Code signing certificate - is my understanding right?

James Bellinger wrote:

> (1) The VeriSign certificate is only needed to create an account for
> Winqual.

Winqual requires a VeriSign certificate – any VeriSign certificate.
You’re just validating your identification.

> (2) Any of these companies
> (http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx)
> are fine for the kernel mode certificate, for drivers.

Yes. KMCS requires a class 3 code-signing certificate, from a
Certificate Authority for which Microsoft has a cross certificate.

Since I believe in visual aids, here is a terrible ASCII art Venn diagram:

*---* *--*----*
/ / \ \
* /\ \ 3 \
| |Z | C | |
* V / * /
\ /____/ /
*---* ______/

The “V” area is the set of all VeriSign certificates. The “3” area is
the set of all class 3 code-signing certificates. The “C” area is the
set of class 3 code-signing certificates with Microsoft cross
certificates. The “Z” area is VeriSign’s class 3 code-signing certificates.

Anything in V can be used for Winqual. Anything in C can be used for
KMCS. The small intersection in Z can be used for both purposes.

> (3) None of that will help for XP, where I’d need the driver to be
> approved by Microsoft WHQL. Doing that involves Winqual, but the VeriSign
> certificate is only for creating the account, so is an ordinary kernel
> mode certificate good through this entire process? This is a part I
> haven’t been able to find good information on.

Well, there are three DIFFERENT certificate requirements at work here.
You need a VeriSign certificate to open a Winqual account. You have a
handle on that.

For drivers, there are two different signature checks. KMCS requires
the class 3 code-signing certificate, and is the check done only on the
64-bit systems. KMCS is checked every time the driver loads. If you
fail KMCS, your driver will not load.

The other check is the WHQL check, and applies to all operating systems
since Win 2000. It is only checked when your driver is installed. If
you fail the WHQL check, the user merely sees a dialog saying “this
driver is unsigned, are you sure you want to continue?” If he says yes,
as users routinely do, then your driver loads and runs fine from that
point on. The signature is not checked again.

If you don’t care about silent install, then you don’t need to worry
about the WHQL check.

There is one additional twist to this. On Vista and above, if you
signed the driver package yourself but do not have WHQL, the “this
driver is unsigned” warning changes to “do you trust this publisher?”.
To get a totally silent install, on any system, you need WHQL.

> I’m wondering if there are any roadblocks I will run into if I get the
> certificate from someone else…

If you get one from the KMCS list, it will work fine. There are cheaper
class 3 code-signing certificates available, and you can use those to
sign applications and PDF files, but they will not satisfy KMCS.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.