Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Attestation signing - Is this accurate?

Erik_DabrowskyErik_Dabrowsky Member - All Emails Posts: 11

Hi,

I'm about 60 days out from having to renew our Symantec (Verisign) non-EV code signing certificate.
I'm considering switching to an EV cert so I can do attestation signing for our driver.
The driver is WDM, software only, with no associated physical hardware.
It does have an inf and cat file (which we also sign).

99% of our installs are on the windows server platform.

According to this Microsoft web page:
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

It says:
An attestation signed driver will only work for Windows 10. It will not work for other versions of Windows, such as Windows 8.1, Windows 7, or any Windows Server versions.
(emphasis mine)

Is that accurate?
Will an attestation signed driver work on Windows Server 2012R2 through 2019 (1809) ?
Or do I have to submit this "software only" driver through some sort of Microsoft testing?

Thanks,
Erik

Comments

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,138

    Is that accurate?

    No. Not now, and never has actually been implemented. This policy was announced, then rescinded. I theorize that MSFT doesn’t a actively and aggressively chase down those outdated references because they’d like as many folks as possible to get their drivers to pass the HLKs. Even if they do so because they mistakenly believe it’s required.

    I filed a bug with a buddy of mine who’s one of th doc writers to have that language removed from the msdn doc page. In doing he checked with program management.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 12,914
    via Email
    Peter_Viscarola_(OSR) wrote:
    >> Is that accurate?
    > No. Not now, and never has actually been implemented. This policy was announced, then rescinded.

    Well, hang on.  It is PARTLY correct.  What you're referring to is the
    proposed policy to require HLK testing for Windows Server 2016 and 2019,
    and there I agree with you.  Attestation signing works there just like
    Windows 10, since both are essentially Windows 10.

    However, the part about the OLDER systems (Windows 7, 8, 8.1, Server
    2012, 2012R2) is correct.  Attestation signing will NOT work for desktop
    or server systems older than Windows 10.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,138

    Thank you, Mr. Roberts. In my zest to be helpful (and answer for the umpteen-millionth time the “drivers won’t load on server if thy haven’t passed the HLKs” question) I was less clear than I should have been.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Erik_DabrowskyErik_Dabrowsky Member - All Emails Posts: 11

    Thanks for the clarification on that.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 25 Feb 2019 OSR Seminar Space
Developing Minifilters 8 April 2019 OSR Seminar Space