Driver signing for versions older than Windows 10

Category: windows hardware wdk and driver development

Question

AstI205 on Tue, 27 Mar 2018 07:14:32


Hello everybody,

Since Win10 requires every x64 driver to be signed by Microsoft since Update 1709, I want to sign my drivers for all Windows versions from Win7 to Win10.

It works all fine for Win10, but when I want to install the drivers on a PC with an older OS (like Win7), I get a warning that the driver publisher is not trusted and I feel kind of insulted by this ^^

I am able to install the drivers anyway, but the problem is that Win7 (and probs Win8) doesn't recognize the driver signature. Also when I show the properties of the driver file itself in Win7 I can see no signature. When I show driver properties in Win10, I can see our own signature and the Microsoft signature, but just in Win10.

Apparently the option "expanding operating systems for driver distribution" is applicable only if you want to share the driver or if you want to publish it via Win Update, that's why I tried this.

I cross-signed the driver files using a GlobalSign EV certificate (so I did not run HLK/HCK tests) and created a *.cab-file which I uploaded on the Hardware Dev Dashboard.

Within the submission process for a new driver, I can only choose from a variety of requested signatures for Windows 10, but I cannot choose Win7 or Win8, which is a problem.

I assume it is necessary to publish the drivers via the Dashboard to also sign them for older Win versions (as you can choose older versions as an option during the publishing process). Is this true? Or can I also request signatures for Win7 or Win8 during the signing process itself?

It would be really nice to hear from you!

Cheers,

AstI205

Replies

USS-Voyager on Wed, 04 Apr 2018 03:24:28


You don't need to sign through the dev center if it is not for server products.
Driver signing enforcement started with Windows 10 version 1607. (RS1/build 14393)
You can sign by yourself with your EV cert and you don't need to submit it to the dev center.
(An MS signature is not required for it to work before 1607.)

When you submit with a .CAB, it is called an attestation driver, and it will work on Windows 10 only.

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

Excerpt from above page: "An attestation signed driver will only work for Windows 10 Desktop"

If you want a working MS signature on older OSes like 7/8.1, you need to use the HCK. (Hardware Certification Kit)
It is a complicated and time-consuming process. (You need to build a testing environment with Windows Server and you need to clear the tests.)
If you want the MS signature, that process is needed, but if you don't care about the MS signature and your purpose is just getting a working driver, signing with EV is sufficient.
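
A read-only check to run on each target OS (Win7, Win8.1, Win10) to compare how each one sees the same driver package; this is an added example, not code from either poster. It assumes signtool.exe from the Windows SDK/WDK is on PATH, and the package path is a placeholder.

```powershell
# Added example: report how the local OS evaluates the signatures in a driver package.
# Written for PowerShell 2.0 so it also runs on a stock Windows 7 machine.
param(
    [string]$PackageDir = 'C:\drivers\mydriver'   # hypothetical path, replace with your package
)

$report = @()
foreach ($file in Get-ChildItem -Path $PackageDir -Recurse -Include *.sys, *.cat) {
    # Primary Authenticode signature as validated by this OS's crypto stack
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    $signer = $null
    $issuer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $issuer = $sig.SignerCertificate.Issuer
    }

    # /kp applies the x64 kernel-mode driver signing policy; /q keeps output minimal.
    & signtool.exe verify /kp /q $file.FullName 2>&1 | Out-Null
    $kernelPolicyOk = ($LASTEXITCODE -eq 0)

    $report += New-Object PSObject -Property @{
        File           = $file.Name
        Status         = $sig.Status          # e.g. Valid, NotSigned, UnknownError
        Signer         = $signer
        Issuer         = $issuer
        Timestamped    = [bool]$sig.TimeStamperCertificate
        KernelPolicyOk = $kernelPolicyOk
    }
}

# Fixed column order (hashtable order is not preserved in PowerShell 2.0)
$report |
    Select-Object File, Status, KernelPolicyOk, Timestamped, Signer, Issuer |
    Format-Table -AutoSize
```

Get-AuthenticodeSignature reports only the primary signature, so a file carrying both a publisher signature and a Microsoft signature shows one signer here; `signtool verify /all /v` lists every signature on the file.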