I know this topic has already been discussed in a few threads, I had a look around, but they seemed to mostly descend into flames very quickly.
I have a piece of hardware, for which I have perfectly functioning open-source drivers for Linux and Mac (obviously this completely supersedes any normal issues addressed by driver signing, as the problems are covered by the license we use).
After persuading other members of the group that we should support windows, I’ve written some drivers using the KMDF (and after some advice from other members of this list, I managed to get them working too).
This is fine, except for the fact that my drivers cannot be used by end-users on x64 without significant disadvantage. VeriSign have told us they won’t sell us a certificate. How do I proceed? The only option I seem to have at the moment is to tell the users to take the problem up with Microsoft.
This is fine, except for the fact that my drivers cannot be used by
end-users on x64 without significant disadvantage. VeriSign have told
us they won’t sell us a certificate. How do I proceed? The only
option I seem to have at the moment is to tell the users to take the
problem up with Microsoft.
GlobalSign issues certificates to individuals that can be used to sign
drivers - they can’t be used for Winqual (and WHQL?) though.
Unfortunately VeriSign require company papers before issuing a
certificate which even rules out people who are self-employed.
You saying that has reminded me about the set of cross-certificates on Microsoft’s website. Am I correct in thinking that once I sign with a GlobalSign certificate and then the cross-certificate, the code will load on x64? There doesn’t seem to be any mention of which conditions cause this problem to be alleviated (I had assumed you could only install WHQL drivers on x64).
> GlobalSign issues certificates to individuals that can be used to sign
drivers
They don’t anymore ! They require now to provide company information as well .
Regards ,
Christiaan
----- Original Message -----
From: “Bruce Cran” To: “Windows System Software Devs Interest List” Cc: Sent: Saturday, November 13, 2010 9:47 AM Subject: Re: [ntdev] Individual Developers on x64
> On Sat, 13 Nov 2010 01:38:42 -0500 (EST) > xxxxx@hotmail.com wrote: > >> This is fine, except for the fact that my drivers cannot be used by >> end-users on x64 without significant disadvantage. VeriSign have told >> us they won’t sell us a certificate. How do I proceed? The only >> option I seem to have at the moment is to tell the users to take the >> problem up with Microsoft. > > GlobalSign issues certificates to individuals that can be used to sign > drivers - they can’t be used for Winqual (and WHQL?) though. > Unfortunately VeriSign require company papers before issuing a > certificate which even rules out people who are self-employed. > > – > Bruce Cran > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Apparently not sure anymore. I acquired my certificate on April 2009 ( one year ago ) , and then it was necessary to provide
company information , contrary to the signing certificate I received the year before. May be you should contact Globalsign and ask
them explicitely if the changed back the requirement to obtain a code signing certifcate for 64 bit windows device drivers ( OU =
ObjectSign CA ). I am really interested myself.
Regards ,
Christiaan
----- Original Message -----
From: To: “Windows System Software Devs Interest List” Sent: Saturday, November 13, 2010 11:33 AM Subject: RE:[ntdev] Individual Developers on x64
On Sat, 13 Nov 2010 12:38:35 +0100
“Christiaan Ghijselinck” wrote:
> Apparently not sure anymore. I acquired my certificate on April > 2009 ( one year ago ) , and then it was necessary to provide company > information , contrary to the signing certificate I received the year > before. May be you should contact Globalsign and ask them > explicitely if the changed back the requirement to obtain a code > signing certifcate for 64 bit windows device drivers ( OU = > ObjectSign CA ). I am really interested myself.
I got my code signing certificate in June this year and didn’t have to provide company information.
Ricky: once you have the driver correctly signed using the cross-certificate the driver will load on x64, albeit with a warning asking you if you trust the publisher. You never have to put your driver through WHQL.
“Bruce Cran” wrote in message news:xxxxx@ntdev… > I got my code signing certificate in June this year and didn’t have to > provide company information. >
That is interesting, did you have to go through a notarization process ? That was once a requirement as well. In any case policies are changing all the time without notice and I wonder even who sets the rule.
Thanks for the responses. I’ve now submitted an application for the individual developer license GlobalSign offers. I’m not too worried about the warnings about the driver being non-WHQL, so long as our users can use it without too much agg.
I’ll be sure to reply if I still can’t get the driver to load.
> That is interesting, did you have to go through a notarization > process ? That was once a requirement as well. In any case policies > are changing all the time without notice and I wonder even who sets > the rule.
They verified my phone number/address and called me to check I was at that number. I also had to send them photo ID.
I would like to know if it would be deemed ‘legal’ for a company to buy a certificate and charge self-employed developers $50 per driver to read through a driver source and cross sign it on their behalf. It would be quite profitable… and a good service for anyone unable to buy a license for themselves, other than the developer having to release their source but it wouldn’t work any other way…
How would that “legal” company ensure that they were no signing malware, or
for that matter trash? How would that company protect itself from possible
legal action because it signed either trash or an elegant piece of malware?
I would like to know if it would be deemed ‘legal’ for a company to buy a
certificate and charge self-employed developers $50 per driver to read
through a driver source and cross sign it on their behalf. It would be quite
profitable… and a good service for anyone unable to buy a license for
themselves, other than the developer having to release their source but it
wouldn’t work any other way…
By reading and compiling the sourcecode provided… It is just an idea I assumed in theory would work.
How would that “legal” company ensure that they were no signing malware, or
for that matter trash? How would that company protect itself from possible
legal action because it signed either trash or an elegant piece of malware?
By reading and compiling the sourcecode provided… It is just an idea
I
assumed in theory would work.
How would that “legal” company ensure that they were no signing
malware, or
for that matter trash? How would that company protect itself from
possible
legal action because it signed either trash or an elegant piece of
malware?
This has been discussed here before. I think the big showstopper was
that if one bad piece of software gets signed and the certificate needs
to be revoked, then all software signed by that cert is now revoked.
wrote in message news:xxxxx@ntdev… > Hello, > > I know this topic has already been discussed in a few threads, I had a > look around, but they seemed to mostly descend into flames very quickly. > > I have a piece of hardware, for which I have perfectly functioning > open-source drivers for Linux and Mac (obviously this completely > supersedes any normal issues addressed by driver signing, as the problems > are covered by the license we use). > > After persuading other members of the group that we should support > windows, I’ve written some drivers using the KMDF (and after some advice > from other members of this list, I managed to get them working too). > > This is fine, except for the fact that my drivers cannot be used by > end-users on x64 without significant disadvantage. VeriSign have told us > they won’t sell us a certificate. How do I proceed? The only option I seem > to have at the moment is to tell the users to take the problem up with > Microsoft. > > Thanks, > Ricky
If you are individual developer, who is “the group”? Are there other users outside of that group? –pa
Interestingly enough, (or not) the 7winPhone developer toolset
includes a code signing certificate once you pay your $99/yr
subscription fee, and individual developers are allowed. I think the
cert is kept at MSFT so you cannot reuse it for plain old windows
drivers. Obviously there are other models that could work.
Mark Roddy
On Sat, Nov 13, 2010 at 6:09 PM, Pavel A. wrote: > wrote in message news:xxxxx@ntdev… >> >> Hello, >> >> I know this topic has already been discussed in a few threads, I had a >> look around, but they seemed to mostly descend into flames very quickly. >> >> I have a piece of hardware, for which I have perfectly functioning >> open-source drivers for Linux and Mac (obviously this completely supersedes >> any normal issues addressed by driver signing, as the problems are covered >> by the license we use). >> >> After persuading other members of the group that we should support >> windows, I’ve written some drivers using the KMDF (and after some advice >> from other members of this list, I managed to get them working too). >> >> This is fine, except for the fact that my drivers cannot be used by >> end-users on x64 without significant disadvantage. VeriSign have told us >> they won’t sell us a certificate. How do I proceed? The only option I seem >> to have at the moment is to tell the users to take the problem up with >> Microsoft. >> >> Thanks, >> Ricky > > If you are individual developer, who is “the group”? Are there other users > outside of that group? > --pa > > > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
> Interestingly enough, (or not) the 7winPhone developer toolset > includes a code signing certificate once you pay your $99/yr > subscription fee, and individual developers are allowed. I think the > cert is kept at MSFT so you cannot reuse it for plain old windows > drivers. Obviously there are other models that could work. > > Mark Roddy > > > > On Sat, Nov 13, 2010 at 6:09 PM, Pavel A. wrote: > > wrote in message news:xxxxx@ntdev… > >> > >> Hello, > >> > >> I know this topic has already been discussed in a few threads, I had a > >> look around, but they seemed to mostly descend into flames very quickly. > >> > >> I have a piece of hardware, for which I have perfectly functioning > >> open-source drivers for Linux and Mac (obviously this completely supersedes > >> any normal issues addressed by driver signing, as the problems are covered > >> by the license we use). > >> > >> After persuading other members of the group that we should support > >> windows, I’ve written some drivers using the KMDF (and after some advice > >> from other members of this list, I managed to get them working too). > >> > >> This is fine, except for the fact that my drivers cannot be used by > >> end-users on x64 without significant disadvantage. VeriSign have told us > >> they won’t sell us a certificate. How do I proceed? The only option I seem > >> to have at the moment is to tell the users to take the problem up with > >> Microsoft. > >> > >> Thanks, > >> Ricky > > > > If you are individual developer, who is “the group”? Are there other users > > outside of that group? > > --pa > > > > > > > > — > > NTDEV is sponsored by OSR > > > > For our schedule of WDF, WDM, debugging and other seminars visit: > > http://www.osr.com/seminars > > > > To unsubscribe, visit the List Server section of OSR Online at > > http://www.osronline.com/page.cfm?name=ListServer > >
> It is a pity that the Windows team and WHQL could not adopt that model.
Even if one gets a [free] certificate, it does not warrant that their stuff will run on production phones.
Authorisation and security for phones differs from “general use” machines.
WinCE always had API for device OEM to hook into code authorization.
Phone vendors like to lock their products to certain providers, content stores, DRM and so on.
– pa
Actually it looks like MSFT has provided a similar but more open and
lower cost developer environment than Apples with an equivalent to the
App Store for winphonehome7. You only have to certify your application
with MSFT through their process and it is then available to any
win7phonehome device. These are in fact general use machines with an
‘app store’ gatekeeper on what can be deployed. The physical phone
vendor does not have control over application deployment.
All of which is off topic for this list. My only point was that the
whole code signing cert for corporations only thing, a fairly
substantial barrier to open sourced windows drivers, and a barrier for
individual contributors and consultants, is artificial and antiquated.
Mark Roddy
On Mon, Nov 15, 2010 at 7:24 AM, wrote: >> It is a pity that the Windows team and WHQL could not adopt that model. > > Even if one gets a [free] certificate, it does not warrant that their stuff will run on production phones. > Authorisation and security for phones differs from “general use” machines. > WinCE always had API for device OEM to hook into code authorization. > Phone vendors like to lock their products to certain providers, content stores, DRM and so on. > – pa > > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer >