
Signing Changes for drivers targeting Windows 7/Server 2008 R2 and lower

As of July 25th, for drivers that target Windows 7/Server 2008 R2 or lower, Microsoft dual signs the binaries with both SHA-1 and SHA-2 so that the same driver loads on the lower as well as the higher versions of the OS.

When Microsoft applies the SHA-1 signature, any existing signatures on the binary are stripped out, because we do not append a SHA-1 signature to existing signatures. This is a Microsoft restriction intended to keep the certificate chain simple and secure. As a result of this dual signing process, you will find that your organization's signatures have been stripped out of drivers that target Windows 7/Server 2008 R2 or lower. This change also means we no longer require that down-level OS binaries you sign contain only SHA-1 signatures before we can process them.

You can append your signatures to the driver after it has been signed by Microsoft (for example, using signtool sign /as), so that both your signatures and Microsoft's signatures are present on the final signed driver. Make sure you append rather than re-sign: signing without /as replaces the existing signatures, including Microsoft's.

Please note that this behavior applies only to drivers that target Windows 7/Server 2008 R2 and below. If your driver targets only Windows 8 and above, Microsoft signs the driver with SHA-2 only, and that process does not strip out existing signatures.
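The following PowerShell script is an added example, not code from the original post or from Microsoft. It shows the append step described above: after Dev Center returns the dual-signed binary, it records which signatures are present, appends your own signature with signtool sign /as, and then re-checks the file to confirm that Microsoft's SHA-1 and SHA-2 signatures survived and yours was added. The driver path, the certificate thumbprint and the timestamp server are placeholders; it assumes signtool.exe from the Windows SDK is on PATH and that your signing certificate is installed in a certificate store. The regular expressions used to read signtool's verbose output are an assumption about its format and may need adjusting for your SDK version.

```powershell
# Added example (not from the original post): append your signature to a driver that
# Dev Center has already dual-signed, then verify that every signature is still there.
# Placeholders below (path, thumbprint, timestamp server) are assumptions, not real values.
param(
    [string]$Driver       = 'C:\release\mydriver.sys',                  # placeholder path
    [string]$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567', # placeholder thumbprint
    [string]$TimestampUrl = 'http://timestamp.digicert.com'             # any RFC 3161 TSA you trust
)

function Get-SignatureReport {
    param([string]$Path)
    # 'signtool verify /all' walks the primary signature and every nested (appended) one;
    # '/v' prints details per signature, including the file hash algorithm used.
    # '/pa' applies the default Authenticode policy instead of the kernel-mode driver
    # policy, so the report also works on a build machine without the WHQL root trust.
    $out = & signtool.exe verify /all /v /pa $Path | Out-String
    $exit = $LASTEXITCODE

    # Assumption about signtool's verbose output format: one "Signature Index:" line per
    # signature, a "Hash of file (sha1):" or "Hash of file (sha256):" line per signature,
    # and "Issued to:" lines for the certificates in each chain. Adjust if yours differs.
    [pscustomobject]@{
        Path       = $Path
        Signatures = ([regex]::Matches($out, 'Signature Index:\s*\d+')).Count
        HasSha1    = [bool]($out -match 'Hash of file \(sha1\):')
        HasSha256  = [bool]($out -match 'Hash of file \(sha256\):')
        Subjects   = @([regex]::Matches($out, 'Issued to:\s*(.+)') |
                         ForEach-Object { $_.Groups[1].Value.Trim() } | Select-Object -Unique)
        Verified   = ($exit -eq 0)
    }
}

# Step 0: inspect what Dev Center returned. For a Windows 7/Server 2008 R2 target you
# should see Microsoft's SHA-1 and SHA-2 signatures and none of your own, because the
# dual-signing step strips pre-existing signatures.
$before = Get-SignatureReport -Path $Driver
Write-Host ("Before append: {0} signature(s), sha1={1}, sha256={2}" -f `
    $before.Signatures, $before.HasSha1, $before.HasSha256)

# Step 1: append, never replace. '/as' adds a nested signature and keeps the existing ones;
# 'signtool sign' without '/as' would overwrite Microsoft's signatures. '/fd sha256' hashes
# the file with SHA-2 for your signature; '/tr' plus '/td sha256' request an RFC 3161
# timestamp so the signature stays valid after the certificate expires.
& signtool.exe sign /as /fd sha256 /sha1 $Thumbprint /tr $TimestampUrl /td sha256 $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign /as failed (exit code $LASTEXITCODE)" }

# Step 2: confirm nothing was lost and something was gained.
$after = Get-SignatureReport -Path $Driver
if ($after.Signatures -le $before.Signatures) {
    throw 'Append did not add a signature; check that /as was used and the certificate is valid.'
}
if ($before.HasSha1 -and -not $after.HasSha1) {
    throw "Microsoft's SHA-1 signature is gone; the file was re-signed instead of appended."
}
$after | Select-Object Path, Signatures, HasSha1, HasSha256, Subjects, Verified | Format-List

# Caveat: Get-AuthenticodeSignature reports only the primary signature, so it will not
# show the signature you just appended. Use the signtool report above to see them all.
(Get-AuthenticodeSignature -FilePath $Driver).SignerCertificate.Subject
```

Run the script on the binary exactly as Dev Center returned it. Do not run it on the catalog: the .CAT file is signed separately by Microsoft and appending to the binary does not change it.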

The following table outlines how your signed binaries and catalog file will be returned by Dev Center:

                      Windows 7/Server 2008 R2 and lower          Windows 8/8.1   Windows 10
  Catalog (.CAT) file  SHA-1 only                                  SHA-2 only      SHA-2 only
  Binaries             *NEW* Dual signed SHA-1/SHA-2               SHA-2 only      SHA-2 only
                       *NEW* Existing certificates are stripped

Under what circumstances will my existing certificate be stripped?

It's important to understand what we mean by "targeting Windows 7/Server 2008 R2 and below". A submission can target these versions either through an option you select or through the contents of the HLK/HCK/WLK package itself. For instance:

  • If your HLKx package contains test results for Windows 7/Server 2008 R2 or lower, we will strip your signatures so we can add our SHA-1 signature.
  • If you check any of the "Request additional certificates" boxes for XP, Vista, and so on, we will strip your signatures so we can add our SHA-1 signature. This is done regardless of the HLKx results.
  • All WLK submissions will have their binary signatures stripped so we can sign with SHA-1.

When will they not be stripped?

  • If the HLKx package contains only Windows 8 and above results and you do not request any additional signatures for down-level versions.
  • All Attestation Submissions are for Windows 10 and above, and their signatures will not be stripped.

What else changed as part of this process?

Since we now strip your existing signatures for down-level requests, we removed the following SHA-1 requirement and the error message that went with it:

"We found that your submission contained binaries embedded with a SHA-256 signature. However, you requested that your submission be signed such that it is compatible with Operating Systems which require a SHA-1 catalog. Please remove the SHA-2 signatures from your binaries, or remove the SHA-1 target operating systems (Windows 7 and below) and resubmit."
