Code signing certificate - is my understanding right?

I’ve been looking into kernel mode code signing certificates (for a driver
for a USB device I am developing), and was hoping someone could tell me if
my understanding here is correct or not before I go buying one. To be
honest I’m a bit new to code signing in general, having always just
distributed EXEs fresh from the compiler, so I apologize if this is just a
big list of confusion:

(1) The Verisign certificate is only needed to create an account for
Winqual.

(2) Any of these companies (
http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx ) are fine
for the kernel mode certificate, for drivers.

(3) None of that will help for XP, where I’d need the driver to be
approved by Microsoft WHQL. Doing that involves Winqual, but the Verisign
certificate is only for creating the account, so is an ordinary kernel
mode certificate good through this entire process? This is a part I
haven’t been able to find good information on. I’m wondering if there are
any roadblocks I will run into if I get the certificate from someone
else…

(4) Not kernel related but while I’m asking: If I want to reuse this
certificate for user mode code signing, XP will not autodownload
certificates but Vista and up will, so for XP compatibility in user mode
I can’t choose a certificate provider for kernel+user that didn’t exist
back then (say, StartCom).

(5) Verisign timestamp should be OK regardless of whose certificate I am
using.

Thank you,

James

> mode code signing, XP will not autodownload certificates

It will. Via Windows Update.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

On 1/20/2012 10:33 AM, James Bellinger wrote:

> (1) The Verisign certificate is only needed to create an account for
> Winqual.

WinQual sign-up requires a verified identity. Only VeriSign-issued
certificate signatures are accepted.

We use GlobalSign for code signing, and registered with WinQual (for
Windows Error Reporting) with VeriSign.

Note: We don’t know if WHQL submission requires a VeriSign signature.

(////side note
Note: WinQual had a “$99” VeriSign certificate offer.

Technically the cert you get can be used for code signing.
[In fact it needs to: To verify your “Organizational ID”, you need to
sign and upload an exe file to WinQual.]

Legally however, from what I learned from the VeriSign website, this
cert is for an “Organizational ID” only.

So if you KMCS-sign your driver with it, VeriSign can come back to you
later and ask you to “upgrade” (for $399 p.a.) to a “proper” KMCS cert.
////side note)

> (2) Any of these companies […] are fine for the kernel mode
> certificate, for drivers.

Correct. (Any CA that MS provides a KMCS cross-certificate for.)

> (3) None of that will help for XP, where I’d need the driver to be
> approved by Microsoft WHQL.

On WinXP/32bit, no digital signature is required to install+run the
driver. But only a WHQL signature allows completely “silent install”.

> (5) Verisign timestamp should be OK regardless of whose certificate I
> am using.

Correct.

Last I checked Thawte, and I just skimmed the website today, it seems their certificates are not usable for
kernel mode signing?

The list of supported root CAs grew quite a bit since last summer.

Hagen Patzke wrote:

> (2) Any of these companies […] are fine for the kernel mode
> certificate, for drivers.

Correct. (Any CA that MS provides a KMCS cross-certificate for.)


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

James Bellinger wrote:

> (1) The Verisign certificate is only needed to create an account for
> Winqual.

Winqual requires a VeriSign certificate – any VeriSign certificate.
You’re just validating your identification.

> (2) Any of these companies (
> http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx )
> are fine for the kernel mode certificate, for drivers.

Yes. KMCS requires a class 3 code-signing certificate, from a
Certificate Authority for which Microsoft has a cross certificate.

Since I believe in visual aids, here is a terrible ASCII art Venn diagram:

*—* *–*----*
/ / \ \
* /\ \ 3 \
| |Z | C | |
* V / * /
\ /____/ /
*—* ______/

The “V” area is the set of all VeriSign certificates. The “3” area is
the set of all class 3 code-signing certificates. The “C” area is the
set of class 3 code-signing certificates with Microsoft cross
certificates. The “Z” area is Verisign’s class 3 code-signing certificates.

Anything in V can be used for Winqual. Anything in C can be used for
KMCS. The small intersection in Z can be used for both purposes.

> (3) None of that will help for XP, where I’d need the driver to be
> approved by Microsoft WHQL. Doing that involves Winqual, but the Verisign
> certificate is only for creating the account, so is an ordinary kernel
> mode certificate good through this entire process? This is a part I
> haven’t been able to find good information on.

Well, there are three DIFFERENT certificate requirements at work here.
You need a Verisign certificate to open a Winqual account. You have a
handle on that.

For drivers, there are two different signature checks. KMCS requires
the class 3 code-signing certificate, and is the check done only on the
64-bit systems. KMCS is checked every time the driver loads. If you
fail KMCS, your driver will not load.

The other check is the WHQL check, and applies to all operating systems
since Win 2000. It is only checked when your driver is installed. If
you fail the WHQL check, the user merely sees a dialog saying “this
driver is unsigned, are you sure you want to continue?” If he says yes,
as users routinely do, then your driver loads and runs fine from that
point on. The signature is not checked again.

If you don’t care about silent install, then you don’t need to worry
about the WHQL check.

There is one additional twist to this. On Vista and above, if you
signed the driver package yourself but do not have WHQL, the “this
driver is unsigned” warning changes to “do you trust this publisher?”.
To get a totally silent install, on any system, you need WHQL.

> I’m wondering if there are any roadblocks I will run into if I get the
> certificate from someone else…

If you get one from the KMCS list, it will work fine. There are cheaper
class 3 code-signing certificates available, and you can use those to
sign applications and PDF files, but they will not satisfy KMCS.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 1/20/2012 1:23 PM, Tim Roberts wrote:

James Bellinger wrote:
> (1) The Verisign certificate is only needed to create an account for
> Winqual.
Winqual requires a VeriSign certificate – any VeriSign certificate.
You’re just validating your identification.

> (2) Any of these companies (
> http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx )
> are fine for the kernel mode certificate, for drivers.
Yes. KMCS requires a class 3 code-signing certificate, from a
Certificate Authority for which Microsoft has a cross certificate.

Since I believe in visual aids, here is a terrible ASCII art Venn diagram:

*—* *–*----*
/ / \ \
* /\ \ 3 \
| |Z | C | |
* V / * /
\ /____/ /
*—* ______/

The “V” area is the set of all VeriSign certificates. The “3” area is
the set of all class 3 code-signing certificates. The “C” area is the
set of class 3 code-signing certificates with Microsoft cross
certificates. The “Z” area is Verisign’s class 3 code-signing certificates.

Anything in V can be used for Winqual. Anything in C can be used for
KMCS. The small intersection in Z can be used for both purposes.

Ah ok, this makes a lot of sense. One last part I’m wondering about
Winqual etc…
http://www.verisign.com/code-signing/content-signing-certificates/winqual-developers/index.html
sounds like submitting for WHQL needs code signing. Since the site
requires a Verisign certificate (like say their $99 one) to create an
account, would the submission require maintaining a valid Verisign
certificate or is the WHQL submission process less restrictive than the
account creation, allowing any certificate Windows would find valid for
a driver? For instance, if I were to get Verisign’s $99 for creating the
account, and eventually let it expire, signing instead with a GlobalSign
certificate, would this pose any roadblocks for WHQL and the like?

Thanks,

James

James Bellinger wrote:

> Ah ok, this makes a lot of sense. One last part I’m wondering about
> Winqual etc…
> http://www.verisign.com/code-signing/content-signing-certificates/winqual-developers/index.html
> sounds like submitting for WHQL needs code signing.

That web page is packed with marketing doublespeak. It says:

Winqual signatures are required for 64-bit drivers on Windows 7 and
Vista. The Windows Logo Programs also mandate code signing at the
time of application submission.

The first statement is definitely false. KMCS signatures are required
for 64-bit drivers. Winqual signatures are not. I don’t know for
certain that the Logo program does not require a signed driver, but I
don’t think that it does. After all, WHQL replaces whatever signature
might be in the CAT file with their own.

> Since the site requires a Verisign certificate (like say their $99 one)
> to create an account, would the submission require maintaining a valid
> Verisign certificate or is the WHQL submission process less restrictive
> than the account creation, allowing any certificate Windows would find
> valid for a driver? For instance, if I were to get Verisign’s $99 for
> creating the account, and eventually let it expire, signing instead with
> a GlobalSign certificate, would this pose any roadblocks for WHQL and
> the like?

Yes it would. When you are ready to submit to WHQL, you gather up your
driver (which could have been signed with a GlobalSign cert), plus all
of the DTM logs, plus an application form, combine them all into a
“cabinet”, and sign the cabinet. The certificate you use to sign the
cabinet must be the same one that was used to create the Winqual
account, and it must not be expired. That’s how they prove that you are
authorized to submit packages to WHQL.

That certificate will never be seen by customers. It is ONLY used to
validate you to the Winqual site.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 1/20/2012 2:33 PM, Tim Roberts wrote:

> Yes it would. When you are ready to submit to WHQL, you gather up your
> driver (which could have been signed with a GlobalSign cert), plus all
> of the DTM logs, plus an application form, combine them all into a
> “cabinet”, and sign the cabinet. The certificate you use to sign the
> cabinet must be the same one that was used to create the Winqual
> account, and it must not be expired. That’s how they prove that you
> are authorized to submit packages to WHQL. That certificate will never
> be seen by customers. It is ONLY used to validate you to the Winqual
> site.

Hmm… in this case, doesn’t it mean that to use WHQL you need to keep a
Verisign certificate valid, in which case, what benefit is there to
purchasing a non-Verisign kernel mode signing certificate? It seems like
if you have to pay Verisign to keep a valid certificate with them
anyway… Do non-Verisign certificates then only make sense if you aren’t
going to bother with WHQL, or have I missed something?

Thanks,

James

James Bellinger wrote:

> Hmm… in this case, doesn’t it mean that to use WHQL you need to keep a
> Verisign certificate valid, in which case, what benefit is there to
> purchasing a non-Verisign kernel mode signing certificate? It seems like
> if you have to pay Verisign to keep a valid certificate with them
> anyway… Do non-Verisign certificates then only make sense if you aren’t
> going to bother with WHQL, or have I missed something?

Although there is some disagreement among the various parties, the
VeriSign web page says that the $99 VeriSign certificate is supposed to
be used ONLY for Winqual. That would exclude code-signing. A VeriSign
code-signing certificate runs something like $500 a year.

I get my GlobalSign certificate for about $150 a year. So, it makes
economic sense to use GlobalSign for code-signing and VeriSign for WinQual.

The key word in the signature and certificate arena is “confusion”.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 1/20/2012 3:40 PM, Tim Roberts wrote:

James Bellinger wrote:
> Hmm… in this case, doesn’t it mean that to use WHQL you need to keep a Verisign certificate valid, in which case, what benefit is there to purchasing a non-Verisign kernel mode signing certificate? It seems like if you have to pay Verisign to keep a valid certificate with them anyway… Do non-Verisign certificates then only make sense if you aren’t going to bother with WHQL, or have I missed something?
Although there is some disagreement among the various parties, the
VeriSign web page says that the $99 VeriSign certificate is supposed to
be used ONLY for Winqual. That would exclude code-signing. A VeriSign
code-signing certificate runs something like $500 a year.

I get my GlobalSign certificate for about $150 a year. So, it makes
economic sense to use GlobalSign for code-signing and VeriSign for WinQual.

The key word in the signature and certificate arena is “confusion”.

I was thinking so too, until you mentioned the need to have an unexpired
Winqual certificate to upload to Winqual – if the $99 certificate only
lasts for one year (being a promotion), are you not having to renew with
Verisign at the full $500 rate on top of paying for a Globalsign
certificate?

Thanks,

James

James Bellinger wrote:

> I was thinking so too, until you mentioned the need to have an unexpired
> Winqual certificate to upload to Winqual – if the $99 certificate only
> lasts for one year (being a promotion), are you not having to renew with
> Verisign at the full $500 rate on top of paying for a Globalsign
> certificate?

The “promotion” so far appears to be permanent. It’s been up for
something like 5 years. So, just go buy another one.

However, your point is a valid one. If you are a large company, then
your company probably already has the necessary certificate, although
there may be hurdles to climb to gain access to it. In my case, as an
independent consultant, I don’t ever submit to WHQL. I do the
development, the testing, and the preparation, but I’m not legally
authorized to submit on behalf of my clients. They have to do all of
the Winqual stuff.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 20.01.2012 20:33, Tim Roberts wrote:

> After all, WHQL replaces whatever signature might be in the CAT file
> with their own.

Interesting news to me. Thank you, Tim!

(I always assumed they just cross-sign the CAT with their certificate.
As we don’t submit to WHQL, I never actually checked.)

Do you happen to know if WHQL also replaces any embedded signature?

Hagen Patzke wrote:

> Interesting news to me. Thank you, Tim!
>
> (I always assumed they just cross-sign the CAT with their certificate.
> As we don’t submit to WHQL, I never actually checked.)
>
> Do you happen to know if WHQL also replaces any embedded signature?

I’m not exactly sure what you mean. The only thing you get back from
WHQL is a signed CAT file. I just double-checked, and my own signature
in the CAT file has been completely replaced.

WHQL does not send back any of the other files. If you signed the SYS
files, then your signature will still be there when you build your
driver package with the new CAT file.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 23-Jan-2012 20:50, Tim Roberts wrote:

Hagen Patzke wrote:
>
> Interesting news to me. Thank you, Tim!
>
> (I always assumed they just cross-sign the CAT with their certificate.
> As we don’t submit to WHQL, I never actually checked.)
>
> Do you happen to know if WHQL also replaces any embedded signature?

I’m not exactly sure what you mean. The only thing you get back from
WHQL is a signed CAT file. I just double-checked, and my own signature
in the CAT file has been completely replaced.

WHQL does not send back any of the other files. If you signed the SYS
files, then your signature will still be there when you build your
driver package with the new CAT file.

What about boot drivers files which must be signed? How to put WHQL
signature (and the whole cert chain) on the sys files?
– pa

Pavel A wrote:

On 23-Jan-2012 20:50, Tim Roberts wrote:
> WHQL does not send back any of the other files. If you signed the SYS
> files, then your signature will still be there when you build your
> driver package with the new CAT file.
What about boot drivers files which must be signed? How to put WHQL
signature (and the whole cert chain) on the sys files?

The WHQL signature only affects installation. It’s not involved in
KMCS. For a boot start driver, you sign the SYS files yourself.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim Roberts wrote:

Pavel A wrote:
> On 23-Jan-2012 20:50, Tim Roberts wrote:
>> WHQL does not send back any of the other files. If you signed the SYS
>> files, then your signature will still be there when you build your
>> driver package with the new CAT file.
> What about boot drivers files which must be signed? How to put WHQL
> signature (and the whole cert chain) on the sys files?
The WHQL signature only affects installation. It’s not involved in
KMCS. For a boot start driver, you sign the SYS files yourself.

My answer is not quite correct, and it’s worth fixing, since there is so
much confusion in this area.

A WHQL signature on the CAT file is sufficient to satisfy KMCS, but it
is not necessary. KMCS is satisfied by any valid class 3 code-signing
certificate. For silent install, the WHQL signature on the CAT file is
necessary.

For a boot start driver, you could use the CAT file signature alone, and
it would work. Microsoft’s recommendation is that you sign the SYS
files also, for efficiency. You would sign the SYS files yourself.
WHQL doesn’t do it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
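The two separate checks Tim describes (the install-time check against the CAT file, and the load-time KMCS check that chains through a Microsoft cross-certificate) can be told apart by looking at what each file in the package actually carries. The script below is an added example, not code from anyone in this thread; it assumes a hypothetical package folder, a signtool.exe from the WDK on PATH, and uses placeholder names for the cross-certificate and timestamp server.

```powershell
# Added example (not from the thread): list the signatures a driver package
# carries and run signtool's kernel-mode policy check on the SYS files.
# Assumptions: $PackageDir is a constructed placeholder path; signtool.exe
# from the WDK is on PATH.
param([string]$PackageDir = 'C:\driver-package')   # placeholder, adjust

function Get-SignatureSummary {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        Signer      = if ($cert) { $cert.Subject } else { '(none)' }
        Issuer      = if ($cert) { $cert.Issuer }  else { '(none)' }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # A timestamp countersignature is what keeps the signature valid
        # after the signing certificate itself expires.
        TimeStamped = [bool]$sig.TimeStamperCertificate
        # WHQL replaces the submitter's CAT signature with Microsoft's own,
        # so a Microsoft signer on the .cat means the package came back
        # from WHQL; the .sys files keep whatever signature you put there.
        WhqlSigned  = [bool]($cert -and $cert.Subject -like '*Microsoft*')
    }
}

# The .cat is what the install-time (WHQL / "do you trust this publisher")
# check looks at; an embedded .sys signature is what KMCS checks at load,
# and is what Microsoft recommends for boot-start drivers.
Get-ChildItem -Path $PackageDir -Include *.cat, *.sys -Recurse |
    ForEach-Object { Get-SignatureSummary -Path $_.FullName } |
    Format-Table -AutoSize

# Get-AuthenticodeSignature cannot tell you whether KMCS is satisfied: the
# chain must reach Microsoft's code-verification root via the CA's
# cross-certificate. signtool's /kp switch applies exactly that policy.
Get-ChildItem -Path $PackageDir -Include *.sys -Recurse | ForEach-Object {
    Write-Host "--- kernel-mode policy check: $($_.Name)"
    & signtool.exe verify /kp /v $_.FullName
}

# Signing the SYS yourself (WHQL does not do it) attaches the CA's
# cross-certificate with /ac so the chain reaches Microsoft's root.
# All names below are placeholders:
#   signtool sign /v /ac CROSS-CERT.cer /n "YOUR-CERT-SUBJECT" `
#       /t http://TIMESTAMP-SERVER/ driver.sys
```

Run it against a package before and after it comes back from WHQL: the .cat signer changes, the .sys signer does not, and the /kp check passes or fails independently of either.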

> You would sign the SYS files yourself. WHQL doesn’t do it.

That could open up a legal can of worms.

Hagen Patzke wrote:

> Do you happen to know if WHQL also replaces any embedded signature?

On 1/23/2012 7:50 PM, Tim Roberts wrote:

> The only thing you get back from WHQL is a signed CAT file.

Many thanks - this explains it completely.

> I just double-checked, and my own signature in the CAT file has been
> completely replaced.

Thank you for the extra effort!!

>> You would sign the SYS files yourself. WHQL doesn’t do it.

On 1/24/2012 2:49 AM, xxxxx@gmail.com wrote:

> That could open up a legal can of worms.

Unlikely. The main purpose of the whole KMCS signature shebang is to
provide [legal] accountability. And this purpose is well served.

Remember, for production your public key needs to be countersigned from
a MS code-signing cross-certified Certification Authority.