Successful Windows 10 driver signing

Thanks for all that posted their information over driver signing and third party EV certificates. I’ve looked over the list for the way forward, and didn’t see a posting as such (may have missed it?). Has anyone successfully gotten a certificate that is recognized by Microsoft, and if so, information found in the process? Much thanks!

Yes. As mentioned here many times, we’ve successfully signed lots of drivers for Win10.

What, specifically, is your question?

Peter

Peter,

Thanks. April of last year, the vendor of our EV certificate warned about Microsoft changing its policy on certificates and driver signing on its web site, and gave us a certificate that expired on 4/15/21. This corresponded with date on the Cross Certificate List on this page - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing .

Now, a bit over a year later, have seen a number of posts on this site with confusion about signing drivers and Microsoft policy. After contacting Microsoft, you posted a summary that mostly centered around signing Windows 7 and 8 (much thanks!).

So, for Windows 10, just making sure that I just need to get a current EV certificate and can use it to sign the driver I maintain.

Barry

You need an EV Code Signing Cert to get a Dashboard account. You need a dashboard account to allow you to submit drivers for Win10 to MSFT for Attestation Signing.

See the MSFT doc page on Attestation Signing.

Thus, you need an EV Cert.

Peter

On Wed, Jun 16, 2021 at 8:11 PM Peter_Viscarola_(OSR)
wrote:
>
> OSR https://community.osr.com/
>
> Peter_Viscarola_(OSR) commented on Successful Windows 10 driver signing
>
> You need an EV Code Signing Cert to get a Dashboard account. You need a dashboard
> account to allow you to submit drivers for Win10 to MSFT for Attestation Signing.
>
> See the MSFT doc page on Attestation Signing.
>
> This, you need an EV Cert.
>

I understand that one needs an EV certificate.
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

However, it is not clear to me how to submit a driver (.sys) file only
without an INF.

Previously we were able to use the code signing certificate to just
sign the .sys file
(libusb0.sys and liusbk.sys). Then users can use the following method to install
the driver packages under Windows 7/8/8.1/10. The method still works now.
https://github.com/pbatard/libwdi/wiki/Zadig
https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

Now assume we want to upgrade libusbk.sys and we get an EV certificate,
is it possible to just sign the libusbk.sys file? Or we can use a real
inf file and
then submit the inf file and libusbk.sys together for attestation signing, then
it will come back with a signed libusbk.sys driver?

libusbk:
https://github.com/mcuee/libusbk
(Note: we may want to discontinue libusbk.sys and contrate on WinUSB
support if the process is just too troublesome).

You must have an INF, but it can be a fake INF, as long as it is syntactically correct and mentions all the SYS and DLL files you need. Microsoft signs all of the executable files included in the package. You can throw away the CAT file that comes back.

Great. Thanks for the info.