Signing device drivers without internet connection

Hello,
Is it possible to sign device drivers properly (i.e. with a time stamp) from an offline station (i.e. without an internet connection)? If so, how?
We want to sign a device driver, so that we will be able to install and run it on customer’s machines (Windows 7 - 64 bits), even after our code signing certificate expires.
By the way, assuming we do not use time stamps, if we install our driver before our certificate expires, will the driver load after the expiration date? If this is the case, I guess we can just change the computer date to an earlier date, then install the device driver, and then restore the date.
Thanks,
Itai

You must actually be able to reach the time stamping server in order to request a countersignature from it.

- S

-----Original Message-----
From: xxxxx@rafael.co.il
Sent: Tuesday, August 30, 2011 1:21
To: Windows System Software Devs Interest List
Subject: [ntdev] Signing device drivers without internet connection

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

xxxxx@rafael.co.il wrote:

> Is it possible to sign device drivers properly (i.e. with a time stamp) from an offline station (i.e. without an internet connection)? If so, how?

You would have to set up your own time stamp server, and that is
theoretically possible. There was a conversation on this very forum a
month or two about this topic. Reading it would be educational for you.

> By the way, assuming we do not use time stamps, if we install our driver before our certificate expires, will the driver load after the expiration date? If this is the case, I guess we can just change the computer date to an earlier date, then install the device driver, and then restore the date.

No, if the driver is not time-stamped, then the certificate is
considered invalid after its expiration date. The KMCS signature is
checked every time the driver loads, not just at install time.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Since we do not have an internet connection at the driver development site, are there any time stamp server devices that we can install on site that:
a) Will not need to be connected to the internet, and
b) Will allow us to add trusted time stamps to driver packages, in order to allow us to use the driver on Windows 7 (64 bits), even after the code signing certificate expires.
If such time stamp server devices exist, for how long do they work before becoming useless (i.e. every how many years do we need to buy a new server)? What is the estimated cost of such a device?
If this is not possible, which files need to be taken to an internet machine in order to add the time stamps?
Thanks,
Itai

Silly question, but you don’t have ANY internet connection in the driver development site at all!?!? Wow, that must make it really difficult to use WinDbg since you need an internet connection to keep the symbols updated and without updated symbols for WinDbg to use, stack dumps and quite a bit of WinDbg becomes near to unusable. Of course that assumes you use WinDbg at your driver development site, if not then consider signing the drivers where you use WinDbg, which probably does have an internet connection.

Gary G. Little

----- Original Message -----
From: xxxxx@rafael.co.il
To: “Windows System Software Devs Interest List”
Sent: Wednesday, August 31, 2011 7:22:35 AM
Subject: RE:[ntdev] Signing device drivers without internet connection


One could of course fetch the symbols using an internet connected site
and then move them to the secure unconnected site. Of course if you
can do that you can also sign the drivers at the insecure internet
connected site.

This is a very silly thread, but so was the last one. The real topic
is “How many obstacles can I put in the way of signing drivers without
it being absolutely impossible to do it?”

Mark Roddy

On Wed, Aug 31, 2011 at 8:39 AM, Gary G. Little wrote:
> Silly question, but you don’t have ANY internet connection in the driver
> development site at all!?!? Wow, that must make it really difficult to use
> WinDbg since you need an internet connection to keep the symbols updated and
> without updated symbols for WinDbg to use, stack dumps and quite a bit of
> WinDbg becomes near to unusable. Of course that assumes you use WinDbg at
> your driver development site, if not then consider signing the drivers where
> you use WinDbg, which probably does have an internet connection.
>
> Gary G. Little

xxxxx@rafael.co.il wrote:

> Since we do not have an internet connection at the driver development site, are there any time stamp server devices that we can install on site that:
> a) Will not need to be connected to the internet, and
> b) Will allow us to add trusted time stamps to driver packages, in order to allow us to use the driver on Windows 7 (64 bits), even after the code signing certificate expires.
> If such time stamp server devices exist, for how long do they work before becoming useless (i.e. every how many years do we need to buy a new server)? What is the estimated cost of such a device?
> If this is not possible, which files need to be taken to an internet machine in order to add the time stamps?

Did you, as I suggested, go back and read the discussion in this very
forum a month or two ago? Seriously, we had a long discussion on this
very topic, and if you aren’t willing to go back and read that, then
you’re just wasting our time.

RFC 3161 defines time stamp servers. I was told, to my surprise, that
“signtool” would accept any RFC 3161 compliant time stamp server. If
the server is trusted, then your time stamped signature will be valid
forever.

There is no “device” and no cost. The time stamp server is just a piece
of software.

You need to sign the CAT file for your package, and/or the driver SYS
files. I sign both (because it’s free), but they tell me only the CAT
file is necessary. You could build the driver package, copy the files
to a USB drive, take it to an Internet-connected machine, and run
“signtool” there.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
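One concrete workflow that fits what Tim describes, added here as an example and not code from the thread: sign on the offline machine, carry only the signed CAT/SYS files to the connected machine, and add the RFC 3161 countersignature there with `signtool timestamp`, which needs no private key. The package path, thumbprint, cross-certificate path and TSA URL are placeholder assumptions.

```powershell
# Added example, not code from the thread: Tim's two-stage flow, split by -Stage
# so each part runs on the right machine. Assumptions: signtool.exe (Windows
# SDK/WDK) is on PATH, the signing cert is in the machine store under $Thumbprint,
# and the cross-cert path and TSA URL are placeholders for your CA's own values.
param(
    [ValidateSet('Sign', 'Timestamp', 'Verify')][string]$Stage = 'Verify',
    [string]$PackageDir = 'C:\build\driver\package',                    # placeholder
    [string]$Thumbprint = '0000000000000000000000000000000000000000',  # placeholder
    [string]$CrossCert  = 'C:\certs\CrossCert.cer',                     # placeholder
    [string]$TsaUrl     = 'http://tsa.example.invalid/rfc3161'          # placeholder
)
$ErrorActionPreference = 'Stop'
$files = Get-ChildItem -Path $PackageDir -Recurse -Include *.cat, *.sys

function Invoke-SignTool([string[]]$ToolArgs) {
    & signtool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool $($ToolArgs[0]) failed: $($ToolArgs[-1])" }
}

switch ($Stage) {
    # Offline machine, the only one with the private key: sign CAT and SYS with no
    # timestamp; /ac attaches the cross certificate so the chain reaches a KMCS-trusted root.
    'Sign' {
        foreach ($f in $files) {
            Invoke-SignTool @('sign', '/v', '/sha1', $Thumbprint, '/ac', $CrossCert, $f.FullName)
        }
    }
    # Connected machine, no private key needed: only the signed CAT/SYS travel on
    # the USB drive; 'signtool timestamp /tr' fetches an RFC 3161 countersignature
    # and appends it. No /td, so the default timestamp digest is used (add /td
    # sha256 only when every target has SHA-2 code signing support).
    'Timestamp' {
        foreach ($f in $files) {
            Invoke-SignTool @('timestamp', '/tr', $TsaUrl, $f.FullName)
        }
    }
    # Before shipping: /kp applies the kernel-mode policy, /v prints the timestamp;
    # a SYS with no TimeStamperCertificate stops loading once the signing cert expires.
    'Verify' {
        foreach ($f in $files) { Invoke-SignTool @('verify', '/kp', '/v', $f.FullName) }
        foreach ($sys in ($files | Where-Object { $_.Extension -eq '.sys' })) {
            $sig = Get-AuthenticodeSignature -FilePath $sys.FullName
            if ($sig.Status -ne 'Valid' -or -not $sig.TimeStamperCertificate) {
                throw "no trusted timestamp on $($sys.FullName)"
            }
        }
    }
}
```

Run with -Stage Sign on the offline build machine, -Stage Timestamp on the connected one, and -Stage Verify on a test machine before shipping.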

Tim, yes, I read the discussion labeled “Driver with expired certificate”. I’m very confused by it.
Even if “signtool” accepts a local time stamp server, does it necessarily mean that WINDOWS will load the driver after our code signing certificate expires?
Did anyone verify it with Windows 7 64 bits?
What about future updates (hot fixes) to the operating system?

Can you name some time stamp server software that will do the work? Are they free or commercial?
Where can I get more information about the subject?
I wonder what Microsoft has to say about this. Do you know whom I can contact there?

Thanks,
Itai

xxxxx@rafael.co.il wrote:

> Tim, yes, I read the discussion labeled “Driver with expired certificate”. I’m very confused by it.

Many of us were.

> Even if “signtool” accepts a local time stamp server, does it necessarily mean that WINDOWS will load the driver after our code signing certificate expires?
> Did anyone verify it with Windows 7 64 bits?

That’s partly what started that whole conversation. I had assumed that
the KMCS checker actually validated the timestamp certificate, just like
it validates the KMCS certificate. The response was that it doesn’t
have time to do that. As long as the timestamp certificate is
self-consistent, the loader assumes that “signtool” did the validation.

No one here has tested it, because it’s not a mainstream configuration.
Look, if you’re worried about this, and this is “mission critical”, then
you would be a fool to take anyone’s word for this. You can’t trust
what we say. You need to set this up yourself and test it. Frankly,
that would have taken a lot less time than this conversation has already
taken.

> What about future updates (hot fixes) to the operating system?

What about them? No one here can predict the future.

> Can you name some time stamp server software that will do the work? Are they free or commercial?
> Where can I get more information about the subject?

Are you not familiar with Google? That’s certainly where I got the
information I already sent you.

> I wonder what Microsoft has to say about this. Do you know whom I can contact there?

No. Several folks from the driver team participate in this forum, but
they are not generally permitted to make policy statements on behalf of
the company. If you want an authorized statement, you will have to call
Microsoft Product Support and pay for a support incident. But, as I
said, it would be a quicker and a lot cheaper just to set it up and try it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.