Question regarding Deprecation of Software Publisher Certificates?


Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,984

    Thread drift.

    You submit a “driver package” which includes the .sys file — It takes 20 minutes or so, assuming the package is properly formatted, first time and every time.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • CaptainFlint Member Posts: 68

    @david_mk85 said:
    I heard that the first submission to account usually takes 1-2 days, but the rest of them will only take 1-2 hours, is this true? Because I wonder if they are actually manually analyzing drivers or it's all automatic?

    I have not experienced this 1-2 days processing. However, it's been a while since I started working with it. I don't remember much of those days, and I'm not sure if I was the first in our company to send an attestation submission. Besides, back then even the Dashboard was completely different. As for the non-first submissions, I can only confirm what Peter said: indeed, it takes about 20 minutes (at least for the packages that I've dealt with so far). It's fully automatic.

  • Dejan_Maksimovic Member - All Emails Posts: 464
    via Email
    Thanks, I wanted to make sure that you differentiate the dashboard
    accepting the cert does not guarantee it is an EV cert. But if it is the
    only valid one, then it does.

    Regards, Dejan.
  • Tim_Roberts Member - All Emails Posts: 14,316

    Well, you need an EV cert to create and maintain the account, but you can register other certs (EV or non-EV) in your dashboard account. Your submissions have to be signed with any one of the registered certs.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Dejan_Maksimovic Member - All Emails Posts: 464
    via Email
    Exactly why I asked.
  • Rony Member Posts: 21

    I have been out of the driver world for a long while until now. Our code signing certificate is about to expire and I read all about the new process. I work for a company where I cannot just upload a driver package to be signed at the Hardware Dev Center. Anyone in the same situation? Are there exceptions?

  • Peter_Viscarola_(OSR) Administrator Posts: 8,984
    edited February 1

    I’ve never seen an exception made, except for drivers at Microsoft that are part of the build, of course. Never.

    ETA: And you’re necroposting.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • CaptainFlint Member Posts: 68

    @Rony
    The official position of Microsoft is simple: the only way to load the newly built drivers on Windows (apart from test signing mode, or disabling signature enforcing on boot) is to make it signed by Microsoft. Full stop.

    Although I've seen some companies still releasing cross-signed drivers; but I have no idea if they are unknowingly (or maybe deliberately) violating the MS regulations, or they've been granted an exclusive deal.

  • Tim_Roberts Member - All Emails Posts: 14,316

    @Rony said:
    I work for a company where I cannot just upload a driver package to be signed at the Hardware Dev Center.

    SOMEBODY must have the keys to that closet. If you're doing drivers, you ought to be able to access that person. Indeed, it's easy on the Hardware Dev Center for your administrator to create a sub-account for your use, that won't interfere with other users.

    Well, nothing on that web site is easy, but it's possible.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Rony Member Posts: 21

    Okay thanks everyone I guess I need to find who can help me here :) .

    Was I not using the correct thread? Seemed applicable.

  • Tim_Roberts Member - All Emails Posts: 14,316

    @Rony said:
    Was I not using the correct thread? Seemed applicable.

    Well, this is a community philosophy thing. Your question was a new question. It did not add anything to nor answer any questions in the existing dead thread. Thus, it should have been asked AS a new question, and not by resurrecting the old thread.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,984

    Except for the fact that you're breaking the rules by necroposting, I don't think it matters.

    There's nobody here who can grant you special dispensation to NOT require an EV cert. In fact, I personally do not believe that there is anybody who can grant you a Dashboard account without an EV Cert AT ALL.

    You just need to find the right guy at your company who'll sign-off on the docs, get the Cert issued, sign-up for the dashboard account, and be done with it. If defense contractors and enormous multi-national corporations can figure this out, and small consultancies world-wide can figure this out, then I'm sure you can figure it out as well.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Rony Member Posts: 21

    @Tim_Roberts and @Peter_Viscarola_(OSR) thanks for your input.

    Just to clarify for next time. I did a search, found this thread and posted. Where do you check that the thread is closed?

  • Mark_Roddy Member - All Emails Posts: 4,534
    via Email
    You check by posting and having Peter yell at you for necroposting.

    Mark Roddy
  • Dejan_Maksimovic Member - All Emails Posts: 464
    via Email
    Huh... I had to organize the Dashboard access for one of my previous
    employers/contractees.

    If you can pay, out of your pocket, to get a new cert, and a whole new
    account - do it!!!!!!! Honestly. An hour or so, most of which is waiting.
    Sorting existing access, if the Azure admin in the company/org does not
    know the ins and outs already, can take weeks! Actual work weeks, as in man
    hours!

    And we had pretty expensive MS support to help on the way :)

    Kind regards, Dejan.
    https://www.alfasp.com


  • Tim_Roberts Member - All Emails Posts: 14,316

    @Dejan_Maksimovic said:
    If you can pay, out of your pocket, to get a new cert, and a whole new account - do it!!!!!!!

    In the corporate world, such a path is fraught with danger. When you create an account, you are certifying that you are authorized to enter into contracts on behalf of your employer. Most cubicle-dwellers do not have that kind of power.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,984

    @Rony said:
    Just to clarify for next time. I did a search, found this thread and posted. Where do you check that the thread is closed?

    You read the guidelines and rules… the ones that say “Read Before Posting”… and a note that it specifically says not to post follow-ups when the last post is more than a month old.

    It’s not hard,

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Dejan_Maksimovic Member - All Emails Posts: 464
    via Email
    I was not suggesting circumventing access requirements, pretending to have
    authorization to get a new certificate, or anything similar.
    The (new) Dashboard account can be made by the company/org's Azure admin,
    controlled by them, etc. The FOB or the HSM server would also be controlled
    by the proper folks.

    What I meant is that it would cost you less to pay for that yourself (in
    terms of lost nerves, you are obviously paid for your time, even if that
    time is weeks, I hope?), than to bother trying to figure existing setup, if
    that setup is not publicly listed and easily found.

    The company I mentioned still has one dashboard account they are not aware
    of (and MS is not telling even the Admin, nor the listed contact, which
    account that is - no name, no contact details). It was good that the
    certificate used on that account expired, so at least the cost of the cert
    wasn't wasted.
    But getting them to order a new EV cert (most big companies have several
    active ones, anyway, and from different issuers, to minimize any downtime I
    guess), getting the admin to create a new dashboard account and set it up
    again was WAY easier than figuring existing setup!
    Granted, this is not a company that deals with drivers a lot, but still 200
    submissions a year... I've seen problems with companies that make nothing
    other than drivers (so 1000+ submissions a year are normal) in the same
    branch :)

    Hopefully, I got the right message across. No unauthorized stuff, all
    legal, but "make new from scratch, don't try to fix existing holes" ;)

    Kind regards, Dejan Maksimovic.
    FS Lead: http://www.alfasp.com