
EV code sign certificate

zvivered Member Posts: 57

Hello,

Currently I'm using Digicert's dongle to sign a Win10 driver.
After this stage, the driver is signed again by Microsoft by uploading the cab file to the Azure account.

I heard that starting from 2021, Digicert (or any other 3rd party) will not be part of this process.

Can you confirm this?

Thank you,
Zvika

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,886

    That’s news to me. That does not sound correct.... but anything is possible these days with driver signing.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Mark_Roddy Member - All Emails Posts: 4,346
    via Email
    The only part any cert providers will play anymore is to sell you an EV
    cert. What has changed is that MSFT is dropping support for third party
    root certs, so digicert won't be able to sell you a standard (non-EV)
    kernel mode code signing cert, as it won't work.

    Mark Roddy
  • Dejan_Maksimovic Member - All Emails Posts: 315
    via Email
    It can sell them, but NEITHER will work for signing drivers directly from
    a certain Win10 build.

    If EV cert RENEWALs are required, they would only be a bloody expense!


    There is ZERO real checking done to verify an entity.
    I have personally been involved in getting EVs for several companies. It
    is as if I ordered a KitKat and had to wait a few days for it.

    It is a plain money grab :(
  • Tim_Roberts Member - All Emails Posts: 13,483

    OK, here is what I know.

    Today, you do not need to sign your drivers at all in order to get them attestation signed. You must sign the cabinet file, in order to prove to Microsoft that you have the authority to submit drivers to that dashboard account. None of that will change. You will still need an EV cert to create your dashboard account, and you will need to sign your package with a cert that matches one in your account.

    Here's what's changing. Today, you can use your EV cert to sign your own drivers, doing cross-signing like we've always done, without involving Microsoft. Such a package works (and, indeed, is required) on systems older than Windows 10, and it even works on Windows 10 as long as "secure boot" is turned off in the BIOS. That whole mechanism is supposedly going away.

    I have STILL not heard anyone say how we are supposed to release drivers for older systems. Microsoft might not like it, but Windows 7 and 8.1 are still very much in the mainstream today. Without cross-signing, it won't be possible to create workable drivers on the older systems. The antitrust implications of that are disturbing, and I honestly thought that's the aspect that would force this to go away.

    And, frankly, I'm not sure how we WOULD learn. I'm not aware of any "official" channel for releasing critical notifications like this.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Mark_Roddy Member - All Emails Posts: 4,346
    via Email
    yup it is really just a development tax.

    Mark Roddy
  • Dejan_Maksimovic Member - All Emails Posts: 315
    via Email
    If I understood correctly, the cross-signing will just not work
    starting with some build of Windows 10.
    You can still cross-sign them for earlier versions, but HAVE to at
    least attestation sign them for the 2021 build of Windows 10 (whatever
    that build gets called/numbered).

    That still won't run on Secure Boot, I think? I.e. attestation signed
    drivers don't work on Secure Boot systems already, right?

    > I have STILL not heard anyone say how we are supposed to release drivers for
    > older systems. Microsoft might not like it, but Windows 7 and 8.1 are still
    > very much in the mainstream today. Without cross-signing, it won't be
    > possible to create workable drivers on the older systems. The antitrust
    > implications of that are disturbing, and I honestly thought that's the
    > aspect that would force this to go away.
    >
    > And, frankly, I'm not sure how we WOULD learn. I'm not aware of any
    > "official" channel for releasing critical notifications like this.
  • zvivered Member Posts: 57

    Hi All,
    Thank you very much!
    Zvika

  • Mark_Roddy Member - All Emails Posts: 4,346
    via Email
    What digicert told me is that cross signing certs will start expiring in
    2021 and will not be renewed. I have no idea how drivers will get signed
    outside of WHQL for win7/8/8.1.

    Mark Roddy
  • Peter_Viscarola_(OSR) Administrator Posts: 7,886

    @Dejan_Maksimovic ... yes, attestation signing works on secure boot.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_Roberts Member - All Emails Posts: 13,483

    Dejan, what the announcement said is they are shutting down the entire infrastructure for doing cross-signing. Not just that Windows won't accept the drivers, but that it will be impossible to DO the signing. That's a big problem.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Dejan_Maksimovic Member - All Emails Posts: 315
    via Email
    That'll teach me to "remember"...