
Automating EV Signing (Windows Attestation)

It is clear to me that currently Microsoft does not have a way to automatically upload/download packages for attestation signing. But, I was curious how much anyone has automated up to that point. Specifically around EV signing. What I've found so far is the smart card (dongle) disables remote and automated keyboard input. So one has to type the password physically into the keyboard.

I'm personally okay with the extra security and validation around EV signing. Frankly, for me at least, driver releases don't happen extremely frequently throughout the year. So having to manually do this every once in a while isn't a big deal. In any event I'm curious what others have done.

Comments

  • I have had success using AutoIT to fill in the credentials for the pop-up
    challenge that occurs during EV code signing with a gemalto USB token and
    the SafeNet client software.

    In my environments, the AutoIT script needs to
    "run as Administrator" in order to see and input to the pop-up challenge.
  • Mark_Roddy
    That - using autoIT - is a good idea, but really the provided functionality
    is not ready for automated build systems and instead people have to hack
    around this misfortune.

    Mark Roddy

    On Fri, Apr 21, 2017 at 8:35 AM, wrote:

    > I have had success using AutoIT to fill in the credentials for the pop-up
    > challenge that occurs during EV code signing with a gemalto USB token and
    > the SafeNet client software.
    >
    > In my environments, the AutoIT script needs to
    > "run as Administrator" in order to see and input to the pop-up challenge.
  • Keep in mind that you do not need to use your EV certificate for signing, you just need an EV certificate and the non-EV certificate you sign with registered through the Microsoft portal.

    See the following for Microsoft's statement when they dropped this requirement:

    https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/10/07/update-to-ev-certificate-requirement-per-submission/

    Thus everything can be automated (and I've done this myself) other than, as you say, the upload of the CAB file and the download of the drivers to be signed and the download of the zip file with the Microsoft-signed files.

    Eric
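    As an added illustration of the part Eric says can be automated (this is not his script or anything from the thread): a build step that signs the package with the registered non-EV certificate selected from the certificate store, so no hardware-token PIN prompt is involved, then packages the submission CAB. It assumes the Windows SDK's signtool.exe and makecab.exe are on PATH, a flat driver package directory, and the placeholder thumbprint and paths shown; which certificate the portal accepts on the CAB itself is left to whatever is registered, as the thread discusses.

    ```powershell
    # Added example (not from the thread). Assumes: Windows SDK signtool.exe and
    # makecab.exe on PATH; the registered non-EV certificate (with private key) in
    # the CurrentUser\My store; a flat driver package directory; placeholder values.
    param(
        [string]$DriverDir  = ".\build\x64\Release\MyDriver",              # assumed layout
        [string]$Thumbprint = "0000000000000000000000000000000000000000",  # PLACEHOLDER
        [string]$Tsa        = "http://timestamp.digicert.com",             # RFC 3161 TSA
        [string]$OutDir     = ".\submission"
    )
    $ErrorActionPreference = "Stop"
    function Invoke-SignTool([string[]]$ToolArgs) {
        & signtool.exe @ToolArgs
        if ($LASTEXITCODE -ne 0) { throw "signtool $($ToolArgs[0]) failed on $($ToolArgs[-1])" }
    }

    # 1. Sign PE images and the catalog: SHA-256 digest, RFC 3161 timestamp, certificate
    #    picked by thumbprint from the store, so no hardware-token PIN prompt is involved.
    $signable = Get-ChildItem $DriverDir -File | Where-Object { $_.Extension -in '.sys','.dll','.exe','.cat' }
    foreach ($f in $signable) {
        Invoke-SignTool @("sign", "/v", "/fd", "sha256", "/sha1", $Thumbprint,
                          "/tr", $Tsa, "/td", "sha256", $f.FullName)
        Invoke-SignTool @("verify", "/v", "/pa", $f.FullName)   # fail the build on a bad chain
    }

    # 2. Package the submission CAB via a generated DDF (zero thresholds = one cabinet).
    New-Item -ItemType Directory -Force $OutDir | Out-Null
    $ddf = @"
    .OPTION EXPLICIT
    .Set CabinetFileCountThreshold=0
    .Set FolderFileCountThreshold=0
    .Set FolderSizeThreshold=0
    .Set MaxCabinetSize=0
    .Set MaxDiskFileCount=0
    .Set MaxDiskSize=0
    .Set CompressionType=MSZIP
    .Set Cabinet=on
    .Set Compress=on
    .Set CabinetNameTemplate=MyDriver.cab
    .Set DiskDirectoryTemplate=$OutDir
    .Set DestinationDir=MyDriver
    "@
    $ddf += "`r`n" + ((Get-ChildItem $DriverDir -File | ForEach-Object { '"' + $_.FullName + '"' }) -join "`r`n")
    $ddfPath = Join-Path $OutDir "MyDriver.ddf"
    Set-Content -Path $ddfPath -Value $ddf -Encoding ASCII
    & makecab.exe /f $ddfPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "makecab failed" }

    # 3. Sign the CAB with the same registered certificate; the portal upload itself stays manual.
    Invoke-SignTool @("sign", "/v", "/fd", "sha256", "/sha1", $Thumbprint, "/tr", $Tsa, "/td", "sha256", (Join-Path $OutDir "MyDriver.cab"))
    ```

    The manual steps the thread identifies (uploading the CAB and downloading the Microsoft-signed result) are deliberately left outside the script.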
  • Last time I tried uploading a package without the EV cert it didn't take it. I'll have to try it again. It is possible that the nature of the driver I produce requires it be signed with the EV cert.
  • > just need an EV certificate and the non-EV certificate you sign with registered
    > through the Microsoft portal.

    This is correct. We at OSR, together with support from several OEM/IHV types, worked *really* hard to get the policy requiring EV signing of every submission reversed. MSFT was willing to listen to our arguments, and we were ultimately successful.

    Peter Viscarola
    OSR
    @OSRDrivers

  • They only allow us to have one certificate registered at a time.