Kernel Driver signing in Vista x64 and Certificate expiration

NTDEV
1

All is nearly clear for me with kernel driver signing. I am starting to
prepare to publish my application to be compatible with Vista x64 Beta 2 and
later. All is working. Last step is kernel driver signing. One question
only.

Imaging I got 1 or 2 year long certificate from CA. Use it with version
of my software. Customer pay for this version of software and use it. I
develop next versions of my software. After 2 years certificate I used with
my kernel driver in old software version is expired. I have limited support
for this old version now. It is usual practice in the world. And my customer
can not use this old version of my application – drivers can not be loaded.

What I can do for this customer? I see driver signing as artificial
limiting life of old good versions and force customer to pay for upgrade.

Am I correct in above? Or my kernel driver with embedded signing will
continue be loadable after certificate expired?

Best Regards,
Igor Arsenin

2

If you use timestamping service (e.g. from Verisign) when you signing
your driver, your driver will be run even after the expiration of your
certificate as long as you signed the driver before your certificate
expired. Otherwise - with no timestamp - your driver will not be loaded
after expiration date of your certificate.

Signtool with /t http://timestamp.verisign.com/scripts/timestamp.dll
timestamps your signature.

Chesong Lee

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Igor Arsenin
Sent: Saturday, July 22, 2006 10:21 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel Driver signing in Vista x64 and Certificate
expiration

All is nearly clear for me with kernel driver signing. I am starting
to
prepare to publish my application to be compatible with Vista x64 Beta 2
and
later. All is working. Last step is kernel driver signing. One question
only.

Imaging I got 1 or 2 year long certificate from CA. Use it with
version
of my software. Customer pay for this version of software and use it. I
develop next versions of my software. After 2 years certificate I used
with
my kernel driver in old software version is expired. I have limited
support
for this old version now. It is usual practice in the world. And my
customer
can not use this old version of my application – drivers can not be
loaded.

What I can do for this customer? I see driver signing as artificial
limiting life of old good versions and force customer to pay for
upgrade.

Am I correct in above? Or my kernel driver with embedded signing
will
continue be loadable after certificate expired?

Best Regards,
Igor Arsenin

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

3

> Imaging I got 1 or 2 year long certificate from CA. Use it with version

of my software. Customer pay for this version of software and use it. I
develop next versions of my software. After 2 years certificate I used with
my kernel driver in old software version is expired. I have limited support
for this old version now. It is usual practice in the world. And my customer
can not use this old version of my application – drivers can not be loaded.

Provide a patch on your website.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

4

Hello Maxim,

I like an idea that my applications continue working after my company
gone. So I like an idea about “timestamping service” much more than
publishing patches on site for many previous versions.

Best Regards,
Igor Arsenin

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…
> > Imaging I got 1 or 2 year long certificate from CA. Use it with
version
> > of my software. Customer pay for this version of software and use it. I
> > develop next versions of my software. After 2 years certificate I used
with
> > my kernel driver in old software version is expired. I have limited
support
> > for this old version now. It is usual practice in the world. And my
customer
> > can not use this old version of my application – drivers can not be
loaded.
>
> Provide a patch on your website.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>

5

> Otherwise - with no timestamp - your driver will

not be loaded after expiration date of your certificate.

This is new to me; a kind of disposable driver. Software that someone buys that expires in less than 2 years should be considered junkware and people warned ahead of time. Because what if these forced updates are worse and buggier than the original or just never come to exist? What if the system will no longer boot after expiration? There are timelocked *applications*, but I can’t understand why anyone would ever create a *driver* that behaves like this.

eof

6

Thanks Lee!

Am I correct in assumption that TSA services are free? And no matter
what CA I certificate got to sign code from and what TSA I use to timestamp
signed code.

Best Regards,
Igor Arsenin

“Chesong Lee” wrote in message news:xxxxx@ntdev…
If you use timestamping service (e.g. from Verisign) when you signing
your driver, your driver will be run even after the expiration of your
certificate as long as you signed the driver before your certificate
expired. Otherwise - with no timestamp - your driver will not be loaded
after expiration date of your certificate.

Signtool with /t http://timestamp.verisign.com/scripts/timestamp.dll
timestamps your signature.

Chesong Lee

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Igor Arsenin
Sent: Saturday, July 22, 2006 10:21 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel Driver signing in Vista x64 and Certificate
expiration

All is nearly clear for me with kernel driver signing. I am starting
to
prepare to publish my application to be compatible with Vista x64 Beta 2
and
later. All is working. Last step is kernel driver signing. One question
only.

