Driver Signing options for an independent developer

rumble06 Member Posts: 21

Probably this shouldn't be in this category, as the question is not really related to problems in developing the driver, but rather in releasing it.
So I'm an individual developer (with not so much experience, especially in kernel development; I'm just a 20yo) who wants to release an app that takes advantage of my own keyboard filter driver. The driver is almost done and what will remain to be developed is the app. I need to sign it so users can install it without putting their system in testsigning mode. The driver will be installed by the application's installer that will take advantage of it (like VirtualBox installs their drivers when you install VirtualBox). Reading other topics and driver signing guides from this forum, I understood that I need to sign my driver with an EV code signing certificate, as any other certificate won't work for a kernel driver. Are there any alternatives to the expensive 300$ EV certificates? Both the driver and the app would be launched as open-source, so I wouldn't make any profit from them and I do not really want to spend much money on this project. I would spend 100-150$ for a certificate if I have no other options, but 300$+ seems too much for me. Certum has a cheap certificate for open-source projects (50EUR for the cloud version), but I do not think that's gonna work for a driver. I see that GoDaddy has a ~180$ "Driver Signing Certificate", but in the description it says "Required for all Microsoft® hardware drivers on Windows Vista® and Windows 7" and nothing about Windows 10. Is it gonna work for a Windows 10 driver too? Are there any other affordable alternatives for an independent developer who wants to launch an open-source project?

Comments

  • Tim_Roberts Member - All Emails Posts: 13,605

    No, there is no alternative. You are correct that the GoDaddy certificate will not work for Windows 10. For Windows 10, your driver must be signed by Microsoft itself. In order to do that, you have to create a Hardware Dashboard account. To do THAT, you need an EV certificate. To do THAT, you have to be a corporation. Individuals cannot get one.

    An open source driver would usually be released in source form. That doesn't need a certificate, of course. The people who want to build and use your driver would either need their own certificate, or to put their system in "test" mode.

    Microsoft is not interested in hobbyist drivers. Drivers significantly impact system stability and security. They want drivers done by professionals.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Xiaofan_Chen Member - All Emails Posts: 191

    FYI last time libusb-win32 and libusbk developer Travis Robinson was able to get a 3-year DigiCert High Assurance EV SHA1 cert in 2014 to sign the driver. Money was donated by the community (through libusb-win32 mailing list and libusb mailing list). Now it may be more difficult.

    Since we have no new release of libusb0.sys (last release was in 2012) and libusbk.sys (last release was in 2014), we are not worried about kernel driver signing now (the cert expired in 2017). We are now encouraging users to move to WinUSB even though there are still users who want to use the two drivers.
    Ref: https://github.com/libusb/libusb/issues/741

    Since the two drivers (libusb0.sys and libusbk.sys) were signed with a valid certificate before the Windows 10 release, they are still working fine in Windows 10. For driver package (with inf) installation, there is a work-around. You can use libwdi/Zadig to install the driver packages.
    Ref: https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

  • Xiaofan_Chen Member - All Emails Posts: 191
    edited September 7

    Other options:
    1) Find another developer who has the valid certificate who is willing to help to sign the driver for you.
    2) Register as a company and buy the EV certificate. For money you can try to collect through donation. Back in 2014, we got enough donation to buy a 3-year DigiCert EV certification for US$535.

  • rumble06 Member Posts: 21
    edited September 7

    @Tim_Roberts said:
    An open source driver would usually be released in source form. That doesn't need a certificate, of course. The people who want to build and use your driver would either need their own certificate, or to put their system in "test" mode.

    Target user of the app wouldn't only be developers and tech savvy users so the app install experience should be the classic "next, next, install, finish".

    @Xiaofan_Chen said:
    For driver package (with inf) installation, there is a work-around. You can use libwdi/Zadig to install the driver packages.
    Ref: https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

    But would Microsoft see it as trusted for kernel-mode? I thought the "extended validation" meaning from the 'EV' certificate means that it has a second step to validate (which a standard certificate, like a self-signed one or a normal code signing certificate, wouldn't pass). My driver would be installed as an upperfilter class driver, which from what I saw on this forum isn't really possible with an .inf file because .inf can't edit a REG_MULTI_SZ record (a workaround I can think of tho is to install the driver with .inf and then have the app installer modify the registry). If this method works (adding the self-signed certificate in the trusted certificates list by the installer), I'm down to go with this one.

    @Xiaofan_Chen said:
    Other options:
    1) Find another developer who has the valid certificate who is willing to help to sign the driver for you.

    Taking into account what I said below (registering a company myself)

    2) Register as a company and buy the EV certificate. For money you can try to collect through donation. Back in 2014, we got enough donation to buy a 3-year DigiCert EV certification for US$535.

    Even ignoring the extra cost for registering a company, I would have to make sure that the company is within the law (e.g. in profit-reporting; I'm not even sure if I can register a company in IT, as in my country you need to be a professional in the domain you want to open the company in and I'm still a student, I haven't finished my bachelor's degree yet), which would probably require paying a lawyer/accountant at least once per year to make sure everything is ok. This is the least option I would like to go with.

  • Xiaofan_Chen Member - All Emails Posts: 191

    I understand it is not easy to get an EV certificate. And as Tim mentioned that Microsoft is not interested in hobbyist drivers. So you can always leave it in the source format if it is difficult for you to go through the hassle.

    I think for the libwdi method to work, the driver file (.sys) needs to be properly signed first with an EV certificate. So it does not apply to your case as you do need an inf file and your driver (.sys file) is not yet signed.

  • Xiaofan_Chen Member - All Emails Posts: 191
    edited September 7

    libwdi still works under latest version of Windows 10.
    Ref for old discussion: https://community.osr.com/discussion/271918/libwdi-and-windows-10

    You can try the methodology as well by generating a test certificate on the fly. My take is that it may not work if your .sys driver is not signed. But no harm trying.

  • rumble06 Member Posts: 21

    @Xiaofan_Chen said:
    I understand it is not easy to get an EV certificate. And as Tim mentioned that Microsoft is not interested in hobbyist drivers. So you can always leave it in the source format if it is difficult for you to go through the hassle.

    I think for the libwdi method to work, the driver file (.sys) needs to be properly signed first with an EV certificate. So it does not apply to your case as you do need an inf file and your driver (.sys file) is not yet signed.

    Tried to add the test-signed certificate generated by VS to the Root and Trusted Publishers directory and yes indeed, the driver failed to start because of an invalid certificate. As I said, publishing the driver source code or an unsigned version of it wouldn't be an option, as the user would have to put his computer in testsigning mode. Creating a company just for this and paying a lot of money not only for the EV certificate but also for creating the company isn't worth it.
    I think I'll go with: first, finishing the driver and the app so they are ready for production; second, when they're ready for production I'm gonna try to find someone with an EV certificate that would like to sign my driver with his certificate (for a fee), or try to find someone with a business which would want to buy the certificate for me and I'm gonna pay for it.

  • Tim_Roberts Member - All Emails Posts: 13,605

    ... try to find someone with a business which would want to buy the certificate for me and I'm gonna pay for it.

    As a young and idealistic student ;), I don't think you appreciate what you're asking here. There are legal implications that would make such a tactic extremely unwise.

    An EV certificate is a legal statement by a certificate provider saying "I have verified through multiple mechanisms that the company named in this certificate is who they say they are, and that the holder of this certificate is authorized to act on behalf of the company." I don't think you'll find a company who is willing to authorize you to act on their behalf.

    As I mentioned, you use that certificate to open a hardware dashboard account with Microsoft. Opening that account requires you to sign a number of legal documents on behalf of the company, such as codes of conduct and authorizations. Unless you are an employee, you could not in good faith sign most of those documents.

    It's an ugly situation, and it makes Linux look more and more appealing.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Dejan_Maksimovic Member - All Emails Posts: 335
    via Email
    Any ideas how easy it is to register a company remotely?
    A good bunch of companies get EVs that way.

  • Martin_Dráb Member - All Emails Posts: 82

    Creating a company just for this and pay a lot of money not only for the EV certificate but also for creating the company isn't worth it.

    Well, personally I am more afraid of the extra paperwork and bureaucracy required to manage such a company. Actually, I have not created a company yet exactly for these reasons. I need to study the subject more.

    as in my country you need to be a professional in the domain you want to open the company and I'm still a student

    It depends how "being a professional in the domain" is defined. In certain domains, you definitely need to pass some "examination" but there are plenty of domains (most of IT stuff included) where you just pay a fee and become a professional (for the law at least). The fact that you are a student is not a problem. At least, in my country.

    In 2011, as a young and idealistic student, I acquired my code signing certificate (from Symantec). Since I knew nothing about notarized letters at international level at that time, I had a really hard time going through the verification process (which was quite rigorous although I was just an Individual -- I have never experienced something like that when requesting a non-EV code signing certificate from other CAs). IIRC I succeeded on my second attempt...

    To sum it up, money was just a minor issue :-).

    Martin Dráb

  • Xiaofan_Chen Member - All Emails Posts: 191
    via Email
    On Mon, Sep 7, 2020 at 8:15 PM rumble06 wrote:
    > I think I'll go with: first, finishing the driver and the app so they are ready for production; second, when they're ready for production I'm gonna try to find someone with an EV certificate that would like to sign my driver with his certificate (for a fee), or try to find someone with a business which would want to buy the certificate for me and I'm gonna pay for it.

    Yes it is more important to finish the driver first.
    As for finding someone with an EV Certificate to sign your driver, it
    will depend on how useful your driver is and how you interact with the
    community. No harm trying.

    Create a github repo, set up a mailing list, build up the community,
    and then probably there will be someone who has interests in the
    driver and then help signing the driver. For example, the initial
    signed libusb-win32 kernel driver libusb0.sys is not signed by the
    developer (Travis) but from another developer who trusted us. Later
    Travis got a GlobalSign signing certificate when it was still open to
    personal developers to sign the final release of libusb0.sys (back in
    2012).

