Driver Signing on Windows 10

Hello,

From what I have read starting from Windows 10 build 1607 I must sign my
drivers with an EV certificate purchased from one of the following
vendors: Symantec, DigiCert, Entrust or GlobalSign.
I also need to submit my driver to the Dev Portal where Microsoft will do a
second signing using their own certificate.

Is my understanding correct? Does this Dev Portal do any additional check
in my code?


-George

This is only correct if you support Secure Boot.

Bill Wandel

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of George Luiz Bittencourt
Sent: Monday, May 15, 2017 10:44 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Driver Signing on Windows 10

Hello,

From what I have read starting from Windows 10 build 1607 I must sign my drivers with an EV certificate purchased from one of the following vendors: Symantec, DigiCert, Entrust or GlobalSign.

I also need to submit my driver to the Dev Portal where Microsoft will do a second signing using their own certificate.

Is my understanding correct? Does this Dev Portal do any additional check in my code?



-George

— NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at

George Luiz Bittencourt wrote:

> From what I have read starting from Windows 10 build 1607 I must sign
> my drivers with an EV certificate purchased from one of the following
> vendors: Symantec, DigiCert, Entrust or GlobalSign.
> I also need to submit my driver to the Dev Portal where Microsoft will
> do a second signing using their own certificate.
>
> Is my understanding correct? Does this Dev Portal do any additional
> check in my code?

Didn’t I just answer this question last week? :wink:

There are three separate scenarios here. If your client does not have
“secure boot” set in the BIOS, then the driver signing policies in 1607
and beyond are exactly the same as they always have been. Your standard
non-EV certificate will suffice. No Microsoft involvement is necessary.

If your client has “secure boot” set, then you need a Microsoft
blessing. You can get that in two ways. If you want to run your driver
through the full HCK suite (or HLK, whatever it’s called now), you can
submit your driver for the WHQL signature. Such a driver package will
work on all the systems, old and new.

Otherwise, you can use the attestation signing, as you mentioned. The
attestation signing does no testing of your driver, although it does
rudimentary checking of your INF file. It has to do that, because they
throw out whatever CAT file you might have supplied and build a
brand-new CAT file from the INF. One side effect of this is that the
driver package you get back is ONLY marked for Windows 10. It will not
load in the earlier systems.

It’s not necessary for you to sign your driver at all before submitting
it for attestation signing. The EV certificate is only necessary in
order for you to establish the Dev Portal account.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim!

So when using “attestation signing” I do not need to sign my driver because
Microsoft will sign with its own certificate?
And they trust me because I created a Dev Portal account using my EV
certificate?

Or once I get the driver back from Microsoft I still need to sign with my
own certificate?

Thanks,

-George

On Mon, May 15, 2017 at 1:50 PM, Tim Roberts wrote:

> George Luiz Bittencourt wrote:
> >
> > From what I have read starting from Windows 10 build 1607 I must sign
> > my drivers with an EV certificate purchased from one of the following
> > vendors: Symantec, DigiCert, Entrust or GlobalSign.
> > I also need to submit my driver to the Dev Portal where Microsoft will
> > do a second signing using their own certificate.
> >
> > Is my understanding correct? Does this Dev Portal do any additional
> > check in my code?
>
> Didn’t I just answer this question last week? :wink:
>
> There are three separate scenarios here. If your client does not have
> “secure boot” set in the BIOS, then the driver signing policies in 1607
> and beyond are exactly the same as they always have been. Your standard
> non-EV certificate will suffice. No Microsoft involvement is necessary.
>
> If your client has “secure boot” set, then you need a Microsoft
> blessing. You can get that in two ways. If you want to run your driver
> through the full HCK suite (or HLK, whatever it’s called now), you can
> submit your driver for the WHQL signature. Such a driver package will
> work on all the systems, old and new.
>
> Otherwise, you can use the attestation signing, as you mentioned. The
> attestation signing does no testing of your driver, although it does
> rudimentary checking of your INF file. It has to do that, because they
> throw out whatever CAT file you might have supplied and build a
> brand-new CAT file from the INF. One side effect of this is that the
> driver package you get back is ONLY marked for Windows 10. It will not
> load in the earlier systems.
>
> It’s not necessary for you to sign your driver at all before submitting
> it for attestation signing. The EV certificate is only necessary in
> order for you to establish the Dev Portal account.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>


-George

George Luiz Bittencourt wrote:

Thanks Tim!

> So when using “attestation signing” I do not need to sign my driver
> because Microsoft will sign with its own certificate?
> And they trust me because I created a Dev Portal account using my EV
> certificate?

That’s exactly right, yes.

> Or once I get the driver back from Microsoft I still need to sign with
> my own certificate?

Nope. In fact, you CAN’T make any changes to what you get back. A CAT
contains a checksum of all of the covered files. If you change one of
the files, the CAT file becomes invalid.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
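As an added example (not code from the thread or from OSR), the following PowerShell script checks the two points Tim's replies turn on: which of his scenarios a machine is in (Secure Boot on or off), and whether a returned driver package still matches the hashes recorded in its CAT file, so that an accidental edit after attestation signing is caught before deployment. It assumes signtool.exe from the Windows SDK is on PATH, that the package lives in C:\drv with a catalog named mydriver.cat, and that it is run from an elevated prompt (Confirm-SecureBootUEFI needs administrator rights); all three are assumptions, not values from the thread.

```powershell
# Added example, not from the ntdev thread. Assumed paths: C:\drv and mydriver.cat.
param(
    [string]$PackageDir  = 'C:\drv',        # assumed folder holding INF/SYS/CAT
    [string]$CatalogName = 'mydriver.cat'   # assumed catalog file name
)

# 1. Which scenario applies? Secure Boot decides whether a Microsoft
#    signature (WHQL or attestation) is required at all.
try {
    $secureBoot = Confirm-SecureBootUEFI    # throws on legacy-BIOS machines
} catch {
    $secureBoot = $false                    # no UEFI, so Secure Boot cannot be on
}
Write-Host "Secure Boot enabled : $secureBoot"
if (-not $secureBoot) {
    Write-Host "Pre-1607 signing rules apply; a Microsoft signature is not required."
} else {
    Write-Host "A Microsoft signature (WHQL or attestation) is required."
}

# 2. Who signed the catalog? An attestation- or WHQL-signed package carries a
#    Microsoft signer; a package you signed yourself carries your own cert.
$cat = Join-Path $PackageDir $CatalogName
$sig = Get-AuthenticodeSignature -FilePath $cat
Write-Host "Catalog status      : $($sig.Status)"
Write-Host "Catalog signer      : $($sig.SignerCertificate.Subject)"

# 3. Does every covered file still hash to what the CAT records? Editing any
#    covered file after signing (an INF tweak is the classic mistake) makes
#    the catalog invalid, which is why the returned package must not be touched.
$allMatch = $true
Get-ChildItem -Path $PackageDir -File |
    Where-Object { $_.Extension -in '.sys', '.inf', '.dll' } |
    ForEach-Object {
        & signtool.exe verify /kp /v /c $cat $_.FullName | Out-Null
        $ok = ($LASTEXITCODE -eq 0)
        if (-not $ok) { $allMatch = $false }
        Write-Host ("{0,-30} catalog match: {1}" -f $_.Name, $ok)
    }

if ($allMatch) {
    Write-Host "Package is intact; deploy it as returned."
} else {
    Write-Host "At least one file no longer matches the catalog; resubmit instead of re-signing."
}
```

Run it as `.\Check-DriverPackage.ps1 -PackageDir C:\drv -CatalogName mydriver.cat` from an elevated PowerShell. The `/kp` switch makes signtool apply kernel-mode driver policy, and `/c` names the catalog the file's hash must appear in; a package whose INF was edited after signing will show `catalog match: False` for that file even though the CAT's own signature in step 2 still reports Valid, which is exactly the failure Tim warns about.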