Signed INF driver works on the computer where it was signed, not others


As of 9/27/2012, GoDaddy Driver Signing Certificate will not work with Windows Vista or Windows 7. It will only work with Windows 8. The GoDaddy certificate is only available with SHA256.

We ended up getting one from GlobalSign (MS Authenticode).

From http://msdn.microsoft.com/en-us/library/windows/hardware/hh967734%28v=vs.85%29.aspx :

Signing a driver package with two signatures

In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.

2012-09-28 Update: The GlobalSign worked. I let Firefox 15 download the GlobalSign provided link (protected by a Pickup Password). Ended up with Firefox holding the signed certificate, and downloading 3 other GlobalSign certs. The signed certificate was exported from Firefox into a .p12 file. All four files were then double clicked to import them into the MS Certificate Store using automatic defaults. Driver and package were signed and tested in a Windows 7 Ultimate x64 without any driver signing errors. The driver BSoD'd but that's a different issue. ;)

GoDaddy will only give you website credit minus $15 and only if you revoke within 30 days of purchase.

2016-01-13 Update: https://technet.microsoft.com/en-us/library/security/3033929

Microsoft Security Advisory 3033929
Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
Published: March 10, 2015
...

Basically, you need to install the security update in the links provided by Microsoft, which is usually done automatically by Windows Update.

We are now using EV Code Signing Certificates from GlobalSign. Warning: SafeSign does not work with Windows services (e.g., buildbot slave).


Due to lack of reputation I cannot up-vote rcpao's answer, but I wanted to post in agreement. I recently went through a similar process attempting to sign a Windows 7 driver package with a driver signing certificate from GoDaddy. In short, Win7 x64 would not take the drivers, most certainly due to the SHA-2 hashing used in the GoDaddy certificate.

While there are articles stating that Windows 7 is compatible with SHA-2 signing, I don't think that applies to driver signatures. Definitely there are some ambiguous texts available that make the issue less clear.

My company ended up purchasing a DigiCert code signing certificate that includes kernel-mode signing for drivers. It worked as expected, and the cost was comparable to GoDaddy.


Answering my own question:

I ended up getting a Code Signing Certificate from Go Daddy and keying it to be SHA-2 (the other option is SHA-1), because I wanted the possibility of some day signing driver packages that contain .sys files and GoDaddy's SHA-2 option lets you do that. Now I sign our .cat files using that certificate along with the Go Daddy G1 to G2 Cross Certificate (gdroot-g2_cross.crt), so the chain of trust looks like:

  1. Go Daddy Class 2 Certification Authority ( 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4 ) (will be a trusted root CA on your user's computer)
  2. Go Daddy Root Certificate Authority - G2 ( 84 1d 4a 9f c9 d3 b2 f0 ca 5f ab 95 52 5a b2 06 6a cf 83 22 ) (supposed to be a trusted root CA, but it depends on Windows Update working reliably)
  3. Go Daddy Secure Certificate Authority - G2 ( 27 ac 93 69 fa f2 52 07 bb 26 27 ce fa cc be 4e f9 c3 19 b8 )
  4. Our company

This has been working great for our needs, but unfortunately, that plan does not allow us to sign driver packages that contain Kernel-Mode .sys files, because the chain of trust is not rooted in the Microsoft Code Verification Root. Based on my reading of kmsigning.doc, the correct way to sign your .cat file if you have kernel-mode driver files is to use the Microsoft to Go Daddy G2 Cross Certificate (mscvr-cross-gdroot-g2.crt). I haven't actually gotten that to work yet, but that will be another discussion.

SHA 2

I have to respectfully disagree with rcpao and kris. As far as I can tell, there is problem with SHA256 on Windows Vista or Windows 7, at least for the purpose of driver package installation. For loading a .sys file into the kernel, there might be a different story, and especially because I'm having trouble with .sys signing now I will have to look into that.

DefaultInstall

The MSDN documentation of the INF DefaultInstall Section is just wrong. There seems to be no incompatibility between DefaultInstall and driver signing, and I see no reason why there should be.
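Since the answers disagree about whether a SHA-256 signature or a missing root is what breaks the package on other machines, here is an added diagnostic script (not from any of the posts above) that reads a .cat file, reports each signature's digest algorithm and whether a second nested signature is present, builds the chain against the local trust store and names the root using the Go Daddy thumbprints listed in the answer, and checks for the SHA-2 update (KB3033929) on Windows 7. It assumes Windows PowerShell 5.1; the catalog path is a placeholder.

```powershell
# Added diagnostic for a signed driver package catalog; not code from the posts above.
# Assumptions: Windows PowerShell 5.1, $CatalogPath is a placeholder you replace.
param([string]$CatalogPath = 'C:\path\to\package.cat')

Add-Type -AssemblyName System.Security

# Root thumbprints quoted in the answer above (spaces removed, upper-cased).
$KnownRoots = @{
    '2796BAE63F1801E277261BA0D77770028F20EEE4' = 'Go Daddy Class 2 Certification Authority'
    '841D4A9FC9D3B2F0CA5FAB95525AB2066ACF8322' = 'Go Daddy Root Certificate Authority - G2'
}
$NestedSignatureOid = '1.3.6.1.4.1.311.2.4.1'   # szOID_NESTED_SIGNATURE (second signature)

# A .cat file is a bare PKCS#7 SignedData blob, so SignedCms decodes it directly.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([System.IO.File]::ReadAllBytes($CatalogPath))

foreach ($signer in $cms.SignerInfos) {
    # sha1 vs sha256: Windows 7 without KB3033929 rejects the latter.
    $digest = $signer.DigestAlgorithm.FriendlyName
    $nested = @($signer.UnsignedAttributes | Where-Object { $_.Oid.Value -eq $NestedSignatureOid }).Count -gt 0

    # Build the chain with THIS machine's trust store: a root present only on the
    # signing machine explains "works here, fails elsewhere" just as a SHA-256 digest can.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($signer.Certificate)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootName = if ($KnownRoots.ContainsKey($root.Thumbprint)) { $KnownRoots[$root.Thumbprint] } else { $root.Subject }

    [pscustomobject]@{
        Signer         = $signer.Certificate.Subject
        Digest         = $digest
        HasNestedSig   = $nested
        ChainBuilds    = $built
        ChainRoot      = $rootName
        RootThumbprint = $root.Thumbprint
    }
}

# SHA-256 signatures need the SHA-2 support update on Windows 7 / Server 2008 R2
# (Microsoft Security Advisory 3033929, shipped as KB3033929). 6.1.* is Windows 7 / 2008 R2.
$osVersion = (Get-CimInstance Win32_OperatingSystem).Version
if ($osVersion -like '6.1.*') {
    $kb = Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
    if (-not $kb) { Write-Warning 'KB3033929 not installed: SHA-256 signatures will be rejected on this host.' }
}
```

A catalog that shows Digest = sha256 with no nested SHA-1 signature, or a ChainRoot that is not in the target machine's Trusted Root store, reproduces the symptom in the question title.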