I have a USB device and corresponding x86 and x64 Windows applications. The USB driver is built using UMDF1 in 2018. I went through the Microsoft Hardware certification in 2018 (I think it was WHQL then) and it has a Microsoft counter signature. Everything works fine on Windows 7,8,10,11.
For Windows on ARM I need a ARM64 USB driver. I created a driver using UMDF2 in both x64 and arm64. The x64 driver works on Windows 10 without any security warnings when I install it, but I did have to sign the driver (cat etc). It is not counter signed by Microsoft. My understanding is that this behavior is as expected because user mode drivers do not need signing on Windows 10 and above.
The arm64 driver works on Windows on ARM if I disable driver signing enforcement. But under normal Windows operation the driver will not install.
If the driver is not signed at all I get “The third part INF does not contain digital signature information”.
If the driver is signed by myself but not Microsoft I get “The published of an Authenticode™ signed catalog has not yet been established as trusted”
So it seems that user mode USB divers for arm64 still need to be signed.
And the next question would be if that is so, then would attestation signing work? Don’t really want to spend $980 and several weeks to find out.
It’s a very simple driver (USB bulk) and I could use winusb … but the winusb inf seems to require a cross signed cat so I am no better off.
I want to clarify a misconception: driver package signing requirements are for a driver PACKAGE, there is no (and has never been a) distinction between the mode of the driver (user or kernel). In short, driver package signing policies, enforcements, and behaviors are the same for all driver package types.
I believe your comment applies to my last sentence about the winusb inf. I understand that now.
On that subject, I tried adding the descriptors to the USB strings to automatically load winusb, but failed. In any case that is not a valid option because it obviously doesn’t help existing devices.
Don’t really want to spend $980 and several weeks to find out.
Is that $980 for an EV certificate? Attestation signing requires a Microsoft Hardware Dashboard account, and setting that up requires an EV certificate. It’s the same portal where you do WHQL submissions.
My cursory search showed one for 3 years at $700 plus $200 for the hardware key if you wanted to avoid a monthly charge for online signing. But for a simple driver I would not need 3 years, and I need to shop around more. So I’m guessing the EV cert would be more like $400.
But these are distractions from my question - why was user mode signing different for arm64 and x64?