
HLK Tests and EV certificate

Jhon_Doe Member Posts: 4
Hi all,

I currently have the following flow working:
1. Sign my binaries with the organization's certificate (specifically, EV certificate).
2. Run HLK tests on signed binaries.
3. Create HLK project with HLK results and signed binaries, sign the package, and submit it to Microsoft.
4. Get binaries signed with Microsoft.

What I would like to know is whether I can perform the tests on binaries that are self-signed with self-created cross certificates (using makecert), and then in step 2, use those HLK results along with the *real* "organization signed" binaries.

That is, does Microsoft only check that the underlying driver is the same between the HLK results and the submitted drivers? Or do they check that those are the same binaries *exactly* (including the signature)?

The reason that I am even asking is that our signing machine is in a different network. And in order to get signed drivers back into the network with the HLK, it takes another "round" of bringing files back and forth, which I would be happy if we can do without.

Thanks

Comments

  • Tim_Roberts Member - All Emails Posts: 14,093
    On Jun 10, 2018, at 11:36 PM, [email protected] <[email protected]> wrote:
    >
    > What I would like to know is whether I can perform the tests on binaries that are self-signed with self-created cross certificates (using makecert), and then in step 2, use those HLK results along with the *real* "organization signed" binaries.
    >
    > That is, does Microsoft only check that the underlying driver is the same between the HLK results and the submitted drivers? Or do they check that those are the same binaries *exactly* (including the signature)?

    In theory, the certificates are not included in the PE file checksum, and I believe that's what HLK uses to validate it is the same driver you tested.

    It is not strictly necessary to sign the binaries you send to the dashboard. You have to sign the HLK results, but WHQL is going to sign your binaries, create a new CAT, and sign that.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • Peter_Viscarola_(OSR) Administrator Posts: 8,665
    What Mr. Roberts said is entirely correct.

    You *only* need the EV cert to prove who you are for your dashboard account. You can then use either that EV cert, or a non-EV cert (that you have ALSO registered with the dashboard) to sign submissions.

    As Mr. Roberts said, you *can* use your EV cert to sign your binaries... and there's really no reason not to.

    Peter
    OSR
    @OSRDrivers


  • Formerly_R0b0t1 Unsubscribed Member Posts: 131
    On Mon, Jun 11, 2018 at 11:14 AM, [email protected] <[email protected]> wrote:
    > What Mr. Roberts said is entirely correct.
    >
    > You *only* need the EV cert to prove who you are for your dashboard account. You can then use either that EV cert, or a non-EV cert (that you have ALSO registered with the dashboard) to sign submissions.
    >
    > As Mr. Roberts said, you *can* use your EV cert to sign your binaries... and there's really no reason not to.
    >

    It's probably easier to revoke your non-EV certificate in the case the certificate is compromised.

  • zx2c4 Member Posts: 14

    > In theory, the certificates are not included in the PE file checksum, and I believe that's what HLK uses to validate it is the same driver you tested.

    Was this theory ever validated? I'm running into more or less the same matter now with an HLK automation situation. EV certificates aren't even accepted for kernel development any more, and I don't want to submit test-signed drivers to WHQL. So the idea is to run HLK on test-signed drivers, and then run signtool remove /s ... to remove the signatures, and then attach the signature-less driver to the hlkx file for submission to WHQL. The question is whether that final modification -- stripping the test signature -- will be accepted.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,665

    Nice job, following-up with a question to a post that's 3 years old. You know we ~~prohibit~~ discourage that, right??

    > EV certificates aren't even accepted for kernel development any more

    How on EARTH did you come to that conclusion?

    If you have a question, please... just start a new thread. This old thread is closed. We'll discuss your issue in the new thread, once you start it.

    Peter


This discussion has been closed.
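
An added example, not part of the original thread: a local check for the question in Tim Roberts's and zx2c4's posts, namely whether two builds of a driver differ only in their embedded signature. It computes the Authenticode image hash, which skips the CheckSum field, the Certificate Table directory entry and the certificate table itself; what HLK or the dashboard actually compares is not established by the thread. `authenticode_digest` and `build_sample` are hypothetical names, the sample image is constructed, and a standard linker layout (sections in file order, certificate table appended last) is assumed.

```python
import hashlib
import struct

def authenticode_digest(pe: bytes, alg: str = "sha256") -> str:
    """Hash a PE image while skipping the three regions that signing rewrites."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24                       # PE signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                     # OptionalHeader.CheckSum, 4 bytes
    dirs = opt + (96 if magic == 0x10B else 112)
    cert_entry = dirs + 4 * 8               # directory 4 = Certificate Table
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:   # NumberOfRvaAndSizes
        raise ValueError("no Certificate Table directory entry")
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_entry)  # file offset, size
    if cert_off == 0:                       # unsigned: nothing to skip at the end
        cert_off, cert_len = len(pe), 0
    if cert_off < cert_entry + 8 or cert_off + cert_len > len(pe):
        raise ValueError("certificate table out of bounds")
    h = hashlib.new(alg)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_entry])
    h.update(pe[cert_entry + 8:cert_off])
    h.update(pe[cert_off + cert_len:])
    return h.hexdigest()

def build_sample(code: bytes, cert: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton (not loadable) standing in for a driver file."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)             # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)             # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)          # NumberOfRvaAndSizes
    if cert:                                            # fields a signing tool rewrites
        struct.pack_into("<I", hdr, opt + 64, 0x1234)   # recomputed CheckSum
        struct.pack_into("<II", hdr, opt + 144, 0x400, len(cert))
    return bytes(hdr) + code.ljust(0x200, b"\0") + cert

if __name__ == "__main__":
    unsigned = build_sample(b"\x90" * 16)
    test_signed = build_sample(b"\x90" * 16, b"TEST-SIGNATURE--")
    print(authenticode_digest(unsigned) == authenticode_digest(test_signed))
```

On real files, read the tested and the to-be-submitted `.sys` with `open(path, "rb").read()` and compare the two digests; equal digests mean the images differ only in the regions that signing rewrites.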
