Question regarding Deprecation of Software Publisher Certificates?

@Dejan_Maksimovic
We did have a certificate and used it for sending Attestation and WHQL submissions, but it expired a few weeks ago. So during this time there wasn’t any valid certificate assigned to our Dashboard account. Now the new Entrust certificate arrived, and I’ve added it to the account, and it was accepted. I mentioned it just to confirm that Entrust EV certificate is good enough for MS Dashboard. (And also, since my last comment I’ve already tried submitting a simple HLKX package, and it worked fine too.)

@CaptainFlint said:
@Dejan_Maksimovic
We did have a certificate and used it for sending Attestation and WHQL submissions, but it expired a few weeks ago. So during this time there wasn’t any valid certificate assigned to our Dashboard account. Now the new Entrust certificate arrived, and I’ve added it to the account, and it was accepted. I mentioned it just to confirm that Entrust EV certificate is good enough for MS Dashboard. (And also, since my last comment I’ve already tried submitting a simple HLKX package, and it worked fine too.)

Hi Flint, thank you for sharing.

I have not used the MS dashboard yet, but I’m curious, how long does it usually take for my .sys driver to get attestation signed by Microsoft? Can we even submit .sys files?

I heard that the first submission to account usually takes 1-2 days, but the rest of them will only take 1-2 hours, is this true? Because I wonder if they are actually manually analyzing drivers or it’s all automatic?

Thread drift.

You submit a “driver package” which includes the .sys file — It takes 20 minutes or so, assuming the package is properly formatted, first time and every time.

Peter

@david_mk85 said:
I heard that the first submission to account usually takes 1-2 days, but the rest of them will only take 1-2 hours, is this true? Because I wonder if they are actually manually analyzing drivers or it’s all automatic?

I have not experienced this 1-2 days processing. However, it’s been a while since I started working with it. I don’t remember much of those days, and I’m not sure if I was the first in our company to send an attestation submission. Besides, back then even the Dashboard was completely different. As for the non-first submissions, I can only confirm what Peter said: indeed, it takes about 20 minutes (at least for the packages that I’ve dealt with so far). It’s fully automatic.

Thanks, I wanted to make sure that you differentiate the dashboard
accepting the cert does not guarantee it is an EV cert. But if it is the
only valid one, then it does.

Regards, Dejan.

Well, you need an EV cert to create and maintain the account, but you can register other certs (EV or non-EV) in your dashboard account. Your submissions have to be signed with any one of the registered certs.

Exactly why I asked.

I have been out of the driver world for a long while until now. Our code signing certificate is about to expire and I read all about the new process. I work for a company where I cannot just upload a driver package to be signed at the Hardware Dev Center. Anyone in the same situation? Are there exceptions?

I’ve never seen an exception made, except for drivers at Microsoft that are part of the build, of course. Never.

ETA: And you’re necroposting.

Peter

@Rony
The official position of Microsoft is simple: the only way to load the newly built drivers on Windows (apart from test signing mode, or disabling signature enforcing on boot) is to make it signed by Microsoft. Full stop.

Although I’ve seen some companies still releasing cross-signed drivers; but I have no idea if they are unknowingly (or maybe deliberately) violating the MS regulations, or they’ve been granted an exclusive deal.

I work for a company where I cannot just upload a driver package to be signed at the Hardware Dev Center.

SOMEBODY must have the keys to that closet. If you’re doing drivers, you ought to be able to access that person. Indeed, it’s easy on the Hardware Dev Center for your administrator to create a sub-account for your use, that won’t interfere with other users.

Well, nothing on that web site is easy, but it’s possible.

Okay thanks everyone I guess I need to find who can help me here :slight_smile: .

Was I not using the correct thread? Seemed applicable.

Was I not using the correct thread? Seemed applicable.

Well, this is a community philosophy thing. Your question was a new question. It did not add anything to nor answer any questions in the existing dead thread. Thus, it should have been asked AS a new question, and not by resurrecting the old thread.

Except for the fact that you’re breaking the rules by necroposting, I don’t think it matters.

There’s nobody here who can grant you special dispensation to NOT require an EV cert. In fact, I personally do not believe that there is anybody who can grant you a Dashboard account without an EV Cert AT ALL.

You just need to find the right guy at your company who’ll sign-off on the docs, get the Cert issued, sign-up for the dashboard account, and be done with it. If defense contractors and enormous multi-national corporations can figure this out, and small consultancies world-wide can figure this out, then I’m sure you can figure it out as well.

Peter

@Tim_Roberts and @“Peter_Viscarola_(OSR)” thanks for your input.

Just to clarify for next time. I did a search, found this thread and posted. Where do you check that the thread is closed?

You check by posting and having Peter yell at you for necroposting.

Mark Roddy

Huh… I had to organize the Dashboard access for one of my previous
employers/contractees.

If you can pay, out of your pocket, to get a new cert, and a whole new
account - do it!!! Honestly. An hour or so, most of which is waiting.
Sorting existing access, if the Azure admin in the company/org does not
know the ins and outs already, can take weeks! Actual work weeks, as in man
hours!

And we had pretty expensive MS support to help on the way :slight_smile:

Kind regards, Dejan.
https://www.alfasp.com

SOMEBODY must have the keys to that closet. If you’re doing drivers, you

If you can pay, out of your pocket, to get a new cert, and a whole new account - do it!!!

In the corporate world, such a path is fraught with danger. When you create an account, you are certifying that you are authorized to enter into contracts on behalf of your employer. Most cubicle-dwellers do not have that kind of power.

Just to clarify for next time. I did a search, found this thread and posted. Where do you check that the thread is closed?

You read the guidelines and rules… the ones that say “Read Before Posting”… and a note that it specifically says not to post follow-ups when the last post is more than a month old.

It’s not hard,

Peter

I was not suggesting circumventing access requirements, pretending to have
authorization to get a new certificate, or anything similar.
The (new) Dashboard account can be made by the company/org's Azure admin,
controlled by them, etc. The FOB or the HSM server would also be controlled
by the proper folks.

What I meant is that it would cost you less to pay for that yourself (in
terms of lost nerves, you are obviously paid for your time, even if that
time is weeks, I hope?), than to bother trying to figure existing setup, if
that setup is not publicly listed and easily found.

The company I mentioned still has one dashboard account they are not aware
of (and MS is not telling even the Admin, nor the listed contact, which
account that is - no name, no contact details). It was good that the
certificate used on that account expired, so at least the cost of the cert
wasn’t wasted.
But getting them to order a new EV cert (most big companies have several
active ones, anyway, and from different issuers, to minimize any downtime I
guess), getting the admin to create a new dashboard account and set it up
again was WAY easier than figuring existing setup!
Granted, this is not a company that deals with drivers a lot, but still 200
submissions a year… I’ve seen problems with companies that make nothing
other than drivers (so 1000+ submissions a year are normal) in the same
branch :slight_smile:

Hopefully, I got the right message across. No unauthorized stuff, all
legal, but “make new from scratch, don’t try to fix existing holes” :wink:

Kind regards, Dejan Maksimovic.
FS Lead: http://www.alfasp.com