Imaging I got 1 or 2 year long certificate from CA. Use it with
version
of my software. Customer pay for this version of software and use it. I
develop next versions of my software. After 2 years certificate I used
with
my kernel driver in old software version is expired. I have limited
support
for this old version now. It is usual practice in the world. And my
customer
can not use this old version of my application – drivers can not be
loaded.

What I can do for this customer? I see driver signing as artificial
limiting life of old good versions and force customer to pay for
upgrade.

Am I correct in above? Or my kernel driver with embedded signing
will
continue be loadable after certificate expired?

Best Regards,
Igor Arsenin


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

7

Yes! It seems like only pass with TimeStamp added is THE ONLY VALID
ALTERNATIVE.

Igor Arsenin

wrote in message news:xxxxx@ntdev…
> > Otherwise - with no timestamp - your driver will
> > not be loaded after expiration date of your certificate.
>
> This is new to me; a kind of disposable driver. Software that someone buys
that expires in less than 2 years should be considered junkware and people
warned ahead of time. Because what if these forced updates are worse and
buggier than the original or just never come to exist? What if the system
will no longer boot after expiration? There are timelocked applications,
but I can’t understand why anyone would ever create a driver that behaves
like this.
>
> eof
>
>

8

It is mentioned in Code Signing Best Practices. (search for best_practices.doc in microsoft.com)

— begin quote —
Certificates normally expire after a period of time, such as one year. However, software is typically designed to operate for many years. If the certificate that was used to sign the code expires, the signature cannot be validated and the software might not install or run. To avoid this issue, Microsoft recommends that software publishers timestamp their digital signatures.

A timestamp is an assertion from a trusted source, called a time-stamping authority (TSA), that the digital signature’s signed hash was in existence when the timestamp was issued. If the signing certificate was valid at that time, Windows considers the signature to be valid even if the certificate has since expired. If a signature is not timestamped, when the certificate used to sign the software expires, the signature simply becomes invalid.
— end quote —

Actually, it just says that “The signature simply becomes invalid.” –> equivalent to not signed.

Rationale is to prevent signing drivers with expired certificates.
Without timestamps, there is no way to tell if the code was signed before expiration.
Timestamp from the valid source (such as VeriSign) ensures the actual time (not of the build system or developer’s system).

In other words, when you release your drivers to the public, it is
mandatory to sign them with timestamp.

Chesong Lee

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@email.com
Sent: Sunday, July 23, 2006 1:22 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Kernel Driver signing in Vista x64 and Certificate expiration

Otherwise - with no timestamp - your driver will
not be loaded after expiration date of your certificate.

This is new to me; a kind of disposable driver. Software that someone buys that expires in less than 2 years should be considered junkware and people warned ahead of time. Because what if these forced updates are worse and buggier than the original or just never come to exist? What if the system will no longer boot after expiration? There are timelocked *applications*, but I can’t understand why anyone would ever create a *driver* that behaves like this.

eof

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

9

We have an SPC from VeriSign and using VeriSign timestamp service with it does not incur any charges.

I have never tested with SPC’s from other CA’s for VeriSign timestamping service.

Can anyone in this list who has SPC’s from Thawte or other CA’s test this?
Maybe each CA has its own timestamping service.

Regards,

Chesong Lee

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Igor Arsenin
Sent: Sunday, July 23, 2006 1:57 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Kernel Driver signing in Vista x64 and Certificate expiration

Thanks Lee!

Am I correct in assumption that TSA services are free? And no matter
what CA I certificate got to sign code from and what TSA I use to timestamp
signed code.

Best Regards,
Igor Arsenin

“Chesong Lee” wrote in message news:xxxxx@ntdev…
If you use timestamping service (e.g. from Verisign) when you signing
your driver, your driver will be run even after the expiration of your
certificate as long as you signed the driver before your certificate
expired. Otherwise - with no timestamp - your driver will not be loaded
after expiration date of your certificate.

Signtool with /t http://timestamp.verisign.com/scripts/timestamp.dll
timestamps your signature.

Chesong Lee

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Igor Arsenin
Sent: Saturday, July 22, 2006 10:21 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel Driver signing in Vista x64 and Certificate
expiration

All is nearly clear for me with kernel driver signing. I am starting
to
prepare to publish my application to be compatible with Vista x64 Beta 2
and
later. All is working. Last step is kernel driver signing. One question
only.

