Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

Upcoming OSR Seminars:

Writing WDF Drivers I: Core Concepts, Nashua, NH 15-19 May, 2017
Writing WDF Drivers II: Advanced Implementation Tech., Nashua, NH 23-26 May, 2017
Kernel Debugging and Crash Analysis, Dulles, VA 26-30 June, 2017
Windows Internals & Software Driver Development, Nashua, NH 24-28 July, 2017


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 7  
20 Apr 17 19:10
Johnny Shaw
xxxxxx@live.com
Join Date: 11 Apr 2017
Posts To This List: 15
Automating EV Signing (Windows Attestation)

It is clear to me that currently Microsoft does not have a way to automatically upload/download packages for attestation signing. But, I was curious how much anyone has automated up to that point. Specifically around EV signing. What I've found so far is the smart card (dongle) disables remote and automated keyboard input. So one has to type the password physically into the keyboard. I'm personally okay with the extra security and validation around EV signing. Frankly, for me at least, driver releases don't happen extremely frequently throughout the year. So having to manually do this every once and a while isn't a big deal. In any event I'm curious what others have done.
  Message 2 of 7  
21 Apr 17 08:37
David Mary
xxxxxx@digitalguardian.com
Join Date: 05 Jan 2017
Posts To This List: 2
Automating EV Signing (Windows Attestation)

I have had success using AutoIT to fill in the credentials for the pop-up challenge that occurs during EV code signing with a gemalto USB token and the SafeNet client software. In my environments, the AutoIT script needs to "run as Administrator" in order to see and input to the pop-up challenge.
  Message 3 of 7  
21 Apr 17 14:11
Mark Roddy
xxxxxx@gmail.com
Join Date: 25 Feb 2000
Posts To This List: 3971
Automating EV Signing (Windows Attestation)

That - using autoIT - is a good idea, but really the provided functionality is not ready for automated build systems and instead people have to hack around this misfortune. Mark Roddy On Fri, Apr 21, 2017 at 8:35 AM, <xxxxx@digitalguardian.com> wrote: > I have had success using AutoIT to fill in the credentials for the pop-up > challenge that occurs during EV code signing with a gemalto USB token and > the SafeNet client software. > > In my environments, the AutoIT script needs to > "run as Administrator" in order to see and input to the pop-up challenge. > > > --- > NTDEV is sponsored by OSR <...excess quoted lines suppressed...> --
  Message 4 of 7  
22 Apr 17 08:51
Eric Berge
xxxxxx@gmail.com
Join Date: 17 Oct 2011
Posts To This List: 15
Automating EV Signing (Windows Attestation)

Keep in mind that you do not need to use your EV certificate for signing, you just need an EV certificate and the non-EV certificate you sign with registered through the Microsoft portal. See the following for Microsoft's statement when they dropped this requirement: https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/10/07/update -to-ev-certificate-requirement-per-submission/ Thus everything can be automated (and I've done this myself) other than, as you say, the upload of the CAB file and the download of the drivers to be signed and the download of the zip file with the Microsoft-signed files. Eric
  Message 5 of 7  
22 Apr 17 09:59
Johnny Shaw
xxxxxx@live.com
Join Date: 11 Apr 2017
Posts To This List: 15
Automating EV Signing (Windows Attestation)

Last time I tired uploading a package without the EV cert it didn't take it. I'll have to try it again. It is possible that the nature of the driver I produce requires it be signed with the EV cert.
  Message 6 of 7  
22 Apr 17 10:07
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 5879
List Moderator
Automating EV Signing (Windows Attestation)

<quote> just need an EV certificate and the non-EV certificate you sign with registered through the Microsoft portal. </quote> This is correct. We at OSR, together with support from several OEM/IHV types, worked *really* hard to get the policymrequiring EV signing of every submission reversed. MSFT was willing to listen to our arguments, and we were ultimately successful. Peter OSR @OSRDrivers
  Message 7 of 7  
22 Apr 17 11:10
Johnny Shaw
xxxxxx@live.com
Join Date: 11 Apr 2017
Posts To This List: 15
Automating EV Signing (Windows Attestation)

They only allow us to have one certificate registered at a time.
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 06:34.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license