Note: Digital Signature for Windows driver

For work I wrote a Windows IO/Memory driver, but during testing it would not load no matter what. Through debugging I found that GetLastError() always reported ERROR_INVALID_IMAGE_HASH (0x00000241), yet File Explorer showed that the file was indeed signed, so this debugging process began. In the end I confirmed that it really was a signing problem: starting with version 1607, Windows 10 introduced stricter signing requirements, requiring all drivers to be submitted to the Hardware Developer Partner Dashboard so that Microsoft can counter-sign them, after which the signer becomes "Microsoft Windows Hardware Compatibility Publisher". So, apart from test signing, what other ways are there to test your own driver?

The following article on the Windows Hardware Certification blog lists the cases in which the system will still load an EV cross-signed driver.
Update: the article has moved to https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-signing-changes-in-windows-10-version-1607/ba-p/364894

What are the exact exceptions? Are cross-signed drivers still valid?

Enforcement only happens on fresh installations, with Secure Boot on, and only applies to new kernel mode drivers:

  • PCs upgrading from a release of Windows prior to Windows 10 Version 1607 will still permit installation of cross-signed drivers.
  • PCs with Secure Boot OFF will still permit installation of cross-signed drivers.
  • Drivers signed with an end-entity certificate issued prior to July 29th, 2015 that chains to a supported cross-signed CA will continue to be allowed.
  • To prevent systems from failing to boot properly, boot drivers will not be blocked, but they will be removed by the Program Compatibility Assistant. Future versions of Windows will block boot drivers.

In actual testing, turning off Secure Boot on the development machine changed the driver from failing to load to loading normally. Signtool can verify the signed driver file with the following command: signtool verify /v /kp driverfile, where /kp means the signature is verified against the kernel-mode driver signing policy.
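As an added example (my own script, not part of the original post or any Microsoft tool), the following PowerShell pre-flight check collects the facts that decide whether the 1607 policy will block a driver on a given machine: the Secure Boot state, the OS build, and the signer and issuance date of the driver's Authenticode certificate. It uses only built-in cmdlets, must run elevated, uses a placeholder driver path, and cannot detect the "upgraded from a pre-1607 release" exception.

```powershell
# Added example, not from the original post. Mirrors the exception list above using
# only built-in cmdlets; run in an elevated PowerShell on the test machine.
function Test-DriverSigningPolicy {
    param([Parameter(Mandatory)][string]$DriverPath)   # e.g. 'C:\drivers\MyDriver.sys' (placeholder)

    $cutoff      = Get-Date '2015-07-29'   # end-entity certs issued before this date are exempt
    $msPublisher = 'Microsoft Windows Hardware Compatibility Publisher'
    $policyBuild = 14393                   # Windows 10 version 1607

    # Secure Boot state: the 1607 policy is enforced only when it is ON.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { Write-Warning "Confirm-SecureBootUEFI failed: $($_.Exception.Message); assuming OFF"; $secureBoot = $false }

    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild

    # Authenticode signature on the .sys file (primary signature only).
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $cert = $sig.SignerCertificate

    $msSigned   = $cert -and ($cert.Subject -like "*CN=$msPublisher*")
    # NotBefore is taken as the issuance date of the end-entity certificate.
    $legacyCert = $cert -and ($cert.NotBefore -lt $cutoff)

    # "Blocked" here means blocked by the 1607 policy specifically: the signature itself
    # validates, but neither the Microsoft counter-signature nor an exception applies.
    # The upgrade-from-pre-1607 exception cannot be detected here and is not considered.
    $blocked = $secureBoot -and ($build -ge $policyBuild) -and ($sig.Status -eq 'Valid') `
               -and -not $msSigned -and -not $legacyCert

    [pscustomobject]@{
        Driver          = $DriverPath
        SecureBoot      = $secureBoot
        Build           = $build
        SignatureStatus = $sig.Status
        Signer          = if ($cert) { $cert.Subject } else { $null }
        CertNotBefore   = if ($cert) { $cert.NotBefore } else { $null }
        MicrosoftSigned = $msSigned
        PreJuly2015Cert = $legacyCert
        ExpectLoadBlock = $blocked   # $true => expect ERROR_INVALID_IMAGE_HASH (0x241) at load
    }
}

Test-DriverSigningPolicy -DriverPath 'C:\drivers\MyDriver.sys' | Format-List
```

If ExpectLoadBlock is $true, the two fixes the post describes are the ones to reach for: submit the driver to the Dashboard for Microsoft signing, or disable Secure Boot on the development machine for testing.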
