driver signing certificate

Hi, I arrived at the point where I decided I need a code signing certificate. The
most difficult part for me is to actually find and get one. I understood I
can only use a certificate for which a cross-certificate exists, so I can
choose Equifax, Cybertrust, GlobalSign, Geotrust, Verisign but not Thawte.
Is that right?

I spent really a lot of time reading and searching on those websites. These
websites are not straightforward; they all expose an incomprehensible layer
of business abstraction and just do not speak my language. None of them makes
any mention of 'driver signing'. Even searching on the term 'code signing'
does not produce any relevant results on these sites.

If you actually got one and would like to share your experience, I would be
very grateful. My questions are: which certificate did you get, did it work
out for you, how much did you spend and which were the hassles involved.

Thanks,

/Daniel

I believe a class 3 code signing certificate from Verisign will work. It is
not easy to get unless you have a US company with an office in the US. That
public key is submitted to Microsoft and they generate a cross-certificate
that you can use to sign your drivers. I don’t know all the details but for
drivers start with the DTM documentation and WHQL. You don’t have to get a
signature of the drivers to release them, but many companies won’t use them
if they are not signed with a Microsoft cat file. The cross certificate is
used to sign the drivers before they are sent to Microsoft for the cat to be
created. If they are boot start drivers Microsoft may have to sign the
driver file and not just a cat file.

Good luck, as I was wondering if the latest rr will work on Vista. I only
use Vista at work for testing, so I don't need rr for a while.

“Daniel Terhell” wrote in message
news:xxxxx@ntdev…

If you want to sign drivers…I would recommend to take a certificate from
GlobalSign. It works for drivers and it’s reasonably priced.

The cross certificate for GlobalSign can be found here:

http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx#ENG

"Daniel Terhell" wrote in message
news:xxxxx@ntdev…

> not easy to get unless you have a US company with an office in the US. That
> public key is submitted to Microsoft and they generate a cross-certificate

If we are not speaking about DTM/WinQual - you sign everything yourself without
submissions to MS. The only requirement is that the cert must be from an
MS-approved source, which means - Vista must have an MS’s cross-certificate for
this “source” embedded to it. Verisign is surely such.

Submission of the package to MS is required for WinQual signature, and it is
another song. This means “the driver was tested using MS’s suite”, not just
“this driver is produced by the established entity”.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Daniel, I can only confirm 'Frank'.

BTW, GlobalSign states explicitly on the website that their Object Sign
Certificate is suitable for Authenticode and Code Signing. :-)
They have local Registration Authorities in the EU; I guess the other
Certification Authorities will do likewise, e.g. in the US.

The only little hitch I came upon is that on my first release signing
tries I had to import the certificate into my local computer’s
certification store to have both the cross-certificate and our company
certificate incorporated into the CAT file (using two external
file-based signatures or combining them into one file did not seem to
work - well, maybe I’ll try again some time…).

What was also a bit worrying for me at first is the fact that the Device
Manager still displays "not signed" in the additional driver properties -
even with a driver file with an embedded (release) signature and
additionally a (release) signed CATalog file (both verified with the
signature verify process suggested by MS, and I get an unbroken chain of
signatures). I want to do a little experimenting on this (would like to
see a green "tick" here), but then we don't do WHQL certification, and I
guess that's the reason.

Anyway, Vista 64 happily installs and loads our WDM driver; Vista 32 did
not even go into the Security Console mode when I installed it. The
exact same 32-bit bulk USB driver runs on W2000, Win2003, XP, Vista32.
(I still have to check Win98/ME, and also the 64-bit code on some
platforms, but so far it looks very promising. :-) )

For me it is a good feeling that we can ensure/check the integrity of
our drivers, down to every byte of the INF file.

BTW, as a non-obvious positive side effect, with the additional
timestamp countersignature (e.g. from Verisign) you can even prove that
you had some technology implemented (in your driver) today. :-)

Hope that helps,
-H
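The release-signing flow Maxim and -H describe above (sign with your own CA-issued certificate, chain it to the Microsoft cross-certificate, embed a signature in the .sys, sign the catalog, then verify under kernel-mode policy) as an added example, not code posted by anyone in this thread. It uses only the documented `signtool` switches (`/ac` attaches the cross-certificate to the chain, `/sha1` picks the signing certificate from the certificate store, `/t` adds an RFC 3161-style timestamp countersignature, `/kp` verifies against the kernel-mode driver signing policy) and `inf2cat` from the WDK. Every path, the subject name, the timestamp URL and the `/os` list are assumptions for illustration.

```powershell
# Added example. Paths, subject name, timestamp URL and target OS list are assumptions.
$pkgDir   = 'C:\build\mydriver'                 # folder holding mydriver.inf and mydriver.sys
$driver   = Join-Path $pkgDir 'mydriver.sys'
$catalog  = Join-Path $pkgDir 'mydriver.cat'
$crossCer = 'C:\certs\GlobalSign_Cross.cer'     # Microsoft cross-certificate for your CA (from the WHDC page)
$tsUrl    = 'http://timestamp.example.com/timestamp.dll'   # your CA's timestamp service (assumed URL)

# 1. The signing certificate must be in the user's certificate store, as -H found,
#    so that signtool can build the chain (company cert -> CA -> cross-cert -> MS root).
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like 'CN=Example Drivers Ltd*' -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw 'Code signing certificate not found in Cert:\CurrentUser\My' }

# 2. Embed a signature in the driver binary itself. This is what boot-start drivers
#    need; the catalog alone is not consulted before the file system is up.
& signtool sign /v /ac $crossCer /sha1 $cert.Thumbprint /t $tsUrl $driver
if ($LASTEXITCODE) { throw 'signing the .sys failed' }

# 3. Build the catalog from the INF (hashes every file the INF references, so the
#    INF itself is covered, as -H notes), then sign the catalog the same way.
& inf2cat /driver:$pkgDir /os:Vista_X86,Vista_X64
if ($LASTEXITCODE) { throw 'inf2cat failed' }
& signtool sign /v /ac $crossCer /sha1 $cert.Thumbprint /t $tsUrl $catalog
if ($LASTEXITCODE) { throw 'signing the catalog failed' }

# 4. Verify under the kernel-mode policy (/kp). A plain 'signtool verify' can pass
#    while /kp fails if the chain does not end in the Microsoft Code Verification Root.
& signtool verify /kp /v $driver
if ($LASTEXITCODE) { throw 'embedded signature does not satisfy kernel-mode policy' }
& signtool verify /kp /v /c $catalog $driver
if ($LASTEXITCODE) { throw 'catalog signature does not satisfy kernel-mode policy' }

# 5. Show the chain and the timestamp countersigner from PowerShell for the record.
Get-AuthenticodeSignature $driver |
    Format-List Status, StatusMessage, SignerCertificate, TimeStamperCertificate
```

Two caveats a practitioner should keep in mind. First, the `/kp` check is the one that matters for the loader; a green result from the Device Manager "Driver Signing" property requires a WHQL (WinQual) signature, which is the separate submission Maxim distinguishes, so a release-signed driver can pass `/kp` and still show "not signed" there, exactly as -H observed. Second, always timestamp (`/t`): without the countersignature the driver stops validating when the signing certificate expires, and the timestamp is also what backs -H's "proof of date" remark.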