
Start W10 driver with OV cert

MikhailTop Member Posts: 1
edited March 2021 in NTDEV

Hi there! I'm kinda new in the driver world, which is pretty amazing from my POV. (I've found a lot of help in this forum; I wanted to thank all of you for that.)

I'm working on a little project with my printer and now I want to start signing my driver.

I've bought an OV certification from comodoSSL which is issued by Sectigo. (secure boot is disabled)

I've downloaded my PFX file and signed my driver like this:

signtool.exe sign /f C:\Users\ces\Desktop\certificate.pfx /p keyPASSWORD /t http://timestamp.comodoca.com /v D:\new\repos\printerDrv\x64\Release\TekDevicePrinter\TekDevicePrinter.sys

My .sys file is signed and loaded with OSR.

However, when I'm starting my driver, Windows says: "Windows can't verify the publisher of this driver software blablabla"

Any ideas? Am I doing something wrong? Thanks a lot! My secure boot is disabled.

Comments

  • Tim_Roberts Member Posts: 14,289

    You need to "cross-sign" your driver. That means you need to add an additional certificate (using the /ac parameter) that is issued by Microsoft, that certifies that Microsoft trusts Sectigo. You should be able to get that cross-certificate from here:

    https://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Mark_Roddy Member Posts: 4,520

    Also, this will stop working as soon as whichever cross-sign cert Sectigo uses expires. I don't see Sectigo on the list here: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing so 'sometime soon'.

  • henrik_meida Member Posts: 32
    edited March 2021

    @Mark_Roddy said:
    Also, this will stop working as soon as whichever cross-sign cert Sectigo uses expires. I don't see Sectigo on the list here: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing so 'sometime soon'.

    What's interesting is that in the picture provided by OP, the cert expires at the end of 2021 instead of July 1, 2021? (The date Microsoft says it will no longer support new cross-signed drivers.)

    Considering that cross-signing will embed the certificate inside the driver executable, how can they even stop people from cross-signing after that date? In their article they added something:

    No, kernel-mode drivers must be signed with a WHQL signature after July 1st, 2021. You cannot use a certificate that chains to a cross-cert that expires after July 1, 2021 to sign kernel-mode drivers. Using these certificates to sign kernel-mode drivers after this date is a violation of the Microsoft Trusted Root Program (TRP) policy. Certificates in violation of Microsoft TRP policies will be revoked by the CA. Additional certificates may be present on the kernel-mode driver, however Windows ignores those signatures for the purpose of validating the driver.

    But how can they even know if it's a newly cross-signed driver to revoke it? You don't even need to timestamp it or have any internet connection to sign it. How on earth can they stop this? This doesn't make any sense.

  • Mark_Roddy Member Posts: 4,520

    They probably will revoke your cert. So sure, you can go ahead and sign after the July 1 date, but if that gets out into the world there may be problems. Also, the OP's cert and its parent cert expiration dates are irrelevant to the expiration date of the cross-signing cert. That cert likely expires in a couple of weeks.

  • CaptainFlint Member Posts: 68

    @henrik_meida said:
    What's interesting is that in the picture provided by OP, the cert expires at the end of 2021 instead of July 1, 2021? (The date Microsoft says it will no longer support new cross-signed drivers.)

    There is nothing wrong with the certificate expiring way beyond July 1, because it can be used for signing user-mode applications and libraries, not just drivers. But as Mark pointed out, you also need to check the cross-certificate expiration date.

    But how can they even know if it's a newly cross-signed driver to revoke it? You don't even need to timestamp it or have any internet connection to sign it. How on earth can they stop this? This doesn't make any sense.

    They may not know it. Especially if you don't distribute the signed driver outside. But they may revoke the cross-certificate (if its expiration date is beyond that date). Or they may leave it as it is, and keep that as an "officially illegal" action, which is not regulated by any technical means. (Like, say, signing a malware application or driver is technically possible, but if seen in the wild, it will get you into trouble.)

  • henrik_meida Member Posts: 32
    edited March 2021

    @CaptainFlint said:

    @henrik_meida said:
    What's interesting is that in the picture provided by OP, the cert expires at the end of 2021 instead of July 1, 2021? (The date Microsoft says it will no longer support new cross-signed drivers.)

    There is nothing wrong with the certificate expiring way beyond July 1, because it can be used for signing user-mode applications and libraries, not just drivers. But as Mark pointed out, you also need to check the cross-certificate expiration date.

    But how can they even know if it's a newly cross-signed driver to revoke it? You don't even need to timestamp it or have any internet connection to sign it. How on earth can they stop this? This doesn't make any sense.

    They may not know it. Especially if you don't distribute the signed driver outside. But they may revoke the cross-certificate (if its expiration date is beyond that date). Or they may leave it as it is, and keep that as an "officially illegal" action, which is not regulated by any technical means. (Like, say, signing a malware application or driver is technically possible, but if seen in the wild, it will get you into trouble.)

    So let's say the top-most certificate in a chain is "COMODO RSA Certification Authority". Based on Microsoft, this will expire on 4/11/2021, but when I open the digital signature tab and check the top-most certificate, which is COMODO RSA Certification Authority, it still says it's valid until 1/19/2038!
    I really don't understand; which expiration date is true then? Why is it still 1/19/2038?

    I'm confused because right now I have a certificate which expires in early 2022 and the top-most certificate in the chain is COMODO RSA Certification Authority. Can they technically do anything to stop people from cross-signing after 4/11/2021? Obviously they can't just stop trusting cross-signed drivers after that date, right? And let's say I locally sign my driver without an internet connection and without timestamping, and even revert my machine's time back so everything looks like it was signed in early 2021; they literally cannot do anything regarding this, am I wrong? Even the compile time would be in early 2021, so technically there is no way for them to stop this, am I wrong? Because they can't prove it has been compiled and signed recently in this case, and let's assume it's not a very big commercial software either, so they probably would not even know it exists to begin with..

    Obviously we would love to do it the "Microsoft way", but we absolutely need to support Windows 7, and some of our drivers cannot pass the WHQL test..

  • CaptainFlint Member Posts: 68

    @henrik_meida
    If the cross-certificate expires in April, Microsoft does not have to do anything, they just need to not issue another cross-certificate. When you sign a driver, you must specify a cross-certificate via the /ac flag in signtool. If the cross-certificate is expired when you are trying to sign the file, it will not be accepted by signtool, and your driver will not have a certificate chain ending up in the Microsoft root.

    In short, for the driver signature to be valid, all of the following: the main certificate, the CA certificate, the cross-certificate, and any other intermediate certificate, if any (like in Globalsign, which has an additional R3-R1 step) - must be valid on the date when you perform the signing. This validity is verified by a timestamp signature. If you don't timestamp the file, then it is considered valid only until any of the certificates listed above expires.
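    The rule CaptainFlint states above (every certificate in the chain must be valid as of signing, and without a timestamp the signature lives only until the earliest expiry) and the `/ac` cross-certificate step Tim Roberts describes can both be checked from PowerShell. The script below is an added example written for this thread, not code from any poster or from OSR; the driver path is the one from the OP's post, and the `-AsOf` date and the cross-certificate file name are assumptions. It builds the signer's chain at a chosen date and reports whether a timestamp countersignature is present.

```powershell
# Added example (not code from the thread): walk the signer chain of an Authenticode-signed
# file and report which certificate bounds the signature's validity when no timestamp is present.
# The driver path, the -AsOf date and the cross-certificate file name are assumptions.
#
# For reference, the signing step Tim Roberts describes adds the Microsoft cross-certificate
# with /ac. <MS-cross-cert>.cer is a placeholder; /fd, /tr and /td are signtool's file-digest
# and RFC 3161 timestamp options:
#   signtool.exe sign /v /ac <MS-cross-cert>.cer /f certificate.pfx /p <password> /fd sha256 `
#       /tr http://timestamp.comodoca.com /td sha256 TekDevicePrinter.sys
function Test-DriverSignatureValidity {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [datetime]$AsOf = (Get-Date)   # the date at which the signer chain is evaluated
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signature found on $Path (status: $($sig.Status))."
    }

    # Build the signer's chain as the OS would, but evaluated at $AsOf instead of 'now'.
    # Revocation is not checked so the script runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationTime = $AsOf
    $chainOk = $chain.Build($sig.SignerCertificate)

    # Without a timestamp the signature is only good until the *earliest* NotAfter in the chain.
    $earliestExpiry = $chain.ChainElements |
        ForEach-Object { $_.Certificate.NotAfter } |
        Sort-Object | Select-Object -First 1

    $tsa = $null
    if ($sig.TimeStamperCertificate) { $tsa = $sig.TimeStamperCertificate.Subject }

    [pscustomobject]@{
        File               = $Path
        SignerStatus       = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        Timestamped        = [bool]$sig.TimeStamperCertificate
        TimestampAuthority = $tsa
        ChainValidAt       = $AsOf
        ChainBuilds        = $chainOk
        ChainErrors        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        EarliestExpiry     = $earliestExpiry
        Chain              = @($chain.ChainElements | ForEach-Object {
                                 '{0} (expires {1:yyyy-MM-dd})' -f $_.Certificate.Subject, $_.Certificate.NotAfter })
    }
}

# Usage: check today, then ask whether the same signature would still chain up the day after
# the earliest certificate in its chain expires (the situation this thread is about).
$drv = 'D:\new\repos\printerDrv\x64\Release\TekDevicePrinter\TekDevicePrinter.sys'   # path from the OP's post
$now = Test-DriverSignatureValidity -Path $drv
$now | Format-List

$later = Test-DriverSignatureValidity -Path $drv -AsOf $now.EarliestExpiry.AddDays(1)
if (-not $later.Timestamped -and -not $later.ChainBuilds) {
    "Not timestamped: the signer chain no longer builds at $($later.ChainValidAt) ($($later.ChainErrors))."
}
```

    Two caveats on what this does and does not show. `Get-AuthenticodeSignature` resolves only the signer's own chain to the CA's root; the separate path through the Microsoft Code Verification Root that kernel-mode loading depends on is what `signtool verify /kp /v` prints (as used later in this thread), so check the cross-certificate's expiry there. And a chain that fails to build at a future date is the expected outcome for a non-timestamped file; a timestamped file is evaluated as of the timestamp instead, which is why the timestamp, not the certificate's own lifetime, decides how long a released driver keeps loading.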

  • henrik__meida Member Posts: 1

    @CaptainFlint said:
    @henrik_meida
    If the cross-certificate expires in April, Microsoft does not have to do anything, they just need to not issue another cross-certificate. When you sign a driver, you must specify a cross-certificate via the /ac flag in signtool. If the cross-certificate is expired when you are trying to sign the file, it will not be accepted by signtool, and your driver will not have a certificate chain ending up in the Microsoft root.

    In short, for the driver signature to be valid, all of the following: the main certificate, the CA certificate, the cross-certificate, and any other intermediate certificate, if any (like in Globalsign, which has an additional R3-R1 step) - must be valid on the date when you perform the signing. This validity is verified by a timestamp signature. If you don't timestamp the file, then it is considered valid only until any of the certificates listed above expires.

    Sorry, it seems like if you edit your comment too many times you can't post in the same thread anymore, so I couldn't post the answer anymore.

    This is the cross-certificate chain of a signed file (using signtool verify /kp /v):

    File is not timestamped.

    Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 09 06:33:03 2025

        Issued to: COMODO RSA Certification Authority
        Issued by: Microsoft Code Verification Root
        Expires:   Sun Apr 11 15:16:20 2021

            Issued to: COMODO RSA Extended Validation Code Signing CA
            Issued by: COMODO RSA Certification Authority
            Expires:   Sun Dec 12 13:59:59 2029

                ...


    So what you're saying is that after Sun Apr 11 15:16:20 2021, non-timestamped drivers that are cross-signed with this certificate will not load, and after Sun Apr 11 15:16:20 2021 we can't sign with it using a timestamp either, because the second one in the chain has expired, correct? If so, then even signing user-mode apps would not be possible with this cert, would it?!

  • Peter_Viscarola_(OSR) Administrator Posts: 8,960

    what you're saying is that after Sun Apr 11 15:16:20 2021, non-timestamped drivers that are cross-signed with this certificate will not load, and after Sun Apr 11 15:16:20 2021 we can't sign with it using a timestamp either, because the second one in the chain has expired, correct?

    That’s certainly the way I understand it to work, yes.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • CaptainFlint Member Posts: 68

    @henrik__meida said:
    So what you're saying is that after Sun Apr 11 15:16:20 2021, non-timestamped drivers that are cross-signed with this certificate will not load, and after Sun Apr 11 15:16:20 2021 we can't sign with it using a timestamp either, because the second one in the chain has expired, correct?

    Correct. There are some finer aspects to it, but generally this is the idea.

    If so, then even signing user-mode apps would not be possible with this cert, would it?!

    You don't need a cross-certificate for signing user-mode applications. Therefore, that will keep working until your company's certificate itself expires.

    P.S. Interesting that the signtool output from the post above is not shown to me, but when I pressed Quote, it pasted the whole missing output as a part of the quotation. Weird... :/

  • Peter_Viscarola_(OSR) Administrator Posts: 8,960

    Interesting that the signtool output from the post above is not shown to me

    Yes... it was input with three back-ticks... but it was missing formatting or something. I don’t know what the problem was, but I edited the post to remove those.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • henrik_meida Member Posts: 32

    @CaptainFlint said:

    @henrik__meida said:
    So what you're saying is that after Sun Apr 11 15:16:20 2021, non-timestamped drivers that are cross-signed with this certificate will not load, and after Sun Apr 11 15:16:20 2021 we can't sign with it using a timestamp either, because the second one in the chain has expired, correct?

    Correct. There are some finer aspects to it, but generally this is the idea.

    But as I showed in this thread:

    https://community.osr.com/discussion/292796/non-timestamped-cross-signed-driver-still-loads-even-when-i-set-the-date-of-my-machine-to-2099

    Even when I set the time to something like 2100, the driver still loads and I can still register it as a boot driver without any issues, even though it's not timestamped! No test signing, no debugging. Can you try it out with a cert that you have to see if you get the same results or not? I feel like I'm going crazy or something lol

    And another weird thing is that the certificate is SHA-1! So Windows 10 still supports SHA-1 certificates, right? Because I thought they ended the support for it!

  • CaptainFlint Member Posts: 68

    @henrik_meida
    Well, that's what I meant by the "finer aspects". :smile:
    SHA-1 support cannot be dropped completely, otherwise old but perfectly working drivers signed with SHA-1 would stop loading. So one way or another, it's still there. The question is, what are the exact limitations that MS introduced. Maybe they just have not covered all the possible installation scenarios. But I just don't know all the details.
