Driver Signing Issues

Hello Guys, I am in the process of signing my protocol driver. But I am a bit confused. I searched but didn't find any clear reply.
I had made a Network Protocol Driver. For signing I selected

File signing services -> Create driver signing submission

But it asks me to sign legal agreements, and in the legal agreement section there are dozens of legal documents. Out of those we signed

Code Signing Agreement for Extended Validation (EV) Certified Code

But it is still asking me to sign a legal agreement. So which legal agreement do I need to sign? My driver is just a Network Protocol driver.

Also, is it compulsory to go through the HLK and HCK tests for signing this driver? Or is just a cab file containing sys, cat and inf sufficient?

I will be really very grateful for help from you guys.

xxxxx@yahoo.co.in wrote:

Hello Guys, I am in the process of signing my protocol driver. But I am a bit confused. I searched but didn't find any clear reply.
I had made a Network Protocol Driver. For signing I selected

File signing services -> Create driver signing submission

But it asks me to sign legal agreements, and in the legal agreement section there are dozens of legal documents. Out of those we signed

Code Signing Agreement for Extended Validation (EV) Certified Code

But it is still asking me to sign a legal agreement. So which legal agreement do I need to sign? My driver is just a Network Protocol driver.

You have to sign ALL of the agreements they ask for. I think there were
a couple of dozen agreements when I created my account.

Also, is it compulsory to go through the HLK and HCK tests for signing this driver? Or is just a cab file containing sys, cat and inf sufficient?

It depends on what you’re after. If you want the Windows logo, then you
have to go through all the tests, and submit those test results. If you
just want the Windows 10 attestation signature, you’re not required to
run the tests, although they do ask that you do testing. You only have
to include the SYS and INF. Any CAT file you include is discarded.

PLEASE NOTE that the signed CAT file you get back from attestation
signing is valid ONLY for Windows 10. Since Windows 10 is still
perfectly happy with a package signed the old-fashioned way, you really
need to be clear about why you are going to the extra trouble.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Tim, Thanks for your reply.

We do not want the Windows logo; we use that driver for our network-related application. So it seems just signing without the HLK/HCK test will work.

While reading the agreement I found payment-related sections that say Microsoft will invoice if they test. So are they really going to invoice us? I hope they will let us know before going through that testing process?

Also, my second query is that my driver runs on Windows 7 onwards. As attestation signing is valid for Windows 10, should we sign drivers for versions below Windows 10 with another cross certificate? I have tested my network-related driver on all OS versions and it works perfectly. Is there any way that the same driver can run on all OS versions from Windows 7 onwards?

xxxxx@yahoo.co.in wrote:

We do not want the Windows logo; we use that driver for our network-related application. So it seems just signing without the HLK/HCK test will work.

While reading the agreement I found payment-related sections that say Microsoft will invoice if they test. So are they really going to invoice us? I hope they will let us know before going through that testing process?

If you submit through the “File signing services” on the sysdev
dashboard, there is no charge. I’ve done it. If you create an HLK/HCK
or WLK submission, then you will be charged.

Remember that Microsoft never actually tests anything. In the
HLK/HCK/WLK process, all they do is validate your test results.

Also, my second query is that my driver runs on Windows 7 onwards. As attestation signing is valid for Windows 10, should we sign drivers for versions below Windows 10 with another cross certificate? I have tested my network-related driver on all OS versions and it works perfectly. Is there any way that the same driver can run on all OS versions from Windows 7 onwards?

For now, if you use the old cross-signing procedure, it will work on all
systems, including Windows 10. The attestation requirement that
frightened us all so much appears to have evolved into a non-issue. If
you are doing drivers that are Win 10 only, then use it. Otherwise,
it’s not clear what the point is.

Note that Server 2016 will require an HCK submission. Neither
cross-signed nor attestation-signed packages will work. You must go
through the logo process.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I signed my driver with a SHA-1 certificate which is still valid until July. But after signing I am getting the security warning "Windows can't verify the publisher of this driver software". What might be the reason for this? An old driver which was signed with the same certificate some months before does not give this error. Do I need to take special care for it?

At what stage do you see this warning? Is it when you install? Also, which OS is this on?

I’m speculating, but it could be related to the fact that we’re now in 2016 and there’s some indication (although not confirmed) that SHA-1 signed drivers timestamped after 1/1/2016 are less trusted than those timestamped before this date.

I've signed drivers with a SHA-1 cert this year and not had any issues, but these are non-PNP drivers which are loaded using a co-installer rather than installed using an INF etc. Also, my testing has not been on Windows 10.

This is just an install-time warning. Once I say "Install it anyway", it runs properly. I am seeing this warning on Windows 7; I have not yet looked on other OS versions.

I’ve just SHA-1 signed a driver and installed it on a Win 7 x64 machine via the INF with no such warning.

Have you timestamped your driver? Have you signed the cat file? What do you see on the ‘digital signatures’ tab of your .sys file properties?

Yes, I had time-stamped the driver by using the below commands

signtool.exe sign /v /ac <certificate.crt> /s my /n "CompanyName" /t http://timestamp.globalsign.com/scripts/timstamp.dll *.sys

signtool.exe sign /v /ac <certificate.crt> /s my /n "CompanyName" /t http://timestamp.globalsign.com/scripts/timstamp.dll *.cat

I am able to see the signature list with the SHA1 digest algorithm, and upon clicking Details it shows "This digital signature is OK".

Not sure what’s wrong then I’m afraid. The difference between my scenario and yours might just be security settings. I guess you’ll just have to dig into the details in order to understand the difference between your old driver package and your new one.

Good luck.

Just to follow up on Ishan’s experiences with non-PNP driver installations. I have also tested a non-PNP (File System) driver signed with SHA-1 only and was able to install it on everything from Vista through Windows 10 without any problems. I’m still expecting the hammer to drop eventually on this, but it hasn’t yet (for SHA-256 let alone EV - but I believe EV not being required was expected due to the issuing date of the SHA-1 cert). Relevant facts for this are:

  1. The SHA-1 certificate was issued in April 2015
  2. The driver was signed and timestamped on January 4, 2016
  3. No Device Guard configuration on the Windows 10 system

Thanks Eric, it's really very strange. I am using the command which I used for signing my driver in Nov 2015. When I run the driver signed in Nov 2015 it gets installed without showing the publisher warning.
I tried many other ways; even on Windows 7 64-bit it shows the warning for the driver signed in 2016.

The only difference I can see is that I am signing a PNP driver. I don't think that should be any problem.

I am not knowledgeable in this area, but maybe a variable between different
systems is whether or not the target Windows operating system has
updates/patches applied, which might influence its acceptance of
signed drivers (and when they are signed).

Leon

On Tue, Jan 26, 2016 at 2:24 PM, wrote:

> Thanks Eric, it's really very strange. I am using the command which I used for
> signing my driver in Nov 2015. When I run the driver signed in Nov 2015 it gets
> installed without showing the publisher warning.
> I tried many other ways; even on Windows 7 64-bit it shows the warning for
> the driver signed in 2016.
>
> The only difference I can see is that I am signing a PNP driver. I don't
> think that should be any problem.
>

For supporting Windows 10, I have now got attestation signing. I am in the process of signing it now. So I hope it's going to work on Windows 10.

As per the statement

"PLEASE NOTE that the signed CAT file you get back from attestation signing is valid ONLY for Windows 10."

I can get my driver signed for Windows 10. But what should I do for Windows 7, 8 and 8.1? Do I have to go through the HCK test? Or is there any way I can get it signed without the HCK test?

xxxxx@yahoo.co.in wrote:

For supporting Windows 10, I have now got attestation signing. I am in the process of signing it now. So I hope it's going to work on Windows 10.

As per the statement

"PLEASE NOTE that the signed CAT file you get back from attestation signing is valid ONLY for Windows 10."

I can get my driver signed for Windows 10. But what should I do for Windows 7, 8 and 8.1? Do I have to go through the HCK test? Or is there any way I can get it signed without the HCK test?

Well, that depends. I’m sure Microsoft will be unhappy with me for
saying so, but in the real world, the attestation signing serves no
purpose. It is a useless distraction that provides no benefit. I’m
not going to do it any more. In order to get through attestation
signing, you must already have an EV certificate, right? Just build
your own CAT file and sign it with that certificate. Your package will
work on 7, 8, 8.1 and 10.

If you need a totally silent install process, then you have to go
through the full HCK testing and WHQL submission.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
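As an added example (not from any poster in this thread), here is the conventional "build your own CAT and cross-sign it" workflow Tim describes, combined with the signtool verification step that answers the earlier "Windows can't verify the publisher" question. It assumes a package directory .\pkg containing the .sys and .inf, a code-signing certificate in the CurrentUser "my" store with the placeholder subject "CompanyName", and the CA's Microsoft cross-certificate at the placeholder path .\cross.cer.

```powershell
# Added example, not the thread's own commands. Placeholders: .\pkg, "CompanyName", .\cross.cer.
$pkg     = ".\pkg"
$subject = "CompanyName"                                              # placeholder cert subject
$cross   = ".\cross.cer"                                              # placeholder cross-cert path
$tsa     = "http://timestamp.globalsign.com/scripts/timstamp.dll"     # timestamp URL used in the thread

# 1. Build the catalog yourself (requires a CatalogFile= entry in the INF).
#    Listing every target OS in /os gives one CAT that covers 7, 8, 8.1 and 10.
inf2cat /driver:$pkg /os:7_X64,8_X64,6_3_X64,10_X64 /verbose
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed" }

# 2. Sign both the SYS and the CAT with the cross-cert chain and a timestamp.
#    The kernel checks the embedded SYS signature; PnP/INF installation checks
#    the CAT, so an unsigned CAT is what produces the publisher warning.
$files = Get-ChildItem $pkg -Include *.sys,*.cat -Recurse
foreach ($f in $files) {
    signtool sign /v /ac $cross /s my /n $subject /t $tsa $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $($f.Name)" }
}

# 3. Verify the way the OS does. /kp applies kernel-mode driver policy, i.e. the
#    chain must reach the Microsoft Code Verification Root through the cross-cert.
#    /pa (default Authenticode policy) can report OK while /kp still fails.
foreach ($f in $files) {
    signtool verify /v /kp $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "kernel-mode policy check failed for $($f.Name)" }
}

# 4. Summarise signer validity and timestamp presence per file, so the
#    "SHA-1 cert, signed in 2016" question is answered from data, not the dialog.
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature $f.FullName
    [pscustomobject]@{
        File         = $f.Name
        Status       = $sig.Status
        SignerExpiry = $sig.SignerCertificate.NotAfter
        CertSigAlg   = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        Timestamped  = [bool]$sig.TimeStamperCertificate
    }
}
```

Run it from a Windows Driver Kit command prompt so that inf2cat and signtool are on the path; a file that passes /pa but fails /kp points at a missing or wrong cross-certificate rather than at the certificate itself.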

Create a separate install package from your Win10 install package, and sign it in the conventional way.

Peter
OSR
@OSRDrivers