I have a driver software I compiled for windows 7. I have used DigiCert Code signing certificate (CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1) to sign the installation package. With the previous version of this driver I used Verisign certificate (VeriSign Class 3 Code Signing 2010 CA).
The new DigiCert one is using the SHA256 signature algorithm and the VeriSign one had the SHA1 algorithm. When I installed the previous version of the driver (VeriSign signed), I never had a Windows security warning screen pop up asking "Would you like to install this device software". But with the new DigiCert one I have that warning popping up. I'm trying to avoid this warning as my software is usually installed in unattended environments. Things I have tried so far:
Updated my Windows 7 with the updates below to support SHA2 code signing
KB4474419 and KB4490628
Tried adding the certificate manually under Trusted Publishers list using certutil
I don't think cross signing by Microsoft is a solution because this is Windows 7, and I read in another forum that someone having the same problem tried cross signing and it didn't help.
Any help with this is highly appreciated.
I'm guessing you've been out of touch for a while.
Cross-signing is no longer possible. The whole framework has been shut down. All packages have to be signed BY MICROSOFT, either through WHQL or through "attestation signing" through the same portal where you submit for WHQL.
The trusted certificate thing should work, assuming you control these machines administratively. I know people here have reported success. It's not always obvious which store to use, but my guess is your success will come from there.
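The "which store" question above, and the certutil attempt in the original post, as an added example that is not part of the thread: from an elevated PowerShell prompt it reads the Authenticode signer off the signed catalog, shows whether it is sha256RSA or sha1RSA, exports the public certificate only, and puts it in the machine-wide Trusted Publishers store (not the current user's), then confirms it landed there. The file paths are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the target machine.
$catalog = 'C:\drv\mydriver.cat'   # placeholder: your signed .cat file
$cerOut  = 'C:\drv\publisher.cer'  # placeholder: where to write the signer cert

# Only trust a publisher whose signature actually validates on this box.
$sig = Get-AuthenticodeSignature -FilePath $catalog
if ($sig.Status -ne 'Valid') {
    throw "Signature on $catalog is $($sig.Status): $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate

# sha256RSA on the new DigiCert cert, sha1RSA on the old VeriSign one
"Signer : $($signer.Subject)"
"Issuer : $($signer.Issuer)"
"SigAlg : $($signer.SignatureAlgorithm.FriendlyName)"
"Thumb  : $($signer.Thumbprint)"

# Export the public certificate as DER; no private key is touched.
$der = $signer.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($cerOut, $der)

# certutil without -user targets the LocalMachine store, which is the one
# the device-software prompt consults; 'TrustedPublisher' is the store name.
certutil -addstore -f TrustedPublisher $cerOut
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Confirm by thumbprint that it is in the machine store, not CurrentUser.
$inStore = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
if (-not $inStore) { throw 'Publisher cert not found in LocalMachine\TrustedPublisher' }
"Trusted publisher installed: $($inStore.Thumbprint)"
```

If the thumbprint shows up only under Cert:\CurrentUser\TrustedPublisher, the earlier certutil run was done with -user or from a non-elevated prompt and will not suppress the prompt for an unattended (SYSTEM) install.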
Cross signing required a certificate from Microsoft that matched the certificate authority (CA) that issued your certificate. Windows 7 has been end of support for several years and cross certificates have not been issued for current CAs. I do not believe there is a way to properly sign a Windows 7 driver anymore.
Many years ago I did the trick of adding to Trusted Publishers for unattended installs but I believe that only worked to suppress the "nice" dialog which had the checkbox to "Always Trust".
You generally (these days) only sign using a test cert. Your EV cert is basically only used to authenticate you to the WHQL portal. You can only avoid the security popups by putting the test system into test signing mode.
Oh really? Only sign with a test cert? Even the driver that I will sign through WHQL and eventually distribute to customers?
WHQL process will strip my test cert? Or I have to make a nice test cert?
Right, I used the EV cert to sign that file from the portal to validate my EV cert private key. You're saying afterwards I don't need to use it anymore?
That's great because I can't use my EV cert in Visual Studio because I've got the private key on a FIPS YubiKey only and VS wants access to the privkey file. I could use signtool to sign the .cat manually though.
WHQL does not use your CAT file. It throws it away and builds a new one from scratch. You don't have to sign it.
WHQL does not care if your own binaries are signed. All it cares about is that the cabinet or zip file you upload is signed. If your SYS file is signed, it will add the Microsoft signature to the end, and there are reasons why you might want that.
Your EV cert is used to validate your access to the portal. It's not necessarily part of your driver package.