HLK Tests and EV certificate

Jhon_Doe Posts: 4
Hi all,

I currently have the following flow working:
1. Sign my binaries with the organization's certificate (specifically, EV certificate).
2. Run HLK tests on signed binaries
3. Create HLK project with HLK results and signed binaries, sign the package, and submit it to Microsoft.
4. Get binaries signed with Microsoft

What I would like to know is whether I can perform the tests on binaries that are self-signed with self-created cross certificates (using makecert), and then, in step 2, use those HLK results along with the *real* "organization signed" binaries.

That is, does Microsoft only check that the underlying driver is the same between the HLK results and the submitted drivers? Or do they check that those are the same binaries *exactly* (including the signature)?

The reason that I am even asking is that our signing machine is on a different network, and getting signed drivers back into the network with the HLK takes another "round" of bringing files back and forth, which I would be happy to do without.

Thanks

Comments

  • Tim_Roberts Posts: 12,620
    On Jun 10, 2018, at 11:36 PM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
    >
    > What I would like to know is whether I can perform the tests on binaries that are self-signed with self-created cross certificates (using makecert), and then, in step 2, use those HLK results along with the *real* "organization signed" binaries.
    >
    > That is, does Microsoft only check that the underlying driver is the same between the HLK results and the submitted drivers? Or do they check that those are the same binaries *exactly* (including the signature)?

    In theory, the certificates are not included in the PE file checksum, and I believe that's what HLK uses to validate it is the same driver you tested.

    It is not strictly necessary to sign the binaries you send to the dashboard. You have to sign the HLK results, but WHQL is going to sign your binaries, create a new CAT, and sign that.

    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.
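Added example, not part of the thread and not HLK's or the dashboard's own code: a Python computation of the Authenticode-style image digest, which skips the optional-header CheckSum field, the certificate table directory entry and the appended certificate table, run on one constructed PE32+ buffer "signed" twice with different constructed blobs. Assumptions: the function names and sample bytes are made up for illustration, the file is hashed linearly with the certificate table last in the file, and whether HLK compares this particular digest is not established here.

```python
import hashlib
import struct

def authenticode_digest(pe: bytes) -> str:
    """SHA-256 of a PE image, skipping the three regions that signing rewrites."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24   # optional header offset
    if pe[:2] != b"MZ" or pe[opt - 24:opt - 20] != b"PE\0\0":
        raise ValueError("not a PE file")
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                # CheckSum field, 4 bytes
    certdir = opt + (128 if magic == 0x10B else 144)   # data directory entry 4
    cert_off, cert_len = struct.unpack_from("<II", pe, certdir)
    if cert_len == 0:
        cert_off = len(pe)                             # unsigned: hash to end of file
    elif cert_off + cert_len != len(pe):
        raise ValueError("certificate table is not at end of file")
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:certdir], pe[certdir + 8:cert_off]):
        h.update(chunk)
    return h.hexdigest()

def build_image(body: bytes) -> bytes:
    """Constructed PE32+ headers plus body bytes; sample data, not a loadable driver."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body

def attach_signature(image: bytes, blob: bytes, new_checksum: int) -> bytes:
    """Mimic what signing a PE32+ file changes: CheckSum, entry 4, appended table."""
    out = bytearray(image)
    opt = struct.unpack_from("<I", out, 0x3C)[0] + 24
    struct.pack_into("<I", out, opt + 64, new_checksum)
    struct.pack_into("<II", out, opt + 144, len(out), len(blob))
    return bytes(out) + blob

UNSIGNED = build_image(b"constructed driver body.")
TEST_SIGNED = attach_signature(UNSIGNED, b"constructed test-cert blob", 0x1111)
PROD_SIGNED = attach_signature(UNSIGNED, b"constructed EV-cert blob, longer", 0x2222)

if __name__ == "__main__":
    for name, data in (("test", TEST_SIGNED), ("prod", PROD_SIGNED)):
        print(name, hashlib.sha256(data).hexdigest()[:16], authenticode_digest(data)[:16])
```

Run as a script, it prints a different whole-file SHA-256 for each signed copy next to an identical image digest.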

  • What Mr. Roberts said is entirely correct.

    You *only* need the EV cert to prove who you are for your dashboard account. You can then use either that EV cert, or a non-EV cert (that you have ALSO registered with the dashboard) to sign submissions.

    As Mr. Roberts said, you *can* use your EV cert to sign your binaries... and there's really no reason not to.

    Peter
    OSR
    @OSRDrivers

  • R0b0t1 Posts: 130
    On Mon, Jun 11, 2018 at 11:14 AM, xxxxx@osr.com <xxxxx@lists.osr.com> wrote:
    > What Mr. Roberts said is entirely correct.
    >
    > You *only* need the EV cert to prove who you are for your dashboard account. You can then use either that EV cert, or a non-EV cert (that you have ALSO registered with the dashboard) to sign submissions.
    >
    > As Mr. Roberts said, you *can* use your EV cert to sign your binaries... and there's really no reason not to.
    >

    It's probably easier to revoke your non-EV certificate in the case the
    certificate is compromised.