected during Attestation Signing submission. This is why the .CAT you receive back causes a “not for this platform” rebuke from Windows 8.x platforms when trying to install exactly the driver package received back from Attestation Signing.

You can create your own .CAT file which describes the now-Microsoft-signed binary files, with this .CAT tagged for whichever Windows 8.x or even Windows 7.x platforms you want. But this alternate .CAT file will only ever be signed with your own certificate. The only way to get a Microsoft-signed .CAT for non-Windows 10 platforms is to make a full WHQL tested submission, instead of using Attestation Signing.

The message you’re citing in the Partner Portal regarding “Leave all checkboxes blank for Attestation Signing” is referring to the two “test signing”-related checkboxes that this message appears above. You do need to leave those blank / non-selected in order to perform Attestation Signing.

The actual Windows 10 platform support checkboxes are the ones where you must select at minimum the oldest platforms you require. Or as many people do, just select all the available Windows 10 platforms you support. This simply controls/changes which Windows 10 platforms will be tagged in the .CAT file that Microsoft creates and signs as part of Attestation Signing.

Hi All,

Today I tried to install a driver signed by Microsoft on Win7 (x64)
It works OK.

Thank you,
Zvika

Of course, otherwise driver packages for old devices would stop working. Many people advise to sign for the oldest system you need to support. The problem is the other way around. A package signed for Windows 10 (only) will not install on Windows 7 and 8 without trickery.