Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Question regarding Deprecation of Software Publisher Certificates?

2

Comments

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 450
    via Email
    You cannot cross sign a driver with an OV certificate and have it load on
    Win10.
    At least it never worked for me, unless the driver was signed before ~June
    2015.
  • CaptainFlintCaptainFlint Member Posts: 73

    @Dejan_Maksimovic said:
    You cannot cross sign a driver with an OV certificate and have it load on Win10.
    At least it never worked for me, unless the driver was signed before ~June 2015.

    Same with EV. They have no difference in this respect.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,769
    edited March 2

    OK... I've moved my post to a new thread so it'll be more visible to those who haven't been following this topic:

    New thread here.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,769

    @john_smith1978

    Since mid-2015 all SHA-2 code signing certificates are issued from our OVCS or EVCS issuing CAs. These issuing CAs are subordinate to Our G2 CA cert. G2 was also cross-certified by Microsoft...

    If "subordinary to" technically means "chain-up to" (which would be reasonable) then such a cert **should **be usable with the G2 cross-cert to cross-sign drivers, and let them load on down-level versions of Windows. The only catch is if MSFT decides to revoke the root cert to which the cross-cert chains up. That doesn't seem realistic, though. Everything that chains-up to that cert would be invalidated.

    I wish Entrust would make it easier to buy a Code Signing Cert from them... OV would be sufficient for this purpose.

    I hope somebody gets one of these, cross-signed, and posts the cert chain so we'll all know for sure.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • CaptainFlintCaptainFlint Member Posts: 73

    @Peter_Viscarola_(OSR) said:
    I wish Entrust would make it easier to buy a Code Signing Cert from them... OV would be sufficient for this purpose.
    I hope somebody gets one of these, cross-signed, and posts the cert chain so we'll all know for sure.

    We are working on getting the Entrust EV. It will take a while, but as soon as I lay my hands on it, I'm going to check the chain (unless someone else manages to get it sooner).

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,769

    @CaptainFlint

    Thanks, Captain. We'll be grateful for whatever info you can provide.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • henrik_meidahenrik_meida Member Posts: 101

    @CaptainFlint said:

    @Peter_Viscarola_(OSR) said:
    I wish Entrust would make it easier to buy a Code Signing Cert from them... OV would be sufficient for this purpose.
    I hope somebody gets one of these, cross-signed, and posts the cert chain so we'll all know for sure.

    We are working on getting the Entrust EV. It will take a while, but as soon as I lay my hands on it, I'm going to check the chain (unless someone else manages to get it sooner).

    Hi Flint,

    Any update on that Entrust cert? did you get it? If so, can you please post the cert chain for us, so we can see if it in fact chains up to G2 CA?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,769

    You did see that MSFT said they would revoke the cert for anyone who used it after 1 July 2020 for cross-signing drivers for down level OS versions, right?

    Not sayin’ this makes your question invalid... just wanted to be sure you saw MSFT’s most recent position on this.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • CaptainFlintCaptainFlint Member Posts: 73

    @henrik_meida said:
    Any update on that Entrust cert? did you get it? If so, can you please post the cert chain for us, so we can see if it in fact chains up to G2 CA?

    Unfortunately we met with some difficulties during the company verification stage, which have never occurred before. My colleagues are still fighting it... :(

  • henrik_meidahenrik_meida Member Posts: 101
    edited April 5

    @Peter_Viscarola_(OSR) said:
    You did see that MSFT said they would revoke the cert for anyone who used it after 1 July 2020 for cross-signing drivers for down level OS versions, right?

    Not sayin’ this makes your question invalid... just wanted to be sure you saw MSFT’s most recent position on this.

    Peter

    Yes i saw that, but we might have a shot at asking Microsoft for permission of cross signing with that cert only for supporting older operating systems like 7, i know its unlikely for them to accept but worth the shot. and we would obviously tell them why we can't pass the WHQL test for some of our drivers.

  • henrik_meidahenrik_meida Member Posts: 101

    @CaptainFlint said:

    @henrik_meida said:
    Any update on that Entrust cert? did you get it? If so, can you please post the cert chain for us, so we can see if it in fact chains up to G2 CA?

