I'm dual-signing a windows .sys and .cat files for a driver using a certificate purchased from Symantec with the following command lines (the sys and cat files are both signed with the same options):
signtool.exe sign /v /ph /n "MyCorp" /ac "C:\Signing\VeriSign Class 3 Public Primary Certification Authority - G5.cer" /i "VeriSign Class 3 Code Signing 2010 CA" /t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyDriver.cat"
signtool.exe sign /v /ph /n "MyCorp" /ac "C:\Signing\VeriSign Class 3 Public Primary Certification Authority - G5.cer" /i "Symantec Class 3 SHA256 Code Signing CA" /tr "http://timestamp.geotrust.com/tsa" /as /fd sha256 /td sha256 "MyDriver.cat"
Signtool.exe reports success when it exits. When I view the signatures by right clicking the signed files, choosing Properties, go to Digital Signatures tab, then I see the two signatures. The sha1 signature seems fine. When I view the details of the sha256 certificate on the .sys file, everything looks good. But, when I view the details of the sha256 certificate on the .cat file, I see the following error:
The driver won't install on a Window7 box that I configured to believe SHA1 was deprecated on 1st January 2015 (rather than the real date when they expire which is 1st Jan 2016).
I saw a note on this msdn page saying:
Note that only .sys files can be dual signed because they are PE files.
Is that quote trying to say in a roundabout way that .cat files cannot be dual signed?
How should cat files be signed so that they will install on all versions of windows?
It does seem that .cat files cannot be dual signed. My solution was to sign the .cat file using a SHA256 certificate, but with signtool command line options to create a SHA1 signature. The .sys file associated with the driver I was still able to dual sign. This seems to be working in all the scenarios I need.
Is this only a visual/cosmetic issue or does your driver installation fail ?
A probably better and more solid alternative to dual-signing is an installer that includes both sha1- and sha2-signed binaries which installs the correct set depending on the os version. Since the major parts of the binaries are identical the compressed installer size also won't increase too much.
cat files shall be double signed using the following procedure:
inf2cat.exe /driver:__Path__ /os:__WindowsVersions__
signtool.exe sign /v /ac __RootCert__ /t __TimeStampLink__ /sha1 __Sha1ThumbPrint__ __CatFile__
signtool.exe sign /v /ac __RootCert__ /tr __TimeStampLink__ /td sha256 /fd sha256 /as /sha1 __Sha2ThumbPrint__ __CatFile__
Use the signing tools from windows kit v10.x (or above) to perform this.
来源:https://stackoverflow.com/questions/33542406/dual-sign-cat-file-has-error-no-signature-was-present-in-the-subject