EV code sign certificate

Hello,

Currently I’m using DigiCert’s dongle to sign a Win10 driver.
After this stage, the driver is signed again by Microsoft by uploading the cab file to the Azure account.

I heard that starting from 2021, DigiCert (or any other 3rd party) will not be part of this process.

Can you confirm this?

Thank you,
Zvika

That’s news to me. That does not sound correct… but anything is possible these days with driver signing.

Peter

The only part any cert providers will play anymore is to sell you an EV
cert. What has changed is that MSFT is dropping support for third party
root certs, so DigiCert won’t be able to sell you a standard (non-EV)
kernel mode code signing cert, as it won’t work.

Mark Roddy

It can sell them, but NEITHER will work for signing drivers directly from
a certain Win10 build.

If EV cert RENEWALs are required, they would only be a bloody expense!

There is ZERO real checking done to verify an entity.
I have personally been involved in getting EVs for several companies. It
is as if I ordered a KitKat and had to wait a few days for it.

It is a plain money grab.

OK, here is what I know.

Today, you do not need to sign your drivers at all in order to get them attestation signed. You must sign the cabinet file, in order to prove to Microsoft that you have the authority to submit drivers to that dashboard account. None of that will change. You will still need an EV cert to create your dashboard account, and you will need to sign your package with a cert that matches one in your account.

Here’s what’s changing. Today, you can use your EV cert to sign your own drivers, doing cross-signing like we’ve always done, without involving Microsoft. Such a package works (and, indeed is required) on systems older than Windows 10, and it even works on Windows 10 as long as “secure boot” is turned off in the BIOS. That whole mechanism is supposedly going away.

I have STILL not heard anyone say how we are supposed to release drivers for older systems. Microsoft might not like it, but Windows 7 and 8.1 are still very much in the mainstream today. Without cross-signing, it won’t be possible to create workable drivers on the older systems. The antitrust implications of that are disturbing, and I honestly thought that’s the aspect that would force this to go away.

And, frankly, I’m not sure how we WOULD learn. I’m not aware of any “official” channel for releasing critical notifications like this.

Yup, it is really just a development tax.

Mark Roddy

If I understood correctly, the cross-signing will just not work
starting with some build of Windows 10.
You can still cross-sign them for earlier versions, but HAVE to at
least attestation sign them for the 2021 build of Windows 10 (whatever
that build gets called/numbered).

That still won’t run on Secure Boot, I think? I.e. attestation signed
drivers don’t work on Secure Boot systems already, right?

> I have STILL not heard anyone say how we are supposed to release drivers for
> older systems. Microsoft might not like it, but Windows 7 and 8.1 are still
> very much in the mainstream today. Without cross-signing, it won’t be
> possible to create workable drivers on the older systems. The antitrust
> implications of that are disturbing, and I honestly thought that’s the
> aspect that would force this to go away.
>
> And, frankly, I’m not sure how we WOULD learn. I’m not aware of any
> “official” channel for releasing critical notifications like this.

Hi All,
Thank you very much!
Zvika

What DigiCert told me is that cross signing certs will start expiring in
2021 and will not be renewed. I have no idea how drivers will get signed
outside of WHQL for Win7/8/8.1.

Mark Roddy

@Dejan_Maksimovic … yes, attestation signing works on secure boot.

Peter

Dejan, what the announcement said is they are shutting down the entire infrastructure for doing cross-signing. Not just that Windows won’t accept the drivers, but that it will be impossible to DO the signing. That’s a big problem.

That’ll teach me to “remember”…