Driver Signing options for an independent developer

Probably this shouldn’t be in this category as the question is not really related to problems in developing the driver, but rather in releasing it.
So I’m an individual developer (with not so much experience, especially in kernel development; I’m just 20 years old) who wants to release an app that takes advantage of my own keyboard filter driver. The driver is almost done and what remains to be developed is the app. I need to sign it so users can install it without putting their system in testsigning mode. The driver will be installed by the installer of the application that takes advantage of it (like VirtualBox installs its drivers when you install VirtualBox). Reading other topics and driver signing guides from this forum, I understood that I need to sign my driver with an EV code signing certificate, as any other certificate won’t work for a kernel driver. Are there any alternatives to the expensive 300$ EV certificates? Both the driver and the app would be launched as open source, so I wouldn’t make any profit from them and I do not really want to spend much money on this project. I would spend 100-150$ on a certificate if I have no other options, but 300$+ seems too much for me. Certum has a cheap certificate for open-source projects (50 EUR for the cloud version), but I do not think that’s gonna work for a driver. I see that GoDaddy has a ~180$ “Driver Signing Certificate”, but the description says “Required for all Microsoft® hardware drivers on Windows Vista® and Windows 7” and nothing about Windows 10; is it gonna work for a Windows 10 driver too? Are there any other affordable alternatives for an independent developer who wants to launch an open-source project?

No, there is no alternative. You are correct that the GoDaddy certificate will not work for Windows 10. For Windows 10, your driver must be signed by Microsoft itself. In order to do that, you have to create a Hardware Dashboard account. To do THAT, you need an EV certificate. To do THAT, you have to be a corporation. Individuals cannot get one.

An open source driver would usually be released in source form. That doesn’t need a certificate, of course. The people who want to build and use your driver would either need their own certificate, or to put their system in “test” mode.

Microsoft is not interested in hobbyist drivers. Drivers significantly impact system stability and security. They want drivers done by professionals.

FYI last time libusb-win32 and libusbk developer Travis Robinson was able to get a 3-year DigiCert High Assurance EV SHA1 cert in 2014 to sign the driver. Money was donated by the community (through libusb-win32 mailing list and libusb mailing list). Now it may be more difficult.

Since we have no new release of libusb0.sys (last release was in 2012) and libusbk.sys (last release was in 2014), we are not worried about kernel driver signing now (the cert expired in 2017). We are now encouraging users to move to WinUSB even though there are still users who want to use the two drivers.
Ref: https://github.com/libusb/libusb/issues/741

Since the two drivers (libusb0.sys and libusbk.sys) were signed with a valid certificate before the Windows 10 release, they are still working fine in Windows 10. For driver package (with inf) installation, there is a work-around. You can use libwdi/Zadig to install the driver packages.
Ref: https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

Other options:

  1. Find another developer who has a valid certificate and is willing to help sign the driver for you.
  2. Register as a company and buy the EV certificate. As for the money, you can try to collect it through donations. Back in 2014, we got enough donations to buy a 3-year DigiCert EV certificate for US$535.

@Tim_Roberts said:
An open source driver would usually be released in source form. That doesn’t need a certificate, of course. The people who want to build and use your driver would either need their own certificate, or to put their system in “test” mode.
Target user of the app wouldn’t only be developers and tech savvy users so the app install experience should be the classic “next, next, install, finish”.

@Xiaofan_Chen said:
For driver package (with inf) installation, there is a work-around. You can use libwdi/Zadig to install the driver packages.
Ref: https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

But would Microsoft see it as trusted for kernel mode? I thought the “extended validation” meaning of the ‘EV’ certificate is that it has a second validation step (which a standard certificate, like a self-signed one or a normal code signing certificate, wouldn’t pass). My driver would be installed as an upperfilter class driver, which from what I saw on this forum isn’t really possible with an .inf file because .inf can’t edit a REG_MULTI_SZ record (a workaround I can think of, though, is to install the driver with the .inf and then have the app installer modify the registry). If this method works (the installer adding the self-signed certificate to the trusted certificates list), I’m down to go with this one.

@Xiaofan_Chen said:
Other options:

  1. Find another developer who has the valid certificate who is willing to help to sign the driver for you.
    Taking into account what I said below (registering a company myself)
  2. Register as a company and buy the EV certificate. For money you can try to collect through donation. Back in 2014, we got enough donation to buy a 3-year DigiCert EV certification for US$535.

Even ignoring the extra cost of registering a company, I would have to make sure that the company is within the law (e.g. in profit reporting; I’m not even sure if I can register a company in IT, as in my country you need to be a professional in the domain you want to open the company in, and I’m still a student, I haven’t finished my bachelor’s degree yet), which would probably require paying a lawyer/accountant at least once per year to make sure everything is ok. This is the option I would least like to go with.

I understand it is not easy to get an EV certificate. And as Tim mentioned, Microsoft is not interested in hobbyist drivers. So you can always leave it in source format if it is difficult for you to go through the hassle.

I think for the libwdi method to work, the driver file (.sys) needs to be properly signed first with an EV certificate. So it does not apply to your case as you do need an inf file and your driver (.sys file) is not yet signed.


libwdi still works under the latest version of Windows 10.
Ref for old discussion: https://community.osr.com/discussion/271918/libwdi-and-windows-10

You can try the methodology as well by generating a test certificate on the fly. My take is that it may not work if your .sys driver is not signed. But no harm trying.

@Xiaofan_Chen said:
I understand it is not easy to get an EV certificate. And as Tim mentioned that Microsoft is not interested in hobbyist drivers. So you can always leave it in the source format if it is difficult for you to go through the hassle.

I think for the libwdi method to work, the driver file (.sys) needs to be properly signed first with an EV certificate. So it does not apply to your case as you do need an inf file and your driver (.sys file) is not yet signed.

I tried to add the test-signed certificate generated by VS to the Root and Trusted Publishers directory and yes, indeed, the driver failed to start because of an invalid certificate. As I said, publishing the driver source code or an unsigned version of it wouldn’t be an option, as the user would have to put his computer in testsigning mode. Creating a company just for this and paying a lot of money not only for the EV certificate but also for creating the company isn’t worth it.
I think I’ll go with: first, finishing the driver and the app so they are ready for production; second, when they’re ready for production I’m gonna try to find someone with an EV certificate who would like to sign my driver with his certificate (for a fee), or try to find someone with a business who would want to buy the certificate for me and I’m gonna pay for it.
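The experiment above (a test certificate placed in Root and Trusted Publishers, driver still refused) can be checked from the installer side before anything is copied into the system. The following PowerShell script is an added example and not code from this thread; the driver path and the filter service name are placeholders, and the keyboard setup class GUID is the standard one. It reports the driver’s Authenticode status and signer chain, flags signers that Windows 10 will not accept for kernel mode, and reads the keyboard class UpperFilters value (a REG_MULTI_SZ) that the filter would be registered in.

```powershell
# Added example (not from the thread): inspect a kernel driver's Authenticode
# signature and the keyboard-class UpperFilters value before installing it.
param(
    [Parameter(Mandatory = $true)][string]$DriverPath,   # placeholder, e.g. C:\pkg\mykbfilter.sys
    [string]$FilterServiceName = 'mykbfilter'             # hypothetical filter service name
)

# Keyboard device setup class; class upper filters are registered on this key.
$KeyboardClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'

function Test-DriverSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        Status     = $sig.Status        # Valid, NotSigned, UnknownError, ...
        Signer     = $null
        Chain      = @()
        MsAttested = $false
    }
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        $result.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Drivers released through the Hardware Dev Center carry this signer;
        # a self-signed or ordinary code-signing signer is not enough for Windows 10.
        $result.MsAttested = $result.Signer -like '*Microsoft Windows Hardware Compatibility Publisher*'
    }
    [pscustomobject]$result
}

function Get-KeyboardUpperFilters {
    # UpperFilters is REG_MULTI_SZ; returned as an array, empty if the value is absent.
    $v = Get-ItemProperty -Path $KeyboardClassKey -Name 'UpperFilters' -ErrorAction SilentlyContinue
    if ($v) { @($v.UpperFilters) } else { @() }
}

$report = Test-DriverSignature -Path $DriverPath
$report | Format-List

if ($report.Status -ne 'Valid') {
    Write-Warning "Signature status is $($report.Status): Windows 10 will not load this driver outside testsigning mode."
} elseif (-not $report.MsAttested) {
    Write-Warning "Signed, but not by the Microsoft hardware publisher; expect a load failure on Windows 10 unless it was cross-signed before Windows 10 shipped (the libusb0.sys case above)."
}

$filters = Get-KeyboardUpperFilters
Write-Host ("Current keyboard UpperFilters: " + ($filters -join ', '))
if ($filters -contains $FilterServiceName) {
    Write-Host "$FilterServiceName is already registered as a keyboard class upper filter."
}
```

Run it from an elevated prompt so the class key is readable; a test certificate in Root only makes Status report Valid, it does not change the signer check.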

… try to find someone with a business which would want to buy the certificate for me and I’m gonna pay for it.

As a young and idealistic student ;), I don’t think you appreciate what you’re asking here. There are legal implications that would make such a tactic extremely unwise.

An EV certificate is a legal statement by a certificate provider saying “I have verified through multiple mechanisms that the company named in this certificate is who they say they are, and that the holder of this certificate is authorized to act on behalf of the company.” I don’t think you’ll find a company who is willing to authorize you to act on their behalf.

As I mentioned, you use that certificate to open a hardware dashboard account with Microsoft. Opening that account requires you to sign a number of legal documents on behalf of the company, such as codes of conduct and authorizations. Unless you are an employee, you could not in good faith sign most of those documents.

It’s an ugly situation, and it makes Linux look more and more appealing.


Any ideas how easy it is to register a company remotely?
A good bunch of companies get EVs that way.

Creating a company just for this and pay a lot of money not only for the EV certificate but also for creating the company isn’t worth it.

Well, personally I am more afraid of the extra paperwork and bureaucracy required to manage such a company. Actually, I have not created a company yet exactly for these reasons. I need to study the subject more.

as in my country you need to be a professional in the domain you want to open the company and I’m still a student

It depends how “being a professional in the domain” is defined. In certain domains, you definitely need to pass some “examination”, but there are plenty of domains (most IT stuff included) where you just pay a fee and become a professional (for the law at least). The fact that you are a student is not a problem. At least, in my country.

In 2011, as a young and idealistic student, I acquired my code signing certificate (from Symantec). Since I knew nothing about notarized letters at the international level at that time, I had a really hard time going through the verification process (which was quite rigorous although I was just an individual; I have never experienced something like that when requesting a non-EV code signing certificate from other CAs). IIRC I succeeded on my second attempt…

To sum it up, money was just a minor issue :-).

On Mon, Sep 7, 2020 at 8:15 PM rumble06
wrote:
> I think I’ll go with: first, finishing the driver and the app so they are ready for production; second, when they’re ready for production I’m gonna try to find someone with an EV certificate that would like to sign my driver with his certificate (for a fee) either try to find someone with a business which would want to buy the certificate for me and I’m gonna pay for it.

Yes it is more important to finish the driver first.
As for finding someone with an EV Certificate to sign your driver, it
will depend on how useful your driver is and how you interact with the
community. No harm trying.

Create a github repo, set up a mailing list, build up the community,
and then probably there will be someone who has an interest in the
driver and then helps sign the driver. For example, the initial
signed libusb-win32 kernel driver libusb0.sys was not signed by the
developer (Travis) but by another developer who trusted us. Later
Travis got a GlobalSign signing certificate, when it was still open to
personal developers, to sign the final release of libusb0.sys (back in
2012).

Last time, there were a few organizations who would help on signing
open source windows drivers for free (they would get the source, build
the binary themselves, and then sign the driver). But it seems to me
those efforts have disappeared after the Windows 10 requirements.

Ref:
1) Driver Signing by ReactOS Foundation
https://reactos.org/wiki/Driver_Signing
2) signed-drivers project
https://sourceforge.net/projects/signed-drivers/

@Tim_Roberts said:

… try to find someone with a business which would want to buy the certificate for me and I’m gonna pay for it.

As a young and idealistic student ;), I don’t think you appreciate what you’re asking here. There are legal implications that would make such a tactic extremely unwise.

An EV certificate is a legal statement by a certificate provider saying “I have verified through multiple mechanisms that the company named in this certificate is who they say they are, and that the holder of this certificate is authorized to act on behalf of the company.” I don’t think you’ll find a company who is willing to authorize you to act on their behalf.

As I mentioned, you use that certificate to open a hardware dashboard account with Microsoft. Opening that account requires you to sign a number of legal documents on behalf of the company, such as a codes of conduct and authorizations. Unless you are an employee, you could not in good faith sign most of those documents.

It’s an ugly situation, and it makes Linux look more and more appealing.

I know it won’t be easy, and my idea wasn’t for me to register the Microsoft account or for me to have access to the certificate. My idea was that the company would buy it, take the source code of my driver, build it themselves and release it/give the signed file to me so I can release it. But you’re right, even that would probably be hard.

@“Martin_Dráb” said:

Well, personally I am more afraid of the extra paperwork and bureaucracy required to manage such a company. Actually, I have not created a company yet exactly for these reasons. I need to study the subject more.

I’m in the same situation, even if I can wait 2-3 months until I have enough money for both the certificate and registering a company, I know nothing about companies and bureaucracy.

It depends how “being a professional in the domain” is defined. In certain domains, you definitely need to pass some “examination”, but there are plenty of domains (most IT stuff included) where you just pay a fee and become a professional (for the law at least). The fact that you are a student is not a problem. At least, in my country.

Either by having a bachelor’s degree in that domain (for which I still have to wait 2 more years) or by finishing a “recognized” lessons program (which usually costs a lot).

@Xiaofan_Chen said:
On Mon, Sep 7, 2020 at 8:15 PM rumble06
wrote:
Yes it is more important to finish the driver first.
As for finding someone with an EV Certificate to sign your driver, it
will depend on how useful your driver is and how you interact with the
community. No harm trying.

Create a github repo, set up a mailing list, build up the community,
and then probably there will be someone who has an interest in the
driver and then helps sign the driver. For example, the initial
signed libusb-win32 kernel driver libusb0.sys was not signed by the
developer (Travis) but by another developer who trusted us. Later
Travis got a GlobalSign signing certificate, when it was still open to
personal developers, to sign the final release of libusb0.sys (back in
2012).

Last time, there were a few organizations who would help on signing
open source windows drivers for free (they would get the source, build
the binary themselves, and then sign the driver). But it seems to me
those efforts have disappeared after the Windows 10 requirements.

Ref:

  1. Driver Signing by ReactOS Foundation
    https://reactos.org/wiki/Driver_Signing
  2. signed-drivers project
    https://sourceforge.net/projects/signed-drivers/

I’m not sure if people would use it or find it as interesting as I find it, but I hope so. Pretty much, the driver and the app (or API, if someone wants to build a better app than mine but with the same driver) would allow setting up per-keyboard macros. I tried to do something similar using the Windows API without going to the kernel, but that’s not really possible in Windows (with raw input you can’t cancel or modify inputs but you can see which keyboard they come from, and with the WH_KEYBOARD_LL hook you can cancel the key press but you can’t see which keyboard it comes from, and the WH_KEYBOARD_LL event comes before the raw input, so I can’t use both of them to achieve a solution without using the kernel). There is already a similar driver on the market (called Interception), but the driver is closed-source and once you have 10 devices plugged into the computer it would forcefully fail the connection of every device plugged in after that (my keyboard alone creates 3 devices inside Device Manager), so that is not an option. My idea is to launch it as open source so that anyone who is interested in it and more experienced than me can improve it or take advantage of it. I found out about Interception from Taran (a linustechtips employee); he has like 2-3 videos on Linus’s channel talking about this problem and how he didn’t find a GOOD solution yet, and I’m trying to fill this gap and help the community. So I hope it’ll be interesting enough that I can get someone to build the project from the source and sign it with their own certificate.

Sounds interesting. Based on your description, I think your driver
will attract some users and someone may get interested to help you.

Wish you all the best for your driver development journey.

Windows driver development is a niche. Open Source Windows driver
development by independent developers is even more of a niche. So I
think you should be encouraged rather than getting discouraged.

On Wed, Sep 9, 2020 at 5:41 AM rumble06
osr+d292357-s6030753@vanillacommunity.email wrote:

I’m not sure if people would use it or find it as interesting as I find it, but I hope so. Pretty much, the driver and the app (or API, if someone wants to build a better app than mine but with the same driver) would allow setting up per-keyboard macros. I tried to do something similar using the Windows API without going to the kernel, but that’s not really possible in Windows (with raw input you can’t cancel or modify inputs but you can see which keyboard they come from, and with the WH_KEYBOARD_LL hook you can cancel the key press but you can’t see which keyboard it comes from, and the WH_KEYBOARD_LL event comes before the raw input, so I can’t use both of them to achieve a solution without using the kernel). There is already a similar driver on the market (called Interception), but the driver is closed-source and once you have 10 devices plugged into the computer it would forcefully fail the connection of every device plugged in after that (my keyboard alone creates 3 devices inside Device Manager), so that is not an option. My idea is to launch it as open source so that anyone who is interested in it and more experienced than me can improve it or take advantage of it. I found out about Interception from Taran (a linustechtips employee); he has like 2-3 videos on Linus’s channel talking about this problem and how he didn’t find a GOOD solution yet, and I’m trying to fill this gap and help the community. So I hope it’ll be interesting enough that I can get someone to build the project from the source and sign it with their own certificate.
