Attested signing live on Windows HW Dev Center portal

Attested driver signing has joined its HLK/HCK brethren in moving away from sysdev to the new Windows Hardware Dev Center portal:

https://developer.microsoft.com/en-us/dashboard/hardware/

The error messages on failed submissions are now much more informative. The process of submitting has been streamlined and the feedback at each stage of the process is significantly more useful. I still have to create dummy INF files for those drivers that don’t normally use them, but overall this seems like a big upgrade. Kudos to the developers that made this happen.

What is the “Azure AD” all about? Is that something else that needs to
be purchased just to get drivers signed?

On 1/23/2017 12:09 PM, gabe.jones@ni.com wrote:


George M. Garner Jr. wrote:

What is the “Azure AD” all about? Is that something else that needs to
be purchased just to get drivers signed?

No, nothing so sinister. AD is “Active Directory”, which is Microsoft’s
central user validation architecture. It’s been around for a very long
time. If you have a Windows domain server at your place of work, you
are using Active Directory. (You can tell what generation a concept is
from by the name: Active, Direct, .NET, etc.)

Azure is Microsoft’s cloud. So, “Azure AD” is just their cloud-based
central user validation thing. Their new dashboard uses that to
administer dashboard users. Your company has to have one “global admin”
account that gets delegated the responsibility to manage your company’s
users.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

It really does appear to mean an Azure AD global admin account. Oddly
enough it would not let me use my existing account through my VS
subscription, so I had to create an entire new one. Painful but free. I
have no idea. Likely there was some other way to do it.

Just click on the create a new azure ad account and it all gets done.

Mark Roddy

On Mon, Jan 23, 2017 at 4:19 PM, Tim Roberts wrote:


Ok! So what command line options do I use with signtool? The “Learn
How” link just redirects me to the signtool help page with a million
options. What hash algorithm, for example (SHA1, SHA256)? A sample
command line would be helpful, particularly since I have to sign the
file offline and transfer it to a computer with Internet access.

George M. Garner Jr. wrote:

Ok! So what command line options do I use with signtool? The “Learn
How” link just redirects me to the signtool help page with a million
options. What hash algorithm, for example (SHA1, SHA256)? A sample
command line would be helpful, particularly since I have to sign the
file offline and transfer it to a computer with Internet access.

Most of the parameters to “signtool sign” are used to identify which
certificate to use. I generally use the SHA1 thumbprint for that,
because it’s unambiguous. I also use /v to get me more information, and
you’re going to want /t to provide a timestamp provider. That’s about it.

So, it’s just
signtool sign /v /sha1 11112222333344445555666677778888 /t http://timestamp.verisign.com/scripts/timestamp.dll xxxxx.cab

If you don’t know the thumbprint, you can say
signtool sign /v /a nothing.exe

and it will give you a list.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
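Added example, not code from Tim’s post or the thread: one script that splits Tim’s signtool command across the air gap George describes, so the private key stays on the offline machine and only timestamping and verification happen online. It goes beyond Tim’s one-liner by using a SHA-256 file digest (/fd) and the separate “signtool timestamp” step with an RFC 3161 server (/tr, /td); the thumbprint, the timestamp URL and the CurrentUser\My store location are placeholders/assumptions.

```powershell
<# Added example (not from the thread). Stage 'Offline' runs where the key lives
   and has no network; stage 'Online' runs on the machine that can reach a TSA
   and the dev center. Thumbprint and TSA URL below are placeholders. #>
param(
    [Parameter(Mandatory)] [ValidateSet('Offline', 'Online')] [string] $Stage,
    [Parameter(Mandatory)] [string] $File,
    [string] $Thumbprint   = '0000000000000000000000000000000000000000',  # placeholder: 40 hex chars
    [string] $TimestampUrl = 'http://tsa.example.invalid/rfc3161'          # placeholder RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'
$manifest = "$File.sha256"

function Invoke-SignTool([string[]] $SignToolArgs) {
    & signtool.exe @SignToolArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool $($SignToolArgs[0]) failed, exit code $LASTEXITCODE" }
}

if ($Stage -eq 'Offline') {
    # Refuse to sign unless exactly one cert with this thumbprint AND a private key is present
    # (assumes the cert is in the CurrentUser\My store; adjust if it is in LocalMachine).
    $certs = @(Get-ChildItem Cert:\CurrentUser\My |
               Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey })
    if ($certs.Count -ne 1) { throw "expected one signing cert for $Thumbprint, found $($certs.Count)" }

    # Same selection Tim uses (/sha1 = thumbprint), plus a SHA-256 file digest.
    # No /t here: this machine has no network, so the timestamp is added later.
    Invoke-SignTool @('sign', '/v', '/fd', 'sha256', '/sha1', $Thumbprint, $File)

    # Record the digest of the signed file so the copy can be checked after transfer.
    (Get-FileHash -Algorithm SHA256 $File).Hash | Set-Content $manifest
    Write-Host "Signed. Carry '$File' and '$manifest' to the online machine."
}
else {
    # First check the transferred copy against the manifest written offline.
    $expected = (Get-Content $manifest).Trim()
    $actual   = (Get-FileHash -Algorithm SHA256 $File).Hash
    if ($actual -ne $expected) { throw "hash mismatch: '$File' changed in transit" }

    # Add an RFC 3161 timestamp to the existing signature; no private key is needed for this.
    Invoke-SignTool @('timestamp', '/tr', $TimestampUrl, '/td', 'sha256', $File)

    # Verify the chain and confirm which certificate actually signed the file.
    Invoke-SignTool @('verify', '/pa', '/v', $File)
    $sig = Get-AuthenticodeSignature $File
    if ($sig.Status -ne 'Valid') { throw "Authenticode status: $($sig.Status)" }
    Write-Host "Signed by $($sig.SignerCertificate.Subject); ready to upload."
}
```

Run it as `.\sign-stage.ps1 -Stage Offline -File SignableFile.exe -Thumbprint <thumbprint>` on the signing box, copy the file and its .sha256 manifest across, then `-Stage Online` on the connected machine before uploading.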

Hmmm! When I upload the signed signable file (“SignableFile.exe”) I get
the following error message:

“Error: signature is valid but your uploaded file was not expected. Did
you reload the page? If so, start over and try again.”

The upload file filter is expecting an xml file. But the downloaded
signable file is an exe. Has anyone gone through this process and got it
to work?

George M. Garner Jr. wrote:

Hmmm! When I upload the signed signable file (“SignableFile.exe”) I get
the following error message:

“Error: signature is valid but your uploaded file was not expected. Did
you reload the page? If so, start over and try again.”

The upload file filter is expecting an xml file. But the downloaded
signable file is an exe. Has anyone gone through this process and got it
to work?

What part of the process are you in here? Are you still trying to get
your account set up, on the page entitled “Sign and upload your file”?
That sends you an exe, which you sign, and then send back the uploaded
file via your browser. That upload dialog doesn’t specify an extension.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I am at step 4 of
https://developer.microsoft.com/en-us/dashboard/registration/hardware
(“Upload your signed file”). If you click on the link “browse your
files” the dialog has a “*.xml” extension filter. You can override the
filter and upload the exe. But it most definitely does have a filter.

Hmmm! At step 2 it says “Important: don’t refresh your browser page
before uploading your signed file, or you will need to start this
process over.” So evidently there is something session specific in the
downloaded exe file. This is a problem since I need to transfer the
downloaded file to a different (offline) computer to sign the file. Does
this mean that I can’t log off in between step 2 and 4?

I was able to sign winqual.exe and use it to create a company account on
the old sysdev site. But you can’t upload files for signing there
anymore. You get redirected to the new hardware dev center. Microsoft
seems to assume that you will expose your code signing certificate to
the Internet, which is not very good opsec.