Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

OSR Seminars


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 4  
07 Feb 18 15:16
Hakim
xxxxxx@yahoo.ca
Join Date: 11 Feb 2003
Posts To This List: 92
Windows 10 Code signing

Hello, We have class 3 certificate and use that for driver signing. Recently, we found that that the certificate is not working if Window 10 is booted with secure boot enabled. We contacted our certificate provider and they say that Microsoft has updated their driver signing policy for Windows 10 (effective version 1607, Aug. 2016 release) and require that Kernel mode drivers with Secure Boot turned ON must be signed with a Microsoft Signature via their Windows Hardware Developer Center Dashboard. We'll need to sign driver with an EV code signing cert and submit it to their dashboard. Does anyone know whether I've to perform WHQL test and send logs as well? Thanks, Hakim
  Message 2 of 4  
07 Feb 18 15:25
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 12023
Windows 10 Code signing

xxxxx@yahoo.ca wrote: > We have class 3 certificate and use that for driver signing. Recently, we found that that the certificate is not working if Window 10 is booted with secure boot enabled. We contacted our certificate provider and they say that Microsoft has updated their driver signing policy for Windows 10 (effective version 1607, Aug. 2016 release) and require that Kernel mode drivers with Secure Boot turned ON must be signed with a Microsoft Signature via their Windows Hardware Developer Center Dashboard. We'll need to sign driver with an EV code signing cert and submit it to their dashboard. Correct -- this has been discussed on this list dozens of times since the policy was announced two years ago. > Does anyone know whether I've to perform WHQL test and send logs as well? No.  That is certainly one option, and since the WHQL process is free, it might be the right option for you, but Microsoft has an alternative process called "attestation signing" where you submit a package that you have done your own testing on.  They will sign it and send it back.  The drawback to attestation signing is that the package can ONLY be installed on Windows 10.  It cannot be installed on earlier systems. -- Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.
  Message 3 of 4  
08 Feb 18 11:45
Alan Adams
xxxxxx@novell.com
Join Date: 20 Dec 2010
Posts To This List: 34
Windows 10 Code signing

> We'll need to sign driver with an EV code signing cert > and submit it to their dashboard. As Tim said, this is correct, although there is a further clarification to make there. You will need to HAVE an EV certificate, and you will need to have registered that EV certificate with a company account you created on the Microsoft Windows Dev Center portal. So long as you register your existing Class 3 certificate on the portal company account too, you can continue performing your actual /driver signing/, including the submissions of any .CABs, .HLKX and/or .HCKX files, using the Class 3 certificate you're using today. You simply must _have_ an EV certificate registered to "prove" identity of whom owns the company account you created on the Microsoft Windows Dev Center portal. But once that trust is established, they will trust any additional non-EV certificates you upload to your company account, too. So an EV certificate is required, but not specifically "to sign every driver", nor even to "sign every submission upload." Its fine if you /do/ use the EV certificate to perform your actual driver signing and/or submissions, but that's not strictly required, if you have other non-EV certificates registered too. There do happen to be Windows Dev Center submissions that _require_ being signed with the EV certificate, but those are things like UEFI firmware submissions, and not general driver signing. Alan Adams Client for Open Enterprise Server Micro Focus xxxxx@microfocus.com
  Message 4 of 4  
08 Feb 18 14:25
Peter Viscarola
xxxxxx@osr.com
Join Date:
Posts To This List: 6253
List Moderator
Windows 10 Code signing

See: https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/ and numerous other blog posts on OSR.COM about this topic. Peter OSR @OSRDrivers
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 02:26.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license