signature verification for non-pnp driver

Hi, I have a non-PnP driver (a WFP module) and it seems that when loading
the driver with net start, the kernel doesn’t care about signature
verification through CAT files but instead requires that the signature be
embedded.

Is it possible to test and obtain a WHQL signature for such a driver? From
what I understand WHQL will only sign a CAT file which for a non-PNP driver
isn’t even considered for signature verification purposes during load time?

If the above is true, is the only route to getting such a driver properly
signed through some thirdparty like Verisign, etc?

Thanks!

Have you looked at the HCK and tried to find a relevant certification program?

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Puchu Pachok
Sent: Thursday, April 25, 2013 8:21 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] signature verification for non-pnp driver

— NTDEV is sponsored by OSR OSR is HIRING!! See http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

That is like asking for a root canal because you don’t have any toothpaste.

Get a code signing certificate. Sign the binary. Done.

If you don’t need to have a WHQL certification, then you don’t want one.

Cheers,

Dave Cattley

Puchu Pachok wrote:

Hi, I have a non-PnP driver (a WFP module) and it seems that when
loading the driver with net start, the kernel doesn’t care about
signature verification through CAT files but instead requires that the
signature be embedded.

There are two different signature checks. One check is done when a PnP
driver is installed. This applies to all of the system, but all it does
is present a warning that the user can override. After the warning is
presented, this check is never done again. This signature is always
embedded in the CAT file.

The other check is the KMCS check. This is done every time the driver
is loaded into memory, but it is only done on the 64-bit systems. For
this, you can sign the .SYS, or for a PnP driver package you can sign
the .CAT. A non-PnP driver does not have a driver package, so you can’t
sign the .CAT.

Is it possible to test and obtain a WHQL signature for such a driver?
From what I understand WHQL will only sign a CAT file which for a
non-PNP driver isn’t even considered for signature verification
purposes during load time?

There is no purpose in doing so. All the WHQL signature does is
suppress the warning dialog in the install-time check. Since you won’t
have an install-time check for a PnP driver, the WHQL signature is
pointless.

If the above is true, is the only route to getting such a driver
properly signed through some thirdparty like Verisign, etc?

Every serious driver developer needs a code-signing certificate, in my
opinion. You can’t simulate your client’s install experience without
one. They’re cheaper than WHQL, plus you have to have a Verisign
certificate to submit to WHQL anyway!


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
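Dave's "sign the binary" and Tim's distinction between the catalog-based install-time check and the KMCS load-time check come down to where the signature physically lives. A .cat is a separate file that is installed into the system catalog store, while the signature KMCS looks for on a non-PnP .sys is embedded in the file itself, in the PE security directory (IMAGE_DIRECTORY_ENTRY_SECURITY, a WIN_CERTIFICATE structure wrapping a PKCS#7 SignedData blob). The script below is an added example, not code from the original thread or from any of its posters. It parses that directory so you can tell, before running `net start`, whether a .sys carries an embedded Authenticode signature at all or only has a catalog signature that the loader will never consult for a non-PnP driver. The `build_sample_pe32plus` helper constructs throwaway, header-only PE32+ images so the script runs offline; they are not real drivers, and their "signature" bytes are a placeholder, not a valid PKCS#7 structure. Presence of the blob is all this checks; validating the chain and the cross-certificate is the job of `signtool verify /v /kp driver.sys`.

```python
import struct
import sys

# Constants from the PE and Authenticode specifications.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def embedded_signature_info(image: bytes) -> dict:
    """Locate the Authenticode security directory of a PE image.

    Reports what the kernel-mode code-signing check would find embedded in
    the file: whether the security directory is populated and, if so, the
    WIN_CERTIFICATE header of the first entry. Catalog (.cat) signatures live
    outside the file, so a catalog-only signed .sys reports has_embedded False.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        dir_base = opt + 96                   # DataDirectory[] for PE32
    elif magic == PE32PLUS_MAGIC:
        dir_base = opt + 112                  # DataDirectory[] for PE32+
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    (num_dirs,) = struct.unpack_from("<I", image, dir_base - 4)  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"has_embedded": False, "reason": "no security directory"}
    sec_off, sec_size = struct.unpack_from(
        "<II", image, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return {"has_embedded": False, "reason": "security directory empty"}
    # Unlike every other directory, the security entry holds a raw file offset,
    # not an RVA, because the certificate table is never mapped into memory.
    if sec_size < 8 or sec_off + sec_size > len(image):
        return {"has_embedded": False, "reason": "security directory out of bounds"}

    length, revision, cert_type = struct.unpack_from("<IHH", image, sec_off)
    return {
        "has_embedded": True,
        "length": length,
        "revision": revision,
        "cert_type": cert_type,
        "is_pkcs7": revision == WIN_CERT_REVISION_2_0
        and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "pkcs7_der": image[sec_off + 8:sec_off + length],
    }


def build_sample_pe32plus(with_cert: bool) -> bytes:
    """Construct a synthetic, header-only PE32+ image for offline demonstration.

    This is constructed test data, not a real driver: only the fields that
    embedded_signature_info reads are populated, and the embedded 'signature'
    is placeholder bytes rather than a real PKCS#7 SignedData blob.
    """
    opt_size = 112 + 16 * 8                   # PE32+ fixed part + 16 directories
    img = bytearray(0x40 + 4 + 20 + opt_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<H", img, coff, 0x8664)          # Machine: AMD64
    struct.pack_into("<H", img, coff + 16, opt_size)   # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)         # NumberOfRvaAndSizes
    if with_cert:
        fake_pkcs7 = b"\x30\x82\x00\x04\xde\xad\xbe\xef"  # placeholder, 8 bytes
        cert = struct.pack("<IHH", 8 + len(fake_pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
        cert += b"\0" * (-len(cert) % 8)      # entries are 8-byte aligned
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # inspect a real .sys from disk
        with open(sys.argv[1], "rb") as f:
            print(embedded_signature_info(f.read()))
    else:                                      # offline demo on constructed images
        print("catalog-only style:", embedded_signature_info(build_sample_pe32plus(False)))
        print("embedded signature:", embedded_signature_info(build_sample_pe32plus(True)))
```

Run it against the built .sys after `signtool sign` to confirm the security directory is populated. For a PnP package signed only through its catalog, `signtool verify /v /kp /c package.cat driver.sys` is the equivalent check against the .cat, and the script will report `has_embedded` False for that .sys, which is exactly the state a 64-bit kernel refuses to load for a non-PnP driver.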

Hi, I had a quick follow-up here. For WFP filters that are not PnP, any ideas
what the WHCK tests @
http://msdn.microsoft.com/en-us/library/windows/hardware/hh998827.aspx will
do? If I pass them, will I get a signature for my driver binary?

Thanks!

On Fri, Apr 26, 2013 at 9:23 AM, Tim Roberts wrote:

Puchu Pachok wrote:

Hi, I had a quick follow-up here. For WFP filters that are not PnP, any
ideas what the WHCK tests
@ http://msdn.microsoft.com/en-us/library/windows/hardware/hh998827.aspx will
do? If I pass them, will I get a signature for my driver binary?

WHQL only signs CAT files. They don’t sign SYS files.

If you have an INF (and hence a CAT), and you pass the tests, and you
bundle up the results along with your driver package, and send the
results to WHQL along with the appropriate fees, then they will send
back a signed CAT file for your package.

Note that you STILL need a Verisign certificate to create a WHQL account
in order to submit your package. You can’t avoid getting a certificate
of your own.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.