Having trouble getting attestation signed driver with new Microsoft Portal

I am attempting to get a driver signed via the portal using “attestation” signing. I followed the instructions specified here https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release but I feel I am missing some obvious step. Also, the instructions include a screenshot of the submission page in the portal which doesn’t match what I am seeing; is there a different portal for attestation driver signing?

I have an EV cert, signed and cross-signed the cab file with the driver and inf file in it, and submitted it through the portal. Once I upload the cab through the portal, it comes up with some check boxes for “Perform test-signing for Win10 and above” or “Perform test-signing for OS below Win10 (legacy)”. Below this are checkboxes for various versions of Windows 10.

Regardless of what I select here, the portal will accept the submission, sign the driver and return it to me; however, the returned driver is not attestation signed and will not load on Windows 10. signtool verify says the driver is valid, however it won’t load, and Event Viewer shows the error “Code integrity determined that the image hash of a file is not valid”.

I submitted a question to Microsoft about this and they said don’t select any checkboxes here to let the portal know I want it attestation signed; however, the website will not allow that. I must select either “Perform test-signing for Win10 and above” or “legacy”. I see no other option in the portal to let it know I want to attestation sign the driver.

Here are the enhanced key usage values of the .sys file I got back; they don’t say “attestation” and the file will not load.
Microsoft Windows Hardware Compatibility Publisher
Lifetime Signing (1.3.6.1.4.1.311.10.3.13)
Preview Build Signing (1.3.6.1.4.1.311.10.3.27)
Windows Hardware Driver Verification (1.3.6.1.4.1.311.10.3.5)
Code Signing (1.3.6.1.5.5.7.3.3)

thanks,
John

On Oct 12, 2018, at 1:23 PM, jglavin wrote:
>
> … Also, the instructions include a screenshot of the submission page in the portal which doesn’t match what I am seeing; is there a different portal for attestation driver signing?

Can you post a screenshot of what you DO see, and give us the exact steps you used to get there? Like, what URL did you start at, and which options did you click?

> I have an EV cert, signed and cross-signed the cab file with the driver and inf file in it, and submitted it through the portal. Once I upload the cab through the portal, it comes up with some check boxes for “Perform test-signing for Win10 and above” or “Perform test-signing for OS below Win10 (legacy)”. Below this are checkboxes for various versions of Windows 10.

“Test signing” is not the same as “attestation signing.” A test signature is essentially worthless; you can do the same thing on your local machine using a self-generated certificate.

> Regardless of what I select here, the portal will accept the submission, sign the driver and return it to me; however, the returned driver is not attestation signed and will not load on Windows 10.

If you submitted it for test signing, then it is not attestation signed.

> signtool verify says the driver is valid, however it won’t load, and Event Viewer shows the error “Code integrity determined that the image hash of a file is not valid”

Use “signtool verify /v /kp”. If the certificate list does not include the “Microsoft Code Verification Root”, then it is not properly signed. Also, note that there is nothing in the signed package that mentions attestation. Attestation is the process, not the result. An attestation-signed package is identical to a package that goes through full WHQL. The only difference is that the CAT file is only marked valid for Windows 10.

> I submitted a question to Microsoft about this and they said don’t select any checkboxes here to let the portal know I want it attestation signed; however, the website will not allow that. I must select either “Perform test-signing for Win10 and above” or “legacy”. I see no other option in the portal to let it know I want to attestation sign the driver.

Then you’re not in the right spot.

> Here are the enhanced key usage values of the .sys file I got back; they don’t say “attestation” and the file will not load.

It will never say “attestation”. It will say “Microsoft Code Verification Root.”

Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.

> It will never say “attestation”. It will say “Microsoft Code Verification Root.”

That tripped me up, too. It actually DOES say “attestation”, in exactly the place they said it does. (In the “enhanced key usage” values.)

Seeing the signature with the “Microsoft Windows Hardware Compatibility Publisher” certificate is all I look for & consider success for the attested signing. But if you look in the details of that signature and choose “View Certificate”, the “Details” tab there will list an “Enhanced Key Usage” attribute which includes the value “Windows Hardware Driver Attested Verification (1.3.6.1.4.1.311.10.3.5.1)”.

I agree that it sounds like “test signing” is being requested, and I agree that you are NOT forced to select either “Windows 10” or “legacy”. You can leave both test signing options unselected, and just choose the Windows 10 platform(s) you want attested signing for.

Just performed an attested signing yesterday where I saw RS5 options for the first time. But the behavior & resulting attested signing was still successful, as expected, and included “Windows Hardware Driver Attested Verification (1.3.6.1.4.1.311.10.3.5.1)” in the result.

Alan Adams
Client for Open Enterprise Server
Micro Focus
alan.adams@microfocus.com
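The check Alan describes (open the signature, view the certificate, look for the attested-verification value in Enhanced Key Usage) can be scripted so it is repeatable before a driver is shipped. The PowerShell below is an added example, not code from this thread or from Microsoft: it reads the primary Authenticode signature on a .sys with the standard Get-AuthenticodeSignature cmdlet, pulls the signer certificate's Enhanced Key Usage OIDs through the .NET X509 classes, and reports whether the signer is the “Microsoft Windows Hardware Compatibility Publisher” certificate carrying 1.3.6.1.4.1.311.10.3.5.1. The function names and the placeholder path are this example's own assumptions; the OIDs and the publisher name are the ones quoted in the thread.

```powershell
# Added example, not code from the thread or from Microsoft.
# Inspects the primary Authenticode signature on a driver binary and reports
# whether the signer certificate carries the attested-verification EKU
# (1.3.6.1.4.1.311.10.3.5.1). Function names and the placeholder path are assumptions.

using namespace System.Security.Cryptography.X509Certificates

$AttestedVerificationOid = '1.3.6.1.4.1.311.10.3.5.1'  # Windows Hardware Driver Attested Verification
$DriverVerificationOid   = '1.3.6.1.4.1.311.10.3.5'    # Windows Hardware Driver Verification
$PreviewBuildSigningOid  = '1.3.6.1.4.1.311.10.3.27'   # Preview Build Signing (present on the test-signed .sys in the thread)
$WhcpPublisher           = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-EnhancedKeyUsageOids {
    # Returns the OID strings from the certificate's Enhanced Key Usage extension (empty if none).
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertificateChainSubjects {
    # Builds the chain for the signer certificate on this machine and returns each subject, leaf first.
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # keep the check offline-friendly
    [void]$chain.Build($Certificate)
    return @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
}

function Test-AttestedDriverSignature {
    # Reports whether the file's primary signature looks like an attestation-signed result.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $null
        EkuOids         = @()
        Chain           = @()
        Attested        = $false
        Verdict         = ''
    }

    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        $result.Verdict = 'No embedded Authenticode signature found.'
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer  = $cert.Subject
    $result.EkuOids = Get-EnhancedKeyUsageOids -Certificate $cert
    $result.Chain   = Get-CertificateChainSubjects -Certificate $cert

    $hasAttestedEku  = $result.EkuOids -contains $AttestedVerificationOid
    $isWhcpSigner    = $cert.Subject -like "*CN=$WhcpPublisher*"
    $result.Attested = $hasAttestedEku -and $isWhcpSigner

    if ($result.Attested) {
        $result.Verdict = 'Signer is the WHCP publisher and carries Windows Hardware Driver Attested Verification.'
    } elseif ($isWhcpSigner -and ($result.EkuOids -contains $PreviewBuildSigningOid)) {
        # Matches the EKU set posted for the test-signed .sys: Preview Build Signing present,
        # attested verification absent.
        $result.Verdict = 'WHCP signer without the attested-verification EKU; looks like a test-signing result.'
    } elseif ($result.EkuOids -contains $DriverVerificationOid) {
        $result.Verdict = 'Driver-verification EKU present but not the attested variant.'
    } else {
        $result.Verdict = 'Signer does not look like a Microsoft hardware-program signature.'
    }

    if ($sig.Status -ne 'Valid') {
        $result.Verdict += " (signature status: $($sig.Status))"
    }
    return [pscustomobject]$result
}

# Usage (placeholder path; replace with the .sys returned by the portal):
Test-AttestedDriverSignature -Path 'C:\path\to\driver.sys' | Format-List
```

Get-AuthenticodeSignature reports only the file's primary signature, so a binary that carries more than one signature should also be checked with signtool verify /v /kp /all, which lists each signature in turn. The chain subjects in the output come from the certificate stores of the machine running the script, which is worth remembering when the verdict differs between a build box and a test machine.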

Thank you, I knew it had to be something obvious. Yes, the procedure is to leave both “test signing” options blank and then select the OS versions below; this performs an attestation signing, and it is now working fine.