signing a driver for Windows 7 64-bits with SHA256 certificate

  • Question

  • Recently I've renewed my digital certificate to sign my device drivers through the Symantec web site.

    This new certificate is SHA256; before, it was SHA1.

    I succeeded in adding a digital signature to my WDF driver etep.sys with these commands in the Windows Free X64 Build Environment:

    build -cef -amd64
    copy /Y C:\WinDDK\7600.16385.1\redist\wdf\amd64\WdfCoInstaller01009.dll Install
    copy /Y objfre_win7_amd64\amd64\*.sys Install
    copy /Y objfre_win7_amd64\amd64\*.inf Install
    rem The file to sign is a positional argument; /t takes a timestamp-server URL (placeholder below), not a file name.
    signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2016.pfx /p 12345678 /n "etep" /t "http://<timestamp-server-URL>" "Install\WDFetep617.sys"
    del Install\*.cat
    Inf2Cat /driver:Install /os:7_X64
    rem Sign the catalog that Inf2Cat just produced (the original command passed the directory "Install\" instead).
    signtool sign /v /ac "Install\MSCV-VSClass3.cer" /f Install\CertificatETEP2016.pfx /p 12345678 /n "etep" /t "http://<timestamp-server-URL>" Install\*.cat
    copy /Y objfre_win7_amd64\amd64\WDFetep*.pdb Install

    But when I want to update my device driver on the target computer with 64-bit Windows 7 PRO, Windows doesn't recognize the code signature and refuses to install the new driver:
    Invalid signature !!!

    Do you have a solution? With the SHA1 certificate I didn't have any problem... And now I can't modify my driver any more!

    Delphine GARRO

    Monday, November 9, 2015 1:34 PM


All replies

  • Have you installed update 3033929?
    • Edited by Pavel A Monday, November 9, 2015 2:55 PM
    • Marked as answer by GARRO Delphine Tuesday, November 10, 2015 8:50 AM
    Monday, November 9, 2015 2:55 PM
  • Hello Pavel,

    I've installed the lastest Windows Updates and the driver succeeds in installing.
    You have found the right solution.

    Thank you !

    Delphine GARRO

    Tuesday, November 10, 2015 8:50 AM
  • You're welcome!    --pa
    Tuesday, November 10, 2015 9:21 AM
  • It looks like you accepted the "apply a fix/patch/update" answer. So perhaps my comment is moot. But applying a patch to Windows 7 is something you now have to rely on each of your customers doing.

    I wonder if signing your driver twice -- once with SHA1 (primary) and once with SHA2(56) (appended) signatures -- might work for OSes that don't support SHA2(56) AND for those that do (and/or require it). This would mean you weren't placing a requirement on each of your customers to administer their systems in a particular way, and/or you going through this same issue with each of them.

    Tuesday, November 10, 2015 5:08 PM
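The dual-signing approach suggested in the last reply, written out as an added example (not code from the thread): a SHA-1 primary signature for unpatched Windows 7, an appended SHA-256 signature for systems with SHA-2 support, a verification pass over both, and a check for KB3033929 on the target. It assumes signtool.exe from the Windows 8 or later SDK (the WDK 7600 signtool has no /fd or /as switches), the thread's Install layout, and placeholder timestamp URLs that must be replaced with your CA's services.

```powershell
# Added example, not from the thread. Dual-signs the .sys files and the Inf2Cat
# catalog: SHA-1 primary signature first, SHA-256 appended with /as, then verifies
# every signature on each file. Requires signtool from the Windows 8+ SDK.
param(
    [string]$InstallDir = "Install",                          # layout from the thread
    [string]$Pfx        = "Install\CertificatETEP2016.pfx",   # from the thread
    [string]$CrossCert  = "Install\MSCV-VSClass3.cer",        # cross-cert from the thread
    [string]$TsUrl      = "http://AUTHENTICODE-TIMESTAMP-URL-PLACEHOLDER",  # placeholder
    [string]$Rfc3161Url = "http://RFC3161-TIMESTAMP-URL-PLACEHOLDER"        # placeholder
)
$ErrorActionPreference = "Stop"
$pw = Read-Host "PFX password"   # keeps the password out of the script and the build log

function Invoke-SignTool([string[]]$ToolArgs) {
    & signtool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool $($ToolArgs[0]) failed: $($ToolArgs -join ' ')" }
}

# Order matters: the SHA-1 signature must be the primary one, because an
# unpatched Windows 7 only evaluates the first signature it understands.
foreach ($file in Get-ChildItem "$InstallDir\*" -Include *.sys, *.cat) {
    Invoke-SignTool -ToolArgs @("sign", "/v", "/ac", $CrossCert, "/f", $Pfx, "/p", $pw,
                                "/fd", "sha1", "/t", $TsUrl, $file.FullName)
    Invoke-SignTool -ToolArgs @("sign", "/v", "/ac", $CrossCert, "/f", $Pfx, "/p", $pw,
                                "/fd", "sha256", "/tr", $Rfc3161Url, "/td", "sha256",
                                "/as", $file.FullName)
    # /all walks every signature on the file; without it only the primary one is
    # reported, so a package that lost its SHA-256 signature would still look fine.
    Invoke-SignTool -ToolArgs @("verify", "/v", "/all", "/pa", $file.FullName)
}

# Run on the Windows 7 target before shipping a SHA-256-only package: without
# KB3033929 (SHA-2 code-signing support) that signature cannot be validated.
function Test-Sha2CodeSigningSupport {
    $v = [Environment]::OSVersion.Version
    if ($v.Major -gt 6 -or ($v.Major -eq 6 -and $v.Minor -ge 2)) { return $true }  # Windows 8+
    return [bool](Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue)
}
```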