Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Question regarding Deprecation of Software Publisher Certificates?
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Writing WDF Drivers | 12 September 2022 | Live, Online |
| Internals & Software Drivers | 23 October 2022 | Live, Online |
| Kernel Debugging | 14 November 2022 | Live, Online |
| Developing Minifilters | 5 December 2022 | Live, Online |
Comments
Thread drift.
You submit a “driver package” which includes the. .sys file — It takes 20 minutes or so, assuming the package is properly formatted, first time and every time.
Peter
Peter Viscarola
OSR
@OSRDrivers
I have not experienced this 1-2 days processing. However, it's been a while since I started working with it. I don't remember much of those days, and I'm not sure if I was the first in our company to send an attestation submission. Besides, back then even the Dashboard was completely different. As for the non-first submissions, I can only confirm what Peter said: indeed, it takes about 20 minutes (at least for the packages that I've dealed with so far). It's fully automatic.
accepting the cert does not guarantee it is an EV cert. But if it is the
only valid one, then it does.
Regards, Dejan.
Well, you need an EV cert to create and maintain the account, but you can register other certs (EV or non-EV) in your dashboard account. Your submissions have to be signed with any one of the registered certs.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
I have been out of the driver world for a long while until now. Our code signing certificate is about to expire and I read all about the new process. I work for a company where I cannot just upload a driver package to be signed at the Hardware Dev Center. Anyone in the same situation? Are there exceptions?
I’ve never seen an exception made, except for drivers at Microsoft that are part of the build, of course. Never.
ETA: And you’re necroposting.
Peter
Peter Viscarola
OSR
@OSRDrivers
@Rony
The official position of Microsoft is simple: the only way to load the newly built drivers on Windows (apart from test signing mode, or disabling signature enforcing on boot) is to make it signed by Microsoft. Full stop.
Although I've seen some companies still releasing cross-signed drivers; but I have no idea if they are unknownly (or maybe deliberately) violating the MS regulations, or they've been granted an exclusive deal.
SOMEBODY must have the keys to that closet. If you're doing drivers, you ought to be able to access that person. Indeed, it's easy on the Hardware Dev Center for your administrator to create a sub-account for your use, that won't interfere with other users.
Well, nothing on that web site is easy, but it's possible.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Okay thanks everyone I guess I need to find who can help me here
.
Was I not using the correct thread? Seemed applicable.
Well, this is a community philosophy thing. Your question was a new question. It did not add anything to nor answer any questions in the existing dead thread. Thus, it should have been asked AS a new question, and not by resurrecting the old thread.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Except for the fact that you're breaking the rules by necroposting, I don't think it matters.
There's nobody here who can grant you special dispensation to NOT require an EV cert. In fact, I personally do not believe that there is anybody who can grant you a Dashboard account without an EV Cert AT ALL.
You just need to find the right guy at your company who'll sign-off on the docs, get the Cert issued, sign-up for the dashboard account, and be done with it. If defense contractors and enormous multi-national corporations can figure this out, and small consultancies world-wide can figure this out, then I'm sure you can figure it out as well.
Peter
Peter Viscarola
OSR
@OSRDrivers
@Tim_Roberts and @Peter_Viscarola_(OSR) thanks for your input.
Just to clarify for next time. I did a search, found this thread and posted. Where do you check that the thread is closed?
Mark Roddy
employers/comtractees.
If you can pay, out of your pocket, to get a new cert, and a whole new
account - do it!!!!!!! Honestly. An hour or so, most of which is waiting.
Sorting existing access, if the Azure admin in the company/org does not
know the ins and outs already, can take weeks! Actual work weeks, as in man
hours!
And we had pretty expensive MS support to help on the way
Kind regards, Dejan.
https://www.alfasp.com
SOMEBODY must have the keys to that closet. If you're doing drivers, you
In the corporate world, such a path is fraught with danger. When you create an account, you are certifying that you are authorized to enter into contracts on behalf of your employer. Most cubicle-dwellers do not have that kind of power.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
You read the guidelines and rules… the ones that say “Read Before Posting”… and a note that it specifically says not to post follow-ups when the last post is more than a month old.
It’s not hard,
Peter
Peter Viscarola
OSR
@OSRDrivers
authorization to get a new certificate, or anything similar.
The (new) Dashboard account can be made by the company/org\'s Azure admin,
controlled by them, etc. The FOB or the HSM server would also be controlled
by the proper folks.
What I meant is that it would cost you less to pay for that yourself (in
terms of lost nerves, you are obviously paid for your time, even if that
time is weeks, I hope?), than to bother trying to figure existing setup, if
that setup is not publicly listed and easily found.
The company I mentioned still has one dashboard account they are not aware
of (and MS is not telling even the Admin, nor the listed contact, which
account that is - no name, no contact details). It was good that the
certificate used on that account expired, so at least the cost of the cert
wasn't wasted.
But getting them to order a new EV cert (most big companies have several
active ones, anyway, and from different issuers, to minimize any downtime I
guess), getting the admin to create a new dashboard account and set it up
again was WAY easier than figuring existing setup!
Granted, this is not a company that deals with drivers a lot, but still 200
submissions a year... I've seen problems with companies that make nothing
other than drivers (so 1000+ submissions a year are normal) in the same
branch
Hopefully, I got the right message across. No unauthorized stuff, all
legal, but "make new from scratch, don't try to fix existing holes"
Kind regards, Dejan Maksimovic.
FS Lead: http://www.alfasp.com