    Unfortunately we met with some difficulties during the company verification stage, which have never occurred before. My colleagues are still fighting it... :(

    Would you mind telling us what exactly they did for verification? and what were these difficulties? I thought the EV verification process is pretty straight forward?!

  • CaptainFlintCaptainFlint Member Posts: 73

    @henrik_meida said:
    Would you mind telling us what exactly they did for verification? and what were these difficulties? I thought the EV verification process is pretty straight forward?!

    I'm not sure how much I'm allowed to disclose, it may be considered sensitive information. But basically, it now requires some third-party independent sources to confirm the information we provide. And some of the required data were not available via any of the sources, which the verification service considered trusted. So we are arranging legal confirmations that would satisfy Entrust, but it takes time.

  • henrik_meidahenrik_meida Member Posts: 101
    edited April 6

    @CaptainFlint said:

    @henrik_meida said:
    Would you mind telling us what exactly they did for verification? and what were these difficulties? I thought the EV verification process is pretty straight forward?!

    I'm not sure how much I'm allowed to disclose, it may be considered sensitive information. But basically, it now requires some third-party independent sources to confirm the information we provide. And some of the required data were not available via any of the sources, which the verification service considered trusted. So we are arranging legal confirmations that would satisfy Entrust, but it takes time.

    So I'm assuming you didn't have a DUNS number, correct? because based on what i heard, having one will conclude the verification process.

    We are in the process of getting one, and after that we'll try Entrust. But please do update us when you finally got your certificate.

  • CaptainFlintCaptainFlint Member Posts: 73

    @henrik_meida said:
    So I'm assuming you didn't have a DUNS number, correct? because based on what i heard, having one will conclude the verification process.

    No, it's not the DUNS that caused problems. As I said, we have already been buying EV certificates before, and never had any issues.

    But please do update us when you finally got your certificate.

    I certainly will. :+1:

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,769

    we might have a shot at asking Microsoft for permission of cross signing with that cert only for supporting older operating systems like 7

    You might note that this is precisely the circumstance for which they are threatening to revoke your cert. not any other situation. I’ve personally advocated, asked, pleased, and explained. And the last reply I got was “see this new section of this document”... which was the threat to revoke the cert.

    They’re not going to help us. Period. Full stop.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • henrik_meidahenrik_meida Member Posts: 101

    @Peter_Viscarola_(OSR) said:

    we might have a shot at asking Microsoft for permission of cross signing with that cert only for supporting older operating systems like 7

    You might note that this is precisely the circumstance for which they are threatening to revoke your cert. not any other situation. I’ve personally advocated, asked, pleased, and explained. And the last reply I got was “see this new section of this document”... which was the threat to revoke the cert.

    They’re not going to help us. Period. Full stop.

    Peter

    Well we know that it will likely not work, but still worth the shot.

    @CaptainFlint said:

    @henrik_meida said:
    So I'm assuming you didn't have a DUNS number, correct? because based on what i heard, having one will conclude the verification process.

    No, it's not the DUNS that caused problems. As I said, we have already been buying EV certificates before, and never had any issues.

    But please do update us when you finally got your certificate.

    I certainly will. :+1:

    One thing i forgot to ask, do you think that if we get a DUNs number that will count as our verification, and basically complete the whole verification process with Entrust? because currently we are in the process of getting one, and we are not sure if we should wait until we get it, then proceed with the purchase or not, any thoughts ?

  • CaptainFlintCaptainFlint Member Posts: 73

    @henrik_meida said:
    One thing i forgot to ask, do you think that if we get a DUNs number that will count as our verification, and basically complete the whole verification process with Entrust? because currently we are in the process of getting one, and we are not sure if we should wait until we get it, then proceed with the purchase or not, any thoughts ?

    Unfortunately, I don't know all the details, I've caught just a few glimpses. I'm not been involved in the process of either buying the certificate, or verifying the company. My taks is a purely technical one, to make certain our tools work with the certificate when we finally get it.

    I recommend you contact Entrust and check with them. From what I've seen in our internal emails, they are quite helpful.

