What changed in the driver signature requirements for Windows 8?

15
votes

I've got a passthrough NDIS intermediate driver, consisting of two .inf files (one standard and one miniport) and a .sys file. Because of the Windows 7 driver signing requirements, I had to get a code-signing certificate and sign the .sys file in order for the driver to install on a 64-bit system. This works fine, and I have many successful Windows 7 installs.

However, the same installer fails on the Windows 8 Consumer Preview (64-bit). If I boot with Windows Signature Enforcement turned off, it installs correctly, so it's definitely a signature issue. What new requirements were added between Windows 7 & Windows 8 that I need to follow in order to get my driver to install?

2
c++installationdriverdigital-signaturewindows-8
FWIW: I used to modify my graphics driver's .inf files to make them work with my system. (The versions that work out of the box are from the OEM, and hence older.) It worked fine on Windows XP and Windows 7, both 32-bit and 64-bit, but Windows 8 64-bit tells me that I can't install it due to tampering, even though I've turned off signature enforcement. :( I have no idea what they did, but it's pretty darn annoying...user541686
FWIW: I had to create a .cat file for my .inf and then test sign the .cat file to get it to install on Windows 8 Customer Preview X64. That leads me to believe that the only way to deploy it for release would require a code signing cert from a Certificate Authority. This .inf is used to install a USB CDC device that uses Microsoft's usbser.sys driver.Louis Davis
If there any official word from Microsoft on whether all INF files need to be signed in the final release of Windows 8? Before I go through the trouble of signing all our drivers I would like to know.David Grayson

2 Answers

5
votes

Regenerate your cat file(s) so that they comply with the signing requirements for the new Window OS.

For example, in my build script I had to add 8_X86,8_X64 to my inf2cat command:

inf2cat /driver:"%CD%" /os:XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64

For Windows 8.1, you will need the inf2cat included in Windows Driver Kit (WDK) 8.1 and depending on your target(s) add 6_3_X64, 6_3_X86, or 6_3_ARM to the /os:WindowsVersionList.

Reference, Inf2Cat

4
votes

I had the same problem. I use makecat to generate the .cat file and I never included the "<HASH>" at the beginning of the .cdf file lines that list the filenames. That worked with Windows 7, but no longer with Windows 8.

See the makecat website here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa386967%28v=vs.85%29.aspx?ppud=4

I had a .cdf file like this:

[CatalogHeader]
Name=xxx.cat
[CatalogFiles]
xxx.sys=xxx.sys

This worked with Windows 7, but not with Windows 8.

The following works with Windows 8 as well, plus it gives a nicer dialog when installing, even under Windows 7:

[CatalogHeader]
Name=xxx.cat
[CatalogFiles]
<hash>xxx.sys=xxx.sys

To make it clear, you have to add the text "<hash>" (sans quotes). That is not a placeholder for anything, but really the literal text. makecat will later replace it with the hash of the file in the .cat file.

To make it even clearer, "xxx" has to be be replaced with the proper names of your .cat file and driver, of course. :)