Why is signing drivers such a mess?

At least for the hobbyist, are there alternatives to the $400/year VeriSign
ID? I’d pay $50/year (the cost of some alternative certificate authorities)
but for the 0.1 drivers per year I write these days, I cannot justify the
high costs of the VeriSign certificate.

There was some talk at earlier driver conferences about alternate
certificate authorities being approved, but I have not heard anything about
whether this went through.
joe

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Monday, January 04, 2010 2:52 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why is signing drivers such a mess?

NOT for a hobby developer, who would be the main target of such an
enterprise… and for whom the idea of “if one piece of software is
determined to be malware the signature winds up on the CRL” isn’t such a big
deal.

His customers, each having paid zero to a few dollars for the software, come
back to him and say “your stuff doesn’t work” – to which he answers “oh,
darn! You’re right. Sorry. Disable driver signature enforcement and
reboot” or whatever, until he gets his NEXT signature from SigsRus.com

Peter
OSR


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


> NOT for a hobby developer, who would be the main target of such an enterprise…

I just wonder if the company that signs his code will be forced to assume liability for it …

Let’s face it - the vast majority of malware in existence is produced exactly by developers of the type you have mentioned, and if someone who signs his code is not forced to assume liability for it, the very idea of code signing loses any practical meaning…

His customers, each having paid zero to a few dollars for the software,

Well, I think the vast majority of his “customers” would not mind paying more than a few dollars to ensure that his “production” never gets installed on their PCs…

Anton Bassov

“forced” by whom? Stalin’s been dead a long time, dude…

As far as *I* know, the only thing that could happen to the company signing the driver is that MSFT will revoke the cert. Oh well!

Whatever. But the vast majority of companies that would want this service don’t produce malware. They produce drivers for tiny markets, in their spare time, for the sheer joy of assisting the community of which they are a part. Or something.

The company doing the signing will probably WANT to do some minimal amount of due diligence, just to avoid having to keep getting new certs. But, whatever.

Nobody HAS to install a driver signed by “WeSignUrShitForTenEuros.com” – It’s entirely up to the user. Like I said… whatever.

It’d be a damn sight better than hobby devs not being able to have people use their stuff AT ALL without disabling driver signing completely.

Peter
OSR

> “forced” by whom?

By the court, apparently…

Look - the very idea behind code signing is to make it possible to trace the code originator in case it turns out to be malicious. Therefore, if you sign a piece of software with your key and then it turns out that this particular piece of software, say, steals credit card numbers, it will be you who gets summoned to court, because it is signed with your key, and, hence, for the time being you are treated as its originator. What I meant in my previous post is whether you will be held liable for everything that code signed with your key does, or whether you will be allowed just to shrug it off like “I don’t know anything - I sign anything for anyone who pays me a few dollars for it”. In the latter case the whole idea of code signing does not seem to be particularly meaningful, don’t you think…

Stalin’s been dead a long time, dude…

Where is Mr. Kyler - I bet he is going to love it…

Nobody HAS to install a driver signed by “WeSignUrShitForTenEuros.com”

IIRC, malware never had a reputation of asking users whether they want to install it…

Anton Bassov

Joseph M. Newcomer wrote:

At least for the hobbyist, are there alternatives to the $400/year VeriSign
ID? I’d pay $50/year (the cost of some alternative certificate authorities)
but for the 0.1 drivers per year I write these days, I cannot justify the
high costs of the VeriSign certificate.

There was some talk at earlier driver conferences about alternate
certificate authorities being approved, but I have not heard anything about
whether this went through.

I just renewed my GlobalSign certificate, $400 for 3 years. It has
worked fine for me for the past two years. There are about 8
certificate authorities with valid cross-certificates available,
although because of mergers and acquisitions, that’s down to 3 different
corporations.

http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
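As an added illustration (this is not code from the thread or from any of the posters), here is what a customer who wants to "look at the signature" on a driver can do with PowerShell: read the Authenticode signature on the .sys, build its certificate chain with online revocation checking so a revoked signer shows up, and list every certificate in the chain. The driver path is a hypothetical placeholder.

```powershell
# Added example, not from the original thread. Inspect the Authenticode
# signature on a driver binary and walk its certificate chain.
# Assumption: $DriverPath is a hypothetical file; point it at a real .sys.
param(
    [string]$DriverPath = 'C:\Windows\System32\drivers\example.sys'  # hypothetical
)

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Status      : $($sig.Status)  ($($sig.StatusMessage))"

if ($null -eq $sig.SignerCertificate) {
    # A .sys with no embedded signature may still be covered by a signed
    # catalog (.cat) shipped in the driver package; check that file instead.
    Write-Warning "No embedded signature on $DriverPath; check the package .cat file."
    return
}

"Signer      : $($sig.SignerCertificate.Subject)"
"Issuer      : $($sig.SignerCertificate.Issuer)"
"Valid       : $($sig.SignerCertificate.NotBefore) .. $($sig.SignerCertificate.NotAfter)"
"Timestamped : $($null -ne $sig.TimeStamperCertificate)"

# Build the chain with revocation checking turned on for every element, so a
# signer that has been put on a CRL is reported rather than silently accepted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($sig.SignerCertificate)
"Chain builds: $built"

# Print each element from leaf to root with its status flags (empty means OK).
foreach ($element in $chain.ChainElements) {
    $flags = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $flags) { $flags = 'OK' }
    "  {0}  [{1}]" -f $element.Certificate.Subject, $flags
}
```

Caveat: this chain is built under the ordinary Authenticode policy of the machine running the script. Kernel-mode code signing is checked against a different policy at load time, where the chain has to reach Microsoft's code verification root through the cross-certificate Tim mentions; the authoritative check for that is `signtool verify /kp /v <driver.sys>` from the WDK, which fails if the cross-certificate was not included in the signature.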

No. I think there’s room for a legitimate middle ground.

Let’s say you and I start a web-based company, “A&P, LLC”, that signs drivers for people at… I don’t know… US$50/driver.

Here’s how we do it: Company X sends us a request to sign their driver package. We:

a) Execute an NDA with Company X, that includes a “hold harmless” clause saying A&P LLC won’t be responsible for any crap we sign for Company X.

b) Have Company X send us their driver, in source code form, with build instructions.

c) We examine the driver (handwave, handwave), and if we don’t see anything we hate, we build it per the instructions.

d) We sign the .SYS file and the package.

e) We return this package to Company X and they can distribute it to their users.

Total time invested: 10 minutes.

Service to the community: Priceless.

I don’t expect A&P LLC would be liable for the driver if it didn’t work, failed to meet its specs, or if it did anything malicious. We didn’t MAKE it. We just signed the package.

So, somewhere between “We’re fully responsible” and “We sign anything”…

To me, that would work nicely.

Peter
OSR

Tim,

How dare you miss IBM?:slight_smile:

Actually, most of the time, OEMs get the signed drivers from IHVs (ATi, Broadcom, Emulex, Intel, Nvidia, Qlogic etc…) who provide chips or adapters (video, network, storage) for their platforms. IHVs will have to sign their drivers. We do sign a lot of drivers. Fortunately, I don’t have to worry about it nor do I want to know what VeriSign, class 3 are. The only thing about VeriSign that I know is it would appear in my browser when I log into my bank or 401k accounts. All I have to do is provide a test CAT for our PQA just to be good enough to get rid of the “press F8 thingy”.

Calvin

Paying big bucks to someone who only cares about the money does not
ensure quality or liability. Try this for a laugh - try and connect
more than one model of HP printer to any PC. The drivers fight over
“who is the real messiah” and you end up with a different mess every
time you boot. Complain to HP and they say “don’t do that”. Complain
to Verisign and it becomes blame-relay.

This is real, in this room. I have a scanner, a laser printer, and a
photo printer.

Solution? Well use more computers…

brucee

On 1/5/10, xxxxx@yahoo.ca wrote:
> [quote]
> The onesy-twosy
> shops are not the important people. The important people are the Dells
> and HPs of the world, who submit dozens or hundreds of driver packages
> throughout the year.
> [/quote]
>

Bruce Ellis wrote:

Paying big bucks to someone who only cares about the money does not
ensure quality or liability. Try this for a laugh - try and connect
more than one model of HP printer to any PC. The drivers fight over
“who is the real messiah” and you end up with a different mess every
time you boot.

HP has become one of the worst. Their hardware is good, but their
driver people should be hung at dawn. When I install a printer, ALL I
WANT is a driver that turns GDI calls into dots on paper. I don’t want
600 megabytes of download, 39 DLLs, 22 full-time processes, 18 injected
hooks, 15 desktop icons, 13 unrelated utilities, 9 RSS subscriptions, 7
IE toolbars, a cheerful audio-driven help system and a partridge in a
pear tree. I did not buy my computer for the sole purpose of talking to
that printer.

It drives me nuts. That’s why I bought an Epson last time. They aren’t
nearly as bad.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> I don’t expect A&P LLC would be liable for the driver if it didn’t
> work, failed to meet its specs, or if it did anything malicious. We
> didn’t MAKE it. We just signed the package.
>
> So, somewhere between “We’re fully responsible” and “We sign
> anything”…
> To me, that would work nicely.

So what happens to the customer? What does he do if his system
crashes at home? Who should he contact? Does the package installation
or the signing framework have enough information to tell the customer
that A&P LLC can only be trusted for delivery of the package and not for
its quality?

Harish


> c) We examine the driver (handwave, handwave), and if we don’t see
> anything we hate, we build it per the instructions.
>
> Total time invested: 10 minutes.
>
> Service to the community: Priceless.
>
> I don’t expect A&P LLC would be liable for the driver if it didn’t
> work, failed to meet its specs, or if it did anything malicious. We
> didn’t MAKE it. We just signed the package.

If you are going to spend 10 minutes looking at the code you might as
well not bother.

For open source projects you could come up with a workable solution
though:

a. Company X sends us the source code and build instructions
b. We build the binaries, sign them, and sign the source archive and
make it available on our website for anyone to inspect.

That way our liability is to confirm that the binaries we built were
built from the source, and anyone can prove (as much as you trust us and
the certificate system) that the binaries they have were built from the
source that they can obtain and inspect. You’d probably make the source
code open to public inspection for some time (7 days?) before doing the
build and sign to reduce the chance of signing a malicious driver or
something.

Someone like Sourceforge could do it, and have some criteria that the
project have been hosted on sourceforge for some time (3 months?) before
allowing access to the signing process.

It doesn’t work for non-open source stuff of course, but who trusts
closed source code anyway? :slight_smile:

James
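The build-and-sign service James sketches rests on one verifiable claim: "the binary we signed was built from this source archive." As an added example (not code from James or anyone else in the thread), here is the minimum that makes the claim checkable by a third party: the signer records the SHA-256 of the source archive and of the binary in a small manifest and Authenticode-signs the manifest; anyone holding the source archive, the binary and the manifest can then verify the signature and recompute both hashes. File names are hypothetical, and a code-signing certificate in the current user's personal store is assumed.

```powershell
# Added example, not from the original thread. Bind a signed binary to the
# source archive it was built from, and let a third party check the binding.
# Assumptions: the three file names are hypothetical, and a code-signing
# certificate exists in Cert:\CurrentUser\My.
$Source   = '.\widget-1.0-src.zip'          # hypothetical: source archive the signer built from
$Binary   = '.\widget.sys'                  # hypothetical: binary produced by that build
$Manifest = '.\widget-1.0.manifest.ps1'     # hypothetical: signed manifest published with both

# --- Signer side -----------------------------------------------------------
# Record the hash of each artefact, then Authenticode-sign the manifest so the
# two hashes cannot be altered without invalidating the signer's signature.
$srcHash = (Get-FileHash -Algorithm SHA256 -Path $Source).Hash
$binHash = (Get-FileHash -Algorithm SHA256 -Path $Binary).Hash

@"
# Build manifest (generated). Binds the published source to the signed binary.
`$ManifestSource       = '$(Split-Path -Leaf $Source)'
`$ManifestSourceSha256 = '$srcHash'
`$ManifestBinary       = '$(Split-Path -Leaf $Binary)'
`$ManifestBinarySha256 = '$binHash'
"@ | Set-Content -Path $Manifest -Encoding ASCII

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($null -eq $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath $Manifest -Certificate $cert | Out-Null

# --- Anyone else -----------------------------------------------------------
# 1. The manifest's signature must be valid and chain to a trusted signer.
$sig = Get-AuthenticodeSignature -FilePath $Manifest
if ($sig.Status -ne 'Valid') { throw "Manifest signature is $($sig.Status), not Valid" }

# 2. Load the four values the manifest defines (it contains nothing else).
. $Manifest

# 3. Recompute the hashes of the copies you actually hold and compare.
$sourceMatches = (Get-FileHash -Algorithm SHA256 -Path $Source).Hash -eq $ManifestSourceSha256
$binaryMatches = (Get-FileHash -Algorithm SHA256 -Path $Binary).Hash -eq $ManifestBinarySha256

"Manifest signed by : $($sig.SignerCertificate.Subject)"
"Source archive     : $ManifestSource  matches=$sourceMatches"
"Binary             : $ManifestBinary  matches=$binaryMatches"
if (-not ($sourceMatches -and $binaryMatches)) {
    throw 'Artefacts do not match the signed manifest'
}
```

What this proves is exactly what James describes and no more: that the signer asserts this binary came from this source, and that neither file was swapped afterwards. It does not by itself show the binary is a faithful compilation of the source; for that a third party has to rebuild from the archive and compare hashes, which only works if the build is deterministic.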

The customer goes to the author if their system crashes. A&P signing the
driver in no way abrogates the author from their responsibility for
maintaining their code. The author has to make sure that what he sends to
A&P is a final cut, because every time A&P signs a driver there is a charge
— no “do overs” because the author sent the wrong source files. Unless the
author tells them who signed the driver or the customer has the smarts to
run CertMgr and looks at the signature, the customer really doesn’t need to
know about A&P.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net


On 1/4/2010 5:08 PM Tim Roberts wrote:
> HP has become one of the worst. Their hardware is good, but their
> driver people should be hung at dawn. When I install a printer, ALL I
> WANT is a driver that turns GDI calls into dots on paper. …

Don’t blame the developers – I guarantee it isn’t their choice to
include all the extra “value add” with the printer drivers.

–John

P.S. For some HP printers, you can download either a “consumer” or
“corporate” driver package. The corporate package omits most of the
extra stuff.

It ain't their driver people that spam you with all of that shovelware

d


So how did HP get all this shit signed?

And why does windows insist that simple “drivers” like printer
interfaces must be in the kernel.

That’s not even old school, it’s brain-dead.

Only apple competes for silliness.

Printer drivers should be user procs - correct me if I’m wrong.

brucee


It occurs to me that creating an entity to sign such packages is not the
only form of solution.

Enabling the end-user system to ‘sign’ the package as permissible would
suffice as well.

This clearly makes it the end-user’s responsibility and removes the issue of
finding the source. It restores the “as-is” quality of service but it only
works on the single machine. How you secure that feature so that, for
instance, malware does not find a way to ‘sign’ itself is a challenge of
course, but perhaps smart people can figure out how to ‘localize’ the
solution to the machine.

I am under the impression that the big issue would be the very limited
ability of the O/S Loader (on 64-bit platforms) to verify BOOT start
drivers. How you give it another certificate for embedded signatures to be
validated against seems to be the challenge.

But if a way could be created to ensure the usefulness of a signature was
scoped to the machine on which it was generated, then, at least you would
not be enabling malware except if you inflicted it on yourself. That is
what freedom is all about right? The freedom to shoot one’s own foot?

And then there is the whole DRM thing… back come the lawyers :slight_smile:

The poorly considered opinion of…
Dave Cattley

OK. That’s an approach, too.

But in 10 minutes I can probably determine if the obvious intent of the driver is to insert malware. That’s all I would want to do.

Absolutely. I agree. This is ALMOST as secure as having A&P LLC sign random stuff, EXCEPT for the fact that if A&P LLC signs some malware, it’s barely conceivable that Microsoft could revoke their cert. No way to do that if people sign their own stuff.

Peter
OSR

Bruce Ellis wrote:

So how did HP get all this shit signed?

Why wouldn’t they? WHQL doesn’t check for “smart” vs “stupid”.
(Indeed, I’m not sure how you would design a test for that…) It
doesn’t even install the driver. If you pass DTM, you get a logo.

And why does windows insist that simple “drivers” like printer
interfaces must be in the kernel.

They don’t. Most printer drivers live in user-mode.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Printer drivers have been in UM since Win2K. At some point we removed support for KM printer drivers, but I do not know the exact release.

d


Why… you ask us on the list, of course. WE can tell “smart” versus “stupid”!

Peter
OSR