Driver signing: new user and the morass of Microsoft

I am a long-time developer, always in non-Microsoft environments. I am working with a hardware developer on a product for our mutual hobby. His hardware, my code. The potential user base is small, on the order of 50-75 people around the world, most with only usual computer capabilities. The cost to any individual will be less than $100.

The software is written in Java and performs perfectly in a Linux environment, using libusb for USB access to the external hardware device. Now, attempting to package to use in Windows, I have run up against the "digital signing" wall that is required in Microsoft.

I have packaged and tested the software in a Windows 11 system that is set in TestMode and the driver self-signed (I hope this is all the right terms: I am a rank newbie in the Windows environment). Now I need official signing and since this is a very small project, a one-time development, a very small user base, etc., I simply don't want to try and climb into the full-blown Windows environment but simply want to get my application packaged so my few users can load it and execute with the new external hardware piece. The cost of certificates is more than a simple, one-time project can handle.

Can anyone offer some help/guidance?

Thank you.

Regards,

Bill Lee

There are few good answers. Since you are developing the hardware, you do have the option of using the Microsoft OS Descriptors in your USB descriptors, as described here:

This eliminates the need for an INF file entirely. You can register your GUID and have WinUSB automatically loaded. WinUSB is not identical to libusb, but the differences are mostly in the spelling. The philosophy is the same.

It was suggested I post this here:

Hello;

I’m an independent developer preparing a small Java-based application for distribution. It interfaces with a USB microcontroller device (VID: 10C4, PID: 8780) using the standard WinUSB driver. My user base is very limited (approximately 50–75 users worldwide), and I'm trying to avoid the high cost of purchasing my own EV code signing certificate.

I am seeking a one-time driver attestation signing service using Microsoft’s Partner Center, via your existing EV certificate.

The driver consists of:

  • A functional .inf file based on winusb.inf
  • The associated .sys file (WinUSB)
  • Optional: .cat file (can be regenerated as needed)

Would you be willing to help sign this driver package so it can be installed on Windows 10/11 systems with Secure Boot enabled (i.e., without requiring Test Mode)? I'm happy to prepare the package in any required format (e.g., .cab, .zip) and follow your instructions.

Please let me know about your availability, pricing, and any documentation or verification you need from me.

Thank you for your time and consideration.

Best regards,

Bill Lee
Bill@WRLee.com

No reputable company is going to do this. One of the main purposes of EV signing is legal liability. If someone sues, they can use the certificate chain to prove that company X wrote the driver, AND that company X attested to Microsoft that they had done testing. That's a huge liability exposure.

Thank you, Tim, for your response. It is quite obvious from my questions that I rank at the bottom of the newbie category.

The structure of my software is a large Java program broken into many classes, one of which is the class that handles all communication to the external device. It is Java code using libusb via usb4java. When using Windows, I end up with WinUSB.

It seems strange that Microsoft asks me to "sign" for some of their own software, WinUSB. That, apparently, is what I am faced with. Do you have any suggestions for how to address this problem short of a quite expensive "EV Code Signing Certificate", etc? Which I will need exactly one time?

Regards,

Bill Lee

Is installing winusb the only thing you need your INF to do? If so, your device just needs to report the hardware ID "USB\MS_COMP_WINUSB" and winusb will automatically install on the device.

Zac is right. The easiest answer is to add the Microsoft OS Descriptors (described above) to get a hardware ID assigned. That lets you be covered by a built-in INF file, plug-and-play.

There used to be an organization that would sign libusb INF files, but I understand their certificate was revoked, because that broke the rules.

Remembering my newbie status: I think I understand that the OS Descriptor you and Zac mention is a string embedded in the firmware of the device, returned to the OS when the device is plugged in. If that is correct, I need to determine if it is already configured that way. If not, I need the HW builder to add it and give me new firmware.

Is this an accurate understanding?

Yep, that's right. I'm assuming it doesn't report this ID already since it doesn't immediately work after connecting it.
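
For checking whether a given firmware already declares WinUSB this way, here is an added example (not code from anyone in the thread) that validates the two pieces a device returns under the Microsoft OS 1.0 descriptor scheme: the "MSFT100" string descriptor at string index 0xEE and the Extended Compat ID feature descriptor. The function names are hypothetical, the byte arrays are constructed samples, and the vendor code 0x20 is an arbitrary value chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: MS OS 1.0 string descriptor as served at string index 0xEE.
   The vendor code 0x20 is an arbitrary value chosen for this example. */
static const uint8_t os_string_desc[18] = {
    0x12, 0x03,                                       /* bLength, bDescriptorType (STRING) */
    'M',0, 'S',0, 'F',0, 'T',0, '1',0, '0',0, '0',0,  /* qwSignature "MSFT100", UTF-16LE */
    0x20, 0x00                                        /* bMS_VendorCode, bPad */
};

/* Constructed sample: Extended Compat ID feature descriptor (wIndex 0x0004). */
static const uint8_t compat_id_desc[40] = {
    0x28,0,0,0,  0x00,0x01,  0x04,0x00,  0x01,  0,0,0,0,0,0,0,  /* 16-byte header */
    0x00, 0x01,                                       /* bFirstInterfaceNumber, reserved */
    'W','I','N','U','S','B',0,0,                      /* compatibleID */
    0,0,0,0,0,0,0,0,                                  /* subCompatibleID */
    0,0,0,0,0,0                                       /* reserved */
};

/* Returns the vendor code (0..255), or -1 if this is not a valid OS string descriptor. */
int ms_os_vendor_code(const uint8_t *d, size_t len)
{
    static const char sig[] = "MSFT100";
    if (len < 18 || d[0] != 0x12 || d[1] != 0x03) return -1;
    for (size_t i = 0; i < 7; i++)
        if (d[2 + 2*i] != (uint8_t)sig[i] || d[3 + 2*i] != 0) return -1;
    return d[16];
}

/* Returns the first interface number that declares WINUSB, or -1 if none or malformed. */
int winusb_interface(const uint8_t *d, size_t len)
{
    if (len < 16) return -1;
    uint32_t total = d[0] | d[1] << 8 | (uint32_t)d[2] << 16 | (uint32_t)d[3] << 24;
    uint16_t index = d[6] | d[7] << 8;
    size_t count = d[8];
    if (index != 0x0004 || total > len || total != 16 + 24 * count) return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *f = d + 16 + 24 * i;           /* one 24-byte function section */
        if (memcmp(f + 2, "WINUSB\0\0", 8) == 0) return f[0];
    }
    return -1;
}

int main(void) {
    return (ms_os_vendor_code(os_string_desc, sizeof os_string_desc) >= 0 &&
            winusb_interface(compat_id_desc, sizeof compat_id_desc) >= 0) ? 0 : 1;
}
```

The same layouts are what the hardware builder would place in firmware. The GUID registration mentioned earlier in the thread is carried in a separate descriptor that this check does not cover.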