Background information on code signing
Coding signing proves the software came from a particular developer and protects against corruption and manipulation of the driver code. So it helps prevent malware and viruses.
Over the years Microsoft has changed the signing requirements for loading kernel mode device drivers.
- In Windows XP there was no special requirements.
- In Windows Vista 32bit only boot start drivers needed to be code signed
- In Windows Vista 64bit all drivers needed to be code signed
- In Windows 7 64bit SP0 all drivers needed to be signed using the SHA1 hash. SHA256 hashes will not work.
- In Windows 7 SP1 64bit, fully patched, all drivers needed to be signed using either the SHA1 hash or the SHA256 hash
- In Windows 8 all drivers needed to be signed using either the SHA1 hash or the SHA256 hash
- In Windows 10 initial release all drivers needed to be signed using either the SHA1 hash or the SHA256 hash
- In Windows 10 build 1607 all drivers needed to be EV signed (extended validation) using either the SHA1 hash or the SHA256 hash. Further new Win10 installs will not load new drivers unless that have been submitted and passes Microsoft Hardware Dev Center requirements and be signed a 2nd time. If you did an upgrade from Win7 to Win10, then (bizarrely) the rules are different. If you aren't using secure boot, then the rules are different. If you are using a driver from before 29th July 2015, then the rules are different.
- In future windows releases Micorosft, 2020 onwards, will be starting to remove support for SHA1. So only SHA256 will work at some future point.
- As a software developer there are two methods of getting a driver signed with Microsoft’s certificate. Attestation signing & HLK Test and submission. Both are expensive, stupidly complex and time consuming. Attestation signing is the easier of the two, but the result is that you only get a device driver that will work with Win10. The driver that previously worked in Win7 breaks after being signed by Microsoft! No verions of Windows Server are supported either! If you want 64bit and 32bit then multiple submissions are required. Getting the mandatory .INF correct is also a major problem as the error reporting and technical support from Microsoft is non existant. The 2nd HLK method is insanely time consuming and typically invovles setting up around a ten different test machines per driver release if broad compatibility is required.
A more complete description of the
Win10 1607 signing changes can be found here
From OSFMount V2.0 we are signing the driver with a Extended Validation (EV) SHA256 certificate. This means it won't work in a unpatched release of Win7. It also won't work (yet) in Win10 releases that
new and are using secure boot.