Signed INF driver works on the computer where it was signed, not others

Question

My company purchased a Driver Signing Certificate from Go Daddy. I used it to sign a simple INF file that is a driver for some of our USB devices that use Microsoft\'s usbs

Answer 1

As of 9/27/2012, GoDaddy Driver Signing Certificate will not work with Windows Vista or Windows 7. It will only work with Windows 8. The GoDaddy certificate is only available with SHA256.

We ended up getting one from GlobalSign (MS Authenticode).

From http://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx :

Signing a driver package with two signatures

In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.

2012-09-28 Update: The GlobalSign worked. I let Firefox 15 download the GlobalSign provided link (protected by a Pickup Password). Ended up with Firefox holding the signed certificate, and downloading 3 other GlobalSign certs. The signed certificate was exported from Firefox into a .p12 file. All four files were then double clicked to import them into the MS Certificate Store using automatic defaults. Driver and package were signed and tested in a Windows 7 Ultimate x64 without any driver signing errors. The driver BSoD'd but that's a different issue. ;)

GoDaddy will only give you website credit minus $15 and only if you revoke within 30 days of purchase.

2016-01-13 Update: https://technet.microsoft.com/en-us/library/security/3033929 Microsoft Security Advisory 3033929 Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2 Published: March 10, 2015 ... Basically, you need to install the security update in the links provided by Microsoft which is usually done automatically by Windows Update.

We are now using EV Code Signing Certificates from GlobalSign. Warning: SafeSign does not work with Windows services (e.g., buildbot slave).