Imaging I got 1 or 2 year long certificate from CA. Use it with
version
of my software. Customer pay for this version of software and use it. I
develop next versions of my software. After 2 years certificate I used
with
my kernel driver in old software version is expired. I have limited
support
for this old version now. It is usual practice in the world. And my
customer
can not use this old version of my application – drivers can not be
loaded.

What I can do for this customer? I see driver signing as artificial
limiting life of old good versions and force customer to pay for
upgrade.

Am I correct in above? Or my kernel driver with embedded signing
will
continue be loadable after certificate expired?

Best Regards,
Igor Arsenin


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

10

I thought the correct timestamping URL was:
/t http://timestamp.verisign.com/scripts/timstamp.dll

At least that’s what it says at Verisign’s site:
http://www.verisign.com/support/code-signing-support/code-signing/identity-authentication.html

Although, the Kernel Mode Signing Walkthrough available at:
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
and the driver signing paper for x64 drivers on Windows Vista at:
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
both say “timestamp.dll” in their examples.

All the docs I’ve read (at least until now) said that the “e” was omitted in
the DLL name. Did this change (if so, no complaint – I won’t have to
remember to mistype the DLL name anymore)? Or is it a typo in these docs?

-Dan

----- Original Message -----

Subject: RE: Kernel Driver signing in Vista x64 and Certificate expiration
From: “Chesong Lee”
> Date: Sat, 22 Jul 2006 13:41:49 -0400
> X-Message-Number: 15
>
> If you use timestamping service (e.g. from Verisign) when you signing
> your driver, your driver will be run even after the expiration of your
> certificate as long as you signed the driver before your certificate
> expired. Otherwise - with no timestamp - your driver will not be loaded
> after expiration date of your certificate.
>
> Signtool with /t http://timestamp.verisign.com/scripts/timestamp.dll
> timestamps your signature.
>
> Chesong Lee
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Igor Arsenin
> Sent: Saturday, July 22, 2006 10:21 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Kernel Driver signing in Vista x64 and Certificate
> expiration
>
>
>
> All is nearly clear for me with kernel driver signing. I am starting
> to
> prepare to publish my application to be compatible with Vista x64 Beta 2
> and
> later. All is working. Last step is kernel driver signing. One question
> only.
>
> Imaging I got 1 or 2 year long certificate from CA. Use it with
> version
> of my software. Customer pay for this version of software and use it. I
> develop next versions of my software. After 2 years certificate I used
> with
> my kernel driver in old software version is expired. I have limited
> support
> for this old version now. It is usual practice in the world. And my
> customer
> can not use this old version of my application – drivers can not be
> loaded.
>
> What I can do for this customer? I see driver signing as artificial
> limiting life of old good versions and force customer to pay for
> upgrade.
>
> Am I correct in above? Or my kernel driver with embedded signing
> will
> continue be loadable after certificate expired?
>
> Best Regards,
> Igor Arsenin

11

I have always used < http://timestamp.verisign.com/scripts/timstamp.dll >.
I just tried < http://timestamp.verisign.com/scripts/timestamp.dll > and
that seems to work too, now. Not sure that I’d switch everything to use it
given that VeriSign still says that you should not use “timestamp.dll” but
should instead use “timstamp.dll”, though.


