Current list of certs that support driver signing?

So, which certificates surely support driver signing? (some time ago
I wanted to go with Thawte, but they did not support driver signing)
I am only sure about Verisign and GlobalSign, ATM, but I reckon
GoDaddy certs also work? (I know what the list of cross certs says, but
I ask about first-hand experience).


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

I have only used Verisign and Globalsign. I know these are acceptable for
driver signing.

Thomas F. Divine
http://www.pcausa.com


From: “Dejan Maksimovic”
Sent: Monday, May 21, 2012 8:57 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] Current list of certs that support driver signing?

>
> So, which certificates surely support driver signing? (some time ago
> I wanted to go with Thawte, but they did not support driver signing)
> I am only sure about Verisign and GlobalSign, ATM, but I reckon
> GoDaddy certs also work? (I know what the list of cross certs says, but
> I ask about first-hand experience).
>
> –
> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
> http://www.alfasp.com
> File system audit, security and encryption kits.
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

GoDaddy doesn’t support it, I happened to have checked the FAQ just now.

“Thomas F. Divine” wrote:

I have only used Verisign and Globalsign. I know these are acceptable for
driver signing.

Thomas F. Divine
http://www.pcausa.com


> From: “Dejan Maksimovic”
> Sent: Monday, May 21, 2012 8:57 AM
> To: “Windows System Software Devs Interest List”
> Subject: [ntdev] Current list of certs that support driver signing?
>
> >
> > So, which certificates surely support driver signing? (some time ago
> > I wanted to go with Thawte, but they did not support driver signing)
> > I am only sure about Verisign and GlobalSign, ATM, but I reckon
> > GoDaddy certs also work? (I know what the list of cross certs says, but
> > I ask about first-hand experience).
> >
> > –
> > Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
> > http://www.alfasp.com
> > File system audit, security and encryption kits.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

On 5/21/2012 2:57 PM, Dejan Maksimovic wrote:

> So, which certificates surely support driver signing?

GIYF. Get Microsoft’s list of “Cross-Certificates for Kernel Mode Code
Signing”.

I noted it’s not correct, right? As I mentioned GoDaddy and Thawte are on the cross cert list, but do NOT
support driver signing.

Hagen Patzke wrote:

> On 5/21/2012 2:57 PM, Dejan Maksimovic wrote:
> > So, which certificates surely support driver signing?
>
> GIYF. Get Microsoft’s list of “Cross-Certificates for Kernel Mode Code Signing”.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

On 5/21/2012 2:57 PM, Dejan Maksimovic wrote:

> (I know what the list of cross certs says, but
> I ask about first-hand experience).

Signing and cert-cross-signing is a mechanical process. Important is
only an unbroken chain of certificates up to a “root” certificate.

As long as your user-cert is signed by a cert higher which has a
cross-cert path to the “Microsoft Code Verification Root” it will be fine.

Microsoft issued a lot of cross-certificates lately. Good!

Have you actually used a GoDaddy certificate to sign a driver? Contrary to what GoDaddy website says? (it says
it’s not possible)

Hagen Patzke wrote:

> On 5/21/2012 2:57 PM, Dejan Maksimovic wrote:
> > (I know what the list of cross certs says, but
> > I ask about first-hand experience).
> >
>
> Signing and cert-cross-signing is a mechanical process. Important is
> only an unbroken chain of certificates up to a “root” certificate.
>
> As long as your user-cert is signed by a cert higher which has a
> cross-cert path to the “Microsoft Code Verification Root” it will be fine.
>
> Microsoft issued a lot of cross-certificates lately. Good!




Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

On 5/21/2012 4:18 PM, Dejan Maksimovic wrote:

> I noted it’s not correct, right? As I mentioned GoDaddy and Thawte are on the cross cert list, but do NOT
> support driver signing.

The CAs - here GoDaddy and Thawte - do not need to specifically
“support” driver signing.

You just need a “code signing certificate” (some call that an MS
Authenticode certificate).
Driver signing does not differ from normal code signing; only if you need to
run on 64-bit machines do you also need to embed-sign your driver binary.
Then you also need to embed the Microsoft cross-certificate for the CA
you choose in your binary.

Check if the GoDaddy and Thawte CAs - with the thumbprints listed in the
cross-cert-list from Microsoft - are in your Windows 7 certificate
store. If they are, you should be fine with any “code signing
certificate” these CAs issue to you.

On 5/21/2012 4:36 PM, Dejan Maksimovic wrote:

> Have you actually used a GoDaddy certificate to sign a driver? Contrary to what GoDaddy website says? (it says
> it’s not possible)
Where does it state that?

When I look at “Code Signing Certificate” at godaddy.com, it says

“Supports Microsoft Authenticode and Java and allows publishers to sign
.exe, .cab, .dll, and .ocx files; Java Applets and MIDlets; Microsoft®
Office documents with macros; and other types of files that support
digital signatures. Code Signing Certificates are perfect for software
publishers and content providers of ActiveX controls, dynamic link
libraries (.dll files), .cab files, HTML content or any other software
distributed over the Internet or via an extranet. The provided
time-stamp service allows distribution of signed code beyond certificate
expiration.”

That’s all you need. Drivers are “code”, and are signed with a “Software
Publisher Certificate” (SPC) for “Microsoft Authenticode”.
(BTW: I also converted our GlobalSign Cert for use with Java, but that’s
not something to be done for the faint at heart.)

The only difference between a driver and a normal executable is that you
need to (a) embed the signature with (b) a Microsoft cross-certificate
for the CA in the driver sys file.

In the past Microsoft did not provide cross-certificates to the
“Microsoft Code Verification Root” to anyone else than VeriSign and
GlobalSign. Then you could not use GoDaddy for drivers that also load
on 64bit WinVista and Win7 systems.

From GoDaddy FAQ:
“Can I sign Windows Vista 64-bit device drivers with a code signing certificate?
No. Windows Vista device driver signing requires special code signing certificates which we do not currently offer.”

So… again… have you actually used the GoDaddy cert to sign a driver and have you tested it working on a
different x64 machine?

Dejan.

Hagen Patzke wrote:

On 5/21/2012 4:18 PM, Dejan Maksimovic wrote:
> I noted it’s not correct, right? As I mentioned GoDaddy and Thawte are on the cross cert list, but do NOT
> support driver signing.

The CAs - here GoDaddy and Thawte - do not need to specifically
“support” driver signing.

You just need a “code signing certificate” (some call that an MS
Authenticode certificate).
Driver signing does not differ from normal code signing; only if you need to
run on 64-bit machines do you also need to embed-sign your driver binary.
Then you also need to embed the Microsoft cross-certificate for the CA
you choose in your binary.

Check if the GoDaddy and Thawte CAs - with the thumbprints listed in the
cross-cert-list from Microsoft - are in your Windows 7 certificate
store. If they are, you should be fine with any “code signing
certificate” these CAs issue to you.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

On 5/21/2012 4:59 PM, Dejan Maksimovic wrote:

> From GoDaddy FAQ:
> “Can I sign Windows Vista 64-bit device drivers with a code signing certificate?
> No. Windows Vista device driver signing requires special code signing certificates which we do not currently offer.”
Back, when Vista came out, Microsoft did not provide a cross-cert for
GoDaddy. At that time the above statement was true.

> So… again… have you actually used the GoDaddy cert to sign a driver and have you tested it working on a
> different x64 machine?
No, of course not. When we got our first certificate, back in 2006, and
also when we got our last certificate renewal, Microsoft had not issued
a cross-certificate for GoDaddy. So they were not eligible. This has
changed. Today they are.

You should probably just buy a VeriSign certificate. Alternatively, you
could read up on PK, signatures, signature chains and Authenticode, and
check my arguments for yourself.

#eod#

> Back, when Vista came out, Microsoft did not provide a cross-cert for
> GoDaddy. At that time the above statement was true.
> > So… again… have you actually used the GoDaddy cert to sign a driver and have you tested it working on a
> > different x64 machine?
> No, of course not. When we got our first certificate, back in 2006, and also when we got our last certificate renewal,
> Microsoft had not issued a cross-certificate for GoDaddy. So they were not eligible. This has
> changed. Today they are.

Then, I hope someone can confirm that GoDaddy certs can be used to sign x64 drivers.

> You should probably just buy a VeriSign certificate. Alternatively, you could read up on PK, signatures, signature
> chains and Authenticode, and check my arguments for yourself.

Verisign is 3x the price of any other, GlobalSign does not offer certs for all countries, so I am looking for
others.

BTW, Microsoft offered cross certs for Thawte some time ago - I tried to sign with a Thawte certificate at the
time, and did NOT work for x64 drivers. Hence my doubts on this.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Hagen Patzke wrote:

> On 5/21/2012 2:57 PM, Dejan Maksimovic wrote:
> > So, which certificates surely support driver signing?
> GIYF. Get Microsoft’s list of “Cross-Certificates for Kernel Mode Code
> Signing”.

Many of the certificate vendors are now providing the KMCS
cross-certificate themselves, so it’s not clear that there is any longer
a reliable central authority for this information. You really need to
ask the vendor, and hope they know what they’re talking about.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hagen Patzke wrote:

> When I look at “Code Signing Certificate” at godaddy.com, it says
>
> "Supports Microsoft Authenticode and Java and allows publishers to sign
> .exe, .cab, .dll, and .ocx files; Java Applets and MIDlets; Microsoft®
> Office documents with macros; and other types of files that support
> digital signatures. …
>
> That’s all you need. Drivers are “code”, and are signed with a “Software
> Publisher Certificate” (SPC) for “Microsoft Authenticode”.

That is patently untrue. KMCS is much more restrictive than Microsoft
Authenticode signing. Authenticode signing will go out to the Internet
to check the certificate chain. KMCS will not. It absolutely requires
that the embedded certificate chain end with the Microsoft Code
Verification Root. Authenticode doesn’t require that.

> The only difference between a driver and a normal executable is that you
> need to (a) embed the signature with (b) a Microsoft cross-certificate
> for the CA in the driver sys file.

Well, yes, but that is a HUGE difference! It is exactly this “only
difference” that means you cannot use a GoDaddy code-signing
certificate: there is no such cross-certificate available.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 5/21/2012 7:24 PM, Tim Roberts wrote:

> The only difference between a driver and a normal executable is that you
> need to (a) embed the signature with (b) a Microsoft cross-certificate
> for the CA in the driver sys file.
> Well, yes, but that is a HUGE difference! It is exactly this “only
> difference” that means you cannot use a GoDaddy code-signing
> certificate: there is no such cross-certificate available.

Sorry, but what the heck is Microsoft *then* listing on its
cross-certificate page on
http://msdn.microsoft.com/en-us/library/windows/hardware/gg487315.aspx

Does this not apply to the GoDaddy root CA cert?

*Go Daddy Root Certificate Authority – G2*

Root certificate thumbprint:

84 2c 5c b3 4b 73 bb c5 ed 85 64 bd ed a7 86 96 7d 7b 42 ef

Download cross-certificate for Go Daddy Root Certificate Authority – G2
(Certificate file in a 2 KB zip file)

On 5/21/2012 6:59 PM, Dejan Maksimovic wrote:

> Microsoft had not issued a cross-certificate for GoDaddy. So they were not eligible. This has
> changed. Today they are.
> Then, I hope someone can confirm that GoDaddy certs can be used to sign x64 drivers.
Amen.

> You should probably just buy a VeriSign certificate. Alternatively, you could read up on PK, signatures, signature
> chains and Authenticode, and check my arguments for yourself.
> Verisign is 3x the price of any other, GlobalSign does not offer certs for all countries, so I am looking for
> others.
Yes, of course. On the other hand $134 should also not exactly be
bank-breaking, compared to the developer time.

> BTW, Microsoft offered cross certs for Thawte some time ago - I tried to sign with a Thawte certificate at the
> time, and did NOT work for x64 drivers. Hence my doubts on this.
Actually I’m not surprised if anyone has a problem using certificates
for signing, simply because the available signing tools are far, far
from “easy-to-use”.

The “KMCS walkthrough” document is very good, but you have to follow it
to the letter. And as soon as you set up your own scripts for automation
you need to experiment to see what you can safely add or change and what
not.

When I last time signed our driver, Signtool embedded the wrong
certificate in the driver binary.
The driver would install without any warning, but it did not load on a
Win7/64bit system.
Turned out this was actually caused by an automatic certificate update!
From two available CA root certs, Signtool selected the “newer” one for
embedding.
This is normally a good strategy, but unfortunately Signtool selected
the one for which MS did not provide a cross-certificate yet.

With WDK7600 and up, Signtool now at least issues a somewhat cryptic
warning that “not all certificates could be embedded”.
What it does not tell you is that your driver package will install on
Win7/64bit, but the driver load will fail.

Also you cannot detect this on the signing PC, because Signtool
happily imports all used certificates into the registry.
So the certificates are found there and any driver test will work happily.

The “non-developer” Win7/64bit system does not have these certs in the
registry, of course.
Thus the load fails. (The full story is in the OSR archives.)
Subsequently I learned to peruse the “certmgr ” incantation
quite intensely. Not funny.

This is the reason why Tim properly pointed out that embedding the
certificate chain into a driver makes all the difference between
Authenticode signing and Driver signing, and this difference is a major one.

Technically, however, the code signing certificate is good for both
(Authenticode and KMCS), all depends on having the cross-certificate
made by Microsoft.

You have to make sure everything needed is embedded in the binary, then
you have to make sure you get the signing order right.

And of course you may not change a single bit of the INF after the
CAT/sign process (someone did this when our company name changed several
years ago - they meant well but of course broke the signature).

NB: Additional free fun: there can be up to three different certificate
stores on a Windows PC: one in the registry, one in the JRE, and another
one in Mozilla. Better make sure you import your cert into the correct
cert store. :wink:

On 5/21/2012 7:20 PM, Tim Roberts wrote:

> Many of the certificate vendors are now providing the KMCS
> cross-certificate themselves, so it’s not clear that there is any
> longer a reliable central authority for this information. You really
> need to ask the vendor, and hope they know what they’re talking about.

Only Microsoft can produce a cross-certificate from any CA to the
Microsoft Code Verification Root.
Do you imply the MSCV root private key got leaked?

The “master page” for KMCS cross-certificates should be
“Cross-Certificates for Kernel Mode Code Signing” on msft.microsoft.com.

Or did you mean the certificate vendors offer an additional download
site for the cross-certificate?
(This would be very reasonable, of course.)
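As an added check (example code, not from the thread or from any of the posters), the script below does what Tim's and Hagen's points call for: it walks the chain that is actually embedded in a signed .sys, ignoring the local certificate store, and reports whether that chain reaches a certificate issued by the Microsoft Code Verification Root, i.e. whether the cross-certificate was embedded at all. It assumes Windows PowerShell 5.x, a driver path passed as -DriverPath, and a single (first) Authenticode signature in the file.

```powershell
# Added example, not from the thread: walk the chain EMBEDDED in a signed
# driver, ignoring the local certificate store, and report whether it reaches
# the Microsoft Code Verification Root. Assumes Windows PowerShell 5.x and a
# path to a .sys file given as -DriverPath; only the first signature is read.
param([Parameter(Mandatory = $true)][string]$DriverPath)

Add-Type -AssemblyName System.Security      # System.Security.Cryptography.Pkcs
$bytes = [System.IO.File]::ReadAllBytes($DriverPath)

# Locate data directory 4 ("Security") in the PE optional header.
$pe = [BitConverter]::ToUInt32($bytes, 0x3C)                 # e_lfanew
if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x4550) { throw "Not a PE image" }
$opt   = $pe + 24                                             # skip "PE\0\0" + COFF header
$magic = [BitConverter]::ToUInt16($bytes, $opt)               # 0x10B = PE32, 0x20B = PE32+
$dir   = if ($magic -eq 0x20B) { $opt + 0x90 } else { $opt + 0x80 }
$certOff  = [BitConverter]::ToUInt32($bytes, $dir)            # file offset, not an RVA
$certSize = [BitConverter]::ToUInt32($bytes, $dir + 4)
if ($certOff -eq 0 -or $certSize -eq 0) { throw "No embedded signature (driver is not embed-signed)" }

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (2 = PKCS#7 SignedData)
$len  = [BitConverter]::ToUInt32($bytes, $certOff)
$type = [BitConverter]::ToUInt16($bytes, $certOff + 6)
if ($type -ne 2) { throw "Unexpected WIN_CERTIFICATE type $type" }
$pkcs7 = New-Object byte[] ([int]($len - 8))
[Array]::Copy($bytes, [int]($certOff + 8), $pkcs7, 0, [int]($len - 8))

$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($pkcs7)
$embedded = $cms.Certificates                # leaf, intermediates and (if present) the cross-cert
$current  = $cms.SignerInfos[0].Certificate  # the publisher's code-signing certificate

# Follow Issuer -> Subject using ONLY the embedded certificates, as the kernel does.
$reachedRoot = $false
$last = $current
for ($hop = 0; $hop -lt 8 -and $null -ne $current; $hop++) {
    $last = $current
    "{0}: {1}`n   issued by {2}" -f $hop, $current.Subject, $current.Issuer
    if ($current.Issuer -match 'Microsoft Code Verification Root') { $reachedRoot = $true; break }
    $issuerDn = [Convert]::ToBase64String($current.IssuerName.RawData)
    $current = $null
    foreach ($c in $embedded) {
        if ($c.Thumbprint -ne $last.Thumbprint -and
            [Convert]::ToBase64String($c.SubjectName.RawData) -eq $issuerDn) { $current = $c; break }
    }
}

if ($reachedRoot) {
    "PASS: embedded chain ends at the Microsoft Code Verification Root (cross-certificate present)"
} else {
    "FAIL: chain stops at '$($last.Subject)'; no embedded cross-certificate to the MS Code Verification Root."
    "      Such a driver can still pass a test on the signing PC, whose store already holds the missing certs."
}
```

Running this on a clean machine is not required, since it never consults the store; it therefore catches the case Hagen describes (Signtool embedding a root for which no cross-certificate exists) on the signing PC itself.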

> > > You should probably just buy a VeriSign certificate. Alternatively, you could read up on PK, signatures, signature
> > > chains and Authenticode, and check my arguments for yourself.
> > Verisign is 3x the price of any other, GlobalSign does not offer certs for all countries, so I am looking for
> > others.
> Yes, of course. On the other hand $134 should also not exactly be
> bank-breaking, compared to the developer time.

What $134? Verisign is $499. GlobalSign is $229. GoDaddy is $199.
Bank-breaking or not, why not find the cheaper solution that does work?

> > BTW, Microsoft offered cross certs for Thawte some time ago - I tried to sign with a Thawte certificate at the
> > time, and did NOT work for x64 drivers. Hence my doubts on this.
> Actually I’m not surprised if anyone has a problem using certificates
> for signing, simply because the available signing tools are far, far
> from “easy-to-use”.

Please stop saying it’s my fault; the GlobalSign certificate worked for me at the time, and the Thawte did NOT, even
though Microsoft listed the cross cert for them. And Thawte told us “sorry about that, sir, but we never said we support
kernel mode signing, and we certainly don’t. Here’s a refund”.

If you have not used a specific non-Verisign/Globalsign to sign an x64 driver, please let others respond if they
did. You are not helping.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

On 5/22/2012 12:08 PM, Dejan Maksimovic wrote:

> What $134? Verisign is $499. GlobalSign is $229. GoDaddy is $199.
> Bank-breaking or not, why not find the cheaper solution that does work?
Are we in different realities? When I go to godaddy.com, select “SSL &
Security”, then “Code Signing Certificate”, I get a box that states $139
for one year, $125 for two and $118 for three years. (So you are right,
it’s $139, not $134, my sincere apologies.)

> You are not helping.
Correct. I’ll withdraw from NTDEV.

> On 5/22/2012 12:08 PM, Dejan Maksimovic wrote:

> > What $134? Verisign is $499. GlobalSign is $229. GoDaddy is $199.
> > Bank-breaking or not, why not find the cheaper solution that does work?
> Are we in different realities? When I go to godaddy.com, select “SSL &
> Security”, then “Code Signing Certificate”, I get a box that states $139
> for one year, $125 for two and $118 for three years. (So you are right,
> it’s $139, not $134, my sincere apologies.)

Seems we are, I get $199 for code signing certs on GoDaddy :frowning:

1 yr - $199.99/yr
2 yr - $179.99/yr
3 yr - $169.99/yr


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.