HLK Tests and EV certificate

Hi all,

I currently have the following flow working :

  1. Sign my binaries with the organization’s certificate (specifically, EV certificate).
  2. Run HLK tests on signed binaries
  3. Create HLK project with HLK results and signed binaries, sign the package, and submit it to microsoft.
  4. Get binaries signed with microsoft

What I would like to know, is whether I can perform the tests, on binaries that are self signed with self created cross certificates (using makecert). And then in step 2, use those HLK results, along with the *Real “organization signed” binaries".

That is, does microsoft only check that the underlining driver is the same between the HLK results and the submitted drivers is the same ? Or do they check that those are the same binaries *exactly* (including the signature).

The reason that I am even asking, is that our signing machine is in a different networks. And in order to get back signed drivers into the network with the HLK it takes another “round” of bringing files back and forth, which I would be happy if we can do without.

Thanks

On Jun 10, 2018, at 11:36 PM, xxxxx@gmail.com wrote:
>
> What I would like to know, is whether I can perform the tests, on binaries that are self signed with self created cross certificates (using makecert). And then in step 2, use those HLK results, along with the *Real “organization signed” binaries".
>
> That is, does microsoft only check that the underlining driver is the same between the HLK results and the submitted drivers is the same ? Or do they check that those are the same binaries exactly (including the signature).

In theory, the certificates are not included in the PE file checksum, and I believe that’s what HLK uses to validate it is the same driver you tested.

It is not strictly necessary to sign the binaries you send to the dashboard. You have to sign the HLK results, but WHQL is going to sign your binaries, create a new CAT, and sign that.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

What Mr. Robert’s said is entirely correct.

You *only* need the EV cert to prove who you are for your dashboard account. You can then use either that EV cert, or a non-EV cert (that you have ALSO registered with the dashboard) to sign submissions.

As Mr. Roberts said, you *can* use your EV cert to sign your binaries… and there’s really no reason not to.

Peter
OSR
@OSRDrivers

On Mon, Jun 11, 2018 at 11:14 AM, xxxxx@osr.com wrote:
> What Mr. Robert’s said is entirely correct.
>
> You only need the EV cert to prove who you are for your dashboard account. You can then use either that EV cert, or a non-EV cert (that you have ALSO registered with the dashboard) to sign submissions.
>
> As Mr. Roberts said, you can use your EV cert to sign your binaries… and there’s really no reason not to.
>

It’s probably easier to revoke your non-EV certificate in the case the
certificate is compromised.

In theory, the certificates are not included in the PE file checksum, and I believe that’s what HLK uses to validate it is the same driver you tested.

Was this theory ever validated? I’m running into more or less the same matter now with a HLK automation situation. EV certificates aren’t even accepted for kernel development any more, and I don’t want to submit test signed drivers to WHQL. So the idea is to run HLK on testsigned drivers, and then run signtool remove /s ... to remove the signatures, and then attach the signature-less driver to the hlkx file for submission to WHQL. The question is whether that final modification – stripping the test signature – will be accepted.

Nice job, following-up with a question to a post that’s 3 years old. You know we prohibit discourage that, right??

EV certificates aren’t even accepted for kernel development any more

How on EARTH did you come to that conclusion?

If you have a question, please… just start a new thread. This old thread is closed. We’ll discuss your issue in the new thread, once you start it.

Peter