Ken Johnson (Skywing)
Windows SDK MVP

“Daniel E. Germann” wrote in message news:xxxxx@ntdev…
>I thought the correct timestamping URL was:
> /t http://timestamp.verisign.com/scripts/timstamp.dll
>
> At least that’s what it says at Verisign’s site:
> http://www.verisign.com/support/code-signing-support/code-signing/identity-authentication.html
>
> Although, the Kernel Mode Signing Walkthrough available at:
> http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
> and the driver signing paper for x64 drivers on Windows Vista at:
> http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
> both say “timestamp.dll” in their examples.
>
> All the docs I’ve read (at least until now) said that the “e” was omitted
> in the DLL name. Did this change (if so, no complaint – I won’t have to
> remember to mistype the DLL name anymore)? Or is it a typo in these docs?
>
> -Dan
>
> ----- Original Message -----
>> Subject: RE: Kernel Driver signing in Vista x64 and Certificate
>> expiration
>> From: “Chesong Lee”
>> Date: Sat, 22 Jul 2006 13:41:49 -0400
>> X-Message-Number: 15
>>
>> If you use timestamping service (e.g. from Verisign) when you signing
>> your driver, your driver will be run even after the expiration of your
>> certificate as long as you signed the driver before your certificate
>> expired. Otherwise - with no timestamp - your driver will not be loaded
>> after expiration date of your certificate.
>>
>> Signtool with /t http://timestamp.verisign.com/scripts/timestamp.dll
>> timestamps your signature.
>>
>> Chesong Lee
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Igor Arsenin
>> Sent: Saturday, July 22, 2006 10:21 AM
>> To: Windows System Software Devs Interest List
>> Subject: [ntdev] Kernel Driver signing in Vista x64 and Certificate
>> expiration
>>
>>
>>
>> All is nearly clear for me with kernel driver signing. I am starting
>> to
>> prepare to publish my application to be compatible with Vista x64 Beta 2
>> and
>> later. All is working. Last step is kernel driver signing. One question
>> only.
>>
>> Imaging I got 1 or 2 year long certificate from CA. Use it with
>> version
>> of my software. Customer pay for this version of software and use it. I
>> develop next versions of my software. After 2 years certificate I used
>> with
>> my kernel driver in old software version is expired. I have limited
>> support
>> for this old version now. It is usual practice in the world. And my
>> customer
>> can not use this old version of my application – drivers can not be
>> loaded.
>>
>> What I can do for this customer? I see driver signing as artificial
>> limiting life of old good versions and force customer to pay for
>> upgrade.
>>
>> Am I correct in above? Or my kernel driver with embedded signing
>> will
>> continue be loadable after certificate expired?
>>
>> Best Regards,
>> Igor Arsenin
>
>

12

It was a very weird thing at first to use timstamp.dll. Before publishing kernel signing document for Vista, all documents were saying to use http://timestamp.verisign.com/scripts/timstamp.dll mentioning that timstamp.dll is not a typo.
Seems like conforming with 8.3 naming convention. Anyhow, they both work now.

http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.verisign.com/scripts/timestamp.dll

Chesong Lee

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Daniel E. Germann
Sent: Sunday, July 23, 2006 9:28 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Kernel Driver signing in Vista x64 and Certificate expiration

I thought the correct timestamping URL was:
/t http://timestamp.verisign.com/scripts/timstamp.dll

At least that’s what it says at Verisign’s site:
http://www.verisign.com/support/code-signing-support/code-signing/identity-authentication.html

Although, the Kernel Mode Signing Walkthrough available at:
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
and the driver signing paper for x64 drivers on Windows Vista at:
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
both say “timestamp.dll” in their examples.

All the docs I’ve read (at least until now) said that the “e” was omitted in
the DLL name. Did this change (if so, no complaint – I won’t have to
remember to mistype the DLL name anymore)? Or is it a typo in these docs?

-Dan

----- Original Message -----

Subject: RE: Kernel Driver signing in Vista x64 and Certificate expiration
From: “Chesong Lee”
> Date: Sat, 22 Jul 2006 13:41:49 -0400
> X-Message-Number: 15
>
> If you use timestamping service (e.g. from Verisign) when you signing
> your driver, your driver will be run even after the expiration of your
> certificate as long as you signed the driver before your certificate
> expired. Otherwise - with no timestamp - your driver will not be loaded
> after expiration date of your certificate.
>
> Signtool with /t http://timestamp.verisign.com/scripts/timestamp.dll
> timestamps your signature.
>
> Chesong Lee
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Igor Arsenin
> Sent: Saturday, July 22, 2006 10:21 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Kernel Driver signing in Vista x64 and Certificate
> expiration
>
>
>
> All is nearly clear for me with kernel driver signing. I am starting
> to
> prepare to publish my application to be compatible with Vista x64 Beta 2
> and
> later. All is working. Last step is kernel driver signing. One question
> only.
>
> Imaging I got 1 or 2 year long certificate from CA. Use it with
> version
> of my software. Customer pay for this version of software and use it. I
> develop next versions of my software. After 2 years certificate I used
> with
> my kernel driver in old software version is expired. I have limited
> support
> for this old version now. It is usual practice in the world. And my
> customer
> can not use this old version of my application – drivers can not be
> loaded.
>
> What I can do for this customer? I see driver signing as artificial
> limiting life of old good versions and force customer to pay for
> upgrade.
>
> Am I correct in above? Or my kernel driver with embedded signing
> will
> continue be loadable after certificate expired?
>
> Best Regards,
> Igor Arsenin


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer