Windows 10 Code signing

Hakim Member Posts: 115
Hello,

We have a class 3 certificate and use that for driver signing. Recently, we found that the certificate is not working if Windows 10 is booted with secure boot enabled. We contacted our certificate provider and they say that Microsoft has updated their driver signing policy for Windows 10 (effective version 1607, Aug. 2016 release) and requires that Kernel mode drivers with Secure Boot turned ON must be signed with a Microsoft Signature via their Windows Hardware Developer Center Dashboard. We'll need to sign the driver with an EV code signing cert and submit it to their dashboard.
Does anyone know whether I've to perform WHQL test and send logs as well?

Thanks,
Hakim

Comments

  • Tim_Roberts Member - All Emails Posts: 14,299
    [email protected] wrote:
    > We have a class 3 certificate and use that for driver signing. Recently, we found that the certificate is not working if Windows 10 is booted with secure boot enabled. We contacted our certificate provider and they say that Microsoft has updated their driver signing policy for Windows 10 (effective version 1607, Aug. 2016 release) and requires that Kernel mode drivers with Secure Boot turned ON must be signed with a Microsoft Signature via their Windows Hardware Developer Center Dashboard. We'll need to sign the driver with an EV code signing cert and submit it to their dashboard.

    Correct -- this has been discussed on this list dozens of times since
    the policy was announced two years ago.


    > Does anyone know whether I've to perform WHQL test and send logs as well?

    No.  That is certainly one option, and since the WHQL process is free,
    it might be the right option for you, but Microsoft has an alternative
    process called "attestation signing" where you submit a package that you
    have done your own testing on.  They will sign it and send it back.  The
    drawback to attestation signing is that the package can ONLY be
    installed on Windows 10.  It cannot be installed on earlier systems.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • Alan_Adams-2 Member Posts: 46
    > We'll need to sign driver with an EV code signing cert
    > and submit it to their dashboard.

    As Tim said, this is correct, although there is a further
    clarification to make there. You will need to HAVE an EV certificate,
    and you will need to have registered that EV certificate with a
    company account you created on the Microsoft Windows Dev Center
    portal.

    So long as you register your existing Class 3 certificate on the
    portal company account too, you can continue performing your actual
    /driver signing/, including the submissions of any .CABs, .HLKX and/or
    .HCKX files, using the Class 3 certificate you're using today.

    You simply must _have_ an EV certificate registered to "prove"
    identity of who owns the company account you created on the Microsoft
    Windows Dev Center portal. But once that trust is established, they
    will trust any additional non-EV certificates you upload to your
    company account, too.

    So an EV certificate is required, but not specifically "to sign every
    driver", nor even to "sign every submission upload." It's fine if you
    /do/ use the EV certificate to perform your actual driver signing
    and/or submissions, but that's not strictly required, if you have
    other non-EV certificates registered too.

    There do happen to be Windows Dev Center submissions that _require_
    being signed with the EV certificate, but those are things like UEFI
    firmware submissions, and not general driver signing.

    Alan Adams
    Client for Open Enterprise Server
    Micro Focus
    [email protected]
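
Added example, not part of the thread and not OSR's or Microsoft's code: a PowerShell triage that reports the two conditions the policy discussed above depends on (Secure Boot state, Windows 10 version 1607 or later) and which root a driver file's signer chains to. The driver path is a placeholder; treating build 14393 as the 1607 build and matching the root subject against Microsoft are assumptions of this example.

```powershell
# Added example. $DriverPath is a hypothetical placeholder; pass your own .sys file.
param([string]$DriverPath = 'C:\Drivers\example\example.sys')

function Get-SecureBootState {
    # Confirm-SecureBootUEFI needs elevation and throws on legacy BIOS systems.
    try { if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' } }
    catch { 'Unknown' }
}

function Get-DriverSigningSummary {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate
    $root   = $null
    if ($signer) {
        # Build the certificate chain to see which root the signer chains up to.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        [void]$chain.Build($signer)
        $n = $chain.ChainElements.Count
        if ($n -gt 0) { $root = $chain.ChainElements[$n - 1].Certificate }
    }

    $build = [System.Environment]::OSVersion.Version.Build
    $boot  = Get-SecureBootState
    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = if ($signer) { $signer.Subject } else { $null }
        ChainRoot       = if ($root)   { $root.Subject }   else { $null }
        # Heuristic (assumption): a Dev Center signature chains to a Microsoft root,
        # while a vendor Class 3 / EV signature chains to the issuing CA's root.
        MicrosoftRoot   = [bool]($root -and $root.Subject -match 'O=Microsoft Corporation')
        SecureBoot      = $boot
        OsBuild         = $build
        # Mirrors the thread's statement: version 1607 or later with Secure Boot on.
        # Assumption: 1607 corresponds to build 14393.
        PolicyInScope   = ($boot -eq 'On' -and $build -ge 14393)
    }
}

if (Test-Path -LiteralPath $DriverPath) {
    Get-DriverSigningSummary -Path $DriverPath | Format-List
} else {
    Write-Warning "Driver file not found: $DriverPath"
}
```

A result with `PolicyInScope` true and `MicrosoftRoot` false matches the situation in the original question: a vendor-signed driver on a system where the thread says a Microsoft signature is required.
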
  • Peter_Viscarola_(OSR) Administrator Posts: 8,968
    See: https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/

    and numerous other blog posts on OSR.COM about this topic.

    Peter
    OSR
    @OSRDrivers

