Driver Signing Practical Info

I have some practical questions about the Windows 10 driver signing
thing, for those of you who have already been through it.

The requirement is that the package be submitted to the Windows Hardware
Dev Center Dashboard portal for signing. That is the same place where
one submits packages for WHQL, right? Is the new portal submission
thing separate from WHQL, or will all of these submissions have to have
HCK test logs?

In the past, just logging in to the WHDC Dashboard required a genuine
Verisign certificate (although not necessarily a code-signing
certificate). Is that required for these driver submissions? So, if I
choose a different vendor for the EV Code Signing cert, will I also need
a Verisign cert to log in?

Have any of you already been through this process? Can you briefly
describe what the steps look like? What’s the turnaround time?

The web descriptions IMPLY that the requirement is not enforced when
/testsigning is enabled. Is that so? Do most of you run with
/testsigning on all of the time? I have always resisted that, because I
want my test environment to match my clients’ environment as closely as
possible, and THEY aren’t going to run /testsigning. If the portal
submission adds 5 minutes to every build, it may no longer be practical
for me to do that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Was that EV you were talking about? When karma is at work, stop worrying,
just eat the popcorn and watch the show.

//Daniel

Yes, it’s the same place.

The two submissions are different… you use “File Signing Services” and select “Driver Signing Submission” – To be eligible for this, you must sign an “attestation agreement” saying you’ve tested your driver, it’s compatible with Windows, and that you’ll monitor the telemetry on sysdev and you agree to support the driver (for some value of “support”).

We do 95% of our testing with a kernel debugger connected (for release AND debug builds). So, signing isn’t an issue. We only run our final tests on the final executable that has been signed with our “real” signing certificate once we have what we think is a “final” version.

You can log into sysdev and check it out… You can submit things for Win10 signing right now… without even needing an EV Cert. Yet.

Peter
OSR
@OSRDrivers

Does anyone know if it will be possible to automate the driver submission process to Microsoft, or must it be done manually each time a driver needs to be signed?

Yes… An API for this was indeed discussed.

Peter
OSR
@OSRDrivers

“You can log into sysdev and check it out… You can submit things for
Win10 signing right now… without even needing an EV Cert. Yet”

That’s what they are saying. On the blog they also wrote

“starting 90 days after the release of Windows 10, the portal will only
accept driver submissions, including both kernel and user mode driver
submissions, that have a valid Extended Validation (“EV”) Code Signing
Certificate.”

However to be able to even sign up for a sysdev account, as a requirement
you need to sign a winqual.exe file with a Symantec Class 3 certificate
($795/year). If signed using standard KMCS procedures, the application is
rejected.

All this appears very contradictory to me.

//Daniel

But… hasn’t that been the requirement forever? Not ANY class 3 Code Signing Cert, but a particular Symantec one? That’s why there was the special $100 offer for that cert that folks (including OSR) used for years.

And, yes… I agree it IS more confusing than it should be. And, it goes without saying that the cost of the EV Certificates is ridiculous to the point that it is scandalous.

Peter
OSR
@OSRDrivers

Discussed? Was it decided and delivered? I know it was requested but I have not yet found it.

Cheers
Dave Cattley


xxxxx@osr.com wrote:

> But… hasn’t that been the requirement forever? Not ANY class 3 Code Signing Cert, but a particular Symantec one? That’s why there was the special $100 offer for that cert that folks (including OSR) used for years.

This is actually one of the primary reasons I asked my recent question.

Yes, creating a winqual account has always required a Symantec
certificate, although not necessarily a Symantec code-signing
certificate. Thus, you could either get a “Symantec plain” plus an
“affordable Class 3”, or you could get a gold-plated “Symantec Class 3”.

Since I don’t actually distribute any of the drivers I write, and the
winqual account has to belong to the submitting company, I’ve never had
a winqual account, so I’ve never had the Symantec certificate. Hence,
my question. In order to reproduce my client’s environment, am I now
going to be REQUIRED to get a genuine Symantec certificate in order to
create the account through which I make these submissions?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 07/16/2015 01:45 AM, xxxxx@resplendence.com wrote:

> However to be able to even sign up for a sysdev account, as a
> requirement you need to sign a winqual.exe file with a Symantec Class
> 3 certificate ($795/year). If signed using standard KMCS procedures,
> the application is rejected.

The least-expensive EV code signing certificate I could find is via this
link: https://www.digicert.com/friends/sysdev/

If I could use that same certificate to sign winqual.exe, that would be
a great help. The drivers I sign under my own name tend to be pro bono
efforts (e.g. to keep old hardware working on newer versions of
Windows). It’s painful to be periodically shaken down for hundreds of
dollars for the privilege of releasing work I’m giving away for free.

Over the last decade, the requirements have become decidedly unfriendly
to lone developers taking up this craft. GlobalSign used to offer
special pricing to individuals, but they declined my most recent renewal
and told me that code signing certificates are now available only to
corporations.

Mark Fontana

When driver signing was originally implemented for x64, I spent a great deal of time arguing with the MSFT architects that it would screw hobby/community developers. I cited several examples of why this was not good for Windows. I couldn’t get one person to express any interest, or to seriously attempt to address this issue.

It will be VERY hard and almost prohibitively expensive for these devs to acquire EV certs (I read the guidelines, and I think it’s technically possible, but the dev will have to have an actual business with an address).

I think it’s a real shame, and bad for Windows, to force hobby and community devs out of the marketplace.

Perhaps somebody will form a .org to sign these kinds of projects. But that’d be a tricky business in today’s world.

Peter
OSR
@OSRDrivers

I don’t understand. If you want to release sign drivers for testing, which I think is a bad idea but whatever, you’re going to need an EV Cert. OR you’re going to have to get your client to get an EV Cert and give you access to their sysdev account (this is actually very practical… The primary sysdev account holder can create other accounts for the same company and control a fairly fine grained set of permissions associated with each account) and THEIR EV Cert. This second option is what we do now when we have clients that want the Logo and want to pay us to run the Logo tests and submit for them. It works out quite well.

Peter
OSR
@OSRDrivers

xxxxx@osr.com wrote:

> I don’t understand. If you want to release sign drivers for testing, which I think is a bad idea but whatever,…

I’m curious to know why you think it is a bad idea. I’m bothered by the
idea of requiring my clients – some of whom are not as technically
sophisticated as they need to be – to run their machines in
/testsigning mode.

> you’re going to need an EV Cert. OR you’re going to have to get your client to get an EV Cert and give you access to their sysdev account (this is actually very practical… The primary sysdev account holder can create other accounts for the same company and control a fairly fine grained set of permissions associated with each account) and THEIR EV Cert. This second option is what we do now when we have clients that want the Logo and want to pay us to run the Logo tests and submit for them. It works out quite well.

That’s certainly what I have done for logo submissions in the past. I
did finally go out to the WHDC web site, and it looks like you can now
use a certificate from either Symantec ($800) or Digicert ($225) to open
a sysdev account, so there does appear to be another option now.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@resplendence.com wrote:

> However to be able to even sign up for a sysdev account, as a requirement
> you need to sign a winqual.exe file with a Symantec Class 3 certificate
> ($795/year).

The WHDC web site now says you can use a Digicert certificate as well,
which is $225/year. That’s good news, relatively speaking.
https://msdn.microsoft.com/en-us/library/windows/hardware/hh801887.aspx


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

No deep thinking involved, really. I’m just concerned about pre-releases (my beta releases to clients or whatever) somehow getting out into the wild. If they’re not “release signed” accidentally releasing them won’t matter.

Peter
OSR
@OSRDrivers

I’ve been looking into Windows 10 kernel driver signing for a while now and this is what I’ve found so far:

  1. The portal accepts submissions using a Symantec certificate (I haven’t tried digicert, but they claim it’s supported as well)
  2. The signing takes anywhere between 5 - 30 min. But it can apparently take several hours based on server load
  3. The cab that you upload for signing needs to be in a specific format - https://msdn.microsoft.com/en-us/library/windows/hardware/dn962252(v=vs.85).aspx?f=255&MSPPError=-2147217396
  4. The driver (.sys) needs to have a .inf along with it. The portal will not accept .sys files without an accompanying .inf (e.g. some non-PnP drivers)

Open questions:

  1. (this is the biggest open question) The latest preview build of Windows 10 does not enforce this check. My drivers, which are NOT signed by Microsoft, still continue to load fine. When will we start seeing failures? Only after July 29 when Windows 10 releases?
  2. An API is supposed to exist - https://msdn.microsoft.com/en-us/library/windows/hardware/dn800659.aspx?f=255&MSPPError=-2147217396, but the URL it’s using, https://api.sysdev.microsoft.com is not available
  3. Will it be possible to sign .sys files on their own without an inf? I think the workaround until then would be to create a dummy inf (which hasn’t worked for me yet).
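
As an added illustration of point 4 in the post above (not code from the thread or from Microsoft): a pre-submission check that flags any .sys in a staging folder that no .inf beside it lists under `[SourceDisksFiles]`. The folder layout, the file names and the use of `[SourceDisksFiles]` as the test for "accompanying" are assumptions; the thread does not describe the portal's own validation rules.

```python
import re
import tempfile
from pathlib import Path

SECTION = re.compile(r"^\[([^\]]+)\]")

def read_inf(path):
    """Decode an INF file: UTF-16 when it carries a BOM, otherwise UTF-8/ANSI."""
    raw = path.read_bytes()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return raw.decode(enc, errors="replace")

def inf_source_files(path):
    """Lower-cased names listed in [SourceDisksFiles] or [SourceDisksFiles.<arch>]."""
    names, in_section = set(), False
    for line in read_inf(path).splitlines():
        line = line.split(";", 1)[0].strip()          # drop INF comments
        m = SECTION.match(line)
        if m:
            sec = m.group(1).strip().lower()
            in_section = sec == "sourcedisksfiles" or sec.startswith("sourcedisksfiles.")
        elif in_section and "=" in line:
            names.add(line.split("=", 1)[0].strip().strip('"').lower())
    return names

def orphan_sys_files(package_dir):
    """Return .sys files that no .inf in the same directory lists (assumed rule)."""
    orphans = []
    for sys_file in sorted(p for p in Path(package_dir).rglob("*") if p.suffix.lower() == ".sys"):
        infs = [p for p in sys_file.parent.iterdir() if p.suffix.lower() == ".inf"]
        listed = set().union(*(inf_source_files(p) for p in infs))
        if sys_file.name.lower() not in listed:
            orphans.append(sys_file.relative_to(package_dir).as_posix())
    return orphans

def demo():
    """Constructed package: one PnP driver with an INF, one bare non-PnP .sys."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pnp").mkdir()
        (root / "legacy").mkdir()
        (root / "pnp" / "sample.sys").write_bytes(b"MZ")   # placeholder, not a real driver
        (root / "pnp" / "sample.inf").write_text(
            "[Version]\nSignature=\"$WINDOWS NT$\"\n; constructed sample\n"
            "[SourceDisksFiles]\nsample.sys = 1\n", encoding="utf-16")
        (root / "legacy" / "filter.sys").write_bytes(b"MZ")
        return orphan_sys_files(root)

if __name__ == "__main__":
    print(demo())
```
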

You obviously need to change your release management into at least the 1990s and let your clients know it is BETA. :)

We have many Clients that want to come to our facility to test with a “NON DEBUG” version of our software before release in the wild. Our lab is set up like their live system and they run tests. Now they may want 10 different adjustments but want to test them 1 at a time, again NON DEBUG, turnaround time is important to our SCM department.

Larry C

All these new signing practices may be useful and valuable, but it kills my current business. I’ve decided not to support Win10
(although my driver software installs and works perfectly on Win10 Insider preview), and I am even thinking about stopping driver
development at all. I pay now yearly for a MSDN membership and a Sha1 certificate. Additional payments for a Sha2 EV certificate
and a dashboard (winqual) account exceed the yearly income of providing the software. I also worked out a method whereby each
user received a “branded” (with name, e-mail address, etc.) *.sys file as a sort of license identification. Compilation,
signing, packaging and sending takes only a few minutes. All this collapses due to the time needed to submit it to the dashboard.
All my customers currently receive updates for free. Now, I will send a note to all of them not to expect updates anymore (unless
they keep using pre-Win10 versions) and suggest they send their complaints about this to Microsoft.

Christiaan

Mr. Clawson: Debug vs non-debug builds don’t have anything at all to do with driver signing.

So, I really don’t know what you’re talking about. Let them come to your office, and let them run an unsigned copy with the kernel debugger attached, or (as of today) a test signed copy with the signature loaded on the machine.

Release signing is for released code. You start release signing betas, then you have to release sign beta updates, then you have to release sign private builds… All because nobody at your customer can enable test signing or disable signature enforcement? That’s a lot of versions to be kicking around, waiting to escape into the wild accidentally.

Peter
OSR
@OSRDrivers

> 1. (this is the biggest open question) The latest preview build of Windows
> 10 does not enforce this check. My drivers, which are NOT signed by
> Microsoft, still continue to load fine. When will we start seeing failures?
> Only after July 29 when Windows 10 releases?

This is my biggest concern as well. I have to update my software for Windows
10. I don’t know if I can still ship a fixed driver or if I should include
the old buggy driver in there for Windows 10 only?

It’s pretty bizarre that the information is so contradictory and unclear,
is it too much effort to post a real date or something or is that on
purpose? All this leads me to believe EV isn’t quite ready for its prime
time. But still, I don’t like to be playing with dice, it’s nice if we can
keep at least some level of control.

In any case, being a DBA, I’m not going to incorporate (with legal
implications) just to be able to buy a certificate. Just before the
announcement I bought a 5 year nonEV certificate of which I hope it got me
settled and I haven’t quite recovered from the pain of getting that (it
wasn’t the money that hurt).

//Daniel