Windows 10 Code signing

Hello,

We have class 3 certificate and use that for driver signing. Recently, we found that that the certificate is not working if Window 10 is booted with secure boot enabled. We contacted our certificate provider and they say that Microsoft has updated their driver signing policy for Windows 10 (effective version 1607, Aug. 2016 release) and require that Kernel mode drivers with Secure Boot turned ON must be signed with a Microsoft Signature via their Windows Hardware Developer Center Dashboard. We’ll need to sign driver with an EV code signing cert and submit it to their dashboard.
Does anyone know whether I’ve to perform WHQL test and send logs as well?

Thanks,
Hakim

xxxxx@yahoo.ca wrote:

We have class 3 certificate and use that for driver signing. Recently, we found that that the certificate is not working if Window 10 is booted with secure boot enabled. We contacted our certificate provider and they say that Microsoft has updated their driver signing policy for Windows 10 (effective version 1607, Aug. 2016 release) and require that Kernel mode drivers with Secure Boot turned ON must be signed with a Microsoft Signature via their Windows Hardware Developer Center Dashboard. We’ll need to sign driver with an EV code signing cert and submit it to their dashboard.

Correct – this has been discussed on this list dozens of times since
the policy was announced two years ago.

Does anyone know whether I’ve to perform WHQL test and send logs as well?

No.  That is certainly one option, and since the WHQL process is free,
it might be the right option for you, but Microsoft has an alternative
process called “attestation signing” where you submit a package that you
have done your own testing on.  They will sign it and send it back.  The
drawback to attestation signing is that the package can ONLY be
installed on Windows 10.  It cannot be installed on earlier systems.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> We’ll need to sign driver with an EV code signing cert

and submit it to their dashboard.

As Tim said, this is correct, although there is a further
clarification to make there. You will need to HAVE an EV certificate,
and you will need to have registered that EV certificate with a
company account you created on the Microsoft Windows Dev Center
portal.

So long as you register your existing Class 3 certificate on the
portal company account too, you can continue performing your actual
/driver signing/, including the submissions of any .CABs, .HLKX and/or
.HCKX files, using the Class 3 certificate you’re using today.

You simply must have an EV certificate registered to “prove”
identity of whom owns the company account you created on the Microsoft
Windows Dev Center portal. But once that trust is established, they
will trust any additional non-EV certificates you upload to your
company account, too.

So an EV certificate is required, but not specifically “to sign every
driver”, nor even to “sign every submission upload.” Its fine if you
/do/ use the EV certificate to perform your actual driver signing
and/or submissions, but that’s not strictly required, if you have
other non-EV certificates registered too.

There do happen to be Windows Dev Center submissions that require
being signed with the EV certificate, but those are things like UEFI
firmware submissions, and not general driver signing.

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com

See: https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/

and numerous other blog posts on OSR.COM about this topic.

Peter
OSR
@OSRDrivers