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,466
    via Email
    Having just gone through this with entrust, all I needed was 1) a
    registered corporation of any sort (e.g. a LLC) 2) a registered domain that
    could be verified as owned by said LLC.

    Mark Roddy
  • RourkeRourke Member Posts: 69

    @Tim_Roberts said:
    EV is only a requirement for creating a Hardware Dashboard account.

    Are you saying if one has a dashboard account there is no need to buy EV certs anymore because one can submit drivers for attestation using just a cheap, easy to get code signing certificate from then on? Are you absolutely certain of this?

  • CaptainFlintCaptainFlint Member Posts: 73

    @Rourke said:
    Are you saying if one has a dashboard account there is no need to buy EV certs anymore because one can submit drivers for attestation using just a cheap, easy to get code signing certificate from then on? Are you absolutely certain of this?

    You need to have an active EV certificate to keep using the dashboard services. As soon as it expires, you are automatically blocked from sending any submissions, until you attach a new active EV certificate to your account.

    I'm not sure if you can use any other certificate for signing your submission packages (I know you can do it for drivers). But even if you can, it's just a question of convenience (hardware EV token versus PFX files). You cannot save money/effort on that.

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,152

    Yes, you need a current EV cert to maintain the dashboard account, as CaptainFlint said. You can use ANY certificate to sign your submissions, as long as you have registered the certificate with the dashboard account.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • henrik_meidahenrik_meida Member Posts: 101

    @Mark_Roddy said:
    Having just gone through this with entrust, all I needed was 1) a
    registered corporation of any sort (e.g. a LLC) 2) a registered domain that
    could be verified as owned by said LLC.

    Mark Roddy

    Hi Mark, thank you for sharing,

    I have two questions and would be grateful if you can answer :

    1. Can you post the cert chain for us when you cross sign a driver with it, so we can see if it in fact chains up to G2 CA (that expires beyond 2022) ? or can you check it yourself and let us know ? (signtool verify /v /kp <mydriver.sys>)

    2. What documents with regards to our company/employees do we need to prepare to send Entrust? we first wanted to get a DUNs number before purchasing the EV but that is too complicated by its own so i think we might go for it before getting A DUNs. The problem is that our company doesn't have a Online present right now (No website or anything), do you think we need to prepare a website and a mail server using our own domain and send them the email with our own domain instead of using gmail for example?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,769

    @henrik_meida Haven’t we had this discussion before? Talk with the CA They are the only ones who can definitively tell you what they’ll accept.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • CaptainFlintCaptainFlint Member Posts: 73

    OK, finally we've managed to get the new certificate. As promised, here are the details.

    First, I was mightily surprised to see that they sent us the cert not on a token, but as a set of private/public key files. I thought EV was supposed to run only from a non-exportable token. Apparently, there is no such requirement. (And, yes, according to the certificate policy OIDs 2.23.140.1.3 and 2.16.840.1.114028.10.1.2, this is an EV; and it was accepted by the MS Dashboard, although I have not sent any submission yet.)

    Second, and more important, the cross-certificate is, indeed, valid and active till 2025. They even attached this cross-certificate file in the archive they've sent us, and it's completely identical to the one we can download from the MS site. I've tried signing some PNP driver and its catalog file, and installed it into Windows 7. Upon installation I've got a red warning about an untrusted signature (apparently, because Entrust wasn't present in my root CA storage), but after confirming, installation finished successfully, and the driver was loaded by the kernel. Just in case, I also tried signing the driver+CAT without a cross-certificate, and, as expected, the kernel refused to load the driver.

    Here is the output of signtool verify /kp /v driver.sys (I edited out our company name and the leaf certificate's thumbprint):

    Signing Certificate Chain:
        Issued to: Entrust Root Certification Authority - G2
        Issued by: Entrust Root Certification Authority - G2
        Expires:   Sat Dec 07 20:55:54 2030
        SHA1 hash: 8CF427FD790C3AD166068DE81E57EFBB932272D4
    
            Issued to: Entrust Extended Validation Code Signing CA - EVCS1
            Issued by: Entrust Root Certification Authority - G2
            Expires:   Sun Nov 10 17:12:49 2030
            SHA1 hash: 64B8F1EDEF40D7D28602B6B9171AFF114E12A646
    
                Issued to: [COMPANY NAME REDACTED]
                Issued by: Entrust Extended Validation Code Signing CA - EVCS1
                Expires:   Tue Apr 23 19:07:18 2024
                SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    The signature is timestamped: Fri Apr 23 21:11:05 2021
    Timestamp Verified by:
        Issued to: DigiCert Assured ID Root CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Mon Nov 10 03:00:00 2031
        SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    
            Issued to: DigiCert SHA2 Assured ID Timestamping CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Tue Jan 07 15:00:00 2031
            SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
    
                Issued to: DigiCert Timestamp 2021
                Issued by: DigiCert SHA2 Assured ID Timestamping CA
                Expires:   Mon Jan 06 03:00:00 2031
                SHA1 hash: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3
    
    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 16:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
    
            Issued to: Entrust Root Certification Authority - G2
            Issued by: Microsoft Code Verification Root
            Expires:   Mon Jul 07 23:55:49 2025
            SHA1 hash: D8FC248748585E173EFBFB3075C4B4D60F9D8D08
    
                Issued to: Entrust Extended Validation Code Signing CA - EVCS1
                Issued by: Entrust Root Certification Authority - G2
                Expires:   Sun Nov 10 17:12:49 2030
                SHA1 hash: 64B8F1EDEF40D7D28602B6B9171AFF114E12A646
    
                    Issued to: [COMPANY NAME REDACTED]
                    Issued by: Entrust Extended Validation Code Signing CA - EVCS1
                    Expires:   Tue Apr 23 19:07:18 2024
                    SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    

    Of course, by now we know that we cannot use cross-signing after July 1 for public distribution, and that there have been found a few interesting workarounds for loading drivers in the older systems. But still it's good to know that Entrust certificate works fine. At the very least it gives us a couple more months of standard cross-signing.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,769

    THANK you, CaptainFlint.

    I definitely appreciate you taking the time to follow-up and let us know the ultimate outcome of your "certificate journey."

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,152

    Curious; that driver package, with that certificate chain, should NOT have given you the red warning box on Windows 7, assuming you have the SHA2 update. The fact that you have the Microsoft Code Verification Root should have been enough.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • CaptainFlintCaptainFlint Member Posts: 73

    The user-mode installer does not check the cross-certificate chain. All it sees is the Enrust root certificate. And since it's not in the trusted CA store, a warning is displayed. I would say, that's totally expected behavior.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 450
    via Email
    Did you have an EV cert on the dashboard already?

    and it was accepted by the MS Dashboard, although I have not sent any
  • CaptainFlintCaptainFlint Member Posts: 73

    @Dejan_Maksimovic
    We did have a certificate and used it for sending Attestation and WHQL submissions, but it expired a few weeks ago. So during this time there wasn't any valid certificate assigned to our Dashboard account. Now the new Entrust certificate arrived, and I've added it to the account, and it was accepted. I mentioned it just to confirm that Entrust EV certificate is good enough for MS Dashboard. (And also, since my last comment I've already tried submitting a simple HLKX package, and it worked fine too.)

  • david_mk85david_mk85 Member Posts: 35

    @CaptainFlint said:
    @Dejan_Maksimovic
    We did have a certificate and used it for sending Attestation and WHQL submissions, but it expired a few weeks ago. So during this time there wasn't any valid certificate assigned to our Dashboard account. Now the new Entrust certificate arrived, and I've added it to the account, and it was accepted. I mentioned it just to confirm that Entrust EV certificate is good enough for MS Dashboard. (And also, since my last comment I've already tried submitting a simple HLKX package, and it worked fine too.)

    Hi Flint, thank you for sharing

    I have not used the MS dashboard yet, but I'm curious, how long does it usually take for my .sys driver to get attestation signed by Microsoft? can we even submit .sys files?

    I heard that the first submission to account usually takes 1-2 days, but the rest of them will only take 1-2 hours, is this true? because i wonder if they are actually manually analyzing drivers or its all automatic?

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 24 January 2022 Live, Online
Internals & Software Drivers 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online
Developing Minifilters 23 May 2022 Live, Online