15 May 17 12:50
Driver Signing on Windows 10
George Luiz Bittencourt wrote:
> From what I have read starting from Windows 10 build 1607 I must sign
> my drivers with an EV certificate purchased from one of the following
> vendors: Symantec, DigiCert, Entrust or GlobalSign.
> I also need to submit my driver to the Dev Portal where Microsoft will
> do a second signing using their own certificate.
> Is my understanding correct? Does this Dev Portal do any additional
> check in my code?

Didn't I just answer this question last week? ;)

There are three separate scenarios here. If your client does not have
"secure boot" set in the BIOS, then the driver signing policies in 1607
and beyond are exactly the same as they always have been. Your standard
non-EV certificate will suffice. No Microsoft involvement is necessary.

If your client has "secure boot" set, then you need a Microsoft
blessing. You can get that in two ways. If you want to run your driver
through the full HCK suite (or HLK, whatever it's called now), you can
submit your driver for the WHQL signature. Such a driver package will
work on all the systems, old and new.

Otherwise, you can use the attestation signing, as you mentioned. The
attestation signing does no testing of your driver, although it does
rudimentary checking of your INF file. It has to do that, because they
throw out whatever CAT file you might have supplied and build a
brand-new CAT file from the INF. One side effect of this is that the
driver package you get back is ONLY marked for Windows 10. It will not
load in the earlier systems.

It's not necessary for you to sign your driver at all before submitting
it for attestation signing. The EV certificate is only necessary in
order for you to establish the Dev Portal account.

Tim Roberts, email@example.com
Providenza & Boekelheide, Inc.
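
The scenarios in the reply above can be checked on a target machine. This is an added example, not part of the original post: it reads the Secure Boot state and the signer of a driver package's catalog file. The catalog path is a placeholder, and the publisher name matched below is an assumption about how Microsoft-signed packages are labelled; the post does not state it.

```powershell
# Added example (not from the thread). $CatalogPath is a hypothetical placeholder.
param([string]$CatalogPath = 'C:\drivers\mydriver\mydriver.cat')

# 1. Secure Boot state. Confirm-SecureBootUEFI needs an elevated prompt and
#    throws on legacy BIOS systems, so "unknown" is kept distinct from "off".
$secureBoot = $null
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)" }

# 2. Signature on the package's catalog file and the signer's EKUs.
$sig    = Get-AuthenticodeSignature -FilePath $CatalogPath
$signer = $sig.SignerCertificate
$ekus   = @()
if ($signer) {
    $ekus = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { '{0} ({1})' -f $_.FriendlyName, $_.Value }
}

# Assumption: catalogs returned by Microsoft (WHQL or attestation) are signed
# by this publisher; a vendor-only signature carries the vendor's own subject.
$msPublisher     = 'CN=Microsoft Windows Hardware Compatibility Publisher'
$microsoftSigned = [bool]($signer -and $signer.Subject -like "*$msPublisher*")
$valid           = $sig.Status -eq 'Valid'

# 3. Map the result onto the scenarios described in the reply.
$verdict =
    if ($null -eq $secureBoot)           { 'Secure Boot state unknown: rerun elevated on a UEFI system' }
    elseif (-not $valid)                 { "Catalog signature status is $($sig.Status): fix signing first" }
    elseif (-not $secureBoot)            { 'Secure Boot off: a standard code-signing signature is sufficient' }
    elseif ($microsoftSigned)            { 'Secure Boot on: catalog carries a Microsoft signature' }
    else                                 { 'Secure Boot on: needs WHQL or attestation signing' }

[pscustomobject]@{
    SecureBoot      = $secureBoot
    SignatureStatus = $sig.Status
    Signer          = if ($signer) { $signer.Subject } else { '(unsigned)' }
    SignerEKUs      = $ekus -join '; '
    MicrosoftSigned = $microsoftSigned
    Verdict         = $verdict
} | Format-List
```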