Question about driver signing

@Alan Thanks a lot for your help. That was truly enlightening!

@Tim I tested an attestation-signed driver on Windows Server 2016 alongside Win 10 and it worked perfectly. After a long time trying to set up the lab environment described in the post below, I decided to give attestation signing a try, and on my 8th try I managed to get my driver signed by Microsoft.

http://blog.morphisec.com/windows-drivers-and-digital-signatures

As a side note, attestation signing is not as scary as I thought in the beginning (maybe because I learned all aspects of it after 7 tries). If you pay attention to the items below, it generally takes 10 minutes.

Attestation signing process steps:

  1. If somehow you cannot sign into Hardware Dev Center (which was the case in my scenario and took me 3 days to reach Microsoft support + a 2-hour phone call), just create a new Azure AD account in whatever subscription. This is not important, since they will identify you by requiring you to sign a file and upload it to the portal.

  2. Your package needs to have 3 files: SYS, INF, PDB. CAT file is not required and ignored by the portal.

  3. Make sure you create a valid INF file and verify it using INFVERIF.exe. You can find the template I used below:
    https://drive.google.com/file/d/1ysnsGa7w5F7w-YuCQD03zz8iyhVNGepn/view?usp=sharing

  4. If you are in a different timezone, the INF file's DriverVer value is automatically set to the SYS file's creation time and the portal gives an error such as “driverver set to a date in the future”. Adjust your timezone and build your driver again.

  5. Create a folder in any location and name it let’s say “MyPackage”. Create another sub folder inside it and name it “DriverPackage1”. Copy aforementioned 3 files inside it.

  6. Open IZArc and select File > New. Type “MyPackage.cab” into File name dialog. This will create a cab file and “Add Files” dialog will appear. This dialog is a bit misleading. It won’t open a CAB file, it will create it instead.

  7. Select “MyPackage” folder and you are done. IZArc creates the CAB file for you. Make sure that CAB file only has “DriverPackage1” folder in its root. Portal will fail if it encounters any other file in the root folder!

  8. Sign this CAB file using your SHA256 signature. Do *not* use SHA1 or a dual signature, or else you will wait another 10-15 minutes :)

  9. Portal will ask you which OS versions to sign for, please make sure you select the appropriate OS versions for your driver. Note that there are 32, 64 and ARM64 versions. So if you are uploading a 32 bit, only select 32 bit OS versions.

  10. If you are lucky, you will get a notification email in 10 minutes with the signed package.

Enjoy your attestation signed driver.

Hope it helps…
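Added example, not part of the original post: a pre-submission check of the staging folder against steps 2, 4 and 7 above (three required files, DriverVer not in the future, nothing but driver folders in the CAB root). The function names are hypothetical, and comparing DriverVer against the UTC date is an assumption about how the portal evaluates it.

```python
import re
from datetime import date, datetime, timezone
from pathlib import Path

REQUIRED = {".sys", ".inf", ".pdb"}  # the three files the post lists
# INF syntax: DriverVer = mm/dd/yyyy[,w.x.y.z]
DRIVERVER = re.compile(r"^\s*DriverVer\s*=\s*(\d{1,2})/(\d{1,2})/(\d{4})", re.I | re.M)

def read_inf(path):
    """INF files are commonly UTF-16 with a BOM; otherwise treat as UTF-8."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def driverver_date(text):
    """Return the DriverVer date, or None if absent or not a real date."""
    m = DRIVERVER.search(text)
    if not m:
        return None
    try:
        return date(int(m.group(3)), int(m.group(1)), int(m.group(2)))
    except ValueError:
        return None

def check_package(root, today=None):
    """Return a list of problems in the staging folder; empty means OK."""
    # Assumption: compare against the UTC date, not the build machine's local date.
    today = today or datetime.now(timezone.utc).date()
    problems = []
    entries = sorted(Path(root).iterdir())
    stray = [e.name for e in entries if not e.is_dir()]
    if stray:  # step 7: only driver folders may sit in the CAB root
        problems.append(f"root contains files: {stray}")
    subdirs = [e for e in entries if e.is_dir()]
    if not subdirs:
        problems.append("root has no driver folder")
    for sub in subdirs:
        files = [f for f in sub.iterdir() if f.is_file()]
        missing = REQUIRED - {f.suffix.lower() for f in files}
        if missing:  # step 2: SYS, INF and PDB must all be present
            problems.append(f"{sub.name}: missing {sorted(missing)}")
        for inf in (f for f in files if f.suffix.lower() == ".inf"):
            d = driverver_date(read_inf(inf))
            if d is None:
                problems.append(f"{inf.name}: no valid DriverVer directive")
            elif d > today:  # step 4: the portal rejects future dates
                problems.append(f"{inf.name}: DriverVer {d} is in the future")
    return problems
```

Run `check_package("MyPackage")` on the folder before building the CAB; it does not replace INFVERIF.exe, which validates the INF itself.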