
I recently took on a task to update our filter driver from building with Visual Studio 2015 -> 2019. I also moved to the latest SDK + WDK 22000 (which is the new Windows 11 one).

Everything seemed to work except that on Win 7 x64 (with secure boot) boxes the driver no longer loads. It gets:

Load failed with error: 0x80070241
Windows cannot verify the digital signature for this file. A recent hardware or
software change might have installed a file that is signed incorrectly or damaged,
or that might be malicious software from an unknown source.

Our driver was/is attestation signed by Microsoft via the MS Hardware portal and so it's jointly signed by both our company and Microsoft with a SHA-2 signature each. Windows 7 doesn't support SHA-2 certs out of the box; however, it was previously working provided:

Windows6.1-KB3033929-x64

was installed. Something seems to have changed though and Windows 7 x64 boxes can't load the new driver even with the latest updates. They load the 2015-built driver just fine even though the certificates on both look identical. The new driver loads just fine on Windows 10 machines.

Is anyone aware of any other changes which might make this combination fail to load?

Benj


I had a similar issue a few months ago, when we decided to switch our certificate provider. I'll share my knowledge with you; hopefully it will help.

A while ago, Microsoft used cross-certificates to validate trusted certificate authorities (CA), so the only thing you needed to sign a driver was a proper certificate bought from a trusted CA. But recently the validation process changed, and starting from Windows 10 20H2 you are forced to sign your driver through Microsoft Partner Center; all the cross-certificates were deprecated. However, you still need to use the cross-signing process for all your drivers prior to Windows 10; to be precise, a cross-signed driver will actually work up to Windows 10 20H1.

Now back to Visual Studio. To properly sign a driver, you had to set a production certificate in the field Properties -> Driver Signing -> General -> Production Certificate, which causes Visual Studio to use the signtool utility to sign the driver after the build is done. As I presume, the Visual Studio 2019 process does not use a cross-certificate and looks something like:

signtool sign /v <trusted_certificate> /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a <sys_driver_filepath>

But Visual Studio 2013 actually must use a cross-certificate, and the command it uses is:

signtool sign /v /ac <microsoft_cross_certificate> /tr http://timestamp.digicert.com /a <sys_driver_filepath>

So what is a cross-certificate? It's a special trusted Microsoft certificate that is tied to a certified CA. A list of all the cross-certificates available can be found here: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing#cross-certificate-list. To pick the correct one you need to check your company certificate first. Take a look at the root of the certification path of your cert, open View Properties -> Details and find Issuer; that's your CA. Now you need to find the exact match on the cross-certificate list and download it. Note the thumbprint doesn't need to match (revealed in a related issue). After all that, use the proper signtool command to sign your file.

P.S. If your certificate issuer is not present on the list, that means your CA is not appropriate and you need to get/buy another certificate.

Liastre
  • Thanks for this. It's very helpful. May I ask, when was the last time you actually bought a new certificate? Because DigiCert are telling us that because Microsoft have deprecated cross-signing, they'll no longer sell us a certificate which supports it, and neither will anyone else. I'm wondering how on earth we now support Windows 7... – Benj Sep 09 '21 at 15:34
  • See this page: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates . This page seems to suggest that a cross-signed driver should no longer be required; however, as far as I can see it is. My driver will not load on Win 7 unless I cross sign it, even if it has also been signed via the MS signing portal. – Benj Sep 09 '21 at 15:41
  • @Benj You misread what they say. Cross-signing is not "no longer required", it's deprecated as a procedure. As in, people are not allowed to sign drivers by themselves anymore. But for the driver to be loaded, its signature's certificate chain must still end up in a Microsoft trusted root. Now the only way to do that is to send the drivers to Microsoft (Attestation or HLK signing). Even more, even if you still have a valid cross-certificate, they forbid you to use it. – Konstantin Vlasov Sep 10 '21 at 14:18
  • @KonstantinVlasov - Yes, I got that. The issue is that attestation signing is no longer supported for Windows 7 either. Strictly, it's Windows 10 only. In the end I found the solution with the help of the OSR guys. My minifilter had to be Windows 10 attestation signed with no signature at all added prior, and that actually works on Windows 7. The same is not true of PnP drivers though. See here: https://www.osr.com/blog/2021/04/08/lost-cause-no-driver-updates-allowed-except-for-win-10/ – Benj Sep 21 '21 at 12:18
  • @Benj Yes, I've been following the discussions on OSR for a while myself, and tried some of those workarounds. Although they don't cover all the use cases, and can hardly be recommended for production use, it's at least something suitable for personal use, when WHQL is not an option (for whatever reason). – Konstantin Vlasov Sep 21 '21 at 17:24
  • @Benj Back to your question: we ordered an MS certificate on 26 Jan 2021 and it states valid from 02 Feb 2021 to 02 Feb 2022. Unfortunately, I'm not the one who purchased it, but I'm sure it was not requested as "supporting cross-signing", just an EV Code Signing cert. Besides, I see the ability to renew it, so I doubt we are going to have problems with it, at least until cross-signing stops working. – Liastre Sep 21 '21 at 19:56
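The answer above tells you to read the root issuer of your signing certificate and match it against Microsoft's cross-certificate list, and the question hinges on which hash algorithms the signatures use (Windows 7 needs KB3033929 for SHA-2). As an added example, not code from the question or the answer, this PowerShell snippet pulls both facts out of a driver file; the path in $DriverPath is a placeholder you replace with your own .sys.

```powershell
# Added example: inspect a driver's primary Authenticode signature and walk its
# certificate chain, so you can read the root issuer (to match on the
# cross-certificate list) and the signature algorithms (SHA-1 vs SHA-2).
# $DriverPath is an assumed placeholder; point it at the .sys you want to check.
$DriverPath = 'C:\path\to\your\driver.sys'

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Status         : $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) {
    Write-Warning "No Authenticode signature found on $DriverPath"
    return
}

$signer = $sig.SignerCertificate
"Signer subject : $($signer.Subject)"
"Signer sig alg : $($signer.SignatureAlgorithm.FriendlyName)"   # e.g. sha256RSA
if ($sig.TimeStamperCertificate) {
    "Timestamper    : $($sig.TimeStamperCertificate.Subject)"
}

# Build the chain from the signing certificate as the local machine sees it.
# Revocation checking is skipped so the script also works on an offline box.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($signer)

# Print every link; the last element is the root, and its Issuer is what the
# answer says to look up on the cross-certificate list.
$i = 0
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    "  [$i] Subject : $($c.Subject)"
    "      Issuer  : $($c.Issuer)"
    "      Thumb   : $($c.Thumbprint)"
    "      SigAlg  : $($c.SignatureAlgorithm.FriendlyName)"
    $i++
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root issuer to match on the cross-certificate list: $($root.Issuer)"

# Get-AuthenticodeSignature only reports the primary signature. A dual-signed
# file (your company + Microsoft attestation) carries a nested signature;
# list all of them, with their hash algorithms, using the kernel-mode policy:
#   signtool verify /v /all /kp $DriverPath
```

Comparing the output for the 2015-built and 2019-built drivers side by side is the quickest way to confirm whether the chain or the digest algorithm actually differs between the two.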