Re: Automating EV Signing (Windows Attestation)

xxxxx@gmail.com wrote:

Keep in mind that you do not need to use your EV certificate
for signing, you just need an EV certificate and the non-EV
certificate you sign with registered through the Microsoft portal.

See the following for Microsoft’s statement when they dropped
this requirement:

https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/10/07/update-to-ev-certificate-requirement-per-submission/

Does anyone happen to have a current confirmation of “yes, the
Microsoft Windows Dev Center is currently allowing me to do this”?

Meaning, you have the EV certificate(s) you were required to associate
or create your SysDev / Windows Dev Center account with. But then you
also have a non-EV code signing certificate registered to the account.

And to actually upload Windows 10 attested signing submissions, you
need only sign your .CAB with the non-EV certificate, as per the
October 2016 blog post.

We have been simply “signing everything” with the EV certificate, but
one of our product teams is now in the position where “sign with just
the non-EV certificate” would aid their signing workflow. But even
though we were able to successfully upload and associate the non-EV
certificate with our Windows Dev Center account, the upload of actual
signing submissions seems to be rejected with an EV-specific signature
check message.

Wondering if that’s probably us still doing something wrong because
it’s working for others here; or whether Microsoft reversed their
reversal on having an EV check for submissions; or maybe the blog post
only applied to .HCK/.HLK submissions and not attested signing; etc.

Thanks.

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com

I can NOT confirm what you’re asking. Like you, we’ve been “just signing everything with our EV Cert”…

I will be very curious to hear if this is actually not working. That would be bad. Though, to be clear, our ask *was* specific to submitting HLK results. I always *assumed* this also applied to Attestation Signing. Hmmmm…

Peter
OSR
@OSRDrivers

%%merge inmail_.HdrFrom_%% xxxxx@lists.osr.com wrote:

I can NOT confirm what you’re asking. Like you,
we’ve been “just signing everything with our EV Cert”…

I will be very curious to hear if this is actually not working.

Hello, merge inmail_.HdrFrom_. :wink:

I am now in a position to confirm it myself. The Microsoft statement
/does/ continue to hold true, and Windows 10 attested signing
submissions /continue/ to be accepted even if the .CAB is only signed
with one of the non-EV certificates associated to the Windows Dev
Center account.

It was a “false alarm”, and the “EV certificate was required for
upload” scenario was actually an attempt to make a UEFI Signing
submission, instead of a Windows 10 attested signing submission.

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com

Thank you, Mr. Adams, for getting back to us to confirm that all is well.

I was concerned that we found a little Catch-22 or something.

Peter
OSR
@OSRDrivers