Driver signing changes coming next year

Jason_T. Member Posts: 72

Hello,

Last week I came across this link:

https://knowledge.digicert.com/alerts/Kernel-Mode.html

It suggests that as of April 2021 the notion of cross-signing certs will no longer be supported. Instead, all signing will be performed by Microsoft. As we all know, currently, the process involves signing a binary locally with our own cert, then uploading the file to Microsoft's portal where it gets a second signature from Microsoft. During the initial portal setup, we have to sign a test binary with our local cert, but that local cert is never directly given to Microsoft.

Does anyone know how all of this will work after April 2021? I recently renewed my cert for 3 years but was able to get the cert provider to issue a partial refund for 2 years worth. They told me "Microsoft has not yet disclosed how this will work, but it won't involve a cert from us". Is that true?

-JT

Comments

  • Tim_Roberts Member - All Emails Posts: 13,403

    Microsoft announced this last summer, and we raised a hue and cry in this forum. I ASSUME the policy will be rescinded based on negative industry feedback, but I have not heard a followup. Unless they change the attestation process so that it signs for older operating systems, the policy they have announced is unworkable. It would prevent us from releasing binaries for systems prior to Windows 10.

    Technically speaking, you don't have to sign your binary before submitting it to Microsoft. You don't get a second signature -- they replace yours with theirs. You DO have to sign the cabinet that you submit, and that certificate has to be one that is registered with your dashboard account. And, of course, you need an EV cert to create and maintain your dashboard account. So, you will still require an EV certificate, even if this goes into place.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Jason_T. Member Posts: 72

    Thanks for responding, Tim.

    I'm not clear on what you mean by "you don't get a second signature - they replace yours with theirs". I see that happening on the .cat file since it is a non-PE file which can only contain a single signature. But on the .sys, the version I download after the attestation signing completes has both my signature and Microsoft's. Did I misunderstand your comment?

    -JT

  • Tim_Roberts Member - All Emails Posts: 13,403

    The CAT file can handle multiple chains, but they throw away your CAT file and build a brand new one. You don't actually have to include one in your package, just like you don't have to sign the binaries. I didn't remember that they left the binary signatures either, but perhaps I misremembered.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
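The two steps the thread describes, packaging the driver in a cabinet signed with the EV certificate that is registered on the dashboard account, and then checking which signatures the returned .sys and .cat actually carry, as an added example that is not code from either poster. It assumes the Windows SDK's signtool.exe and the inbox makecab.exe/expand.exe are on PATH, that the EV certificate is in the current user's personal store and is identified by the placeholder thumbprint below, and that the driver and download paths are placeholders; the DDF settings are the usual ones for a Partner Center submission cab. Following Tim's point, the binaries themselves are not signed here and no .cat is packaged, only the cab is signed.

```powershell
# Added example, not from the original thread. All paths, the thumbprint and the
# timestamp server are placeholders to be replaced with your own.
$ErrorActionPreference = 'Stop'

$DriverDir = 'C:\build\mydriver\x64\Release'                 # assumed: contains mydriver.inf and mydriver.sys
$CabDir    = 'C:\build\submit'
$CabName   = 'mydriver.cab'
$EvThumb   = '0000000000000000000000000000000000000000'      # placeholder: EV code-signing cert thumbprint
$Tsa       = 'http://timestamp.digicert.com'                 # assumed RFC 3161 timestamp server

# --- 1. Build the submission cabinet -----------------------------------------
New-Item -ItemType Directory -Path $CabDir -Force | Out-Null

# makecab takes a Diamond Directive File; DestinationDir keeps the driver files
# in a subfolder inside the cab, which is what the portal expects.
$ddf = @"
.OPTION EXPLICIT
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetNameTemplate=$CabName
.Set DiskDirectoryTemplate=$CabDir
.Set DestinationDir=mydriver
$DriverDir\mydriver.inf
$DriverDir\mydriver.sys
"@
$ddfPath = Join-Path $env:TEMP 'mydriver.ddf'
Set-Content -Path $ddfPath -Value $ddf -Encoding ASCII
makecab.exe /f $ddfPath

# --- 2. Sign the cabinet (and only the cabinet) with the registered EV cert ---
$cabPath = Join-Path $CabDir $CabName
signtool.exe sign /v /fd sha256 /tr $Tsa /td sha256 /sha1 $EvThumb $cabPath

# Confirm the cab verifies under the default Authenticode policy before upload.
signtool.exe verify /v /pa $cabPath

# --- 3. After attestation signing: inspect what came back ----------------------
# Assumed location of the cab downloaded from the portal once signing completes.
$Signed    = 'C:\build\signed\mydriver_signed.cab'
$SignedDir = 'C:\build\signed\out'
New-Item -ItemType Directory -Path $SignedDir -Force | Out-Null
expand.exe -F:* $Signed $SignedDir | Out-Null

# /all walks every signature in a multi-signed PE, so the output shows whether the
# .sys carries one signer or two. A .cat holds a single signature, so /all is omitted.
Get-ChildItem $SignedDir -Recurse -Filter '*.sys' | ForEach-Object {
    Write-Host "== $($_.FullName)"
    signtool.exe verify /v /pa /all $_.FullName
}
Get-ChildItem $SignedDir -Recurse -Filter '*.cat' | ForEach-Object {
    Write-Host "== $($_.FullName)"
    signtool.exe verify /v /pa $_.FullName
}

# The primary signer as Windows itself reports it, for each returned file.
Get-ChildItem $SignedDir -Recurse -Include '*.sys','*.cat' |
    Get-AuthenticodeSignature |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize
```

The `/all` switch is what makes step 3 useful: `signtool verify` without it reports only the primary signature, which is why a quick check can miss a second signer. Comparing the signer list on the returned .sys against the single signer on the returned .cat is the check that settles the question raised in the thread for a given submission.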
