Production signing driver in Visual Studio 2019

>> MS gets no cut from certifying which CA can issue EV certs for KMCS

> There is no “certification” involved. I would be very surprised to discover
> that there was any cost associated with MSFT’s choice of CAs to trust.

You believe MS did all that work for pleasure?
I would see why Apple surpassed it by value then :wink:

> If there even is any such choice. I was under the impression that “any EV code
> signing cert” would work for creating a dashboard account.

Never was the case, still isn’t. There is a list of trusted EV
providers (the ones for which a cross-cert exists). Others will not
work.
Funny enough, Symantec/Digicert were the only ones that worked at
start, then I believe GlobalSign was added, and gradually others.
But I can tell you from several experiences, that either the cert
bodies do not follow the guidelines, or the guidelines for EV
certification are c***.

> scheme had been thwarted multiple ways, and the availability of non-EV certs
> is very loose. So cross-signing wasn’t a very good way of ensuring “bad
> actors” didn’t create malware that end users could unknowingly load. I
> guess.

And Attestation helps… how exactly?

> I know Mr. Maksimovic has repeatedly said that there’s no validation
> involved in getting an EV cert, but I have heard multiple stories — and our
> experiences getting EV Certs for OSR — that say otherwise.

What was involved for you in getting the EV cert?
One of my companies got the certificate simply by being listed on
Google Business. That was it… that was ALL the verification that they
did.

> I don’t get the annoyance over attestation signing. At OSR, it just adds
> one small step to our release process and hasn’t proved even the tiniest bit
> inconvenient.

Submitting the driver, having to wait 20 minutes, downloading it and
then packaging it is not a PITA?
It took me <2 minutes to compile 18+1 different variations of my own
drivers (for different customers, architectures, windows versions,
etc…), with signing and packaging. It was all automated, and the
resulting package was ready for deployment.

Now, I have to do half the above process, then submit for attestation,
wait 20 minutes, do it 3 more times, because I always forget something
:D, and then have a file ready for deployment.

I agree the above would be a matter of opinion, whether it is a
nuisance - but so is the process of getting the EV cert. Once we get
the first token, renewals are automatic - just PAY. Nothing else!

In my opinion, the biggest drags to Attestation signing are:

  • Cost that we see no added value to, but is an obvious way to remove
    support for older Windows versions.
  • It takes 20-30 minutes per driver package (10 to submit, unless you
    automated it via JSON API), even though the process can’t do anything
    more than verify I signed the .cab file, verify the INF, and sign the
    driver/cat. That is <2 seconds of work on my old laptop. It should be
    <2 milliseconds of work on average on Azure cloud.
    What do I do when I need to submit 19 builds? Do a LOT of waiting :slight_smile:

Cost: I just noticed that SSL.COM is offering EV Code Signing Certs for US$250/year… IIRC, that’s less than we paid for our (non-EV) Symantec Class 3 Code Signing cert.

Peter

(Conflict of interest statement: Neither I nor OSR have any relationship with or knowledge of SSL.COM, nor do we derive any revenue or consideration from SSL.COM)

I am not sure SSL.com will work, but there are $290 ones.

We paid less for our first EVs.

But, do tell what the verification was like for a US company?

SSL.COM will indeed work. I got it from the MSFT web site.

> do tell what the verification was like for a US company

It required us to give Digicert an address and a phone number that they could look up and cross-check that it was listed as our business, they had to call that phone number and physically talk to the exact person we said they could reach at that number, and I believe that we had to give them something to verify our business (I think it was our D‑U‑N‑S Number).

And then they would only mail our token to the address that we gave them and that they had previously verified.

That felt sufficiently rigorous to me.

Peter

> Never was the case, still isn’t. There is a list of trusted
> EV providers (the ones for which a cross-cert exists). Others
> will not work.

Nope, you are wrong. The certificate requirements for doing cross-signing are entirely different from the certificate requirements for setting up your dashboard account. The dashboard account cert does not need to be a code-signing certificate at all. Until the EV thing, the cheapest Symantec certificate available worked just fine. Now, as a developer, it was more convenient to get one certificate that worked in both cases, but the dashboard will work with ANY legitimate EV cert. It doesn’t have to be on a trusted list.

I meant signing certs.

>> do tell what the verification was like for a US company
>
> It required us to give Digicert an address and a phone number that they
> could look up and cross-check that it was listed as our business, they had
> to call that phone number and physically talk to the exact person we said
> they could reach at that number, and I believe that we had to give them
> something to verify our business (I think it was our D‑U‑N‑S Number).
>
> And then they would only mail our token to the address that we gave them
> and that they had previously verified.
>
> That felt sufficiently rigorous to me.

Easily spoofed and intercepted.

> Easily spoofed and intercepted.

Easily? I don’t think so. Possible, but the cost/benefit ratio doesn’t make much sense.

Malware on millions of computers before it is detected?