Question for Attestation Signing

Hello,

This year we are running into an issue in driver attestation signing. I am creating binaries targeting Windows 10 Desktop, and not Universal. As I usually do, I create a CAB archive using CABARC.

I am wondering this is still supported, as there are a lot of errors in the log listed because the INF is not Universal, there are some invalid APIs, etc.

I do not sign the drivers myself, though I do have access to the error log. And consulting past successful logs vs erroneous ones, I see that the same Universal errors are present, but there is a new addition at the end of the file:

Scanning Notes
{"code":"NeoSigningServiceFailedError","details":{"error":"An exception occurred in the NEO Static Signer service 1623.","exception":"Sign operation failed for: "d:\Temp" "c:\esrpcrypt\bin\Signtool\SignTool\signtool.exe" "sign /NPH /fd SHA256 /AS /f \"C:\Signing\P7B\232147_503216_AOC_20241008.p7b\" /kc \"232147_503216_AOC_20241008\" /sha1 \"A5D13378E659DDC05C03EE71B432DD667A302999\" /csp \"nCipher Security World Key Storage Provider\" /du \"Experience the Power of AI with Windows 11 OS, Computers, & Apps | Microsoft Windows" /d \"X Corporation\" /tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\\\" /td sha256 \"[IndividualFilePlaceHolder]\"" "D:\Sign\92109da7-6c7a-4fa5-b858-b8a6b3002575\1b05cdfc-c5bd-42fa-ad99-c13c48fe9a8b\8bc374d4-108a-4e01-a77a-aebb417ccd8b" For RequestId: 92109da7-6c7a-4fa5-b858-b8a6b3002575. Command execution result from the tool: ContainerSigntool Execution Failed: Invalid container file type. Only zip files are supported.\r\n\r\n."},"innerError":null}

Could anyone shed any light on this?

Thank you,
Philip Lukidis

It's not clear what step you're getting an error from: signing the CAB with your own EV certificate, or it's the MS Attestation signing that returns it.

In any case I would suggest trying makecab.exe instead. I'm not sure whether cabarc is fully compatible, and I don't know the CAB format internals, so it's possible that cabarc does something a bit different, and the signing tools treat the resulting archive as invalid. I've been using makecab for many years, and never had any problem with it, with either our certificate's signing, or MS's.

Hello,

Thank you for the reply. I should have followed up on my question, as the very next day, attestation signing started to work just fine, with no changes required. Perhaps there was a momentary outage.

I've been using cabarc for years, but will certainly look into makecab.

Again, thanks for the reply.

Philip Lukidis