Using SHA-256 certificate to sign driver on Windows 2008 R2

  Question

    Hi,

    Our certificate expired, so we got a new certificate from Symantec.

    The new certificate is a SHA-2 certificate and the old one was SHA-1.

    We are using the certificate to sign our driver with cross-signing.

    On Windows 2012 and above we do not see any issue with the new certificate.

    On Windows 2008 R2 and Windows 7, every time the user installs our driver they see the window that shows the signer details.

    Even if the user selects to always trust this software, he will see the message on the next installation.

    I tried to sign the driver with the SHA-1 switch and the SHA-2 switch (/fd sha1 or /fd sha256); in both cases the behavior is the same.

    I've verified that all the updates are installed:

    https://technet.microsoft.com/en-us/library/security/2949927.aspx?f=255&MSPPError=-2147217396

    https://support.microsoft.com/en-us/kb/3123479

    I ran the verify command on the driver and it verified that the drivers are signed.

    If I choose to install the driver it works without any problem, but this problem does not allow unattended installation of the driver.

    The command I'm using to sign our drivers is:

    "c:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe"  sign /v /ac c:\\BuildWinVPI\\MSCV-VSClass3.cer /s my /n "Mellanox Technologies" /t http://timestamp.verisign.com/scripts/timstamp.dll

    We usually get the Logo certification from Microsoft. I've checked their signature and I saw that the latest driver for Windows 7 they certified for us a few months ago was signed with the SHA-1 algorithm, but the same driver for Windows 8 was signed with SHA-256.

    Does Windows 7/2008 R2 not fully support the SHA-256 algorithm?

    Should we get a SHA-1 certificate from Symantec to be used for the Windows 7 drivers?

    Thank you in advance

    Lior

    Friday, March 11, 2016 8:33 AM
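An added example, not the poster's build script and not an answer from the thread: a PowerShell script that signs the driver twice with the SHA-2 certificate (a SHA-1 file digest as the primary signature, plus an appended SHA-256 signature via signtool /as), verifies all signatures against the kernel-mode policy with /kp, and then checks the three things that decide whether the Windows 7 / 2008 R2 signer prompt comes back: which signature Get-AuthenticodeSignature reports as primary, whether that signer certificate is actually in the machine's TrustedPublisher store (that is where "always trust" puts it), and whether KB3033929, the SHA-2 code-signing support update for Windows 7 and Server 2008 R2, is installed. The cross-certificate path, publisher name and SHA-1 timestamp URL are taken from the post; the driver path, the RFC 3161 timestamp URL and the SDK path are assumptions, and the script assumes a Windows 8.1 SDK signtool, which is the version that understands /as, /td and verify /all.

```powershell
# Added example: dual-sign a driver and check why Windows 7 / 2008 R2 might still prompt.
# NOT the poster's build script. Values marked "assumption" are not from the post.
param(
    # assumption: Windows 8.1 SDK signtool (needed for /as, /td and verify /all)
    [string]$SignTool   = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe',
    [string]$CrossCert  = 'C:\BuildWinVPI\MSCV-VSClass3.cer',                 # from the post (/ac)
    [string]$Publisher  = 'Mellanox Technologies',                            # from the post (/n)
    [string]$Driver     = 'C:\BuildWinVPI\example_driver.sys',                # assumption
    [string]$Sha1TsUrl  = 'http://timestamp.verisign.com/scripts/timstamp.dll', # from the post (/t)
    # assumption: substitute your CA's current RFC 3161 timestamp URL
    [string]$Rfc3161Url = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp'
)

$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed (exit code $LASTEXITCODE)"
    }
}

# 1. Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp.
#    This is the signature an unpatched Windows 7 / 2008 R2 can validate.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/s', 'my', '/n', $Publisher,
                  '/fd', 'sha1', '/t', $Sha1TsUrl, $Driver)

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 timestamp
#    (/tr plus /td sha256). Windows 8+ and Windows 7 with KB3033929 use this one.
Invoke-SignTool @('sign', '/v', '/as', '/ac', $CrossCert, '/s', 'my', '/n', $Publisher,
                  '/fd', 'sha256', '/tr', $Rfc3161Url, '/td', 'sha256', $Driver)

# 3. Verify every signature in the file against the kernel-mode driver policy.
Invoke-SignTool @('verify', '/v', '/kp', '/all', $Driver)

# 4. Get-AuthenticodeSignature reports only the primary signature; that is also the
#    certificate the "Would you like to install this device software?" prompt offers
#    to trust.
$sig    = Get-AuthenticodeSignature -FilePath $Driver
$signer = $sig.SignerCertificate
Write-Host ("Status      : {0} ({1})" -f $sig.Status, $sig.StatusMessage)
Write-Host ("Signer      : {0}" -f $signer.Subject)
Write-Host ("Thumbprint  : {0}" -f $signer.Thumbprint)
Write-Host ("Cert sig alg: {0}" -f $signer.SignatureAlgorithm.FriendlyName)   # e.g. sha256RSA
Write-Host ("Timestamper : {0}" -f $sig.TimeStamperCertificate.Subject)

# 5. "Always trust software from <publisher>" stores the signer certificate in
#    LocalMachine\TrustedPublisher. If the thumbprint above is not there, the
#    prompt will reappear on the next install.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
           Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
if ($trusted) {
    Write-Host 'Signer certificate is in LocalMachine\TrustedPublisher'
} else {
    Write-Warning 'Signer certificate is NOT in LocalMachine\TrustedPublisher; expect the prompt'
}

# 6. Windows 7 / Server 2008 R2 are NT 6.1 and need KB3033929 to validate
#    SHA-256 code signatures; without it only the SHA-1 signature counts.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 6 -and $os.Minor -eq 1) {
    if (Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue) {
        Write-Host 'KB3033929 present: SHA-256 signatures are supported on this host'
    } else {
        Write-Warning 'KB3033929 missing: only the SHA-1 signature will be honoured here'
    }
}
```

Run the same two sign steps on the catalog (.cat) file the INF references as well: the installation-time publisher prompt is driven by the package signature in the catalog, while the embedded signature on the .sys is what the kernel-mode load policy checks. Step 5 is the check that matters for the "always trust" symptom in the post: if a different thumbprint ends up in TrustedPublisher than the one the prompt is evaluating (for example because the .cat and .sys were signed with different certificates), the dialog returns no matter how many times the user accepts it.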