Digicert revoking kernel code signing certs with expiration after June 30, 2021

Gabe_Jones Member Posts: 75

We just received an e-mail from Digicert, a portion of which I'll quote here:

Microsoft recently notified us that one or more of the code signing certificates your organization uses to sign kernel-mode driver packages expires after June 30, 2021. According to Microsoft's guidelines, certificates used to sign kernel-mode driver packages must expire before this date. You can find more information about Microsoft's guidelines on the Microsoft docs site.
Starting on August 10, 2020, Microsoft will require that we revoke any code signing certificates that expire after June 30, 2021 and that are used to sign kernel-mode driver packages.

They further go on to say that they'll replace our certificate with one that expires on April 15, 2021, the same day as the updated cross-certificate expiration.

We've previously been aware that the cross-certificates would expire early next year (the one we use was slated to go poof on Feb. 22, 2021). The Microsoft doc they reference mentions this, and it further stresses that certificates that expire after that will continue to work, just not for KMCS purposes. Nowhere do I see anything about a June 30 date or anything about revocation. Has anyone heard this information previously?

They also mentioned nothing about any compensation we may receive for losing over half of the duration of our 3-year certificate.

What are the impacts of the certificate being revoked? Is this comparable to an early expiration (e.g., new signatures will not work, but older code countersigned with a timestamp will continue to operate), or will even older code signed with this certificate now fail to load?

Comments

  • Mark_Roddy Member - All Emails Posts: 4,367
    via Email
    It just means that the cert can't sign anything after the expiration date.
    Before that all your signed stuff is good forever.

    I personally hate this, as it will make our dev and test process subsist on
    test signed drivers. For small companies and independent developers it
    imposes the additional WHQL burden, or attestation signing which is easy
    but useless for older OS versions. We have to WHQL everything anyway so the
    only burden is adding test mode to our test systems.

    Mark Roddy
  • Gabe_Jones Member Posts: 75

    Thanks for the clarification.

    I wish Microsoft would announce that they are extending attestation signing to work for Windows 7 & 8.1. We don't have to WHQL most things, and the thought of having to do so just to drag along Windows 8.1 (7 will be gone soon enough) is not the least bit appealing.

  • Tim_Roberts Member - All Emails Posts: 13,605

    I think they will HAVE to do that. There are many classes of drivers that do not have a WHQL category. Without attestation signing, you would have to instruct all of your users on how to add your certificate to their root store. Since most users are morons, that will simply never work.

    Tim Roberts
    Providenza & Boekelheide, Inc.

  • Dejan_Maksimovic Member - All Emails Posts: 335
    via Email
    Win7 will outlive W8. It always had a bigger market share and a happy user base.

    OT: As soon as I can no longer use W7 I am out of the Windows arena, and into
    *nix.
  • Gabe_Jones Member Posts: 75

    @Dejan_Maksimovic said:
    Win7 will outlive W8. It always had a bigger market share and a happy user base.

    In general, I agree. In my specific case, though, we tend to sunset OS support within a year or two after Microsoft does so. Win7 will be gone for me before this time next year. I wish Win8.1 would go at the same time, and then I wouldn't have to care about the "will attested signing work for backlevel OSes or not" question.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,050

    I am actively trying to get an updated, definitive, answer to what the precise plan is for driver signing for Windows OS versions prior to Win10. I think this is a very important issue.

    I’ll let you all know when/if I hear anything definitive.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Gabe_Jones Member Posts: 75

    @Peter_Viscarola_(OSR) said:
    I am actively trying to get an updated, definitive, answer to what the precise plan is for driver signing for Windows OS versions prior to Win10. I think this is a very important issue.

    I’ll let you all know when/if I hear anything definitive.

    Thank you, Peter. As always, you are on top of things.

  • Kierstein Member Posts: 3

    DigiCert has replaced our certificate with one expiring on April 15th, 2021. Support has been great to work with. However, when I sign the driver I work on with the new certificate, put it through the HLK process, and submit it to Microsoft, it doesn't seem to work. It may be this recent event or another problem. I get the error "A certificate was explicitly revoked by its issuer" when starting the driver with NET START. I have the SignTool command and the SignTool verification output from before and after submitting the driver to the Microsoft portal, if that helps.

  • Tim_Roberts Member - All Emails Posts: 13,605

    Are you saying the HLK process did work? I was going to remind you that, if you have a new certificate, you have to register it with your dashboard account, but if the process worked and it's the returned driver that doesn't, then I'm all wet.

    Tim Roberts
    Providenza & Boekelheide, Inc.

  • Kierstein Member Posts: 3

    Tim,
    Yes, I did register the new certificate with the Microsoft Partner portal, and removed the old one so that the portal only showed the valid certificate. Thanks for the double-check.
    I am including the SignTool command and verification output for both the pre and post portal process. If anyone sees something amiss, please say so, and many thanks!
    Barry

    ======== Signing the catalog file before Microsoft Portal submission ========

    Sign kit with this command - use with the new certificate from DigiCert for Microsoft changes for certificates

    SignTool sign /v /tr http://timestamp.digicert.com ^
    /td sha256 /fd sha256 ^
    /ac DigiCert_High_Assurance_EV_Root_CA.crt ^
    /sha1 044270294D3D56BC942163859C4180D074E67626 ^
    AmNdis60.cat

    C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\AM_E32-1_Driver_Package2\AM_E32_Driver_Package2> SignTool sign /v /tr http://timestamp.digicert.com
    More? /td sha256 /fd sha256 ^
    More? /ac DigiCert_High_Assurance_EV_Root_CA.crt ^
    More? /sha1 044270294D3D56BC942163859C4180D074E67626 ^
    More? AmNdis60.cat
    The following certificate was selected:
    Issued to: VMS Software, Inc.
    Issued by: DigiCert EV Code Signing CA (SHA2)
    Expires: Thu Apr 15 08:00:00 2021
    SHA1 hash: 044270294D3D56BC942163859C4180D074E67626

    Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 09:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 15:55:33 2021
        SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143
    
            Issued to: DigiCert EV Code Signing CA (SHA2)
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 08:00:00 2027
            SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3
    
                Issued to: VMS Software, Inc.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                Expires:   Thu Apr 15 08:00:00 2021
                SHA1 hash: 044270294D3D56BC942163859C4180D074E67626
    

    Done Adding Additional Store
    Successfully signed: amndis60.cat

    Number of files successfully Signed: 1
    Number of warnings: 0
    Number of errors: 0

    C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\AM_E32-1_Driver_Package3_Signed_CAT\AM_E32_Driver_Package2>SignTool verify /v /pa AmNdis60.cat

    Verifying: amndis60.cat

    Signature Index: 0 (Primary Signature)
    Hash of file (sha256): D50C4EBC2382F1CAA125CA86FA14402E767264CA130E11E47C5E0CBA1B55A839

    Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires: Sun Nov 09 20:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert EV Code Signing CA (SHA2)
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Apr 18 08:00:00 2027
        SHA1 hash: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3
    
            Issued to: VMS Software, Inc.
            Issued by: DigiCert EV Code Signing CA (SHA2)
            Expires:   Thu Apr 15 08:00:00 2021
            SHA1 hash: 044270294D3D56BC942163859C4180D074E67626
    

    The signature is timestamped: Thu Aug 06 18:23:03 2020
    Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires: Sun Nov 09 20:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 08:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
    
            Issued to: TIMESTAMP-SHA256-2019-10-15
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Wed Oct 16 20:00:00 2030
            SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5
    

    Successfully verified: amndis60.cat

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    ======= Driver file signatures after Microsoft Portal submission =======

    C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\Signed_1152921505690983398\drivers\7de375ef-c700-4aa6-b8b5-79daca58e9b2>SignTool verify /v /pa AmNdis60.sys

    Verifying: AmNdis60.sys

    Signature Index: 0 (Primary Signature)
    Hash of file (sha256): FA29D8CD0C2F1F59367E5FF66DC1AD9C92333540436F2C1690BD0ED5C51C9035

    Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sat Jun 23 18:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Windows PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Sun Jul 06 16:50:23 2025
        SHA1 hash: C01386A907496404F276C3C1853ABF4A5274AF88
    
            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows PCA 2010
            Expires:   Sun Jan 31 15:16:16 2021
            SHA1 hash: F8CB95569B64E7395CA7FA910449D82870C63F3E
    

    The signature is timestamped: Thu Aug 06 21:21:31 2020
    Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sat Jun 23 18:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Time-Stamp PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Tue Jul 01 17:46:55 2025
        SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
    
            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA 2010
            Expires:   Tue Mar 16 21:15:00 2021
            SHA1 hash: 313D4B1BF280123D17B222FD9FB9B1997D5A7D9B
    

    Successfully verified: AmNdis60.sys

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\Signed_1152921505690983398\drivers\7de375ef-c700-4aa6-b8b5-79daca58e9b2>SignTool verify /v /pa /c AmNdis60.cat AmNdis60.sys

    Verifying: AmNdis60.sys
    File is signed in catalog: C:\Users\VSISigning\Desktop\AM E32-1 driver and test submission 3 - no initial certificate\Signed_1152921505690983398\drivers\7de375ef-c700-4aa6-b8b5-79daca58e9b2\amndis60.cat
    Hash of file (sha1): B06E8E335E8581A4BA0FC5755F30DA4C1E5E79D1

    Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sat Jun 23 18:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Windows PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Sun Jul 06 16:50:23 2025
        SHA1 hash: C01386A907496404F276C3C1853ABF4A5274AF88
    
            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows PCA 2010
            Expires:   Sun Jan 31 15:16:16 2021
            SHA1 hash: F8CB95569B64E7395CA7FA910449D82870C63F3E
    

    The signature is timestamped: Thu Aug 06 21:21:29 2020
    Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sat Jun 23 18:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Time-Stamp PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Tue Jul 01 17:46:55 2025
        SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
    
            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA 2010
            Expires:   Tue Mar 16 21:15:00 2021
            SHA1 hash: 313D4B1BF280123D17B222FD9FB9B1997D5A7D9B
    

    Successfully verified: AmNdis60.sys

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0
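
Added example (not part of the original thread, and not OSR's, DigiCert's or Microsoft's code): a Python parser for the certificate-chain layout that SignTool prints with /v, as quoted in the post above. It reports whether the chain is rooted at the Microsoft cross-certificate root, which certificate expires first, and whether the signature timestamp precedes every expiry; the sample text, the subject "Example Vendor, Inc." and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the SignTool /v chain layout quoted in the thread.
SAMPLE = """\
Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 09:54:03 2025
        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 15:55:33 2021
            Issued to: DigiCert EV Code Signing CA (SHA2)
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 08:00:00 2027
                Issued to: Example Vendor, Inc.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                Expires:   Thu Apr 15 08:00:00 2021
The signature is timestamped: Thu Aug 06 18:23:03 2020
"""

FMT = "%a %b %d %H:%M:%S %Y"  # date layout used in SignTool's "Expires:" lines
FIELD = re.compile(r"^\s*(Issued to|Issued by|Expires|The signature is timestamped):\s*(.+?)\s*$")

def parse_chain(text):
    certs = []  # filled in output order, which is root first and leaf last
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "The signature is timestamped":
            # Entries printed after this line describe the timestamp authority.
            return certs, datetime.strptime(value, FMT)
        if key == "Issued to":
            certs.append({"subject": value})
        elif key == "Issued by" and certs:
            certs[-1]["issuer"] = value
        elif certs:
            certs[-1]["expires"] = datetime.strptime(value, FMT)
    return certs, None

def review(text, cross_root="Microsoft Code Verification Root"):
    certs, stamp = parse_chain(text)
    limit = min(certs, key=lambda c: c["expires"])  # first certificate to expire
    return {
        "cross_signed": certs[0]["subject"] == cross_root,
        "limited_by": limit["subject"],
        "chain_valid_until": limit["expires"],
        "stamped_in_validity": stamp is not None and all(stamp < c["expires"] for c in certs),
    }
```

The check reads expiry dates only; this code does not evaluate revocation status.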

  • Gabe_Jones Member Posts: 75
    edited August 11

    We are broken in a different way. We do almost no HLK/HCK testing (so I can't really speak to the situation seen by @Kierstein), but we have an extensive network of VMs and OS images that we use for automated driver testing. The root cert that our new DigiCert certificate chains back to is not present on these images. Of course, this yields the nice red "Do you want to trust this vendor anyway?" popup during driver install, which breaks unattended installations, so we now need to go update and resave all of our images. Fun.

    I still don't understand why this was necessary. The cross-certificate already expired early next year. I've not found any documented reference to revocation requirements or the June 2021 date. I assume this was some bulletin that only CAs were privy to. :/

  • Kierstein Member Posts: 3

    FYI - got the driver signed correctly and working with the new certificate. Used the reissued certificate from DigiCert, downloaded and used the cross-certificate for DigiCert from the Microsoft site, did normal HLK testing to create the test package, and then submitted to the Microsoft portal.

    Kudos to the DigiCert support people that helped connect the dots.

  • Gabe_Jones Member Posts: 75

    @Kierstein said:
    downloaded and used the cross-certificate for DigiCert from the Microsoft site

    Was that the missing piece?
