We have a driver that is built and signed in-house. Recently, we have been having issues installing this on windows 7. Initially it was missing certificates and that was resolved by installing the root and intermediate certificates. Signtool checks are all successful. But now I get this error during installation:
Failed to verify file 'WdfCoInstaller01009.dll' against catalog. Catalog = avp3ioc2.cat, Error = 0xE000024B
!!! sto: Catalog did not contain file hash. File is likely corrupt or a victim of tampering.
I checked the catalog file and verified the thumbprint against that of WdfCoInstaller01009.dll. Everything matches.
What may be causing this? Could I resolve this without re-signing the drivers (it's a long process)? Any help would be highly appreciated.
P.S. The windows partition has EWF enabled. The driver is installed via DiInstallDriver.
The .cat file contains a checksum of all of the driver files. If you only sign the .cat, then it only covers the original file (like a .sys file). You can't copy and use a new one unless you sign that one too.
There are two different signature checks. One is the install-time check, which applies only to PnP driver packages. This check is done on all of the systems, 32 and 64-bit. In this case, the .cat matters. If the .cat file is WHQL signed, install is silent. If the .cat is signed with your own certificate, you'll get a warning ("do you trust this ..."). If your .cat file is unsigned or missing, you get the "unsigned driver" warning. The user can bypass any of those and allow the driver to be installed.
The other one is the kernel-mode code signing, which is done each and every time the driver is loaded, but exclusively on 64-bit systems. For this check, you can sign the .sys driver files, or if you have a driver package, you can sign the .cat files. For this check, you must use a class 3 code-signing certificate and you must use the appropriate cross-certificate from Microsoft to cross into their certificate domain. You can check whether you have done this correctly using "signtool verify /kp /v". If you do not see the "Microsoft Code Verification Root", then you probably did not use a cross-certificate. This is a big pain, I know.
Now that this is cleared up, the answer to your question is YES, you will need to re-sign the driver.
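The install-time catalog check described above can be reproduced outside SetupAPI, which tells you which package member no longer matches the .cat before you re-sign. The following PowerShell script is an added example, not code from the question or the answer; it assumes signtool.exe from the Windows SDK/WDK is on PATH and that the package directory and catalog name (taken from the question) are adjusted to yours.

```powershell
# Added example: verify a driver package against its catalog with signtool.
# Assumes signtool.exe is on PATH; $PackageDir and $Catalog are placeholders to adjust.
param(
    [string]$PackageDir = ".\driver",
    [string]$Catalog    = (Join-Path ".\driver" "avp3ioc2.cat")   # catalog name from the question
)

# Step 1: the catalog's own signature and chain. /kp applies the kernel-mode driver
# policy, so on success the verbose output should show the Microsoft Code Verification
# Root that the answer mentions; if it is absent, no cross-certificate was used.
& signtool.exe verify /kp /v $Catalog
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Catalog signature or chain check failed: $Catalog"
}

# Step 2: every member file against the catalog (/c). A file replaced after the
# catalog was signed, e.g. a newer co-installer DLL dropped into the package, fails
# here with the same meaning as SetupAPI's 0xE000024B (SPAPI_E_FILE_HASH_NOT_IN_CATALOG):
# the catalog simply carries no hash for that file content.
$missing = @()
Get-ChildItem -Path $PackageDir -File |
    Where-Object { $_.Extension -ne '.cat' } |
    ForEach-Object {
        $null = & signtool.exe verify /kp /c $Catalog $_.FullName 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Host ("OK        {0}" -f $_.Name)
        } else {
            $missing += $_.Name
            Write-Host ("NOT-IN-CAT {0}" -f $_.Name)
        }
    }

if ($missing.Count -gt 0) {
    # Any file listed here must either be restored to the version that was catalogued
    # or the catalog must be regenerated and re-signed, as the answer concludes.
    Write-Host "`nFiles not covered by the catalog:`n  $($missing -join "`n  ")"
    exit 1
}
```

Run it from an elevated prompt in the package directory; a non-zero exit code means at least one member does not match the catalog, regardless of whether that file carries a valid embedded signature of its own.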