Question regarding Deprecation of Software Publisher Certificates?

@henrik_meida said:
One thing I forgot to ask: do you think that if we get a DUNs number that will count as our verification, and basically complete the whole verification process with Entrust? Because currently we are in the process of getting one, and we are not sure if we should wait until we get it, then proceed with the purchase or not. Any thoughts?

Unfortunately, I don’t know all the details; I’ve caught just a few glimpses. I’ve not been involved in the process of either buying the certificate or verifying the company. My task is a purely technical one: to make certain our tools work with the certificate when we finally get it.

I recommend you contact Entrust and check with them. From what I’ve seen in our internal emails, they are quite helpful.

Having just gone through this with Entrust, all I needed was 1) a registered corporation of any sort (e.g. an LLC) 2) a registered domain that could be verified as owned by said LLC.

Mark Roddy

@Tim_Roberts said:
EV is only a requirement for creating a Hardware Dashboard account.

Are you saying if one has a dashboard account there is no need to buy EV certs anymore because one can submit drivers for attestation using just a cheap, easy to get code signing certificate from then on? Are you absolutely certain of this?

@Rourke said:
Are you saying if one has a dashboard account there is no need to buy EV certs anymore because one can submit drivers for attestation using just a cheap, easy to get code signing certificate from then on? Are you absolutely certain of this?

You need to have an active EV certificate to keep using the dashboard services. As soon as it expires, you are automatically blocked from sending any submissions, until you attach a new active EV certificate to your account.

I’m not sure if you can use any other certificate for signing your submission packages (I know you can do it for drivers). But even if you can, it’s just a question of convenience (hardware EV token versus PFX files). You cannot save money/effort on that.

Yes, you need a current EV cert to maintain the dashboard account, as CaptainFlint said. You can use ANY certificate to sign your submissions, as long as you have registered the certificate with the dashboard account.

@Mark_Roddy said:
Having just gone through this with Entrust, all I needed was 1) a registered corporation of any sort (e.g. an LLC) 2) a registered domain that could be verified as owned by said LLC.

Mark Roddy

Hi Mark, thank you for sharing,

I have two questions and would be grateful if you can answer:

  1. Can you post the cert chain for us when you cross-sign a driver with it, so we can see if it in fact chains up to the G2 CA (that expires beyond 2022)? Or can you check it yourself and let us know? (signtool verify /v /kp <mydriver.sys>)

  2. What documents with regards to our company/employees do we need to prepare to send Entrust? We first wanted to get a DUNs number before purchasing the EV, but that is too complicated on its own, so I think we might go for it before getting a DUNs. The problem is that our company doesn’t have an online presence right now (no website or anything). Do you think we need to prepare a website and a mail server using our own domain and send them the email with our own domain instead of using Gmail, for example?

@henrik_meida Haven’t we had this discussion before? Talk with the CA. They are the only ones who can definitively tell you what they’ll accept.

Peter

OK, finally we’ve managed to get the new certificate. As promised, here are the details.

First, I was mightily surprised to see that they sent us the cert not on a token, but as a set of private/public key files. I thought EV was supposed to run only from a non-exportable token. Apparently, there is no such requirement. (And, yes, according to the certificate policy OIDs 2.23.140.1.3 and 2.16.840.1.114028.10.1.2, this is an EV; and it was accepted by the MS Dashboard, although I have not sent any submission yet.)

Second, and more important, the cross-certificate is, indeed, valid and active till 2025. They even attached this cross-certificate file in the archive they’ve sent us, and it’s completely identical to the one we can download from the MS site. I’ve tried signing some PNP driver and its catalog file, and installed it into Windows 7. Upon installation I’ve got a red warning about an untrusted signature (apparently, because Entrust wasn’t present in my root CA storage), but after confirming, installation finished successfully, and the driver was loaded by the kernel. Just in case, I also tried signing the driver+CAT without a cross-certificate, and, as expected, the kernel refused to load the driver.

Here is the output of signtool verify /kp /v driver.sys (I edited out our company name and the leaf certificate’s thumbprint):

    Signing Certificate Chain:
        Issued to: Entrust Root Certification Authority - G2
        Issued by: Entrust Root Certification Authority - G2
        Expires:   Sat Dec 07 20:55:54 2030
        SHA1 hash: 8CF427FD790C3AD166068DE81E57EFBB932272D4

        Issued to: Entrust Extended Validation Code Signing CA - EVCS1
        Issued by: Entrust Root Certification Authority - G2
        Expires:   Sun Nov 10 17:12:49 2030
        SHA1 hash: 64B8F1EDEF40D7D28602B6B9171AFF114E12A646

        Issued to: [COMPANY NAME REDACTED]
        Issued by: Entrust Extended Validation Code Signing CA - EVCS1
        Expires:   Tue Apr 23 19:07:18 2024
        SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    The signature is timestamped: Fri Apr 23 21:11:05 2021
    Timestamp Verified by:
        Issued to: DigiCert Assured ID Root CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Mon Nov 10 03:00:00 2031
        SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 15:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

        Issued to: DigiCert Timestamp 2021
        Issued by: DigiCert SHA2 Assured ID Timestamping CA
        Expires:   Mon Jan 06 03:00:00 2031
        SHA1 hash: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3

    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 16:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: Entrust Root Certification Authority - G2
        Issued by: Microsoft Code Verification Root
        Expires:   Mon Jul 07 23:55:49 2025
        SHA1 hash: D8FC248748585E173EFBFB3075C4B4D60F9D8D08

        Issued to: Entrust Extended Validation Code Signing CA - EVCS1
        Issued by: Entrust Root Certification Authority - G2
        Expires:   Sun Nov 10 17:12:49 2030
        SHA1 hash: 64B8F1EDEF40D7D28602B6B9171AFF114E12A646

        Issued to: [COMPANY NAME REDACTED]
        Issued by: Entrust Extended Validation Code Signing CA - EVCS1
        Expires:   Tue Apr 23 19:07:18 2024
        SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Of course, by now we know that we cannot use cross-signing after July 1 for public distribution, and that a few interesting workarounds have been found for loading drivers on the older systems. But still, it’s good to know that the Entrust certificate works fine. At the very least it gives us a couple more months of standard cross-signing.
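Added here as an editor's example, not code from anyone in this thread: a small Python parser for the signtool verify /kp /v output in the layout shown above, which mechanically answers the earlier question of whether the cross-certificate chain is rooted in the Microsoft Code Verification Root and how long it stays valid. The embedded sample is a constructed, shortened excerpt with a placeholder subject name and thumbprint.

```python
import re
from datetime import datetime

# Constructed, shortened excerpt in signtool verify /kp /v layout (placeholder subject and thumbprint).
SAMPLE_OUTPUT = """\
Signing Certificate Chain:
    Issued to: Example Corp
    Issued by: Entrust Extended Validation Code Signing CA - EVCS1
    Expires:   Tue Apr 23 19:07:18 2024
    SHA1 hash: 0000000000000000000000000000000000000000

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 16:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Entrust Root Certification Authority - G2
    Issued by: Microsoft Code Verification Root
    Expires:   Mon Jul 07 23:55:49 2025
    SHA1 hash: D8FC248748585E173EFBFB3075C4B4D60F9D8D08
"""
SECTION_RE = re.compile(r"^\s*(Signing Certificate Chain|Cross Certificate Chain|Timestamp Verified by):")
FIELD_RE = re.compile(r"^\s+(Issued to|Issued by|Expires|SHA1 hash):\s*(.*)$")

def parse_chains(text):
    """Group the certificates printed under each chain heading into a list of field dicts."""
    chains, section, cert = {}, None, {}
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            chains[(section := m.group(1))] = []
        elif (m := FIELD_RE.match(line)) and section:
            cert[m.group(1)] = m.group(2).strip()
            if m.group(1) == "SHA1 hash":  # signtool prints the hash last for each certificate
                chains[section].append(cert)
                cert = {}
    return chains

def chain_valid_until(chain):  # a chain is usable only until its earliest-expiring member
    return min(datetime.strptime(c["Expires"], "%a %b %d %H:%M:%S %Y") for c in chain)

def cross_signing_ok(text, when):
    """True if a cross chain rooted in Microsoft Code Verification Root is still valid on ISO date `when`."""
    chain = parse_chains(text).get("Cross Certificate Chain", [])
    rooted = bool(chain) and chain[0]["Issued to"] == "Microsoft Code Verification Root"
    return rooted and chain_valid_until(chain) > datetime.fromisoformat(when)

if __name__ == "__main__":
    print(cross_signing_ok(SAMPLE_OUTPUT, "2022-07-01"), chain_valid_until(parse_chains(SAMPLE_OUTPUT)["Cross Certificate Chain"]))
```

Feed it the real output of signtool (for example via subprocess or a saved log) instead of SAMPLE_OUTPUT to check your own package; the first certificate under each heading is the root of that chain.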

THANK you, CaptainFlint.

I definitely appreciate you taking the time to follow-up and let us know the ultimate outcome of your “certificate journey.”

Peter

Curious; that driver package, with that certificate chain, should NOT have given you the red warning box on Windows 7, assuming you have the SHA2 update. The fact that you have the Microsoft Code Verification Root should have been enough.

The user-mode installer does not check the cross-certificate chain. All it sees is the Entrust root certificate. And since it’s not in the trusted CA store, a warning is displayed. I would say, that’s totally expected behavior.

Did you have an EV cert on the dashboard already?

and it was accepted by the MS Dashboard, although I have not sent any

@Dejan_Maksimovic
We did have a certificate and used it for sending Attestation and WHQL submissions, but it expired a few weeks ago. So during this time there wasn’t any valid certificate assigned to our Dashboard account. Now the new Entrust certificate arrived, and I’ve added it to the account, and it was accepted. I mentioned it just to confirm that Entrust EV certificate is good enough for MS Dashboard. (And also, since my last comment I’ve already tried submitting a simple HLKX package, and it worked fine too.)

@CaptainFlint said:
@Dejan_Maksimovic
We did have a certificate and used it for sending Attestation and WHQL submissions, but it expired a few weeks ago. So during this time there wasn’t any valid certificate assigned to our Dashboard account. Now the new Entrust certificate arrived, and I’ve added it to the account, and it was accepted. I mentioned it just to confirm that Entrust EV certificate is good enough for MS Dashboard. (And also, since my last comment I’ve already tried submitting a simple HLKX package, and it worked fine too.)

Hi Flint, thank you for sharing

I have not used the MS dashboard yet, but I’m curious: how long does it usually take for my .sys driver to get attestation-signed by Microsoft? Can we even submit .sys files?

I heard that the first submission to an account usually takes 1-2 days, but the rest of them will only take 1-2 hours. Is this true? Because I wonder if they are actually manually analyzing drivers or if it’s all automatic.

Thread drift.

You submit a “driver package” which includes the .sys file. It takes 20 minutes or so, assuming the package is properly formatted, first time and every time.

Peter

@david_mk85 said:
I heard that the first submission to an account usually takes 1-2 days, but the rest of them will only take 1-2 hours. Is this true? Because I wonder if they are actually manually analyzing drivers or if it’s all automatic.

I have not experienced this 1-2 days processing. However, it’s been a while since I started working with it. I don’t remember much of those days, and I’m not sure if I was the first in our company to send an attestation submission. Besides, back then even the Dashboard was completely different. As for the non-first submissions, I can only confirm what Peter said: indeed, it takes about 20 minutes (at least for the packages that I’ve dealt with so far). It’s fully automatic.

Thanks, I wanted to make sure that you differentiate: the dashboard accepting the cert does not guarantee it is an EV cert. But if it is the only valid one, then it does.

Regards, Dejan.

Well, you need an EV cert to create and maintain the account, but you can register other certs (EV or non-EV) in your dashboard account. Your submissions have to be signed with any one of the registered certs.

Exactly why I asked.

I have been out of the driver world for a long while until now. Our code signing certificate is about to expire and I read all about the new process. I work for a company where I cannot just upload a driver package to be signed at the Hardware Dev Center. Anyone in the same situation? Are there exceptions?