As most of you are doubtless aware, drivers will need to be signed by Microsoft’s SYSDEV portal in order to be installed on new Win 10 V1607 systems (and later) that have secure boot enabled.
There are a narrow group of exceptions, but as time passes these exceptions will rapidly become irrelevant.
You’re probably also aware that in order to get your driver signed by SYSDEV, you need an Extended Validation Certificate (EV Cert) on file with SYSDEV.
While we’re not enthusiastic about this idea here at OSR, we don’t think requiring sysdev users to have an EV Cert is by itself a terrible thing. Microsoft tells us this provides additional security. An EV Cert certainly provides an extra level of scrutiny about the holding organization. We can live with it.
The issue that we think is a big problem for the Community is the fact that soon, every submission to SYSDEV will be required to be signed with the EV Cert.
Currently, you do not need to use this EV Cert to sign your SYSDEV submissions. You can sign your submissions with a “regular” Class 3 Code Signing Cert, so long as it is registered with SYSDEV for the submitting company, and the submitting company also has an EV Cert on file with sysdev. To us here at OSR, this makes sense.
However, Microsoft has made it clear that SOON any submission to SYSDEV will need to be signed with the EV Cert to be considered valid. No other cert will be accepted.
If you’ve used EV Certs, you know they’re a PITA. They’re restricted to residing on hardware tokens on similar “secure key storage” devices.
It is our observation that requiring every submission to be signed with the EV Cert creates significant problems for IHVs and OEMs. This is particularly true for IHVs and OEMs that have external teams do their HLK testing and SYSDEV submissions. How would a company located in, for example, Taiwan manage a SYSDEV submission performed by a team in the US?
Would they have somebody fly from Taiwan to the US with the EV Cert on a token every time a new submission needs to be done? Or, alternatively, does somebody in Taiwan need to install the HLK, learn how to use it, and import, sign, and upload the submission? Or would someone from the team that does the testing fly somebody to Taiwan to install the HLK and do the testing, and then use the EV Cert to sign the submission?
None of these alternatives are realistic. And this is a big problem.
If you think the requirement that every sysdev submission be signed with a company’s EV Cert is going to be a problem for your company, now is the time to speak up.
If you’re an OEM, IHV, or 3rd party specialist firm that does sysdev submissions, you CAN voice your opinion and be heard. In the past, working together, we have been successful in pointing out to Microsoft how certain plans were not in the best interests of the eco-system, and we have gotten those plans changed.
Here at OSR, we’ve filed a bug with SYSDEV on this topic. We’re working the topic with our colleagues. But without additional support, I expect our issue to be closed with “Yes, we know you don’t like this idea. Thanks for the feedback. Sorry. Have a nice day.”
So… What can you do?
At every opportunity, you can voice to Microsoft your concern over the practicality of having to use an EV Cert to sign *every* SYSDEV submission.
Work the issue through all the channels you have, both formal and informal.
If you’re an IHV or OEM, make sure your reps to MSFT are aware of this problem. Ask them to raise this issue as a specific topic at their regular review meetings.
File a bug at SYSDEV, with the letters “EVCERT:” at the beginning of the bug title.
If you have Premier Support, talk to your TAM about this issue and *specifically request* that they “raise the issue with the product team.” Regularly ask for status about what the product team says about this issue.
We’re bringing this issue to the attention of the community because we think requiring every submission to be signed with an EV Cert will create serious practical problems for OEMs and IHVs world wide. To avoid having this issue dismissed as purely being one of self-interest, let me be clear: OSR does (perhaps) one or two sysdev submissions a year on behalf of clients. We derive approximately zero percent of our revenue from sysdev submissions. While requiring sysdev submissions to be signed with an EV Cert will negatively impact OSR and our clients, it will impact other firms far more than it will impact us.
So… if you didn’t know before, now you know.
Peter
OSR
@OSRDrivers