Need help understanding Windows user mode (winusb) driver signing

After having been away from Windows drivers since 2000 I find myself being asked to look at getting a driver signed. To say I’m thoroughly confused by the recent flux in signing policies is an understatement, and I hope some of you can help with what I’m sure are basic questions.

We produce a USB device which has a companion application which talks to the device via WinUSB (the application uses libusb if that’s relevant). There’s an .inf for the USB device whose primary purpose in life is to make WinUSB its function driver. We would like the driver to install on x86 and x64, from Win 7 up to current Windows 10 clients.

So the questions…

  1. Specifically for Windows 10 do we need to submit the package to the Microsoft hardware portal for signing (and if so is attestation signing sufficient)? I’ve seen stated in various places that user-mode drivers do not need to be Microsoft-signed, but also that with Win 10 Anniversary Edition and later user mode drivers are under the same restrictions as kernel mode drivers.
  2. For pre-Win10 should we produce a separate driver package with a cross-signed cab? Or is it possible (and relatively painless) to create a single package supporting Win 7 - 10? (We have an EV cert from SSL.com for which there appears to be no cross-certificate, so I assume we would need to obtain another cert from a Microsoft CA partner such as Digicert?)

Thanks in advance,
Mike

On May 8, 2019, at 5:43 PM, mm650 wrote:
>
> We produce a USB device which has a companion application which talks to the device via WinUSB (the application uses libusb if that’s relevant). There’s an .inf for the USB device whose primary purpose in life is to make WinUSB its function driver. We would like the driver to install on x86 and x64, from Win 7 up to current Windows 10 clients.

Are you aware that it’s possible to create custom string descriptors that will cause Windows to automatically load WinUSB, with no driver package at all?

> * Specifically for Windows 10 do we need to submit the package to the Microsoft hardware portal for signing (and if so is attestation signing sufficient)? I’ve seen stated in various places that user-mode drivers do not need to be Microsoft-signed, but also that with Win 10 Anniversary Edition and later user mode drivers are under the same restrictions as kernel mode drivers.

WinUSB is not a user-mode driver. Unless you use the Microsoft OS Descriptors, you need a PnP driver package, and that requires a Microsoft signature.

> * For pre-Win10 should we produce a separate driver package with a cross-signed cab? Or is it possible (and relatively painless) to create a single package supporting Win 7 - 10? (We have an EV cert from SSL.com for which there appears to be no cross-certificate, so I assume we would need to obtain another cert from a Microsoft CA partner such as Digicert?)

Because you have a PnP driver package (and not just a binary), you will need two packages. The issue is that the attestation signing process throws out your CAT file and creates a new one (WHQL does the same), and the new CAT file created by attestation is only marked for Win 10. And yes, the pre-10 package will need to be signed with a certificate that has a known cross-certificate.

Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
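
The Microsoft OS descriptors mentioned in the reply above can be checked offline from a device's raw descriptor bytes. The following is an added example, not part of the original thread or any poster's code; it covers only the version 1.0 layout (the string descriptor at index 0xEE plus the Extended Compat ID descriptor), and the function names and sample bytes are constructed for illustration.

```python
import struct

def parse_os_string(desc: bytes) -> int:
    """Return bMS_VendorCode from an MS OS 1.0 string descriptor (index 0xEE)."""
    # Layout: bLength=18, bDescriptorType=0x03, "MSFT100" in UTF-16LE, vendor code, pad.
    if len(desc) != 18 or desc[0] != 18 or desc[1] != 0x03:
        raise ValueError("not an 18-byte string descriptor")
    if desc[2:16].decode("utf-16-le") != "MSFT100":
        raise ValueError("signature is not MSFT100")
    return desc[16]

def parse_compat_id(desc: bytes) -> dict:
    """Map first-interface number -> compatible ID (Extended Compat ID descriptor)."""
    if len(desc) < 16:
        raise ValueError("header truncated")
    length, bcd_version, w_index, count = struct.unpack_from("<IHHB", desc, 0)
    if bcd_version != 0x0100 or w_index != 0x0004:
        raise ValueError("not a version 1.0 Extended Compat ID descriptor")
    if length != 16 + 24 * count or len(desc) < length:
        raise ValueError("length does not match section count")
    ids = {}
    for i in range(count):
        # 24-byte function section: interface, reserved, compatibleID[8],
        # subCompatibleID[8], reserved[6]
        iface, _rsvd, compat, _sub = struct.unpack_from("<BB8s8s", desc, 16 + 24 * i)
        ids[iface] = compat.rstrip(b"\x00").decode("ascii")
    return ids

def binds_winusb(string_desc: bytes, compat_desc: bytes) -> bool:
    """True if both descriptors are well formed and some function declares WINUSB."""
    try:
        parse_os_string(string_desc)
        return "WINUSB" in parse_compat_id(compat_desc).values()
    except ValueError:  # also covers UnicodeDecodeError
        return False

# Constructed sample bytes (not captured from a real device); vendor code 0x20 is arbitrary.
SAMPLE_STRING = bytes([18, 0x03]) + "MSFT100".encode("utf-16-le") + bytes([0x20, 0x00])
SAMPLE_COMPAT = (struct.pack("<IHHB7x", 40, 0x0100, 0x0004, 1)
                 + struct.pack("<BB8s8s6x", 0, 1, b"WINUSB", b""))

if __name__ == "__main__":
    print("vendor code:", hex(parse_os_string(SAMPLE_STRING)))
    print("compatible IDs:", parse_compat_id(SAMPLE_COMPAT))
    print("WinUSB declared:", binds_winusb(SAMPLE_STRING, SAMPLE_COMPAT))
```

A device whose firmware returns neither descriptor, as in the case discussed in this thread, fails this check and needs the signed PnP driver package instead.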

@Tim_Roberts said:

> Are you aware that it’s possible to create custom string descriptors that will cause Windows to automatically load WinUSB, with no driver package at all?

Unfortunately the horse has left the barn, so to speak, so it’s not possible to change the descriptors. Otherwise I agree that would be a preferable solution.

> WinUSB is not a user-mode driver. Unless you use the Microsoft OS Descriptors, you need a PnP driver package, and that requires a Microsoft signature.

Thanks for the clarification. I was unsure about that as the devs I’m working with keep saying we need to sign a user mode driver.

> Because you have a PnP driver package (and not just a binary), you will need two packages.

Once again thanks for clarifying things. I think I know what we need to do.