Windows 11 on ARM64 Driver Signing Requirement

Xiaofan_Chen · January 6, 2024, 12:18am

Reference discussion:
https://github.com/pbatard/libwdi/issues/289#issuecomment-1878861404

From Pete Batard, the author of libwdi.
++++++++++++
For the record, my current guess is that whereas the (current) official documentation states:

If a driver package is signed by a Windows signing authority or a trusted publisher, Windows stages and installs the driver package without prompting the user.

thereby indicating that a driver packages where the signing certificate is present in Trusted Publishers should lead to driver installation, Microsoft might have introduced features of Windows S mode to Windows on ARM64, and especially:

Driver packages must be digitally signed with a Windows, WHQL, ELAM, or Store certificate (…)

thereby excluding self-signed credentials where the certificate part gets installed in Trusted Publishers.

However, as opposed to S Mode vs regular mode driver package installation differences, I have not been able to find any documentation related to x64 vs ARM64 driver package installation differences…

Xiaofan_Chen · January 6, 2024, 12:19am

Reference: old discussion for Windows 11 x64
Some Windows 11 x64 insider build has the same issue, but no problem with official release build version of Windows 11 on x64.
https://community.osr.com/discussion/comment/302735

Xiaofan_Chen · January 6, 2024, 12:21am

@Xiaofan_Chen said:
Reference: old discussion for Windows 11 x64
Some Windows 11 x64 insider build has the same issue, but no problem with official release build version of Windows 11 on x64.
https://community.osr.com/discussion/comment/302735

Peter posted the folloing comments in the above discussion.

@“Peter_Viscarola_(OSR)” said:
Just a side note (I have no experience to add about Win 11 and self-signed certs).

It’s easy for a lot of us to ignore this method of signing as a bad work-around for avoiding getting a “real” signature. But there are a significant number of Enterprise-level ISVs and (particularly) IHVs who use this method of driver signing. So, if a self-signed certs placed in the trusted publisher store no longer work, there a “a lot” of folks who are gonna be surprised come release time.

Peter

Xiaofan_Chen · January 15, 2024, 3:26am

Hopefully someone here can shed some light on this issue.

Dejan_Maksimovic · January 15, 2024, 10:01am

Could this method (self signed cert) work on Secure Boot? It would be a big
hole were it possible, and yet would’ve killed of any such use were it not.