    Last time, there were a few organizations who would help on signing
    open source windows drivers for free (they would get the source, build
    the binary themselves, and then sign the driver). But it seems to me
    those efforts have disappeared after the Windows 10 requirements.

    Ref:
    1) Driver Signing by ReactOS Foundation
    https://reactos.org/wiki/Driver_Signing
    2) signed-drivers project
    https://sourceforge.net/projects/signed-drivers/

  • rumble06 Member Posts: 21

    @Tim_Roberts said:

    ... try to find someone with a business which would want to buy the certificate for me and I'm gonna pay for it.

    As a young and idealistic student ;), I don't think you appreciate what you're asking here. There are legal implications that would make such a tactic extremely unwise.

    An EV certificate is a legal statement by a certificate provider saying "I have verified through multiple mechanisms that the company named in this certificate is who they say they are, and that the holder of this certificate is authorized to act on behalf of the company." I don't think you'll find a company who is willing to authorize you to act on their behalf.

    As I mentioned, you use that certificate to open a hardware dashboard account with Microsoft. Opening that account requires you to sign a number of legal documents on behalf of the company, such as codes of conduct and authorizations. Unless you are an employee, you could not in good faith sign most of those documents.

    It's an ugly situation, and it makes Linux look more and more appealing.

    I know it won't be easy, and my idea wasn't for me to register the Microsoft account or for me to have access to the certificate. My idea was that the company would buy it, take the source code of my driver, build it themselves and release it/give the signed file to me so I can release it. But you're right, even that would probably be hard.

    @Martin_Dráb said:

    Well, personally I am more afraid of the extra paperwork and bureaucracy required to manage such a company. Actually, I have not created a company yet exactly for these reasons. I need to study the subject more.

    I'm in the same situation, even if I can wait 2-3 months until I have enough money for both the certificate and registering a company, I know nothing about companies and bureaucracy.

    It depends how "being a professional in the domain" is defined. In certain domains, you definitely need to pass some "examination" but there are plenty of domains (most of IT stuff included) where you just pay a fee and become a professional (for the law at least). The fact that you are a student is not a problem. At least, in my country.

    Either by having a bachelor's degree in that domain (for which I still have to wait 2 more years) or by having finished a "recognized" lessons program (which usually cost a lot).

    @Xiaofan_Chen said:
    On Mon, Sep 7, 2020 at 8:15 PM rumble06 wrote:
    Yes it is more important to finish the driver first.
    As for finding someone with an EV Certificate to sign your driver, it
    will depend on how useful your driver is and how you interact with the
    community. No harm trying.

    Create a github repo, set up a mailing list, build up the community,
    and then probably there will be someone who has interests in the
    driver and then help signing the driver. For example, the initial
    signed libusb-win32 kernel driver libusb0.sys is not signed by the
    developer (Travis) but from another developer who trusted us. Later
    Travis got a GlobalSign signing certificate when it was still open to
    personal developers to sign the final release of libusb0.sys (back in
    2012).

    Last time, there were a few organizations who would help on signing
    open source windows drivers for free (they would get the source, build
    the binary themselves, and then sign the driver). But it seems to me
    those efforts have disappeared after the Windows 10 requirements.

    Ref:
    1) Driver Signing by ReactOS Foundation
    https://reactos.org/wiki/Driver_Signing
    2) signed-drivers project
    https://sourceforge.net/projects/signed-drivers/

    I'm not sure if people would use it or find it as interesting as I find it, but I hope so. Pretty much the driver and the app (or API, if someone wants to build a better app than mine but with the same driver) would allow setting up per-keyboard macros. I tried to do something similar using the Windows API without going to kernel, but that's not really possible in Windows (with raw input you can't cancel or modify inputs but you can see from which keyboard it comes, and with the WH_KEYBOARD_LL event you can cancel the key press but you can't see from which keyboard it comes, and the WH_KEYBOARD_LL event comes before the raw input, so I can't use both of them to achieve a solution without using kernel). There is already a similar driver on the market (called Interception), but the driver is closed-source and once you have 10 devices plugged into the computer it would forcefully fail the connection of every device plugged in after (my keyboard alone creates 3 devices inside device manager), so that is not an option. My idea is to launch it as open-source so that if anyone is interested in it and more experienced than me, they can improve it or take advantage of it. Found out about Interception from Taran (a linustechtips employee); he has like 2-3 videos on Linus's channel talking about this problem and how he didn't find a GOOD solution yet, and I'm trying to fill this gap and help the community. So I hope it'll be interesting enough that I can get someone to build the project from the source and sign it with their own certificate.

  • Xiaofan_Chen Member - All Emails Posts: 191

    Sounds interesting. Based on your description, I think your driver
    will attract some users and someone may get interested to help you.

    Wish you all the best for your driver development journey.

    Windows driver development is a niche. Open Source Windows driver
    development by independent developers is even more of a niche. So I
    think you should be encouraged rather than getting discouraged.

