Cheapest signing certificate

I would like to develop and ship drivers for Vista x64.

Q1: Has anyone shopped around to see where the cheapest signing certificate can be had from?

Q2: Can verisign timestamping (or some other free one) be run on any such certificate to ensure the drivers do not expire?

Q3: Is there any reason to pay more than the absolute minimum for a certificate?

Q4: Will the same certificate work for signing other types of Windows drivers (x86, XP, Windows 2000) and Windows applications?

TIA

The reason I can think of paying more (i.e. Verisign) is that it allows
access to the WinQual data and doing WHQL submissions. WinQual is the
database of all the crashes that get reported to Microsoft. Even though
they have a number of certificate vendors for signing, if you want to see
if your driver is being indicted for system crashes you need to have
Verisign. I think this is a huge mistake on Microsoft’s part, since they
should be getting bug data to companies whenever possible to help improve
quality.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
>I would like to develop and ship drivers for Vista x64.
>
> Q1: Has anyone shopped around to see where the cheapest signing
> certificate can be had from?
>
> Q2: Can verisign timestamping (or some other free one) be run on any
> such certificate to ensure the drivers do not expire?
>
> Q3: Is there any reason to pay more than the absolute minimum for a
> certificate?
>
> Q4: Will the same certificate work for signing other types of Windows
> drivers (x86, XP, Windows 2000) and Windows applications?
>
> TIA
>
>

xxxxx@email.com wrote:

> Q1: Has anyone shopped around to see where the cheapest signing certificate can be had from?
>
> Q3: Is there any reason to pay more than the absolute minimum for a certificate?
>

Thawte (owned by Verisign) is slightly cheaper, but Verisign has better
market support and name recognition. If you want best support and trust
for your software, I’d spend the $$ with Verisign.

> Q2: Can verisign timestamping (or some other free one) be run on any such certificate to ensure the drivers do not expire?
>

Yes.

> Q4: Will the same certificate work for signing other types of Windows drivers (x86, XP, Windows 2000) and Windows applications?

Yes, in fact you can convert the MS Authenticode certificate pair to any
of the other formats Verisign sells separately.

http://www.jensign.com/JavaScience/Thawte/

-Ryan

> The reason I can think of paying more (i.e. Verisign) is that it allows
> access to the WinQual data and doing WHQL submissions. WinQual is the
> database of all the crashes that get reported to Microsoft. Even though
> they have a number of certificate vendors for signing, if you want to see
> if your driver is being indicted for system crashes you need to have
> Verisign. I think this is a huge mistake on Microsoft’s part, since they
> should be getting bug data to companies whenever possible to help improve
> quality.

It is indeed ridiculous not to provide that bug list to the world. At least, MSDN
member subscribers should be able to see that list. Let’s hope this will change.

Christiaan


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
> >I would like to develop and ship drivers for Vista x64.
> >
> > Q1: Has anyone shopped around to see where the cheapest signing
> > certificate can be had from?
> >
> > Q2: Can verisign timestamping (or some other free one) be run on any
> > such certificate to ensure the drivers do not expire?
> >
> > Q3: Is there any reason to pay more than the absolute minimum for a
> > certificate?
> >
> > Q4: Will the same certificate work for signing other types of Windows
> > drivers (x86, XP, Windows 2000) and Windows applications?
> >
> > TIA
> >
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Christiaan Ghijselinck wrote:

> It is indeed ridiculous not to provide that bug list to the world. At least, MSDN
> member subscribers should be able to see that list. Let’s hope this will change.

Interesting, I intend to read the whole settlement reached between
Microsoft and the DOJ in the antitrust case later
tonight. Microsoft does indeed have partnerships with various companies
which I’m sure DO have access to
WinQual - however the rest of us don’t. This sounds a little
‘anti-competitive’ to me.

I’m pretty sure they’re violating some part of the settlement by not
providing this info; hell, if they had to agree to
share the OS’s source through SSI, crash dumps are a no brainer.

m.

MM wrote:

Christiaan Ghijselinck wrote:

> > It is indeed ridiculous not to provide that bug list to the world. At
> > least, MSDN member subscribers should be able to see that list. Let’s
> > hope this will change.
>
> Interesting, I intend to read the whole settlement reached between
> Microsoft and the DOJ in the antitrust case later
> tonight. Microsoft does indeed have partnerships with various
> companies which I’m sure DO have access to
> WinQual - however the rest of us don’t.

Of course you do. All you have to do is buy a Verisign certificate.

> This sounds a little ‘anti-competitive’ to me.

Nonsense. You can get the information, you just have to follow the same
rules that the big boys follow.

Also, unless I am mistaken, the only information you can get is
information on crashes caused by YOUR drivers. You can’t get the whole
crash list, and neither can ATI or Dell.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Also, unless I am mistaken, the only information you can get is
> information on crashes caused by YOUR drivers. You can’t get the whole
> crash list, and neither can ATI or Dell.

This sounds reasonable, but then WinQual should not be restricted to users
having a Verisign certificate only. Users that will use a certificate from
other CA authorities that can be used for driver signing should be allowed too.

I remember that someone wrote in another thread that only inhabitants from the US
could get a code signing certificate from Verisign. If this is true, then no-one
outside the US can view “The List”. Strange …

C.



Christiaan Ghijselinck wrote:

> > Also, unless I am mistaken, the only information you can get is
> > information on crashes caused by YOUR drivers. You can’t get the whole
> > crash list, and neither can ATI or Dell.
>
> This sounds reasonable, but then WinQual should not be restricted to users
> having a Verisign certificate only. Users that will use a certificate from
> other CA authorities that can be used for driver signing should be allowed too.

I don’t know; it’s a tough call. Microsoft shouldn’t be burdened with
collecting crash information on Joe Blow College Student’s first driver
attempt; one could argue that they should concentrate on crashes in
WHQLed drivers, and such drivers will have the Verisign signature.

> I remember that someone wrote in another thread that only inhabitants from the US
> could get a code signing certificate from Verisign. If this is true, then no-one
> outside the US can view “The List”. Strange …

No, that rumor was debunked quite a while ago.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Can someone please post a direct link to VeriSign’s site for the product I need? I need to sign boot start drivers for Vista x64 and hopefully use the same thing to sign regular applications. Strangely, VeriSign claimed they don’t offer anything to sign drivers with and to go elsewhere. I prodded and was transferred to an elevated level of support and received the same response. They say EXE is ok, but they don’t do SYS/CAT.

eof

You need what I heard is a “Class 3” certificate. This sure isn’t rocket
science as many messages have been posted about this subject for the last
year. You then need to use your certificate to obtain a cross-certificate
from Microsoft that can be used to sign drivers. Start in WHQL at
microsoft.com.

wrote in message news:xxxxx@ntdev…
> Can someone please post a direct link to VeriSign’s site for the product I
> need? I need to sign boot start drivers for Vista x64 and hopefully use
> the same thing to sign regular applications. Strangely, VeriSign claimed
> they don’t offer anything to sign drivers with and to go elsewhere. I
> prodded and was transferred to an elevated level of support and received
> the same response. They say EXE is ok, but they don’t do SYS/CAT.
>
> eof
>
>

Interesting. I spoke with Verisign support too and they didn’t seem to
know anything about Vista Driver signing. The guy said to just try with
our regular MS Authenticode code signing cert. I did and it appears to
work (as per “signtool verify”), but when installing on Vista x64 RC2 we
get a driver signing error - apparently the MS cross-certificate is not
properly chained in the certificate trust hierarchy. I’m still looking
for a solution.

Is there anyone out there who has an embedded release signature in their x64 Vista RC2 driver to confirm that this is not simply a pre-release software glitch we’re facing?

-Ryan
PS. In case it’s any use, here’s the Verisign code-signing link:
http://tinyurl.com/6frqe

xxxxx@email.com wrote:

> Can someone please post a direct link to VeriSign’s site for the product I need? I need to sign boot start drivers for Vista x64 and hopefully use the same thing to sign regular applications. Strangely, VeriSign claimed they don’t offer anything to sign drivers with and to go elsewhere. I prodded and was transferred to an elevated level of support and received the same response. They say EXE is ok, but they don’t do SYS/CAT.
>
> eof



> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Ryan Kidd[SMTP:xxxxx@hummingbird.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, November 01, 2006 6:46 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Cheapest signing certificate

> Is there anyone out there who has an embedded release signature in their x64 Vista RC2 driver to confirm that this is not simply a pre-release software glitch we’re facing?

I can confirm embedded signatures work with all RC1 and RC2 Vista builds we have. Make sure you’re using the latest WDK signing tools; there were errors with previous releases.

BTW, correct verification method for embedded signature is “signtool verify /kp” but I saw binaries which passed it and OS refused to load them. Weird.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Michal Vodicka wrote:

> > Is there anyone out there who has an embedded release signature in
> > their x64 Vista RC2 driver to confirm that this is not simply a
> > pre-release software glitch we’re facing?
>
> I can confirm embedded signatures work with all RC1 and RC2 Vista
> builds we have. Make sure you’re using the latest WDK signing tools;
> there were errors with previous releases.
>
> BTW, correct verification method for embedded signature is “signtool
> verify /kp” but I saw binaries which passed it and OS refused to load
> them. Weird.

Thanks for the tips. I just got the following instructions from
Microsoft which solved the problem:

“The cross certificate is not getting added to the signature in your case. Can you double check to see if you have the Verisign root certificate in your personal (“my”) store. If yes then can you delete the Verisign Root certificate from the personal store and give it a try.”

Appears to be a glitch in the signing tools. Apparently those extra
Verisign root certs got added by default when I added our Verisign
code-signing cert to my Personal cert store.

Now my verification chain looks proper with the Microsoft cross
certificate root first:

Verifying: o\x64\r\hclnfs.sys
SHA1 hash of file: 2AC3AA4B42E68EFC9643D064A3A44411D21275AD
Signing Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 11/1/2025 8:54:03 AM
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: 5/23/2016 12:11:29 PM
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 7/15/2014 6:59:59 PM
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

Issued to: XXXXXXXXXXX
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 1/25/2007 6:59:59 PM
SHA1 hash: 5943666D45819764BDDEC336D0C106830E0FFFCC

Successfully verified: o\x64\r\hclnfs.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

This is my exchange with VeriSign support:

Customer: my understanding is a “class 3 code signing certificate” is needed for this [driver signing] and is something verisign provides
Support: No, we do not have any codesigning ID that signs that.

Back to square one. So can someone please provide a link to their site to the appropriate thing to purchase? I know this should be easy but I don’t see anything called a class 3 certificate on their site and they don’t know what I am talking about. Help please!

eof

Nice. Even better than MS support ;)

I guess you need the following but wait until somebody confirms it: http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html and the “Microsoft Authenticode Digital ID” at this page.

Our certificate I found there has the following properties:

Class: Digital ID Class 3 - Software Validation
Organizational Unit: Digital ID Class 3 - Microsoft Software Validation v2

Please note I haven’t bought it personally so it may not be correct info. Fortunately, it isn’t developers’ task in our company :)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@email.com[SMTP:xxxxx@email.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, November 02, 2006 4:58 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Cheapest signing certificate

This is my exchange with VeriSign support:

Customer: my understanding is a “class 3 code signing certificate” is needed for this [driver signing] and is something verisign provides
Support: No, we do not have any codesigning ID that signs that.

Back to square one. So can someone please provide a link to their site to the appropriate thing to purchase? I know this should be easy but I don’t see anything called a class 3 certificate on their site and they don’t know what I am talking about. Help please!

eof



Hi

Do they not mean V3 X509 Certificate?

I have a question regarding a code signing Certificate used for signing Java
Applets, that is common to the business, can this Certificate be used for
Driver Signing… Anybody from Microsoft, can they reply…? If we can use
this, then it will reduce our costs…

Thanks

Steve
----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, November 02, 2006 3:58 AM
Subject: RE:[ntdev] Cheapest signing certificate

> This is my exchange with VeriSign support:
>
> Customer: my understanding is a “class 3 code signing certificate” is
> needed for this [driver signing] and is something verisign provides
> Support: No, we do not have any codesigning ID that signs that.
>
> Back to square one. So can someone please provide a link to their site to
> the appropriate thing to purchase? I know this should be easy but I don’t
> see anything called a class 3 certificate on their site and they don’t know
> what I am talking about. Help please!
>
> eof
>
>

Use the link Michal Vodicka listed and order the Authenticode Id as I
can sign drivers that work on RC1 & RC2 (in fact I emailed our
alpha/beta install to several customers yesterday for testing). Our
Verisign contact confirmed the one we needed, see below.

Me: One question I have is, which certificate do we need to request
for Vista 64 signing (SPC) Software Publishing Certificate.

Verisign: The certificate you need is the Microsoft Authenticode Digital
ID - I’ve attached our online guide for more info. It does not discuss
Windows Vista yet, but will be updated to include info on this soon.

Also use the latest WDK and follow the KMCS walkthrough to the letter and
you should have no problems, apart from I use inf2cat instead of
signability :)

Hope it helps

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@email.com
Sent: 02 November 2006 03:58
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Cheapest signing certificate

This is my exchange with VeriSign support:

Customer: my understanding is a “class 3 code signing certificate” is
needed for this [driver signing] and is something verisign provides
Support: No, we do not have any codesigning ID that signs that.

Back to square one. So can someone please provide a link to their site
to the appropriate thing to purchase? I know this should be easy but I
don’t see anything called a class 3 certificate on their site and they
don’t know what I am talking about. Help please!

eof



Can anybody tell me why?
My signing certificate chain is as follows:

Verifying:test.sys
SHA1 hash of file: 2AC3AA4B42E68EFC9643D064A3A44411D21275AD
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: 5/23/2016 12:11:29 PM
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 7/15/2014 6:59:59 PM
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

Issued to: XXXXXXXXXXX
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 1/25/2007 6:59:59 PM
SHA1 hash: 5943666D45819764BDDEC336D0C106830E0FFFCC

Successfully verified: test.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
=================================-
I know the chain should have some information about Microsoft:

Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 11/1/2025 8:54:03 AM
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Can anybody tell me why?
My signing certificate chain is as follows:

Verifying:test.sys
SHA1 hash of file: 2AC3AA4B42E68EFC9643D064A3A44411D21275AD
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 5/23/2016 12:11:29 PM
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

Issued to: VeriSign Class 3 Code Signing 2004 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 7/15/2014 6:59:59 PM
SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

Issued to: XXXXXXXXXXX
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 1/25/2007 6:59:59 PM
SHA1 hash: 5943666D45819764BDDEC336D0C106830E0FFFCC

Successfully verified: test.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
=================================-
I know the chain should have some information about Microsoft:

Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 11/1/2025 8:54:03 AM
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

I had the same problem and solved it as described in my post yesterday:


I just got the following instructions from Microsoft which solved the
problem:

> “The cross certificate is not getting added to the signature in your
> case. Can you double check to see if you have the Verisign root
> certificate in your personal (“my”) store. If yes then can you delete
> the Verisign Root certificate from the personal store and give it a
> try.”

Appears to be a glitch in the signing tools. Apparently those extra
Verisign root certs got added by default when I added our Verisign
code-signing cert to my Personal cert store.

Now my verification chain looks proper with the Microsoft cross
certificate root first:

Verifying: o\x64\r\hclnfs.sys
SHA1 hash of file: 2AC3AA4B42E68EFC9643D064A3A44411D21275AD
Signing Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: 11/1/2025 8:54:03 AM
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

Issued to: Class 3 Public Primary Certification Authority
Issued by: Microsoft Code Verification Root
Expires: 5/23/2016 12:11:29 PM
SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408

rhq@263.net wrote:

> Can anybody tell me why?
> My signing certificate chain is as follows:
> ---------------------------------------------------------------------------------
>
> Verifying:test.sys
> SHA1 hash of file: 2AC3AA4B42E68EFC9643D064A3A44411D21275AD
> Signing Certificate Chain:
> Issued to: Class 3 Public Primary Certification Authority
> Issued by: Class 3 Public Primary Certification Authority
> Expires: 5/23/2016 12:11:29 PM
> SHA1 hash: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
>
> Issued to: VeriSign Class 3 Code Signing 2004 CA
> Issued by: Class 3 Public Primary Certification Authority
> Expires: 7/15/2014 6:59:59 PM
> SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
>
> Issued to: XXXXXXXXXXX
> Issued by: VeriSign Class 3 Code Signing 2004 CA
> Expires: 1/25/2007 6:59:59 PM
> SHA1 hash: 5943666D45819764BDDEC336D0C106830E0FFFCC
> …
>
> Successfully verified: test.sys
>
> Number of files successfully Verified: 1
> Number of warnings: 0
> Number of errors: 0
> =================================-
> I know the chain should have some information about Microsoft:
> -------------------------------------------------------------
> Issued to: Microsoft Code Verification Root
> Issued by: Microsoft Code Verification Root
> Expires: 11/1/2025 8:54:03 AM
> SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
>
>
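
Added example, not part of the original thread: a Python check that parses the chain listing printed by "signtool verify /kp" in the posts above and reports whether the signer chain starts at the self-issued "Microsoft Code Verification Root", which is what separates the working output from the failing one. The function names and status strings are assumptions of this example, and the sample text is abridged from the outputs posted in the thread.

```python
import re

# Root name as printed in the thread's working "signtool verify /kp" output.
MS_KERNEL_ROOT = "Microsoft Code Verification Root"
FIELD = re.compile(r"^\s*(Issued to|Issued by|Expires|SHA1 hash):\s*(.+?)\s*$")
KEYS = {"Issued by": "issuer", "Expires": "expires", "SHA1 hash": "sha1"}

def parse_chain(output):
    """Return the signer chain of the first verified file, root first."""
    chain, in_chain = [], False
    for line in output.splitlines():
        if line.strip().startswith("Signing Certificate Chain"):
            in_chain = True
            continue
        if not in_chain or not line.strip():
            continue
        m = FIELD.match(line)
        if not m:
            break  # summary or timestamp text ends the signer chain
        key, value = m.groups()
        if key == "Issued to":  # every certificate block starts with this field
            chain.append({"subject": value})
        elif chain:
            chain[-1][KEYS[key]] = value
    return chain

def check_kernel_chain(output):
    """Classify a chain: ok, not-rooted-at-microsoft, broken-link, no-chain."""
    chain = parse_chain(output)
    if not chain:
        return "no-chain", chain
    for parent, child in zip(chain, chain[1:]):
        if child.get("issuer") != parent["subject"]:
            return "broken-link", chain
    root = chain[0]
    if root["subject"] == root.get("issuer") == MS_KERNEL_ROOT:
        return "ok", chain
    return "not-rooted-at-microsoft", chain

# Samples abridged from the outputs posted in the thread (SHA1 lines dropped).
GOOD = """Verifying: test.sys
Signing Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   11/1/2025 8:54:03 AM

    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Microsoft Code Verification Root
    Issued to: VeriSign Class 3 Code Signing 2004 CA
    Issued by: Class 3 Public Primary Certification Authority
    Issued to: XXXXXXXXXXX
    Issued by: VeriSign Class 3 Code Signing 2004 CA
Successfully verified: test.sys
"""
# Failing case from the thread: the chain stops at the CA's self-signed root.
BAD = """Verifying: test.sys
Signing Certificate Chain:
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    Issued to: VeriSign Class 3 Code Signing 2004 CA
    Issued by: Class 3 Public Primary Certification Authority
    Issued to: XXXXXXXXXXX
    Issued by: VeriSign Class 3 Code Signing 2004 CA
Successfully verified: test.sys
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        status, chain = check_kernel_chain(text)
        print(name, status, [c["subject"] for c in chain])
```

Both samples end with "Successfully verified", so a build gate for kernel-mode signing has to look at the chain itself and not only at that summary line.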