Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

Upcoming OSR Seminars:

Writing WDF Drivers I: Core Concepts, Nashua, NH 15-19 May, 2017
Writing WDF Drivers II: Advanced Implementation Tech., Nashua, NH 23-26 May, 2017
Kernel Debugging and Crash Analysis, Dulles, VA 26-30 June, 2017
Windows Internals & Software Driver Development, Nashua, NH 24-28 July, 2017


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 5  
15 May 17 10:44
George Bittencourt
xxxxxx@georgeluiz.com
Join Date: 20 Apr 2017
Posts To This List: 5
Driver Signing on Windows 10

Hello, From what I have read starting from Windows 10 build 1607 I must sign my drivers with a EV certificate purchased from one of the following vendors: Symantec, DigiCert, Entrust or GlobalSign. I also need to submit my driver to the Dev Portal where Microsoft will do a second signing using their own certificate. Is my understanding correct? Does this Dev Portal do any additional check in my code? -- -George --
  Message 2 of 5  
15 May 17 11:40
Bill Wandel
xxxxxx@bwandel.com
Join Date: 14 Sep 2010
Posts To This List: 125
Driver Signing on Windows 10

This is only correct if you support Secure Boot. Bill Wandel From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of George Luiz Bittencourt Sent: Monday, May 15, 2017 10:44 AM To: Windows System Software Devs Interest List <xxxxx@lists.osr.com> Subject: [ntdev] Driver Signing on Windows 10 Hello, From what I have read starting from Windows 10 build 1607 I must sign my drivers with a EV certificate purchased from one of the following vendors: Symantec, DigiCert, Entrust or GlobalSign. I also need to submit my driver to the Dev Portal where Microsoft will do a second signing using their own certificate. Is my understanding correct? Does this Dev Portal do any additional check in my code? -- -George --- NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at --
  Message 3 of 5  
15 May 17 12:50
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11455
Driver Signing on Windows 10

George Luiz Bittencourt wrote: > > From what I have read starting from Windows 10 build 1607 I must sign > my drivers with a EV certificate purchased from one of the following > vendors: Symantec, DigiCert, Entrust or GlobalSign. > I also need to submit my driver to the Dev Portal where Microsoft will > do a second signing using their own certificate. > > Is my understanding correct? Does this Dev Portal do any additional > check in my code? Didn't I just answer this question last week? ;) There are three separate scenarios here. If your client does not have "secure boot" set in the BIOS, then the driver signing policies in 1607 and beyond are exactly the same as they always have been. Your standard non-EV certificate will suffice. No Microsoft involvement is necessary. If your client has "secure boot" set, then you need a Microsoft blessing. You can get that in two ways. If you want to run your driver through the full HCK suite (or HLK, whatever it's called now), you can submit your driver for the WHQL signature. Such a driver package will work on all the systems, old and new. Otherwise, you can use the attestation signing, as you mentioned. The attestation signing does no testing of your driver, although it does rudimentary checking of your INF file. It has to do that, because they throw out whatever CAT file you might have supplied and build a brand-new CAT file from the INF. One side effect of this is that the driver package you get back is ONLY marked for Windows 10. It will not load in the earlier systems. It's not necessary for you to sign your driver at all before submitting it for attestation signing. The EV certificate is only necessary in order for you to establish the Dev Portal account. -- Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
  Message 4 of 5  
15 May 17 13:14
George Bittencourt
xxxxxx@georgeluiz.com
Join Date: 20 Apr 2017
Posts To This List: 5
Driver Signing on Windows 10

Thanks Tim! So when using "attestation signing" I do not need to sign my driver because Microsoft will sign with its own certificate? And they trust me because I created a Dev Portal account using my EV certificate? Or once I get the driver back from Microsoft I still need to sign with my own certificate? Thanks, -George On Mon, May 15, 2017 at 1:50 PM, Tim Roberts <xxxxx@probo.com> wrote: > George Luiz Bittencourt wrote: > > > > From what I have read starting from Windows 10 build 1607 I must sign > > my drivers with a EV certificate purchased from one of the following > > vendors: Symantec, DigiCert, Entrust or GlobalSign. > > I also need to submit my driver to the Dev Portal where Microsoft will > > do a second signing using their own certificate. > > > > Is my understanding correct? Does this Dev Portal do any additional > > check in my code? <...excess quoted lines suppressed...> -- -George --
  Message 5 of 5  
15 May 17 20:07
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11455
Driver Signing on Windows 10

George Luiz Bittencourt wrote: > Thanks Tim! > > So when using "attestation signing" I do not need to sign my driver > because Microsoft will sign with its own certificate? > And they trust me because I created a Dev Portal account using my EV > certificate? That's exactly right, yes. > Or once I get the driver back from Microsoft I still need to sign with > my own certificate? Nope. In fact, you CAN'T make any changes to what you get back. A CAT contains a checksum of all of the covered files. If you change one of the files, the CAT file becomes invalid. -- Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 03:17.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license