Driver signing on Windows 7 and 10

Sander wrote:

I was under the impression Microsoft was already adding warnings when something with SHA-1 is being used (also on Windows 7); the phase 3 mentioned in this article (although it seems more aimed at browsers):

Right, for browsers and applications, not for KMCS.

But you do need the Windows 7 update to make SHA-256 work, right?

Right.  Win 7 SP 2 includes it, so any up-to-date system would be OK.

But for all Windows 7 versions (thus also the ones patched with the SHA-256 update) SHA-1 will still work?

Yes.

To rephrase: in principle, both a non-PnP software-only driver and a PnP package (with a signed CAT) will work on all Windows 7 versions with just SHA-1 signing?

Right.

So is it correct to say that a driver that is installed using an INF file returned from attestation signing will no longer install in any version of Windows 7, 8, or 8.1? The solutions are:

(1) make an additional CAT file with one’s code signing certificate for use with pre-Windows 10
(2) discontinue use of INF files and install programmatically (non-PnP type devices only)
(3) spend weeks trying to get a bunch of old, unsupported HCK and WLK monstrosities to work.

Another question: after attestation signing what Windows Server versions (if any) will the driver be able to load on? And does the existence of an INF file matter in this?

Rourke wrote:

So is it correct to say that a driver that is installed using an INF file returned from attestation signing will no longer install in any version of Windows 7, 8, or 8.1?

The INF is not the key.  A driver package with a CAT file returned from
attestation will no longer install prior to Windows 10.  The user will
get a “not designed for this version of Windows” error.  Remember, that
message is triggered by the CAT file.  If you have a [DefaultInstall]
type of INF, that’s really just a special kind of batch file.  It
shouldn’t need a CAT.

The solutions are:

(1) make an additional CAT file with one’s code signing certificate for use with pre-Windows 10
(2) discontinue use of INF files and install programmatically (non-PnP type devices only)
(3) spend weeks trying to get a bunch of old, unsupported HCK and WLK monstrosities to work.

Unless I’ve missed a meeting somewhere, all you need is one HCK and one
HLK.  Run the 8.1 tests, and you should be able to request the older
signatures.

Another question: after attestation signing what Windows Server versions (if any) will the driver be able to load on? And does the existence of an INF file matter in this?

Windows Server 2016 == Windows 10.  Same kernel, same policies. Server
2019 is also Windows 10.