I was asked to cross-post this here from microsoft.public…winlogo.
The personal opinion of
Gary G. Little
“Gary G. Little” wrote in message news:…
> Post a feedback report. You may or may not want to reference the one I have
> already posted concerning the requirement to use Verisign as a CA. Then any
> one affected by this has got to vote on it.
>
> –
> The personal opinion of
> Gary G. Little
>
> “Ray Trent” wrote in message
> news:evYhJkiQGHA.1160@TK2MSFTNGP09.phx.gbl…
> > I was just forwarded an email response we received from WinQual when we
> > inquired about getting a PIC for signing our drivers for the new x64
> > signing policy. I’m hoping I’m just overreacting, but…
> >
> > I was disturbed to hear that they are not available at this time. In fact,
> > there was a strong implication in this email that PICs would not be
> > available until the last release candidate for Vista.
> >
> > Here is the relevant portion of this email: “This is not available yet,
> > but should be in time for Vista launch. The PIC is a new signing program
> > for files we couldn’t sign before. We’ll be making more announcements
> > regarding the availability of PIC to sign drivers as we get closer to the
> > Vista logo program launch, which will be at the last Release Candidate.”
> >
> > Microsoft has done this in the past (i.e. not releasing full WHQL tests,
> > signing tools, etc. until just before RTM), and it always has caused
> > problems. So I’m trying to head this off at the pass this time.
> >
> > I don’t know about the rest of you, but we need time to get a PIC,
> > integrate signing with it into our build process, build a driver, test it
> > internally, fix any problems that signing caused (and rebuild and retest)
> > and deliver a candidate driver to the OEMs early enough that they have
> > time to test it themselves (and get any needed bug fixes) before their
> > deadline for burning a golden master for manufacturing of their first x64
> > machines.
> >
> > And that’s assuming that the Vista Beta community doesn’t find any bugs in
> > the kernel embedded signing code in Windows…
> >
> > I’m crossposting this to m.p.d.d.d because I think this issue is of wider
> > interest than just the winlogo newsgroup. And yes, I’ve already sent an
> > email to WinQual about this.
> > –
> > Ray
>
>
Copied from m.p.d.d.d by popular demand :-)…
Here’s an update (needless to say I’m not overly reassured by this
response).
I got the following from Winqual in response to the email I wrote them
about PICs not being available:
“We are aware of the tight schedule that OEM’s have and do not want to
do anything to jeopardize your ability to get this product out on time.
Unfortunately this is all the information that I have been given at this
time. Our new website is tentatively scheduled to be released in June.
I’m guessing I can’t say for sure, that the PIC program will be
available around this time. I believe this should give you enough time
to run through all your tests and correct any problems that you may have.”
Yes, I realize it’s impolite to forward people’s email to newsgroups
without asking… I’m just a rude kind of guy, I guess…
–
Ray
Did you submit a Feedback report? If so, what is the number?
Gary G. Little
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@synaptics.spamblock.com
Sent: Wednesday, March 08, 2006 3:48 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Fw: PICs for driver signing in x64 unavailable?
I’m not certain I understand what this thread is about (it’s kinda messy, with the quoting and all)… But I THINK the gist of the thread is “We have to sign our X64 drivers, but according to WinQual, the PIC distribution process is not yet in place.”
Is that the issue?
If so, Microsoft mentioned at IDF this week that the PIC distribution program will be in place as of RC1. Also, I am aware that there IS a program manager and initial team in place that’s responsible for establishing the initial PIC process.
In terms of building your signing infrastructure, the tools for signing binaries and CAT files are available now in the WDK (and some of them are also in the SDK). If you just want to try things out, or set up your processes, you wouldn’t want to be doing this with your REAL PIC in any case (for security reasons). Rather, generate yourself a self-signed certificate (using makecert) and use that to sign your binaries.
Finally, I don’t *think* that signing enforcement can even be enabled in the Feb CTP (I’m sure someone will correct me if I’m wrong). So, if you HAD a PIC, not only would you not WANT to use it, but you really COULDN’T do anything with it yet
I’m not saying signing’s not a pain… I’m saying that it’s a bit early to be stressing over not having the PIC procedures in place.
BTW, the upcoming issue of The NT Insider has an article on this x64 driver signing thing, including a response/update from Microsoft. The community managed to convince Microsoft on one issue at least, and that’s the requirement for a bypass method that’ll work for testing (so driver testing can be done without having to use your “real” PIC, and without having the debugger actively hooked up). THAT’s good news, at least.
Peter
OSR
wrote in message news:xxxxx@ntdev…
<snip…>
> BTW, the upcoming issue of The NT Insider has an article on this x64
> driver signing thing, including a response/update from Microsoft. The
> community managed to convince Microsoft on one issue at least, and that’s
> the requirement for a bypass method that’ll work for testing (so driver
> testing can be done without having to use your “real” PIC, and without
> having the debugger actively hooked up). THAT’s good news, at least.
>
> Peter
> OSR
Peter,
In terms of NT Insider - it would be wonderful if there was an article about
just setting up DTM to perform the simplest driver reliability tests and
self-sign. Follow that through all the way through the test and signing
process. Just sign a DDK sample driver. Should be easy, right? 
I’m trying to work through that myself, and the number of re-installs to get
things working (not yet accomplished) is astounding.
Thomas
Good article suggestion, thanks.
Just to be absolutely sure we’re on the same page (and for the benefit of other readers), note that there’s nothing about x64 driver signing that requires DTM. DTM is required if (a) you want to run the WHQL logo tests, or (b) you want to participate in the Driver Reliability Signature program. HOWEVER, to JUST sign your driver with a PIC all you need is signtool.exe, your cert (PIC), your private key, and the executable that you want to sign. It’s a single line command, and you’re done.
Peter
OSR
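The workflow from the two posts above (a makecert self-signed certificate for setting up the process, then one signtool call per file), shown as an added example that is not from the thread or from OSR. The store name, subject and file paths are placeholders, and the final gate is an added safeguard so that test-signed files never reach a release.

```powershell
# Added example: test-sign with a throwaway self-signed certificate, never the real PIC.
# Store name, subject and file paths are placeholders (assumptions, not from the thread).
$ErrorActionPreference = 'Stop'

$Store   = 'PrivateCertStore'            # per-user store that holds only the test cert
$Subject = 'Example Driver Test Cert'    # keep distinct from the production subject
$Files   = '.\build\sample.sys', '.\build\sample.cat'

function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Create the self-signed test certificate once.
#    -r self-signed, -pe exportable key, -ss target store, -n subject name.
$existing = Get-ChildItem "Cert:\CurrentUser\$Store" -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -eq "CN=$Subject" }
if (-not $existing) {
    Invoke-Tool 'makecert.exe' @('-r', '-pe', '-ss', $Store, '-n', "CN=$Subject", 'TestCert.cer')
}

# 2. Sign the binary and its catalog: a single signtool command per file.
#    Recent signtool builds require an explicit file digest (/fd).
foreach ($f in $Files) {
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/fd', 'sha256', '/s', $Store, '/n', $Subject, $f)
}

# 3. Release gate: report any file that still carries the test signature.
function Test-NotTestSigned {
    param([string[]]$Path, [string]$TestSubject)
    foreach ($p in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -eq "CN=$TestSubject") {
            Write-Warning "$p is signed with the test certificate"
            return $false
        }
    }
    return $true
}

# Sanity check: the files signed in step 2 must be caught by the gate.
if (Test-NotTestSigned -Path $Files -TestSubject $Subject) {
    throw 'Gate failed to detect test-signed files'
}
```

In a release pipeline, call `Test-NotTestSigned` on the packaged output and fail the build when it returns `$false`.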