Yet Another Signing Change?? (AKA: Will MSFT *REMOVE* Ability To Sign Win7/8/8.1 Drivers by 2021?)

Have any of you seen this gem yet?

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificate

If I read this correctly, and it’s not entirely clear that I am, it looks to me like Microsoft finally intends to terminate the option to sign drivers using the cross-certificate technique, which today is still quite useful for systems with Secure Boot turned off. But they are not doing so by closing a loophole in new kernels, which would be sensible. Instead, it looks like they are shutting down the entire “Microsoft Code Verification Root” CA, thereby making it impossible to cross-sign driver packages at all.

To me, this looks like yet another example of the Redmond bubble, in which people don’t have to live in the Real World. In the Real World, MANY of us are still writing drivers that have to run on Windows 7, 8, and 8.1, where attestation signing is entirely useless and cross-signing is required.

If I am reading this right, and I invite those with Microsoft contacts to correct me if I’m wrong, then I can only hope that an industry outcry will once again convince them that major policy decisions cannot be made in a bubble.

/shakes head slowly
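For anyone wanting to inventory how much of their shipped driver code actually depends on the cross-signed chain the original post is worried about, here is an added PowerShell check. It is not part of the thread and not OSR or Microsoft code; it assumes `signtool.exe` from the Windows SDK is on PATH (or passed via `-SignTool`), and it keys on the subject strings `Microsoft Code Verification Root` (the cross-certificate root) and `Microsoft Windows Hardware Compatibility Publisher` (the certificate Microsoft-signed packages carry), both of which are assumptions you should confirm against `signtool verify /v /kp` output on a known-good file.

```powershell
# Added example, not from the thread: classify driver binaries by the chain the
# kernel-mode signing policy would build for them, so you can see which files
# still rely on a cross-certificate rooted at "Microsoft Code Verification Root".
function Get-DriverSigningRoot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]] $Path,

        # Assumption: signtool.exe is on PATH; otherwise pass the SDK path explicitly.
        [string] $SignTool = 'signtool.exe',

        # Optional catalog for catalog-signed packages (signtool's /c switch).
        [string] $Catalog
    )
    process {
        foreach ($file in $Path) {
            # /kp selects the kernel-mode driver policy, so the chain signtool prints
            # is the one code integrity would use, including any embedded cross-cert.
            $args = @('verify', '/v', '/kp')
            if ($Catalog) { $args += @('/c', $Catalog) }
            $args += $file

            $out = (& $SignTool @args 2>&1 | Out-String)
            $exit = $LASTEXITCODE

            # Every "Issued to:" line in the verbose output names one chain element.
            $subjects = [regex]::Matches($out, 'Issued to:\s*(.+)') |
                ForEach-Object { $_.Groups[1].Value.Trim() }

            [pscustomobject]@{
                File        = $file
                Verified    = ($exit -eq 0)
                # Assumed subject string for the cross-certificate root.
                CrossSigned = [bool]($subjects -match 'Microsoft Code Verification Root')
                # Assumed subject string for attestation/WHQL-signed packages.
                MsSigned    = [bool]($subjects -match 'Microsoft Windows Hardware Compatibility Publisher')
                Chain       = ($subjects -join ' <- ')
            }
        }
    }
}

# Usage: walk a release tree and list everything that would break if cross-signing
# were no longer accepted, i.e. cross-signed files that are not Microsoft-signed.
# Get-ChildItem C:\release -Recurse -Include *.sys,*.dll |
#     Get-DriverSigningRoot |
#     Where-Object { $_.CrossSigned -and -not $_.MsSigned } |
#     Format-Table File, Verified, Chain -AutoSize
```

`Verified` reflects signtool's exit code on the machine running the check, while `CrossSigned` and `MsSigned` are derived purely from the printed chain, so a file can verify today and still show up as cross-signed only; those are the packages that would need an attestation-signed (or otherwise Microsoft-signed) replacement if the cross-certificate root were retired.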

I read this the same way you do. If we’re reading it right, this could be a “really, really, huge deal”…

I’ve sent an initial inquiry to an MSFT colleague and I’ll post back if/when I have something more definitive to add.

If we’re reading this correctly, we HAVE been successful at getting mistaken policies changed in the past. But, I have to believe that we’re missing something. They CAN’T take away the ability to release new production Win 7 drivers. Or Win 8. Or Win 8.1 – they just CAN’T.

Peter
OSR

[I added to the title of Mr. Roberts’ original post to call more attention to it. If Mr. Roberts objects, I’ll remove the addition.]

Surely they’ll add a checkbox on attestation signing for these operating systems? No way they would flip a switch and all our software products wither on the vine. There have been a lot of bad driver signing policy decisions over the years, but in this case the software and hardware development outfits all over the world have too much money and commitments on the line, and even MS would not stoop this low and hurt its customers and platform this badly. I am waiting for the clarification on this announcement. I expect that, yes, signing will get harder (that’s what they always do), but we’ll be able to do it.

No way they would flip a switch and all our software products wither on the vine.

For Windows 7, 8, and 8.1? I’m not so sure. Big parts of Microsoft want to pretend those systems don’t really exist in the wild.

However, I’ve been contacted by a member of the team that developed the policy, and they’ve asked me for feedback. That’s encouraging, and I’ll let you know what comes of it.

If I read this correctly
Q: Is there a way to run production driver packages without exposing it to Microsoft?
A: No, all production driver packages must be submitted to, and signed by Microsoft.
IMHO it is clear enough…

They have two years to unfuck this.

I predict they’ll just expand attestation signing as Mr. Rourke has suggested. That’ll be OK.

Peter

@“Peter_Viscarola_(OSR)” said:

I predict they’ll just expand attestation signing as Mr. Rourke has suggested.
But attestation signing IS exposing the driver package to MS, isn’t it? And MS will be the only product driver signer from 2021, as the FAQ states. No matter whether it is HLK tests or attestation signing or anything else.

But attestation signing IS exposing driver package to MS, isn’t it?

Sure. But I don’t care about that. Not even a little bit.

And MS will be the only product driver signer from 2021, as the FAQ states

Well, sure. But, again, I don’t care. Attestation signing completely satisfies me for Win10, and – as long as they don’t change any of the rules and will sign without question ANY driver we upload – it will completely satisfy me if they provide it for Win7 and later.

Peter

The point, @SweetLow, is that there are many drivers that don’t fit into WHQL, and attestation signing doesn’t work prior to Windows 10. I haven’t done a lot of WHQL submissions, but every time I have, it has required a multi-week tech support session to get a variance.

Any update on this?

Ah! A necropost. How unusual.

The last I heard on this, my contacts told me that Attestation Signing would be extended to the down-level operating systems. But… I haven’t asked or heard a word on this since perhaps early October.

Peter

@“Peter_Viscarola_(OSR)” said:
Ah! A necropost. How unusual.

A thousand pardons. On the old platform I read NTDEV daily via e-mail digest. On the new platform I find myself thinking “Oh, I’d better go check NTDEV” only once every few months, so my responses tend to lag a bit. I’ll be careful not to do it again.

The last I heard on this, my contacts told me that Attestation Signing would be extended to the down-level operating systems.

Thank you for the info. That seems the most logical solution. I’m glad that’s the way they were leaning.

@“Peter_Viscarola_(OSR)” said:
The last I heard on this, my contacts told me that Attestation Signing would be extended to the down-level operating systems.

That would be really useful so we don’t have to juggle with the confusion of releasing two sets of driver binaries like today. I wish they would just do this now rather than later so the benefits can start right away.
