Automating EV Signing (Windows Attestation)

It is clear to me that currently Microsoft does not have a way to automatically upload/download packages for attestation signing. But, I was curious how much anyone has automated up to that point. Specifically around EV signing. What I’ve found so far is the smart card (dongle) disables remote and automated keyboard input. So one has to type the password physically into the keyboard.

I’m personally okay with the extra security and validation around EV signing. Frankly, for me at least, driver releases don’t happen extremely frequently throughout the year. So having to manually do this every once in a while isn’t a big deal. In any event I’m curious what others have done.

I have had success using AutoIT to fill in the credentials for the pop-up
challenge that occurs during EV code signing with a Gemalto USB token and
the SafeNet client software.

In my environments, the AutoIT script needs to
“run as Administrator” in order to see and input to the pop-up challenge.

That (using AutoIT) is a good idea, but really the provided functionality
is not ready for automated build systems and instead people have to hack
around this misfortune.

Mark Roddy

On Fri, Apr 21, 2017 at 8:35 AM, wrote:

> I have had success using AutoIT to fill in the credentials for the pop-up
> challenge that occurs during EV code signing with a Gemalto USB token and
> the SafeNet client software.
>
> In my environments, the AutoIT script needs to
> “run as Administrator” in order to see and input to the pop-up challenge.

Keep in mind that you do not need to use your EV certificate for signing, you just need an EV certificate and the non-EV certificate you sign with registered through the Microsoft portal.

See the following for Microsoft’s statement when they dropped this requirement:

https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/10/07/update-to-ev-certificate-requirement-per-submission/

Thus everything can be automated (and I’ve done this myself) other than, as you say, the upload of the CAB file and the download of the drivers to be signed and the download of the zip file with the Microsoft-signed files.

Eric
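As an added illustration of the automatable part of the workflow Eric describes (this is example code, not from the thread, OSR, or Microsoft), the following PowerShell build step packages the driver into a CAB with makecab, signs that CAB with the non-EV certificate registered in the portal, and verifies the signature before the manual upload. The signtool path, certificate thumbprint, timestamp URL and package directory are placeholders.

```powershell
# Added example: build and sign the attestation CAB with a registered non-EV cert.
# All paths, the thumbprint and the timestamp URL below are placeholders to replace.
$ErrorActionPreference = 'Stop'

$SignTool   = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe' # placeholder
$Thumbprint = '0000000000000000000000000000000000000000'                   # placeholder SHA-1
$TimeStamp  = 'http://timestamp.example.invalid'                             # placeholder TSA
$DriverDir  = 'C:\build\MyDriver\x64\Release\MyDriver'                       # placeholder
$CabName    = 'MyDriver.cab'
$OutDir     = 'C:\build\out'                                                 # placeholder

# 1. Build a makecab directive file listing the driver package (inf, sys, cat, dll).
#    DestinationDir puts the files in one folder inside the CAB, as the portal expects.
$files = Get-ChildItem -Path $DriverDir -Include *.inf,*.sys,*.cat,*.dll -Recurse
$ddf = @"
.OPTION EXPLICIT
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set DestinationDir=MyDriver
.Set DiskDirectoryTemplate=$OutDir
.Set CabinetNameTemplate=$CabName

"@
$ddf += ($files | ForEach-Object { "`"$($_.FullName)`"" }) -join "`r`n"
$ddfPath = Join-Path $env:TEMP 'MyDriver.ddf'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Set-Content -Path $ddfPath -Value $ddf -Encoding ASCII
& makecab.exe /f $ddfPath
if ($LASTEXITCODE -ne 0) { throw 'makecab failed' }

# 2. Sign the CAB. /sha1 selects the registered (non-EV) cert from the CurrentUser\My
#    store, so no hardware token PIN prompt blocks the build.
$cabPath = Join-Path $OutDir $CabName
& $SignTool sign /v /fd sha256 /sha1 $Thumbprint /tr $TimeStamp /td sha256 $cabPath
if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed' }

# 3. Verify the signature chains under the default Authenticode policy before upload.
& $SignTool verify /v /pa $cabPath
if ($LASTEXITCODE -ne 0) { throw 'signature verification failed' }
Write-Host "Ready for manual portal upload: $cabPath"
```

The upload of this CAB and the download of the Microsoft-signed package remain the manual steps the thread identifies.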

Last time I tried uploading a package without the EV cert it didn’t take it. I’ll have to try it again. It is possible that the nature of the driver I produce requires it be signed with the EV cert.

This is correct. We at OSR, together with support from several OEM/IHV types, worked *really* hard to get the policy requiring EV signing of every submission reversed. MSFT was willing to listen to our arguments, and we were ultimately successful.

Peter
OSR
@OSRDrivers

They only allow us to have one certificate registered at a time.